[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: Mapping username in PAM and OpenSSH

From: Dan Yefimov <dan nf15 lightwave net ru>
To: Pluggable Authentication Modules <pam-list redhat com>
Subject: Re: Mapping username in PAM and OpenSSH
Date: Fri, 09 Jan 2009 01:58:49 +0300

On 09.01.2009 1:45, Steve Langasek wrote:

That is a feature of OpenSSH. It is OpenSSH that is responsible for
setting UID/GID and supplementary GIDs before starting user session.
pam_set_item(pamh, PAM_USER, "system") sets only user name PAM is
authenticating as, but OpenSSH doesn't check whether PAM_USER was changed
during pam_authenticate() or not. Questions about OpenSSH are more
appropriate in their mailing list.


This is true that OpenSSH is responsible for setting the ids; I would,
however, note that I think it's a (low-priority) bug in the PAM
implementation of OpenSSH that it doesn't honor username mappings from
the PAM stack.

Be it bug or not, anyway, any questions about OpenSSH are appropriate in theirmailing list. As a member of that list, however, I'd meantion, that that exactissue was raised there previously, but OpenSSH developers for the reason, Idon't remember currently, refused to deal with it. Please refer to that mailinglist archive for details. My personal opinion about the issue in question isthat your setup is unreasonably complex.

--

Sincerely Your, Dan.

Follow-Ups:
- Re: Mapping username in PAM and OpenSSH
  - From: Dan Yefimov

References:
- Mapping username in PAM and OpenSSH
  - From: Francesco Di Natale
- Re: Mapping username in PAM and OpenSSH
  - From: Dan Yefimov
- Re: Mapping username in PAM and OpenSSH
  - From: Steve Langasek

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]