In 1.2.1 there's:

passdb-pam.c:230         status = pam_get_item(pamh, PAM_USER, &item);
passdb-pam.c:237         auth_request_set_field(request, "user", item, NULL);

so "item" is PAM_USER, which is then checked by auth_request_set_field:

1022                 if (strcmp(request->user, value) != 0) {
1023                         auth_request_log_debug(request, "auth",
1024                                 "username changed %s -> %s",
1025                                 request->user, value);

that it hasn't changed.

You're not allowed to assume that PAM_USER doesn't change. See, for example, http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/adg-security-user-identity.html to say nothing of the fact that Rutgers has PAM modules that do exactly that (change PAM_USER). This check needs to be relaxed (or, perhaps if you want a config directive for DontComplyWithThePAMSpec = true, you can have a tunable). Can this be as simple as ditching the call to auth_request_set_field, or is there concern over interactions between PAM and other auth features?

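The two behaviours under discussion, the 1.2.1 check that fails the login when PAM_USER differs from the requested user and the PAM-spec behaviour of taking the post-authentication PAM_USER as authoritative, as an added example that is not Dovecot's code and not part of the post. The value that pam_get_item(pamh, PAM_USER, &item) would return after pam_authenticate() is passed in directly so the block builds without libpam; the type and function names (struct auth_req, apply_pam_user, run_scenario, the pam_user_policy tunable) are hypothetical, and the "alice" -> "alice@example.org" rewrite is a constructed scenario.

```c
/* Added example (not Dovecot's code): model of the PAM_USER handling
 * discussed above. In the real passdb-pam.c the string comes from
 * pam_get_item(pamh, PAM_USER, &item) after pam_authenticate(); here it
 * is a parameter so the block compiles without libpam. All names below
 * are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum pam_user_policy {
    PAM_USER_RELAXED,  /* PAM spec: PAM_USER after auth is the identity to use */
    PAM_USER_STRICT    /* 1.2.1 behaviour: a changed PAM_USER fails the login */
};

enum pam_user_result {
    PAM_USER_UNCHANGED, /* PAM_USER equals the requested user */
    PAM_USER_REMAPPED,  /* PAM_USER differed and was adopted (relaxed policy) */
    PAM_USER_REJECTED,  /* PAM_USER differed and strict policy refused it */
    PAM_USER_MISSING    /* item was NULL/empty: never trust such a session */
};

struct auth_req {
    char *user;  /* name the client logged in with; may be replaced */
};

/* Decide what to do with the PAM_USER value seen after pam_authenticate().
 * Returns the outcome; on PAM_USER_REMAPPED req->user now holds a copy of
 * pam_user (the PAM item itself is owned by the handle and dies at pam_end()). */
enum pam_user_result apply_pam_user(struct auth_req *req, const char *pam_user,
                                    enum pam_user_policy policy)
{
    if (pam_user == NULL || *pam_user == '\0')
        return PAM_USER_MISSING;

    if (strcmp(req->user, pam_user) == 0)
        return PAM_USER_UNCHANGED;

    if (policy == PAM_USER_STRICT) {
        fprintf(stderr, "pam: username changed %s -> %s, rejecting\n",
                req->user, pam_user);
        return PAM_USER_REJECTED;
    }

    /* Relaxed: a module rewrote PAM_USER (aliasing, canonicalisation, ...),
     * so everything after authentication must use the new name. */
    fprintf(stderr, "pam: username changed %s -> %s, adopting\n",
            req->user, pam_user);
    char *copy = strdup(pam_user);
    if (copy == NULL)
        return PAM_USER_MISSING;
    free(req->user);
    req->user = copy;
    return PAM_USER_REMAPPED;
}

/* Run one scenario: login name, PAM_USER after auth, policy. The resulting
 * username is returned through *out (caller frees it). */
enum pam_user_result run_scenario(const char *login, const char *pam_user,
                                  enum pam_user_policy policy, char **out)
{
    struct auth_req req = { strdup(login) };
    enum pam_user_result r = apply_pam_user(&req, pam_user, policy);
    *out = req.user;
    return r;
}

int main(void)
{
    char *u;
    enum pam_user_result r;

    /* Constructed scenario: a module rewrote "alice" to "alice@example.org". */
    r = run_scenario("alice", "alice@example.org", PAM_USER_RELAXED, &u);
    printf("relaxed: result=%d user=%s\n", r, u);
    free(u);

    r = run_scenario("alice", "alice@example.org", PAM_USER_STRICT, &u);
    printf("strict:  result=%d user=%s\n", r, u);
    free(u);
    return 0;
}
```

The one thing neither policy may do is keep the pre-authentication name while a module has set a different PAM_USER: under the relaxed policy the rewritten name is copied into the request, under the strict policy the login fails, and a NULL or empty item is treated as a failure rather than as "unchanged".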