PAM changing user name

From: Per Hedeland (per_at_hedeland.org)
Date: 08/18/05


Date: Wed, 17 Aug 2005 22:51:16 +0000 (UTC)

Hi,

I've run into the problem described in
http://mail-index.netbsd.org/netbsd-bugs/2005/06/27/0005.html - i.e.
"sshd doesn't honour PAM modules changing PAM_USER" (this is not on
NetBSD though). The specific case matches the Radius example pretty well
- i.e. the user should be allowed to log in with any username that gives
successful authentication with a Radius server, and the PAM module will
map them all to a single user that exists in the local passwd file.

I'm running OpenSSH 3.8.1p1 with Darren Tucker's fix to make password
authentication work with PAM backported - no problem upgrading to a more
current version, but I'm wondering if this has been addressed in newer
versions of Portable OpenSSH? I couldn't find anything about it in the
ChangeLog. If not, is it "hard" to fix? If needed, I'll probably have a
go at it, so any advice is welcome.

Somewhat surprisingly, it seems keyboard-interactive doesn't even try
PAM in this case, while password does try it, but then rejects the login
anyway ("illegal user" for the original username in both cases). I would
rather have expected the opposite...

--Per Hedeland
per@hedeland.org

PS I think the "How-To-Repeat" clause in the above report was
misformulated - of course the PAM module must map to an existing local
user. Or at least that's the only case I'm interested in.