Re: PAM changing user name

From: Darren Tucker (dtucker_at_gate.dodgy.net.au)
Date: 08/18/05

Next message: Namit: "Client can't connect to the default port, but can connect to other ports"
Previous message: Darren Tucker: "Re: Premature termination of SSH connection attempts"
In reply to: Per Hedeland: "PAM changing user name"
Next in thread: Per Hedeland: "Re: PAM changing user name"
Reply: Per Hedeland: "Re: PAM changing user name"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 18 Aug 2005 14:29:38 GMT

On 2005-08-17, Per Hedeland <per@hedeland.org> wrote:
> I've run into the problem described in
> http://mail-index.netbsd.org/netbsd-bugs/2005/06/27/0005.html - i.e.
> "sshd doesn't honour PAM modules changing PAM_USER" (this is not on
> NetBSD though). The specific case matches the Radius example pretty well
> - i.e. the user should be allowed to login with any username that gives
> sucessful authentication with a Radius server, and the PAM module will
> map them all to a single user that exists in the local passwd file.
>
> I'm running OpenSSH 3.8.1p1 with Darren Tucker's fix to make password
> authentication work with PAM backported - no problem upgrading to a more
> current version, but I'm wondering if this has been addressed in newer
> versions of Portable OpenSSH? I couldn't find anything about it in the
> ChangeLog. If not, is it "hard" to fix? If needed, I'll probably have a
> go at it, so any advice is welcome.

Having PAM map the username is not supported on any version. I'm not sure
how much effort it would be to change (and I'm not sure how it would
interact with privsep either).

> Somewhat surprisingly, it seems keyboard-interactive doesn't even try
> PAM in this case, while password does try it, but then rejects the login
> anyway ("illegal user" for the original username in both cases). I would
> rather have expected the opposite...

I think that has been fixed in the newer versions.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Next message: Namit: "Client can't connect to the default port, but can connect to other ports"
Previous message: Darren Tucker: "Re: Premature termination of SSH connection attempts"
In reply to: Per Hedeland: "PAM changing user name"
Next in thread: Per Hedeland: "Re: PAM changing user name"
Reply: Per Hedeland: "Re: PAM changing user name"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: configure password prompt in SSH
... > and keyboard-interactive authentications? ... PAM, which is why the two are often used together). ... Darren Tucker ... Good judgement comes with experience. ...
(SSH)
Re: PAM changing user name
... The specific case matches the Radius example pretty well ... >> I'm running OpenSSH 3.8.1p1 with Darren Tucker's fix to make password ... >Having PAM map the username is not supported on any version. ... some more or less ugly "local hack" (excluding privsep if that's "too ...
(comp.security.ssh)
Re: Forcing new password at login (w/o requiring an old password) (sudo related)
... >> If you're using PAM then the user will be forced to set a new password ... >> when the existing one expires regardless of the authentication method. ... Darren Tucker ... Good judgement comes with experience. ...
(comp.security.ssh)
Re: OpenSSH 3.8p1 on Solaris with PAM/krb5
... Will that still use password auth ... it will use whatever PAM is configured for. ... Darren Tucker ... Good judgement comes with experience. ...
(SSH)
Re: OpenSSH 3.8p1 on Solaris with PAM/krb5
... > What do I need to do to get sshd to try to use PAM ... Set "PasswordAuthentication no" in sshd_config. ... Darren Tucker ... Good judgement comes with experience. ...
(SSH)