Puzzled about PAM support in OpenSSH-3.7.1p2

Darren Tucker dtucker at zip.com.au
Sun Jan 25 20:11:26 EST 2004

Tom Pavel wrote:
> This seems to make the fakepw() case above pointless (and
> prevents my captive acct scenario from working).
> My question is how is the !valid case supposed to work?  Is this just
> an oversight in the OpenSSH code, or am I missing some other piece of
> the puzzle (perhaps somewhere where valid is supposed to be set)?

fakepw() is there so you can do exactly the same set of operations for 
a real user and a non-existent user, to prevent leaking information 
about the validity of the account by returning faster or behaving 
differently in one case.

For example, in 3.5p1, auth-passwd.c had code roughly like the following:

	/* deny if no user. */
	if (pw == NULL)
		return 0;
	if (some_other_test(pw->pw_name))
		return 0;
	encrypted_password = crypt(.....);
	return (strcmp(encrypted_password, pw->pw_passwd) == 0);

Obviously, the earlier it fails the faster it returns.

For 3.6.1p2 (?) a change ("owl-always-auth") was added, and the equivalent 
code became something like:

	if (pw == NULL)
		pw = fakepw();
	ok = authctxt->valid;
	if (some_other_test(pw->pw_name))
		ok = 0;
	encrypted_password = crypt(.....);
	return (strcmp(encrypted_password, pw->pw_passwd) == 0 && ok);

Now all of the same tests will be done in either case.
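To make the difference between the two shapes concrete, here is a small added example (not OpenSSH code, and not from this thread) that puts the 3.5p1-style early-return check next to the owl-always-auth-style uniform check and counts how many times the password hash routine runs on each path. The user database, the fakepw() entry and the toy_crypt() stand-in for crypt(3) are all constructed for the example; the only thing it shows is that the early-return version does zero hash work for an unknown user while the uniform version does the same work for every caller.

```c
#include <stdio.h>
#include <string.h>

/* Toy password database, constructed for this example (not OpenSSH code). */
struct pwent {
    char pw_name[16];
    char pw_passwd[32];   /* "salt$hash", or "*" for an unmatchable entry */
    int  locked;          /* stands in for whatever some_other_test() checks */
};

static int crypt_calls;   /* how many times the toy crypt ran in one check */

/* Stand-in for crypt(3): djb2 over salt+password, rendered as "salt$hex".
 * Only here so the example runs without -lcrypt; not a real password hash. */
static void toy_crypt(const char *password, const char *salt, char out[32])
{
    unsigned long h = 5381;
    const char *p;
    crypt_calls++;
    for (p = salt; *p; p++)     h = h * 33 + (unsigned char)*p;
    for (p = password; *p; p++) h = h * 33 + (unsigned char)*p;
    snprintf(out, 32, "%s$%08lx", salt, h & 0xffffffffUL);
}

/* Recover the salt prefix of a stored "salt$hash" string. */
static void salt_of(const char *stored, char salt[16])
{
    const char *d = strchr(stored, '$');
    size_t n = d ? (size_t)(d - stored) : strlen(stored);
    if (n > 15) n = 15;
    memcpy(salt, stored, n);
    salt[n] = '\0';
}

static struct pwent db[2];
static int db_ready;

/* Constructed accounts: alice is normal, bob is locked. */
static void db_init(void)
{
    if (db_ready) return;
    snprintf(db[0].pw_name, 16, "alice");
    toy_crypt("correct horse", "s1", db[0].pw_passwd);
    db[0].locked = 0;
    snprintf(db[1].pw_name, 16, "bob");
    toy_crypt("hunter2", "s2", db[1].pw_passwd);
    db[1].locked = 1;
    db_ready = 1;
}

static struct pwent *getpwnam_toy(const char *name)
{
    size_t i;
    db_init();
    for (i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcmp(db[i].pw_name, name) == 0) return &db[i];
    return NULL;
}

/* Like OpenSSH's fakepw(): a dummy entry whose password field "*" can never
 * equal any crypt output, so the same work is done for unknown users. */
static struct pwent *fakepw(void)
{
    static struct pwent fake = { "NOUSER", "*", 0 };
    return &fake;
}

/* 3.5p1 style: returns early, so an unknown user skips the crypt call. */
int auth_password_early_return(const char *user, const char *password)
{
    struct pwent *pw = getpwnam_toy(user);
    char salt[16], enc[32];
    if (pw == NULL) return 0;
    if (pw->locked) return 0;
    salt_of(pw->pw_passwd, salt);
    toy_crypt(password, salt, enc);
    return strcmp(enc, pw->pw_passwd) == 0;
}

/* owl-always-auth style: every path does the same tests and the same crypt;
 * "ok" plays the role of authctxt->valid. */
int auth_password_uniform(const char *user, const char *password)
{
    struct pwent *pw = getpwnam_toy(user);
    char salt[16], enc[32];
    int ok = 1;
    if (pw == NULL) { pw = fakepw(); ok = 0; }
    if (pw->locked) ok = 0;
    salt_of(pw->pw_passwd, salt);
    toy_crypt(password, salt, enc);
    return strcmp(enc, pw->pw_passwd) == 0 && ok;
}

/* Run one check and report how many crypt calls it made; that count is the
 * observable difference the uniform version is meant to remove. */
int crypt_calls_for(int (*auth)(const char *, const char *),
                    const char *user, const char *password)
{
    db_init();          /* populate the table before counting */
    crypt_calls = 0;
    auth(user, password);
    return crypt_calls;
}

int main(void)
{
    printf("early-return, unknown user: %d crypt call(s)\n",
           crypt_calls_for(auth_password_early_return, "nobody", "x"));
    printf("uniform,      unknown user: %d crypt call(s)\n",
           crypt_calls_for(auth_password_uniform, "nobody", "x"));
    return 0;
}
```

Note that in the uniform version the result for a locked or unknown account still comes out as failure only because ok is folded into the final return; that is exactly the role authctxt->valid plays in the real code, and why a valid flag that is never set makes every login fail while still doing all the work.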

For a discussion of authctxt->valid and its relationship to PAM, see:

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
