SSHD with PAM question

Douglas E. Engert deengert at
Sat Sep 25 01:34:50 EST 2004

Damien Miller wrote:

> Douglas E. Engert wrote:
>>But one of the features of PAM it that the PAM module can change the user.
> I think that this is a bogus misfeature of PAM. One of the only parts of
> the PAM spec that I agree with is where it states that it isn't a
> replacement for NSS.

I don't think that was its intention. It believe it was intened to be
used to get the username if one was not already known, then pass it back
to the application or other PAM routines who would still use NSS.

But the ssh protocol has already passed in the local user name.  So in the
Kerberos PAM case where user at realm is needed and user != local user name
it might be possible to prompt for the user at realm in addition to the password,
ugly but do able.

But this discussion does bring up a point. The user must supply the
local user name to be used on the remote machine even if there is a way to
derive a default local user name from the credentials being used to authenticate.
krb5_aname_to_localname or the Globus GSI gridmap routines can do this.

So not only could the Kerberos PAM auth method benifit from allowing the
auth_method to change the user, the gssapi could too.

> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the openssh-unix-dev mailing list