PAM_RUSER questions
Jan Pechanec
Jan.Pechanec at Sun.COM
Fri Aug 24 05:36:48 EST 2007
On Thu, 23 Aug 2007, Michelizza Arnauld wrote:
>By looking at the code, I saw that PAM_RUSER is not set by sshd.
>Is there a reason why?
>If I write a patch to add that feature, is there a chance for it to be
>included in the main distrib?

Speaking for myself - PAM_RUSER is rsh/rlogin stuff and should not
be used for other apps since its value is not trusted; it's useless for
audit logs, for example. Aside from hostbased auth (and gss-api maybe, I'm
not sure now), you can use anything as a value for the remote user client
field and it can't be verified. For example, Solaris uses PAM_AUSER (audited
user) for hostbased and for this one auth method a remote user can log in
directly to a role because as far as the remote host is trusted, the
information on remote client username is trusted.

J.
--
Jan Pechanec