[PATCH] Optionally allow pam_setcred to override gid

Ryan Cox ryan_cox at byu.edu
Tue Apr 14 03:54:50 AEST 2015

I would like to allow pam_setcred/pam_sm_setcred to override the gid
that is normally set for a user.  Currently the openssh code calls
do_pam_setcred, then it sets the gid to the user's gid as listed in
/etc/passwd, LDAP, or whatever, regardless of what the pam module set it
to.  I would instead like a pam module to be able to set the gid with
setgid() and not have it overwritten by openssh.

I wrote a patch that does just that by comparing getgid() before and 
after calling do_pam_setcred.  If the gid changes it sets pw->gid to the 
new gid, which is used in later functions.  I don't know if this is 
considered the proper way to achieve that behavior in a safe way but it 
seemed logical to me.  The behavior is optional; PermitGidOverride=no is 
the default.

As for the reasoning, this is for a scheduled environment using Slurm.  
I am developing a pam module that "adopts" ssh processes into the 
appropriate batch job on the node.  Users can launch jobs via Slurm that 
run with their gid as one of their supplementary groups.  As part of the 
adoption of the ssh process, I would like to set the ssh process's gid 
equal to that of the job it is being adopted into.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh_permit_gid_override.diff
Type: text/x-patch
Size: 8651 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150413/88f497b1/attachment.bin>
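
The before/after gid comparison described in the message, as an added example that is not part of the original post or the attached patch. The names session_model, setcred_hook, effective_session_gid and run_case are hypothetical, the gids are constructed, and the process gid is modelled in a struct so the logic runs without root.

```c
/* Added model of the getgid() before/after check; not OpenSSH code.
 * session_model, setcred_hook and effective_session_gid are hypothetical
 * names, and the process gid lives in a struct so this runs without root. */
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>

struct session_model {
    gid_t proc_gid;           /* stands in for the value getgid() returns */
    int permit_gid_override;  /* models PermitGidOverride; 0 is the default "no" */
};

/* Stand-in for the PAM setcred step, which may change the process gid. */
typedef void (*setcred_hook)(struct session_model *);
/* Constructed hooks: one adopts the session into a job with gid 5000. */
void adopt_into_job(struct session_model *s) { s->proc_gid = 5000; }
void no_change(struct session_model *s) { (void)s; }

/* Returns the gid the session ends up with after the setcred step. */
gid_t effective_session_gid(struct session_model *s, struct passwd *pw,
                            setcred_hook hook)
{
    gid_t before = s->proc_gid;
    hook(s);
    if (s->proc_gid != before && s->permit_gid_override)
        pw->pw_gid = s->proc_gid;   /* keep the gid the hook chose */
    /* Later code sets the gid from pw, so with the option off the
     * hook's change is overwritten by the account's own gid. */
    s->proc_gid = pw->pw_gid;
    return s->proc_gid;
}

/* Runs one constructed case: account gid 1000, daemon starting at gid 0. */
gid_t run_case(int permit, setcred_hook hook)
{
    struct passwd pw = {0};
    pw.pw_gid = 1000;
    struct session_model s = { 0, permit };
    return effective_session_gid(&s, &pw, hook);
}

int main(void)
{
    printf("option off: %ld, option on: %ld\n",
           (long)run_case(0, adopt_into_job), (long)run_case(1, adopt_into_job));
    return 0;
}
```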
