Authenticating users from proprietary user databases

Yaniv Aknin yaniv at aknin.name
Tue Oct 6 06:35:20 EST 2009


Hrmf, how simple, I didn't think about patching getpwnam() et al themselves,
I was somehow locked on patching the nsswitch circuitry.
But in this case, why not use LD_PRELOAD and avoid the need to build my own
OpenSSH and have two different OpenSSH builds?
Thanks,
 - Yaniv

On Mon, Oct 5, 2009 at 9:23 PM, Darren Tucker <dtucker at zip.com.au> wrote:

> Yaniv Aknin wrote:
> [...]
>
>> I'm not sure how to further handle this. Should I patch OpenSSH itself (oh
>> god, please, no...)? Should I use some dynamic LD_PRELOAD concoction to
>> 'rewrite' nsswitch.conf only for this sshd instance?
>>
>
> You could write those replacement functions for getpwnam() and friends and
> just statically link them into application sshd.  This is what we already do
> with libopenbsd-compat when there's a broken native function for which we
> have compat code (eg snprintf).
>
> As long as the replacement functions provide the system-level accounts that
> sshd expects (all I can think of is root and the privsep user) then it
> should work, and should not require any patching (just feed configure
> "--with-ldflags=-lyourlib").
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>    Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
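
The approach Darren Tucker describes above, as an added example (not code from this thread or from OpenSSH): replacement getpwnam() and getpwuid() that serve the system accounts and the database users from one table. The table contents, the privsep account name "sshd", MIN_APP_UID and the uid floor check are assumptions of this example.

```c
#include <pwd.h>
#include <string.h>
#include <sys/types.h>

#define MIN_APP_UID 1000  /* assumed floor for uids served from the user database */
struct rec { const char *name; uid_t uid; gid_t gid; const char *dir, *shell; int sys; };

/* Constructed records; a real library would query the proprietary database here. */
static const struct rec users[] = {
    /* System accounts sshd looks up itself (uids and paths are assumptions). */
    { "root",    0,    0,    "/root",            "/bin/sh",       1 },
    { "sshd",    74,   74,   "/var/empty",       "/sbin/nologin", 1 },
    { "alice",   5001, 5000, "/srv/app/alice",   "/bin/sh",       0 },
    { "mallory", 0,    0,    "/srv/app/mallory", "/bin/sh",       0 }, /* bad database record */
};
#define NUSERS (sizeof users / sizeof users[0])

/* Copy a record into static storage, as libc's getpwnam() does. Database records
 * claiming a uid below MIN_APP_UID are refused, so the store cannot mint a root account. */
static struct passwd *fill(const struct rec *r)
{
    static struct passwd pw;
    if (!r->sys && r->uid < MIN_APP_UID)
        return NULL;
    pw.pw_name = (char *)r->name;
    pw.pw_passwd = (char *)"*";   /* no password hash exposed through this interface */
    pw.pw_uid = r->uid;
    pw.pw_gid = r->gid;
    pw.pw_gecos = (char *)"";
    pw.pw_dir = (char *)r->dir;
    pw.pw_shell = (char *)r->shell;
    return &pw;
}

struct passwd *getpwnam(const char *name)
{
    for (size_t i = 0; i < NUSERS; i++)
        if (strcmp(users[i].name, name) == 0)
            return fill(&users[i]);
    return NULL;                  /* unknown user */
}

struct passwd *getpwuid(uid_t uid)
{
    struct passwd *pw = NULL;
    for (size_t i = 0; i < NUSERS && pw == NULL; i++)
        if (users[i].uid == uid)
            pw = fill(&users[i]);
    return pw;
}
```

Built into a library and passed to configure as quoted above, these definitions take the place of the libc lookups inside that sshd binary only.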


More information about the openssh-unix-dev mailing list