[RFC][PATCH] Detect and handle PAM changing user name
Darren Tucker
dtucker at zip.com.au
Fri May 25 08:24:13 EST 2007
James R. Leu wrote:
> I've implemented a patch to openssh which allows the PAM auth layer
> to detect if the PAM stack has changed the user name and then adjusts
> its internal data structures accordingly. (imagine a PAM stack that
> uses individual credentials to authenticate, but assigns the user to
> a role account).
>
> First, is the openssh community interested in this patch?
Maybe. I'm not convinced it's the right thing to do, though.
> Second, if there is interest in the patch, how do I go about
> submitting the patch for formal review?
Attach it to http://bugzilla.mindrot.org/show_bug.cgi?id=1215, but from
a brief look it appears your patch is a subset of the one already there
(which also handles the case where the user doesn't exist on the system,
normally this would get the login marked as invalid).
> Third, regardless of interest by the openssh community, is there
> anyone willing to review this code for me?
>
> PS I've tested the code path going through sshpam_auth_passwd(),
> but do know how to test the code path that goes through sshpam_thread().
Use ChallengeResponseAuthentication.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list