Puzzled about PAM support in OpenSSH-3.7.1p2

Tom Pavel pavel at NetworkPhysics.COM
Sun Jan 25 19:38:08 EST 2004

I'm trying to understand the code around PAM support in auth2.c and
auth2-chall.c.  I'm working with the OpenSSH 3.7.1p2 sources on
FreeBSD 4.x.  The scenario I'm trying to make work is SSH login to a
captive account for users in a RADIUS database but whose login does not
appear in /etc/passwd or getpwnam().

I understand that if the username is not found in getpwnam(), then the
fakepw() routine is called to create the user credentials (and, of
course, I'll need to modify this to point to my captive acct that I
want to use).  In auth2.c, there is code to start the PAM
authentication in this fakepw case which all seems to make sense:

        authctxt->pw = PRIVSEP(getpwnamallow(user));
        if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
                authctxt->valid = 1;
#ifdef USE_PAM
                if (options.use_pam)
        } else {
                authctxt->pw = fakepw();
#ifdef USE_PAM
                if (options.use_pam)

However, in auth2-chall.c the code that actually verifies the passwd
returned by the remote user with the PAM module seems only to treat
the authctxt->valid case (i.e. when the getpwnam() returns a real
acct).  This seems to make the fakepw() case above pointless (and
prevents my captive acct scenario from working).

        if (authctxt->valid) {
                res = kbdintctxt->device->respond(kbdintctxt->ctxt,
                    nresp, response);
        } else {
                res = -1;

My question is how is the !valid case supposed to work?  Is this just
an oversight in the OpenSSH code, or am I missing some other piece of
the puzzle (perhaps somewhere where valid is supposed to be set)?  If
this is just a bug, I'll be happy to submit a problem report and a

Thanks for any insights,

Tom Pavel

Network Physics
pavel at networkphysics.com / pavel at alum.mit.edu 
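
The control flow described by the two excerpts in the message above, as an added example that is not part of the original post and is not OpenSSH code. It is a simplified C model in which every struct and function name is hypothetical and the account data is constructed; it shows that a user missing from the local account lookup is rejected even when the authentication back end would accept the response.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins (hypothetical names) for the structures in the post. */
struct pw_model { const char *name; };
struct authctxt_model { int valid; const struct pw_model *pw; };

/* Constructed data: one local account, plus the placeholder fakepw() would return. */
static const struct pw_model local_acct = { "alice" };
static const struct pw_model fake_acct = { "fake-account" };

/* Stand-in for getpwnamallow(): only local accounts are found. */
static const struct pw_model *lookup_user(const char *user) {
    return strcmp(user, local_acct.name) == 0 ? &local_acct : NULL;
}

/* Stand-in for the PAM device's respond(): 0 on success, -1 on failure.
 * Assumption: the back end (e.g. RADIUS) would accept this secret for any user. */
static int device_respond(const char *response) {
    return strcmp(response, "correct-secret") == 0 ? 0 : -1;
}

/* Mirrors the auth2.c excerpt: valid is set only when the lookup succeeds. */
static void setup_authctxt(struct authctxt_model *a, const char *user, const char *service) {
    a->valid = 0;
    a->pw = lookup_user(user);
    if (a->pw && strcmp(service, "ssh-connection") == 0)
        a->valid = 1;
    else
        a->pw = &fake_acct;
}

/* Mirrors the auth2-chall.c excerpt: the device is consulted only if valid. */
static int handle_response(const struct authctxt_model *a, const char *response) {
    return a->valid ? device_respond(response) : -1;
}

int try_login(const char *user, const char *response) {
    struct authctxt_model a;
    setup_authctxt(&a, user, "ssh-connection");
    return handle_response(&a, response);
}

int main(void) {
    printf("local user, right secret:  %d\n", try_login("alice", "correct-secret"));
    printf("RADIUS-only user, right secret: %d\n", try_login("radius-only", "correct-secret"));
    return 0;
}
```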

More information about the openssh-unix-dev mailing list