[RFC][PATCH] Detect and handle PAM changing user name

Darren Tucker dtucker at zip.com.au
Fri May 25 08:24:13 EST 2007


James R. Leu wrote:
> I've implemented a patch to openssh which allows the PAM auth layer
> to detect if the PAM stack has changed the user name and then adjusts
> its internal data structures accordingly.  (imagine a PAM stack that
> uses individual credentials to authenticate, but assigns the user to
> a role account).
> 
> First, is the openssh community interested in this patch?

Maybe.  I'm not convinced it's the right thing to do, though.

> Second, if there is interest in the patch, how do I go about
> submitting the patch for formal review?

Attach it to http://bugzilla.mindrot.org/show_bug.cgi?id=1215, but from
a brief look it appears your patch is a subset of the one already there
(which also handles the case where the user doesn't exist on the system;
normally this would get the login marked as invalid).

> Third, regardless of interest by the openssh community, is there
> anyone willing to review this code for me?
> 
> PS I've tested the code path going through sshpam_auth_passwd(),
> but do know how to test the code path that goes through sshpam_thread().

Use ChallengeResponseAuthentication.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

