SSHD with PAM question

[Douglas E. Engert]

Ben Lindstrom wrote:

> 
> On Wed, 22 Sep 2004, Bob Bramwell wrote:
> 
> 
>>Greetings All,
>>
>>I am trying to get sshd to authenticate using PAM in a situation where there is
>>no password entry (as found by getpwent et. al.) for a user.  Setting:
> 
> 			^^^^^^^^^^^^^^^^^^^^^^^^^
> If getpwent() doesn't find a user.. Then you can forget about using that
> user.

But one of the features of PAM it that the PAM module can change the user.

An example of one of these is with Kerberos where the user enters
a principal name user at realm, and PAM can use the krb5_aname_to_localname
to determine what is the local username.

But sshd does the getpwnamallow before any of the auth methods, so even if
ssh was passed -l user at realm, it would never call the PAM module. Thus
all Kerberos uses must be in the default realm.

In effect sshd is doing the authorization check before the authentication.
Is there any reason that the getpwnameallow has to be called so early,
rather then after the authmethods?

There is also an information leak (i.e. descovery of existance of a local
acount) if the check is done before the authentication and used to shorten
any of the authmethods.

> 
> [..]
> 
>>If one were to fix input_userauth_info_response to be a little more forgiving
>>would that cause any grief, open any security holes, or whatever?
>>Would anyone
>>like to suggest a suitable approach to a fix?  Does this sound like a
>>good idea?
>>
> 
> 
> The correct fix is to teach your NSS code to look in the same place your
> PAM code is looking. That way "getpwent" and friends return real
> information.
> 
> - Ben
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444