Mapping username in PAM and OpenSSH
Dan Yefimov
dan at nf15.lightwave.net.ru
Thu Jan 8 18:06:30 UTC 2009
On 08.01.2009 20:55, Francesco Di Natale wrote:
> Hello all,
>
> I have been looking in the archives and found that somebody talks about
> changing the username by using PAM
> (http://www.redhat.com/archives/pam-list/2008-November/msg00009.html).
>
> I am facing the same problem. I would like to access using OpenSSH
> another machine in which there is a PAM module that carries out a change
> of user. Let me explain it better. What I am trying to do is:
>
> 1. Through OpenSSH the user inputs as username 'anonymous' and
> password 'anonymous' too.
> 2. The PAM module tries to map 'guest' to 'system' and doesn't mind
> about the password.
> 3. The final result would be to see the prompt showing
> 'system@mycomputer$' and the corresponding folder mounted as the
> working one.
>
> This is the piece of code that is supposed to make the change of user:
>
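> #include <security/pam_modules.h>
>
> /* Authentication hook: sets PAM_USER to "system" and always succeeds. */
> int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
>                         const char **argv)
> {
>     /* retval is not checked; the function reports success regardless. */
>     int retval = pam_set_item(pamh, PAM_USER, "system");
>
>     return PAM_SUCCESS;
> }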
>
>
> BUT the log says that 'anonymous' is not a valid user and it doesn't log
> as 'system'. My questions are:
>
> * Despite the fact that I have created 'anonymous' as user, I
> haven't been capable of mapping the user 'system' with PAM.
> * I have taken a look at NSS (which is one of the solutions given
> in the previously mentioned thread) and don't know how it fits
> in this structure. Am I wrong?
> * Is it OpenSSH's fault, because it seems that it doesn't take into
> account the change of user?
> * Is user mapping possible in this structure (OpenSSH + PAM)?
>
That is a feature of OpenSSH. It is OpenSSH that is responsible for setting
UID/GID and supplementary GIDs before starting the user session. pam_set_item(pamh,
PAM_USER, "system") sets only the user name PAM is authenticating as, but OpenSSH
doesn't check whether PAM_USER was changed during pam_authenticate() or not.
Questions about OpenSSH are more appropriate on their mailing list.
--
Sincerely Your, Dan.
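
The difference described in the reply above, as an added example that is not part of the original thread and is not OpenSSH or Linux-PAM code: a small model contrasting an application that keeps the requested name with one that reads PAM_USER back after authentication. The handle struct, account table, UIDs and function names are all constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>

#define OK 0                       /* stands in for PAM_SUCCESS */

/* Stand-in for pam_handle_t; only the PAM_USER item is modelled. */
struct model_pamh { char user[32]; };

/* Constructed account table standing in for getpwnam(). */
struct acct { const char *name; int uid; };
static const struct acct ACCOUNTS[] = { {"system", 1001}, {"anonymous", 1002} };

static int lookup_uid(const char *name) {
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].name, name) == 0)
            return ACCOUNTS[i].uid;
    return -1;                     /* no such account */
}

/* The module from the question: pam_set_item(pamh, PAM_USER, "system"). */
static int model_authenticate(struct model_pamh *h) {
    snprintf(h->user, sizeof h->user, "%s", "system");
    return OK;
}

/* Application that fixes the account from the requested name and never
 * re-reads PAM_USER (the behaviour the reply describes). */
int uid_without_reread(const char *requested) {
    struct model_pamh h;
    int uid = lookup_uid(requested);           /* resolved before PAM runs */
    if (uid < 0) return -1;                    /* "not a valid user" */
    snprintf(h.user, sizeof h.user, "%s", requested);
    if (model_authenticate(&h) != OK) return -1;
    return uid;                                /* mapping is ignored */
}

/* Application that reads PAM_USER back after authentication, as
 * pam_get_item(pamh, PAM_USER, ...) would, and resolves that name. */
int uid_with_reread(const char *requested) {
    struct model_pamh h;
    snprintf(h.user, sizeof h.user, "%s", requested);
    if (model_authenticate(&h) != OK) return -1;
    return lookup_uid(h.user);                 /* may differ from requested */
}

int main(void) {
    printf("no re-read: %d\n", uid_without_reread("anonymous"));
    printf("re-read:    %d\n", uid_with_reread("anonymous"));
    return 0;
}
```

In the second variant the session identity is decided entirely by the module, so every requested name, including one with no account, ends up as 'system'.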