PAM_RUSER questions

Jan Pechanec Jan.Pechanec at Sun.COM
Fri Aug 24 05:36:48 EST 2007


On Thu, 23 Aug 2007, Michelizza Arnauld wrote:

>By looking at the code, I saw that PAM_RUSER is not set by sshd.
>Is there a reason why?
>If I write a patch to add that feature, is there a chance for it to be
>included in the main distrib?

Speaking for myself - PAM_RUSER is rsh/rlogin stuff and should not 
be used for other apps since its value is not trusted; it's useless for 
audit logs, for example. Aside from hostbased auth (and gss-api maybe, I'm 
not sure now), you can use anything as a value for the remote user client 
field and it can't be verified. For example, Solaris uses PAM_AUSER (audited 
user) for hostbased, and for this one auth method a remote user can log in 
directly to a role because as far as the remote host is trusted, the 
information on the remote client username is trusted. J.

-- 
Jan Pechanec


More information about the openssh-unix-dev mailing list