Mapping username in PAM and OpenSSH
Steve Langasek
vorlon at debian.org
Thu Jan 8 22:45:41 UTC 2009
On Thu, Jan 08, 2009 at 09:06:30PM +0300, Dan Yefimov wrote:
>> BUT the log says that 'anonymous' is not a valid user and it doesn't log
>> as 'system'. My questions are:
>> * Despite the fact that I have created 'anonymous' as user, I
>> haven't been capable of mapping the user 'system' with PAM.
>> * I have taken a look at NSS (which is one of the solutions given
>> in the previously mentioned thread) and don't know how it fits
>> in this structure. Am I wrong?
>> * Is it OpenSSH's fault, because it seems that it doesn't take into
>> account the change of user?
>> * Is user mapping possible in this structure (OpenSSH + PAM)?
> That is a feature of OpenSSH. It is OpenSSH that is responsible for
> setting UID/GID and supplementary GIDs before starting user session.
> pam_set_item(pamh, PAM_USER, "system") sets only user name PAM is
> authenticating as, but OpenSSH doesn't check whether PAM_USER was changed
> during pam_authenticate() or not. Questions about OpenSSH are more
> appropriate in their mailing list.
It is true that OpenSSH is responsible for setting the ids; I would,
however, note that I think it's a (low-priority) bug in the PAM
implementation of OpenSSH that it doesn't honor username mappings from
the PAM stack.
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                vorlon at debian.org