Re: PAM changing user name
From: Per Hedeland (per_at_hedeland.org)
Date: Thu, 18 Aug 2005 20:21:50 +0000 (UTC)
Tucker <firstname.lastname@example.org> writes:
>On 2005-08-17, Per Hedeland <email@example.com> wrote:
>> I've run into the problem described in
>> http://mail-index.netbsd.org/netbsd-bugs/2005/06/27/0005.html - i.e.
>> "sshd doesn't honour PAM modules changing PAM_USER" (this is not on
>> NetBSD though). The specific case matches the Radius example pretty well
>> - i.e. the user should be allowed to login with any username that gives
>> successful authentication with a Radius server, and the PAM module will
>> map them all to a single user that exists in the local passwd file.
>> I'm running OpenSSH 3.8.1p1 with Darren Tucker's fix to make password
>> authentication work with PAM backported - no problem upgrading to a more
>> current version, but I'm wondering if this has been addressed in newer
>> versions of Portable OpenSSH? I couldn't find anything about it in the
>> ChangeLog. If not, is it "hard" to fix? If needed, I'll probably have a
>> go at it, so any advice is welcome.
>Having PAM map the username is not supported on any version. I'm not sure
>how much effort it would be to change (and I'm not sure how it would
>interact with privsep either).
Thanks for the quick reply - I tried 4.1p1 and it was essentially the
same. Since I need it working and have limited time, I'll probably do
some more or less ugly "local hack" (excluding privsep if that's "too
hard") for now. At least you didn't say "it can't possibly be done".:-)
>> Somewhat surprisingly, it seems keyboard-interactive doesn't even try
>> PAM in this case, while password does try it, but then rejects the login
>> anyway ("illegal user" for the original username in both cases). I would
>> rather have expected the opposite...
>I think that has been fixed in the newer versions.
Yes, they seem to work the same in 4.1p1 - both "try" PAM, but
(intentionally) replace the password to make sure it fails.:-)