Mapping username in PAM and OpenSSH

Dan Yefimov dan at nf15.lightwave.net.ru
Thu Jan 8 22:58:49 UTC 2009


On 09.01.2009 1:45, Steve Langasek wrote:
>> That is a feature of OpenSSH. It is OpenSSH that is responsible for
>> setting UID/GID and supplementary GIDs before starting user session.
>> pam_set_item(pamh, PAM_USER, "system") sets only user name PAM is
>> authenticating as, but OpenSSH doesn't check whether PAM_USER was changed
>> during pam_authenticate() or not. Questions about OpenSSH are more
>> appropriate in their mailing list.
>
> This is true that OpenSSH is responsible for setting the ids; I would,
> however, note that I think it's a (low-priority) bug in the PAM
> implementation of OpenSSH that it doesn't honor username mappings from
> the PAM stack.
>
Be it a bug or not, any questions about OpenSSH are appropriate in their
mailing list. As a member of that list, however, I'd mention that that exact
issue was raised there previously, but the OpenSSH developers, for a reason I
don't currently remember, refused to deal with it. Please refer to that mailing
list archive for details. My personal opinion about the issue in question is
that your setup is unreasonably complex.
-- 

Sincerely yours, Dan.
