Mapping username in PAM and OpenSSH

Dan Yefimov dan at nf15.lightwave.net.ru
Thu Jan 8 18:06:30 UTC 2009


On 08.01.2009 20:55, Francesco Di Natale wrote:
> Hello all,
>
> I have seen in the archives that somebody talks about changing
> the username by using PAM
> (http://www.redhat.com/archives/pam-list/2008-November/msg00009.html).
>
> I am facing the same problem. I would like to access using OpenSSH
> another machine in which there is a PAM module that carries out a change
> of user. Let me explain it better. What I am trying to do is:
>
>    1. Through OpenSSH the user inputs as username 'anonymous' and
>       password 'anonymous' too.
>    2. The PAM module tries to map 'guest' to 'system' and doesn't mind
>       about the password.
>    3. The final result would be to see the prompt showing
>       'system@mycomputer$' and the corresponding folder mounted as the
>       working one.
>
> This is the piece of code that is supposed to make the change of user:
>
> int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
>                         const char **argv)
> {
>     int retval = pam_set_item(pamh, PAM_USER, "system");
>
>     return PAM_SUCCESS;
> }
>
>
> BUT the log says that 'anonymous' is not a valid user and it doesn't log
> as 'system'. My questions are:
>
>     * Despite the fact that I have created 'anonymous' as user, I
>       haven't been capable of mapping the user 'system' with PAM.
>     * I have taken a look at NSS (which is one of the solutions given
>       in the previously mentioned thread) and don't know how it fits
>       in this structure. Am I wrong?
>     * Is it OpenSSH's fault, because it seems that it doesn't take into
>       account the change of user?
>     * Is user mapping possible in this structure (OpenSSH + PAM)?
>
That is a feature of OpenSSH. It is OpenSSH that is responsible for setting
the UID/GID and supplementary GIDs before starting the user session.
pam_set_item(pamh, PAM_USER, "system") sets only the user name PAM is
authenticating as, but OpenSSH doesn't check whether PAM_USER was changed
during pam_authenticate() or not.
Questions about OpenSSH are more appropriate on their mailing list.
-- 

Sincerely yours, Dan.
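
Added example, not part of either message and not OpenSSH or Linux-PAM code: what an application that honours a PAM username mapping has to do, namely re-read PAM_USER with pam_get_item() once the stack has run and look up that account, rather than keep the name the client sent. It calls the system libpam through Python's ctypes; the names `session_account` and `load_libpam`, the "other" service default, and the direct pam_set_item() call standing in for the module's mapping are assumptions of this example.

```python
import ctypes
import ctypes.util
import pwd

PAM_SUCCESS, PAM_USER = 0, 2  # constants from Linux-PAM's <security/_pam_types.h>

class PamConv(ctypes.Structure):
    # struct pam_conv; the callback stays NULL because nothing here prompts the user
    _fields_ = [("conv", ctypes.c_void_p), ("appdata_ptr", ctypes.c_void_p)]

def load_libpam():
    lib = ctypes.CDLL(ctypes.util.find_library("pam") or "libpam.so.0")
    handle = ctypes.c_void_p
    lib.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                              ctypes.POINTER(PamConv), ctypes.POINTER(handle)]
    lib.pam_set_item.argtypes = [handle, ctypes.c_int, ctypes.c_char_p]
    lib.pam_get_item.argtypes = [handle, ctypes.c_int, ctypes.POINTER(ctypes.c_void_p)]
    lib.pam_end.argtypes = [handle, ctypes.c_int]
    return lib

def session_account(login_name, mapped_name, service="other"):
    """Return (name, uid) of the account named by PAM_USER after the mapping."""
    lib = load_libpam()
    conv, pamh = PamConv(), ctypes.c_void_p()
    rc = lib.pam_start(service.encode(), login_name.encode(),
                       ctypes.byref(conv), ctypes.byref(pamh))
    if rc != PAM_SUCCESS:
        raise RuntimeError(f"pam_start failed with code {rc}")
    try:
        # Assumption: stands in for pam_authenticate(); the module in the post
        # makes this same pam_set_item() call from inside the stack.
        if lib.pam_set_item(pamh, PAM_USER, mapped_name.encode()) != PAM_SUCCESS:
            raise RuntimeError("pam_set_item(PAM_USER) failed")
        # The step the reply says OpenSSH does not perform: ask PAM which user
        # it ended up with instead of trusting the name given at pam_start().
        item = ctypes.c_void_p()
        if lib.pam_get_item(pamh, PAM_USER, ctypes.byref(item)) != PAM_SUCCESS or not item.value:
            raise RuntimeError("pam_get_item(PAM_USER) failed")
        name = ctypes.string_at(item.value).decode()  # copy before pam_end() frees it
        # A mapped name is only usable if it resolves to a real account;
        # pwd.getpwnam raises KeyError otherwise and no session should start.
        entry = pwd.getpwnam(name)
        return entry.pw_name, entry.pw_uid
    finally:
        lib.pam_end(pamh, PAM_SUCCESS)

if __name__ == "__main__":
    print(session_account("anonymous", "root"))
```

The uid returned here comes from the account PAM reports, which is the value a session would need for its UID/GID setup if the mapping were to take effect.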



