Puzzled about PAM support in OpenSSH-3.7.1p2
Tom Pavel
pavel at NetworkPhysics.COM
Sun Jan 25 19:38:08 EST 2004
I'm trying to understand the code around PAM support in auth2.c and
auth2-chall.c. I'm working with the OpenSSH 3.7.1p2 sources on
FreeBSD 4.x. The scenario I'm trying to make work is SSH login to a
captive account for users in a RADIUS database but whose login does not
appear in /etc/passwd or getpwnam().
I understand that if the username is not found in getpwnam(), then the
fakepw() routine is called to create the user credentials (and, of
course, I'll need to modify this to point to my captive acct that I
want to use). In auth2.c, there is code to start the PAM
authentication in this fakepw case which all seems to make sense:
    authctxt->pw = PRIVSEP(getpwnamallow(user));
    if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
        authctxt->valid = 1;
#ifdef USE_PAM
        if (options.use_pam)
            PRIVSEP(start_pam(authctxt->pw->pw_name));
#endif
    } else {
        authctxt->pw = fakepw();
#ifdef USE_PAM
        if (options.use_pam)
            PRIVSEP(start_pam(user));
#endif
    }
However, in auth2-chall.c the code that actually verifies the passwd
returned by the remote user with the PAM module seems only to treat
the authctxt->valid case (i.e. when the getpwnam() returns a real
acct). This seems to make the fakepw() case above pointless (and
prevents my captive acct scenario from working).
    if (authctxt->valid) {
        res = kbdintctxt->device->respond(kbdintctxt->ctxt,
            nresp, response);
    } else {
        res = -1;
    }
My question is how is the !valid case supposed to work? Is this just
an oversight in the OpenSSH code, or am I missing some other piece of
the puzzle (perhaps somewhere where valid is supposed to be set)? If
this is just a bug, I'll be happy to submit a problem report and a
patch.
Thanks for any insights,
Tom Pavel
Network Physics
pavel at networkphysics.com / pavel at alum.mit.edu
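The following is an added, constructed model of the two code paths the post quotes; it is not OpenSSH code and not part of the original message. The struct names (Authctxt, KbdintDevice), the passwd table, the PAM-like backend and its credentials ("captive"/"s3cret", "radiususer"/"r4dius") are all assumptions invented for the example. It shows the behaviour the post describes: auth2.c starts a PAM conversation for an unknown user via fakepw(), but the gate in auth2-chall.c never consults the device when authctxt->valid is 0, so a user who is absent from getpwnam() cannot authenticate through keyboard-interactive even when the backend would accept the password.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for OpenSSH's Authctxt: only the fields the
 * post's two snippets depend on. */
typedef struct {
    char user[64];   /* name handed to start_pam(): pw_name or the raw login */
    int  valid;      /* 1 if getpwnam() found the account, 0 after fakepw() */
} Authctxt;

/* Constructed stand-in for the kbdint device: respond() returns 0 on
 * success and -1 on failure, like the real device contract. */
typedef struct {
    int (*respond)(const Authctxt *ctxt, const char *response);
} KbdintDevice;

/* Assumed backend credentials: "captive" exists in passwd, "radiususer"
 * is known only to the (simulated) RADIUS-backed PAM module. */
static int pam_like_respond(const Authctxt *ctxt, const char *response)
{
    if (strcmp(ctxt->user, "captive") == 0 && strcmp(response, "s3cret") == 0)
        return 0;
    if (strcmp(ctxt->user, "radiususer") == 0 && strcmp(response, "r4dius") == 0)
        return 0;
    return -1;
}

static const KbdintDevice pam_device = { pam_like_respond };

/* Mirrors the auth2.c snippet: a real passwd entry sets valid=1 and PAM is
 * started with pw_name; an unknown login gets a fake entry (valid=0) but PAM
 * is still started with the login name the client sent. */
Authctxt lookup_user(const char *user)
{
    static const char *passwd_table[] = { "captive", "alice", NULL }; /* assumed */
    Authctxt ctxt;
    memset(&ctxt, 0, sizeof ctxt);
    for (int i = 0; passwd_table[i] != NULL; i++) {
        if (strcmp(passwd_table[i], user) == 0) {
            ctxt.valid = 1;
            break;
        }
    }
    /* fakepw() would substitute a placeholder pw struct; the name passed to
     * start_pam() is the original login in both branches of the quoted code. */
    strncpy(ctxt.user, user, sizeof ctxt.user - 1);
    return ctxt;
}

/* Mirrors the auth2-chall.c snippet: the device is consulted only for a
 * valid context; a fake-user context is rejected without reading the reply. */
int kbdint_respond(const Authctxt *authctxt, const KbdintDevice *dev,
                   const char *response)
{
    int res;
    if (authctxt->valid) {
        res = dev->respond(authctxt, response);
    } else {
        res = -1;
    }
    return res;
}

/* Convenience wrapper: full flow for one login attempt. */
int attempt_login(const char *user, const char *password)
{
    Authctxt ctxt = lookup_user(user);
    return kbdint_respond(&ctxt, &pam_device, password);
}

int main(void)
{
    printf("captive/s3cret     -> %d\n", attempt_login("captive", "s3cret"));
    printf("captive/wrong      -> %d\n", attempt_login("captive", "wrong"));
    /* Backend would accept this pair, but valid==0 short-circuits it. */
    printf("radiususer/r4dius  -> %d\n", attempt_login("radiususer", "r4dius"));
    return 0;
}
```

The last case is the one the post asks about: pam_like_respond() would return 0 for "radiususer", yet attempt_login() returns -1 because the fake-user context never reaches the device. Any change that let that path succeed would have to set valid (or an equivalent flag) based on the PAM result rather than on getpwnam(), which is the design question the post raises.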