On Sun, 20 Jun 2004, Alexey Zagarin wrote:
Hello!
Does anybody know, why sshd call getpwnam() even if user is
authenticating via PAM? This broke remote authentication (RADIUS,
TACACS+) when user doesn't exist in local password database.
This is typical behavior for most account based PAM applications
I've seen.
sshd in particular expects the user to have an system account,
even if the user has already been auth'd via PAM. It makes sense
from sshd's standpoint because it must read information from the
users home directory (which it gets from getpwnam).
On another note, I've yet to understand why PAM aware applications
don't do a pam_get_user (or equivalent) after PAM authentication
has been accepted as the PAM module. This would allow the PAM
module to say "user 'bob' you are authenticated, but your REAL
username should be 'id02345'". Sort of a username substitution.
I've had to patch the stock FTP server and c-client to do
this exact thing on our servers at work.
Nick Rogness <[EMAIL PROTECTED]>
-
How many people here have telekenetic powers? Raise my hand.
-Emo Philips
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
