SSHD with PAM question
Bob Bramwell
bob at jasomi.com
Thu Sep 23 07:27:38 EST 2004
Greetings All,
I am trying to get sshd to authenticate using PAM in a situation where there is
no password entry (as found by getpwent et al.) for a user. Setting:
AllowUsers *
UsePAM yes
causes the right PAM stuff to be invoked, but as soon as the PAM module tries to
have a conversation with the (illegal) user (in order to get the password) sshd
throws out the authentication context. Is this necessary? Or is it just that
no one in their right mind ought to be trying to do this anyway?
If I have done my homework correctly:
- a user is "illegal" if getpwnamallow says so
- this will happen, in particular, if getpwnam returns NULL
- an "illegal" user results in a non-valid authctxt
- MUCH later, when the PAM auth module is running, it calls back into the
sshd function input_userauth_info_response as part of the attempt
to get a password from the user
- input_userauth_info_response will only invoke the
kbdinitctxt->device->response function if the authctxt is valid
- at this point, since the whole process stalls out, the "next" auth method
is tried, and the PAM context is destroyed.
If one were to fix input_userauth_info_response to be a little more forgiving
would that cause any grief, open any security holes, or whatever? Would anyone
like to suggest a suitable approach to a fix? Does this sound like a good idea?
Constructive criticism appreciated.
Cheers,
Bob.
--
Bob Bramwell Jasomi Networks (Canada) | This space
Ph: 403 269 2938 x155 #310 602 11th Ave SW | intentionally
FX: 403 269 2993 Calgary, AB, T2R 1J8 | left blank.
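The sequence the post lays out (getpwnamallow marking the user invalid, and input_userauth_info_response refusing to forward the password response to the device while the authctxt is invalid) can be modelled in a few lines. The following is an added, constructed C model written for this page; it is not sshd code, and the user table, the Authctxt fields and every function name prefixed with model_ are assumptions chosen to mirror the names in the post. It shows the one point where the gate sits: a name with no password entry never gets its response delivered to the PAM module, so any "more forgiving" change would be letting a PAM module authenticate a name that has no account on the system.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the system password database consulted by getpwnam(). */
static const char *known_users[] = { "alice", "bob", NULL };

/* Hypothetical subset of sshd's Authctxt, enough to follow the flow in the post. */
typedef struct {
    int  valid;          /* set by getpwnamallow: 1 only if a password entry exists */
    char user[64];
    int  response_calls; /* how often the device->response handler was reached */
    int  pam_ctx_alive;  /* 1 while the PAM context still exists */
} Authctxt;

/* Models getpwnam(): 1 if the name has an entry, 0 where the real call returns NULL. */
static int model_getpwnam(const char *name) {
    for (const char **p = known_users; *p != NULL; p++)
        if (strcmp(*p, name) == 0)
            return 1;
    return 0;
}

/* Models getpwnamallow(): the user is "illegal" when getpwnam returns NULL. */
static void model_getpwnamallow(Authctxt *a, const char *name) {
    strncpy(a->user, name, sizeof a->user - 1);
    a->user[sizeof a->user - 1] = '\0';
    a->valid = model_getpwnam(name);
    a->response_calls = 0;
    a->pam_ctx_alive = 1;
}

/* Models input_userauth_info_response(): the device's response handler runs
   only for a valid authctxt; otherwise the keyboard-interactive attempt stalls,
   the next auth method is tried and the PAM context is destroyed. */
static int model_info_response(Authctxt *a) {
    if (!a->valid) {
        a->pam_ctx_alive = 0;   /* PAM context torn down, password never seen */
        return 0;
    }
    a->response_calls++;        /* kbdintctxt->device->response would run here */
    return 1;
}

/* Runs the whole sequence for one user name.
   Returns 1 if the password conversation completed, 0 if sshd dropped it. */
int conversation_completes(const char *name) {
    Authctxt a;
    model_getpwnamallow(&a, name);
    return model_info_response(&a);
}

int main(void) {
    const char *names[] = { "alice", "nosuchuser" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s conversation %s\n", names[i],
               conversation_completes(names[i]) ? "completed" : "dropped");
    return 0;
}
```

Running the model with a name that exists in the constructed table reaches the response handler once; a name with no entry is dropped before any password is read, which is exactly the behaviour the post observed with AllowUsers * and UsePAM yes.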