Subject: bin/30608: sshd doesn't honour PAM modules changing PAM_USER
To: None <firstname.lastname@example.org, email@example.com>
From: None <lukem@NetBSD.org>
Date: 06/27/2005 07:17:00
>Synopsis: sshd doesn't honour PAM modules changing PAM_USER
>Arrival-Date: Mon Jun 27 07:17:00 +0000 2005
>Originator: Luke Mewburn
>Release: NetBSD 3.0_BETA
PAM modules may change the value of PAM_USER as part of a
successful authentication. This allows a user to login
with one username but have the PAM module change that to
local username (to be looked up in the system passwd(5)
database) to provide the (traditional) UNIX user auth
* a RADIUS module that accepts "firstname.lastname@example.org"
as the original username and maps that to
a "template" user (e.g, "somedomain").
* a Kerberos module that accepts "user@realm"
and maps that to "user", whilst setting up
the appropriate credential cache for "user@realm".
This behaviour is acceptable in the "PAM way", at least as
far as I have been able to determine, and other users of
PAM (login, libtelnet, ...) correctly cope with this.
sshd (from OpenSSH) doesn't cope with this; it assumes that
the user name passed to PAM is the final one to authenticate
As an aside: this issue in OpenSSH may be the cause of
various problems that people have had in the past using
OpenSSH on systems in conjunction with PAM & RADIUS.
Unfortunately my (brief) research into this didn't reveal
many more helpful details.
Write a simple PAM module that accepts logins as "foo" but
maps that to the user "bar" using:
(void)pam_set_item(pamh, PAM_USER, "bar");
Attempt to ssh login as "foo" when there is not an existing
user "bar". (If there is an existing user "bar" it will
most likely use the incorrect passwd(5) entry)
Modify sshd to support changing the username (et al) of
the authctxt after a successful login (PAM_SUCCESS) to the
result of pam_get_item(..., PAM_USER, &newuser);
This appears non trivial because the change needs to work
with and without privsep.