Re: PAM changing user name

From: Darren Tucker (dtucker_at_gate.dodgy.net.au)
Date: 08/18/05


Date: 18 Aug 2005 14:29:38 GMT

On 2005-08-17, Per Hedeland <per@hedeland.org> wrote:
> I've run into the problem described in
> http://mail-index.netbsd.org/netbsd-bugs/2005/06/27/0005.html - i.e.
> "sshd doesn't honour PAM modules changing PAM_USER" (this is not on
> NetBSD though). The specific case matches the Radius example pretty well
> - i.e. the user should be allowed to log in with any username that gives
> successful authentication with a Radius server, and the PAM module will
> map them all to a single user that exists in the local passwd file.
>
> I'm running OpenSSH 3.8.1p1 with Darren Tucker's fix to make password
> authentication work with PAM backported - no problem upgrading to a more
> current version, but I'm wondering if this has been addressed in newer
> versions of Portable OpenSSH? I couldn't find anything about it in the
> ChangeLog. If not, is it "hard" to fix? If needed, I'll probably have a
> go at it, so any advice is welcome.

Having PAM map the username is not supported on any version. I'm not sure
how much effort it would be to change (and I'm not sure how it would
interact with privsep either).

> Somewhat surprisingly, it seems keyboard-interactive doesn't even try
> PAM in this case, while password does try it, but then rejects the login
> anyway ("illegal user" for the original username in both cases). I would
> rather have expected the opposite...

I think that has been fixed in the newer versions.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
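To make the order-of-operations point in the thread concrete, here is a small Python model added to this archive page (it is not code from the thread, from OpenSSH or from any PAM module). The `PamHandle` class, the `radius_mapping_module` function, the local passwd table and the RADIUS user table are all constructed stand-ins: the real mechanism is `pam_set_item`/`pam_get_item` on `PAM_USER` in libpam, and the numeric return codes are Linux-PAM's. The model contrasts an application that resolves the requested name against local passwd before PAM runs (so a remap can never take effect, giving the "illegal user" outcome described above) with one that re-reads `PAM_USER` after `pam_authenticate` and bases every later decision, including the passwd lookup and the audit record, on the mapped name.

```python
# Constructed model of PAM_USER remapping; not libpam, not sshd.

# Linux-PAM return codes (from the library's public header).
PAM_SUCCESS, PAM_AUTH_ERR = 0, 7

# Constructed tables: one local account, several RADIUS identities.
LOCAL_PASSWD = {"radius": {"uid": 1001, "home": "/home/radius"}}
RADIUS_USERS = {"alice": "pw-alice", "bob": "pw-bob"}
MAPPED_LOCAL_USER = "radius"
ALLOW_USERS = {"radius"}   # stands in for an sshd_config AllowUsers list
AUDIT_LOG = []


class PamHandle:
    """Stand-in for pam_handle_t holding the PAM_USER item (model only)."""

    def __init__(self, user):
        self.items = {"PAM_USER": user}

    def get_item(self, key):
        return self.items[key]

    def set_item(self, key, value):
        self.items[key] = value


def radius_mapping_module(pamh, password):
    """Model of the module from the thread: accept any RADIUS identity with a
    valid password, then point PAM_USER at the single local account."""
    user = pamh.get_item("PAM_USER")
    if RADIUS_USERS.get(user) != password:
        return PAM_AUTH_ERR
    pamh.set_item("PAM_USER", MAPPED_LOCAL_USER)
    return PAM_SUCCESS


def login_ignoring_remap(requested, password):
    """Order that defeats remapping: resolve the requested name against local
    passwd first, then run PAM and never read PAM_USER back."""
    if requested not in LOCAL_PASSWD:
        return ("illegal user", None)
    pamh = PamHandle(requested)
    if radius_mapping_module(pamh, password) != PAM_SUCCESS:
        return ("auth failed", None)
    return ("ok", requested)


def login_honouring_remap(requested, password):
    """Order that honours remapping: authenticate, re-read PAM_USER, and make
    the passwd lookup, the allow-list check and the audit record use it."""
    pamh = PamHandle(requested)
    if radius_mapping_module(pamh, password) != PAM_SUCCESS:
        return ("auth failed", None)
    effective = pamh.get_item("PAM_USER")
    if effective not in LOCAL_PASSWD:
        return ("illegal user", None)
    if effective not in ALLOW_USERS:
        return ("not allowed", None)
    # Keep both names: the mapped account alone would hide which RADIUS
    # identity actually logged in.
    AUDIT_LOG.append(f"login requested={requested} effective={effective}")
    return ("ok", effective)


if __name__ == "__main__":
    print(login_ignoring_remap("alice", "pw-alice"))   # ('illegal user', None)
    print(login_honouring_remap("alice", "pw-alice"))  # ('ok', 'radius')
    print(AUDIT_LOG)
```

The second function is the shape an application needs if it is to honour a module that changes `PAM_USER`; note that all authorization state computed before `pam_authenticate` (here the allow-list check) has to be redone for the effective user, which is the part the reply above flags as unclear under privilege separation.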