SSHD with PAM question

Damien Miller djm at mindrot.org
Fri Sep 24 12:00:16 EST 2004


Douglas E. Engert wrote:
> But one of the features of PAM it that the PAM module can change the user.

I think that this is a bogus misfeature of PAM. One of the only parts of
the PAM spec that I agree with is where it states that it isn't a
replacement for NSS.

Beyond the above, other reasons why we don't support this:

- It uglifies and complexifies the code, which would have to cope with
the username changing partway through authentication.

- By deciding early that a given username is invalid, we can prevent
bogus junk from reaching authentication code (especially dodgy PAM
libs/modules)

> There is also an information leak (i.e. discovery of the existence of a local
> account) if the check is done before the authentication and used to shorten
> any of the authmethods.

We are quite careful to avoid this; we try to go through all the motions
of authentication when we are presented with an invalid user (using
sanitised data).

-d
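The "go through all the motions" behaviour described above, as an added C sketch that is not OpenSSH's code (OpenSSH builds its sanitised entry in fakepw() in auth.c; nothing here is taken from it). The user table, the placeholder entry, the passwords and the iterated-FNV work function standing in for crypt(3) are all constructed for the example. A leaky early-return version sits beside the constant-path one, and a call counter on the expensive step makes the difference checkable without timing measurements.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct pwent {
    const char *name;
    const char *salt;
    uint64_t    hash;   /* slow_hash(salt, real password), filled by db_init */
};

/* Calls to the expensive step; lets the two strategies be compared
 * without depending on wall-clock timing. */
static unsigned long hash_calls;

/* Stand-in for crypt(3)/bcrypt so no -lcrypt is needed: iterated FNV-1a
 * over salt and password. Slow enough that skipping it would be visible
 * over the network; NOT a real password hash. */
static uint64_t slow_hash(const char *salt, const char *pw)
{
    uint64_t h = 1469598103934665603ULL;
    hash_calls++;
    for (int round = 0; round < 100000; round++) {
        for (const char *p = salt; *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
        for (const char *p = pw; *p; p++)   { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    }
    return h;
}

/* Constructed user database; hashes are computed in db_init(). */
static struct pwent users[] = {
    { "alice", "s4lt-a", 0 },
    { "bob",   "s4lt-b", 0 },
};
#define NUSERS (sizeof(users) / sizeof(users[0]))

/* Sanitised placeholder for unknown names: fixed, shared by every invalid
 * login so repeated probes do identical work, and never a real account. */
static const struct pwent fakepw = { "NOUSER", "00000000", 0 };

void db_init(void)
{
    users[0].hash = slow_hash(users[0].salt, "correct horse");
    users[1].hash = slow_hash(users[1].salt, "battery staple");
}

static const struct pwent *lookup(const char *name)
{
    for (size_t i = 0; i < NUSERS; i++)
        if (strcmp(users[i].name, name) == 0)
            return &users[i];
    return NULL;
}

static int hash_eq(uint64_t a, uint64_t b)
{
    return (a ^ b) == 0;
}

/* Leaky version: an unknown user returns before any hashing, so
 * "invalid user" answers measurably faster than "wrong password". */
int auth_naive(const char *name, const char *password)
{
    const struct pwent *pw = lookup(name);
    if (pw == NULL)
        return 0;
    return hash_eq(slow_hash(pw->salt, password), pw->hash);
}

/* Constant-path version: decide validity early (junk never reaches a real
 * entry), substitute the placeholder, and do exactly the same hashing
 * either way. The final AND guarantees an invalid user can never succeed,
 * whatever the placeholder comparison returns. */
int auth_constant_path(const char *name, const char *password)
{
    const struct pwent *pw = lookup(name);
    int valid = (pw != NULL);
    if (!valid)
        pw = &fakepw;
    int result = hash_eq(slow_hash(pw->salt, password), pw->hash);
    return result & valid;
}

int main(void)
{
    db_init();
    hash_calls = 0;
    auth_naive("mallory", "guess");
    printf("naive, unknown user:         %lu hash calls\n", hash_calls);
    hash_calls = 0;
    auth_constant_path("mallory", "guess");
    printf("constant-path, unknown user: %lu hash calls\n", hash_calls);
    return 0;
}
```

The counter shows the naive path doing no hashing for an unknown name while the constant path does one hash call, the same as a wrong password for a real account. Real deployments also have to keep the other auth methods (public key, keyboard-interactive) on the same footing, which is the point of rejecting early but still running the sanitised entry through the whole sequence.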
