[Bug 117] OpenSSH second-guesses PAM
bugzilla-daemon at mindrot.org
Thu May 9 13:38:34 EST 2002
http://bugzilla.mindrot.org/show_bug.cgi?id=117
------- Additional Comments From fcusack at fcusack.com 2002-05-09 13:38 -------
Forwarding a fake username also means there is an undocumented username
that has side effects caused by sshd; although all caps probably makes
this a non-concern, to me it still smacks of special names like COM.
This will be my last comment on the matter:
- You are not doing anything by using 'NOUSER', at least nothing I can
figure out. If this is to prevent some kind of attack, please add
comments in the code.
- You *are* causing problems. e.g., my sshd w/ PAM uses a RADIUS backend.
On my RADIUS server I get logs for 'NOUSER' failing. I would like to
know what the attempted username was, and I would like to get this from
a central source (the RADIUS server). I will admit, on the level of
"problems" this is minor if 'NOUSER' actually prevents some attack.
- The protocol 1 code path does not call PAM at all for invalid users.
This would be acceptable for the protocol 2 code path, and better than
using 'NOUSER', but eliminates the possibility of non-login services.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
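The logging problem the comment above describes, as an added example that is not part of the bug report or of OpenSSH: when sshd substitutes a placeholder name for an invalid user before calling PAM, a central RADIUS server only ever records that placeholder, and the attempted username survives only in sshd's own log on each host. The script below shows the correlation a defender is then forced into: it joins the RADIUS failure records back to the per-host sshd "Invalid user" lines by client host and timestamp. All log lines are constructed samples; the sshd wording follows OpenSSH's "Invalid user X from Y" message, the RADIUS line format is a simplified, assumed FreeRADIUS-style layout, and the placeholder name, the year (syslog lines carry none) and the 5-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Placeholder username sshd forwards for non-existent accounts (from the bug title).
PLACEHOLDER = "NOUSER"

# Constructed sample sshd syslog lines (not taken from the bug report).
SSHD_LOG = """\
May  9 13:30:01 host1 sshd[1234]: Invalid user backup from 192.0.2.10
May  9 13:30:02 host1 sshd[1234]: Failed password for invalid user backup from 192.0.2.10 port 51234 ssh2
May  9 13:31:10 host1 sshd[1240]: Failed password for alice from 192.0.2.11 port 51300 ssh2
May  9 13:32:45 host1 sshd[1251]: Invalid user admin from 192.0.2.10
"""

# Constructed RADIUS server lines in an assumed, simplified FreeRADIUS-like format.
# Note that the server only ever sees the placeholder, never 'backup' or 'admin'.
RADIUS_LOG = """\
Thu May  9 13:30:02 2002 : Auth: Login incorrect: [NOUSER] (from client host1)
Thu May  9 13:31:10 2002 : Auth: Login incorrect: [alice] (from client host1)
Thu May  9 13:32:45 2002 : Auth: Login incorrect: [NOUSER] (from client host1)
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<src>\S+)"
)
RADIUS_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Auth: "
    r"Login incorrect: \[(?P<user>[^\]]*)\] \(from client (?P<client>\S+)\)"
)


def parse_sshd_invalid_users(text, year):
    """Extract 'Invalid user' events from sshd syslog lines.

    syslog timestamps carry no year, so the caller supplies one (assumed).
    Lines for valid users that merely failed authentication are skipped.
    """
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"]})
    return events


def parse_radius_failures(text):
    """Extract (timestamp, NAS client, username) from RADIUS failure lines."""
    events = []
    for line in text.splitlines():
        m = RADIUS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        events.append({"ts": ts, "client": m["client"], "user": m["user"]})
    return events


def attribute_nouser(radius_text, sshd_text, year, window=timedelta(seconds=5)):
    """For each RADIUS failure logged under the placeholder name, find the sshd
    'Invalid user' line from the same host closest in time (within `window`)
    and report the username that was actually attempted and its source address.
    Returns one dict per placeholder record, with None fields when no sshd
    line matches (e.g. the host's log was not collected)."""
    sshd_events = parse_sshd_invalid_users(sshd_text, year)
    out = []
    for r in parse_radius_failures(radius_text):
        if r["user"] != PLACEHOLDER:
            continue  # real account names already reach the RADIUS log
        candidates = [
            s for s in sshd_events
            if s["host"] == r["client"] and abs(s["ts"] - r["ts"]) <= window
        ]
        best = min(candidates, key=lambda s: abs(s["ts"] - r["ts"]), default=None)
        out.append({
            "radius_ts": r["ts"],
            "host": r["client"],
            "attempted_user": best["user"] if best else None,
            "src": best["src"] if best else None,
        })
    return out


if __name__ == "__main__":
    for rec in attribute_nouser(RADIUS_LOG, SSHD_LOG, year=2002):
        print(f"{rec['radius_ts']} {rec['host']}: RADIUS saw {PLACEHOLDER}, "
              f"sshd saw user={rec['attempted_user']} from {rec['src']}")
```

The join is only a heuristic: two invalid-user attempts on the same host inside the window are indistinguishable from the RADIUS side, and it requires shipping every host's sshd log to the analyst anyway, which is precisely the "central source" the comment says the placeholder defeats.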