Mapping username in PAM and OpenSSH

Dan Yefimov dan at nf15.lightwave.net.ru
Thu Jan 8 23:03:14 UTC 2009


On 09.01.2009 1:58, Dan Yefimov wrote:
> On 09.01.2009 1:45, Steve Langasek wrote:
>>> That is a feature of OpenSSH. It is OpenSSH that is responsible for
>>> setting the UID/GID and supplementary GIDs before starting the user
>>> session. pam_set_item(pamh, PAM_USER, "system") sets only the user name
>>> PAM is authenticating as, but OpenSSH doesn't check whether PAM_USER was
>>> changed during pam_authenticate() or not. Questions about OpenSSH are
>>> more appropriate on their mailing list.
>>
>> It is true that OpenSSH is responsible for setting the ids; I would,
>> however, note that I think it's a (low-priority) bug in the PAM
>> implementation of OpenSSH that it doesn't honor username mappings from
>> the PAM stack.
>>
> Be it a bug or not, any questions about OpenSSH are appropriate on
> their mailing list. As a member of that list, however, I'd mention
> that that exact issue was raised there previously, but the OpenSSH
> developers, for a reason I don't currently remember, refused to deal
> with it. Please refer to that mailing list archive for details. My
> personal opinion about the issue in question is that your setup is
> unreasonably complex.

BTW, most PAM-aware applications don't check whether PAM_USER was changed
during pam_authenticate() either.
-- 

Sincerely Yours, Dan.