SSH PAM authentication/login with a new user DB (through NSS)

Hosung Song hosungs at gmail.com
Wed Feb 4 11:58:48 EST 2009


Hello,

I'm a novice system programmer and I need some knowledge about how 
sshd/PAM/NSS work together. The email may be long and unclear, but I 
would greatly appreciate it if anyone could give me some info. TIA.

I'm developing a new authentication module for the Linux login service. I'm 
like a novice developer in this area, so I had to study this and that. I 
started with PAM naively, and the example PAM application seemed to 
authenticate the user all right. When I tried my PAM module on the ssh 
server, it always returned "  INCORRECT" as the entered password, even 
though a correct password was entered. I admit that that led me to look 
into sshd's source code, and realized that sshd requires that every user 
attempting to log in should be valid in the sense that getpwnam() returns 
a correct passwd struct. So, I realized again that I needed to implement 
a new NSS (Name Service Switch) module myself for this additional 
authentication method. I tested my NSS module with example queries of 
getpwnam() and getpwuid(), so I tried to integrate and test everything 
with sshd. Now, sshd recognizes the users and entered passwords are 
accepted, so the PAM module successfully authenticates. It can be 
confirmed through the following /var/log/auth.log line:

Feb  3 14:54:11 dharma sshd[7843]: Accepted keyboard-interactive/pam for hosungs at gmail.com from 127.0.0.1 port 48748 ssh2

However, before the login prompt is granted, the connection is closed. 
The corresponding debug log is as follows:

...
Feb  3 14:54:11 dharma sshd[7863]: debug1: Allocating pty.
Feb  3 14:54:11 dharma sshd[7863]: debug3: mm_request_send entering: type 26
Feb  3 14:54:11 dharma sshd[7863]: debug3: mm_pty_allocate: waiting for MONITOR_ANS_PTY
Feb  3 14:54:11 dharma sshd[7863]: debug3: mm_request_receive_expect entering: type 27
Feb  3 14:54:11 dharma sshd[7863]: debug3: mm_request_receive entering
Feb  3 14:54:11 dharma sshd[7843]: debug2: User child is on pid 7863
Feb  3 14:54:11 dharma sshd[7843]: debug3: mm_request_receive entering
Feb  3 14:54:11 dharma sshd[7843]: debug3: monitor_read: checking request 26
Feb  3 14:54:11 dharma sshd[7843]: debug3: mm_answer_pty entering
Feb  3 14:54:11 dharma sshd[7843]: debug1: session_new: init
Feb  3 14:54:11 dharma sshd[7843]: debug1: session_new: session 0
Feb  3 14:54:11 dharma sshd[7843]: debug1: SELinux support disabled
Feb  3 14:54:11 dharma sshd[7843]: fatal: login_init_entry: Cannot find user ""
Feb  3 14:54:11 dharma sshd[7843]: debug1: do_cleanup
Feb  3 14:54:11 dharma sshd[7843]: debug1: PAM: cleanup
Feb  3 14:54:11 dharma sshd[7843]: debug3: PAM: sshpam_thread_cleanup entering
Feb  3 14:54:11 dharma sshd[7843]: debug1: session_pty_cleanup: session 0 release /dev/pts/4
Feb  3 14:54:11 dharma sshd[7843]: fatal: login_init_entry: Cannot find user ""
Feb  3 14:54:11 dharma sshd[7843]: debug1: do_cleanup
Feb  3 14:54:11 dharma sshd[7863]: debug1: do_cleanup
Feb  3 14:54:11 dharma sshd[7863]: debug1: PAM: cleanup
Feb  3 14:54:11 dharma sshd[7863]: debug3: PAM: sshpam_thread_cleanup entering
...

It looks like login_init_entry()'s username parameter (which is passed 
through login_alloc_entry(), record_login(), and do_login(), where the 
passwd struct used is s->pw of the Session parameter s) comes from a 
passwd struct that is somehow different (blank?) from the one filled 
earlier by my NSS module at the time of authentication.

I tried to analyze the sshd source code as much as possible to figure 
out how the passwd structs are related (noticed that PAM authentication 
is done by a separate thread, and I'm not sure how the getpwnam() result 
obtained in the sshpam thread is passed back to the parent thread), but 
my lack of patience or expertise keeps me from making any further 
progress. I think I may be missing something in my PAM module, but that 
isn't very clear either.

Any of your expert comments would be greatly appreciated. I'm not yet a 
subscriber of this mailing list, so I may need to be CC'ed in your response.

Thanks,

Hosung Song
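An added diagnostic, not part of the original message: it looks a user up through NSS with getpwnam_r(), the reentrant form of the getpwnam() call sshd makes, and checks that the returned struct passwd has a non-empty pw_name and that every string field points into the caller-supplied buffer, which is what an NSS module's _nss_*_getpwnam_r must guarantee. The return codes and the default user name "root" are my own choices.

```c
/* Query a user through the NSS chain and validate the returned struct passwd. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Return codes of check_pwent(); chosen for this example. */
enum { PW_OK = 0, PW_NOT_FOUND = 1, PW_LOOKUP_ERROR = 2, PW_BAD_ENTRY = 3 };

/* True if p points inside [buf, buf+len). An NSS module must copy every
 * string of the passwd entry into the buffer the caller supplied; a field
 * left pointing at module-private or stack memory may read back empty. */
static int in_buffer(const char *p, const char *buf, size_t len)
{
    return p != NULL && p >= buf && p < buf + len;
}

/* Look `name` up with getpwnam_r() and sanity-check the result. */
int check_pwent(const char *name)
{
    struct passwd pw, *res = NULL;
    char buf[4096];
    int rc = getpwnam_r(name, &pw, buf, sizeof buf, &res);

    if (rc != 0) {
        fprintf(stderr, "getpwnam_r(%s): %s\n", name, strerror(rc));
        return PW_LOOKUP_ERROR;         /* module error, buffer too small, ... */
    }
    if (res == NULL)
        return PW_NOT_FOUND;            /* no NSS source knows this user */

    /* pw_name must be non-empty (sshd logged: Cannot find user ""), and
     * all string fields must live in buf; pw_shell/pw_passwd may be "". */
    if (!in_buffer(pw.pw_name, buf, sizeof buf) || pw.pw_name[0] == '\0' ||
        !in_buffer(pw.pw_dir, buf, sizeof buf) ||
        !in_buffer(pw.pw_shell, buf, sizeof buf) ||
        !in_buffer(pw.pw_passwd, buf, sizeof buf))
        return PW_BAD_ENTRY;

    printf("%s: uid=%u gid=%u dir=%s shell=%s\n", pw.pw_name,
           (unsigned)pw.pw_uid, (unsigned)pw.pw_gid, pw.pw_dir, pw.pw_shell);
    return PW_OK;
}

int main(int argc, char **argv)
{
    return check_pwent(argc > 1 ? argv[1] : "root");
}
```

Run it as the user sshd resolves, both as root and as an unprivileged user, since the monitor and the unprivileged child resolve the entry in different processes.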


More information about the openssh-unix-dev mailing list