SSHD with PAM question

Bob Bramwell bob at
Thu Sep 23 07:27:38 EST 2004

Greetings All,

I am trying to get sshd to authenticate using PAM in a situation where there is 
no password entry (as found by getpwent et. al.) for a user.  Setting:

	AllowUsers *
	UsePAM yes

causes the right PAM stuff to be invoked, but as soon as the PAM module tries to 
have a conversation with the (illegal) user (in order to get the password) sshd 
throws out the authentication context.  Is this necessary?  Or is it just that 
no one in their right mind ought to be trying to do this anyway?

If I have done my homework correctly:

- a user is "illegal" if getpwnamallow says so
- this will happen, in particular, if getpwnam returns NULL
- an "illegal" user results in a non-valid authctxt
- MUCH later, when the PAM auth module is running, it calls back into the
   sshd function input_userauth_info_response as part of the attempt
   to get a password from the user
- input_userauth_info_response will only invoke the
   kbdinitctxt->device->response function if the authctxt is valid
- at this point, since the whole process stalls out, the "next" auth method
   is tried, and the PAM context is destroyed.

If one were to fix input_userauth_info_response to be a little more forgiving 
would that cause any grief, open any security holes, or whatever?  Would anyone 
like to suggest a suitable approach to a fix?  Does this sound like a good idea?

Constructive criticism appreciated.


Bob Bramwell            Jasomi Networks (Canada) | This space
Ph: 403 269 2938 x155   #310 602 11th Ave SW     | intentionally
FX: 403 269 2993        Calgary, AB, T2R 1J8     | left blank.

More information about the openssh-unix-dev mailing list