[Bug 117] OpenSSH second-guesses PAM

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu May 9 13:38:34 EST 2002


------- Additional Comments From fcusack at fcusack.com  2002-05-09 13:38 -------
Forwarding a fake username also means there is an undocumented username
that has side effects caused by sshd; although all caps probably makes
this a non-concern, to me it still smacks of special names like COM.

This will be my last comment on the matter:

- You are not doing anything by using 'NOUSER', at least nothing I can
  figure out.  If this is to prevent some kind of attack, please add
  comments in the code.
- You *are* causing problems.  eg, my sshd w/ PAM uses a RADIUS backend.
  On my RADIUS server I get logs for 'NOUSER' failing.  I would like to
  know what the attempted username was, and I would like to get this from
  a central source (the RADIUS server).  I will admit, on the level of
  "problems" this is minor if 'NOUSER' actually prevents some attack.
- The protocol 1 code path does not call PAM at all for invalid users.
  This would be acceptable for the protocol 2 code path, and better than
  using 'NOUSER', but eliminate the possibility of non-login services.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the openssh-unix-dev mailing list