Hi,

A simple question with perhaps a not so simple answer. :)

Does portable OpenSSH support that a PAM module changes the user during login?

That is, what we would like to achieve is that if user "foo" stored in an AA server like LDAP provides correct credentials (username + password) that user should end up in a shell process running as local user "bar" instead (and not be able to escape out to a process running as "foo").

Or is PAM the wrong tool for this? Should this be done using NSS instead?

/John