ssh daemon fails to call pam when user does not exist in /etc/passwd
Damien Miller
djm at mindrot.org
Tue Jun 15 19:44:19 EST 2004
Damien Miller wrote:
> Jayarama Vijay Kumar wrote:
>
>> Hi,
>> We recently upgraded to openssh-3.7.1p2. Our architecture is: the
>> ssh daemon uses a pam module which sends requests to remote
>> radius/tacacs+ servers based on configuration.
>> Now if I create the user in /etc/passwd, then the ssh daemon calls pam and
>> everything works fine.
>> But if the user is not present in /etc/passwd, then the ssh daemon is not
>> calling pam. The debug log is given below. All this was working in
>> prior versions. Any idea why there is a dependency on local user accounts?
>> I have also given sshd's pam file.
>
>
> This behaviour is by-design and we don't have any intentions of changing
> it.
I should clarify: if we don't go through all the motions (calling into
PAM, etc.) for non-existent accounts, then that is a bug. This is done
to defeat timing attacks, not to provide support for systems where
accounts aren't visible to getpw*.
-d
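The timing attack Damien refers to is username enumeration: if the server answers faster for accounts that do not exist than for real accounts with a wrong password, an attacker can tell the two apart without ever guessing a password. The following is an added illustration, not code from the original post and not OpenSSH's implementation. It assumes a constructed in-memory account table and uses a PBKDF2 password check as a stand-in for the expensive step (in sshd's case the PAM conversation, which may call out to RADIUS/TACACS+); running unknown users against a dummy record is this example's own way of "going through the motions".

```python
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 30_000  # slow enough that the authentication "work" is measurable


def derive(password: str, salt: bytes) -> bytes:
    """Stand-in for the real authentication work (for sshd: the PAM conversation)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed account database for this example; not /etc/passwd data.
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, derive("correct horse", _ALICE_SALT))}

# Dummy record that unknown users are "verified" against so the slow path
# runs for them too. Its password is random and is never disclosed.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = derive(os.urandom(16).hex(), _DUMMY_SALT)


def login_leaky(user: str, password: str) -> bool:
    """The bug the reply describes: bail out early when the account is unknown.
    Unknown users are refused in microseconds, real users only after the KDF."""
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(derive(password, salt), stored)


def login_constant(user: str, password: str) -> bool:
    """Go through all the motions regardless of whether the account exists.
    Unknown users are run through the same KDF against the dummy record, and
    the result is ANDed with 'account exists' so the dummy can never log in."""
    rec = USERS.get(user)
    known = rec is not None
    salt, stored = rec if known else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(derive(password, salt), stored)
    return matched and known


def median_seconds(fn, user: str, password: str, samples: int = 9) -> float:
    """Median wall-clock time of fn(user, password) over a few samples."""
    times = []
    for _ in range(samples):
        t0 = time.perf_counter()
        fn(user, password)
        times.append(time.perf_counter() - t0)
    return statistics.median(times)


def timing_ratio(fn) -> float:
    """How much longer a wrong password for a real account takes than a wrong
    password for a non-existent account. Close to 1.0 means nothing to enumerate;
    a large value means the account list is leaking through response time."""
    real = median_seconds(fn, "alice", "wrong password")
    unknown = median_seconds(fn, "nosuchuser", "wrong password")
    return real / unknown


if __name__ == "__main__":
    for fn in (login_leaky, login_constant):
        print(f"{fn.__name__:15s} real/unknown time ratio: {timing_ratio(fn):8.1f}")
```

Running the block prints a ratio in the thousands for `login_leaky` and roughly 1.0 for `login_constant`. The same measurement, taken over the network against a password prompt, is how a tester checks a login service for user enumeration; the fix is always the same shape as `login_constant`: do the full amount of work for every username and decide afterwards.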
More information about the openssh-unix-dev mailing list