erik at math.uu.se
2001-Aug-15  20:40 UTC
PAM and getpwnam [ struct passwd *getpwnam(const char * name) ]
Hello!

I use a PAM module (pam_ncp_auth from ncpfs) for authentication against a NetWare server.

pam_ncp_auth can create local UNIX user accounts from information in NDS, and it works perfectly with login, gdm and telnet. But not with OpenSSH (2.5 and 2.9).

It works perfectly if the user already is in /etc/passwd, but the first time he logs on he doesn't exist there. In that case OpenSSH calls the function getpwnam to see if the user exists at all, and if he doesn't, sshd refuses to let the user log in.

Aaarg, I have tried one whole day to make some simple patch, but I am too stupid.

Hence, I want pam_ncp_auth to add the user's line in /etc/passwd before OpenSSH makes the call to getpwnam. Perhaps that is the preferred order for other PAM modules also?

Please, any suggestions...

regards
/Erik S

Erik Starbäck
KTH Syd, Södertälje, Sweden
Darren Moffat
2001-Aug-15  20:57 UTC
PAM and getpwnam [ struct passwd *getpwnam(const char * name) ]
> I use a PAM-module (pam_ncp_auth from ncpfs) for authentication against a
> netware server.
>
> pam_ncp_auth can create local UNIX user accounts from information in NDS,
> and it works perfect with login, gdm and telnet. But not with openssh (2.5
> and 2.9).

This module is broken. This is completely the wrong thing to do; a PAM module should not be adding entries into /etc/passwd.

What you should have is a PAM module for the authentication to NDS and an NSS (nsswitch.conf) module (nss_nds.so) for the lookups, so that getpwnam() will actually get the data from NDS. I believe this is how Novell's NDS for Solaris actually works.

> It works perfect if the user already is in /etc/passwd, but the first time
> he logs on he doesn't exist there. In that case openssh call the function
> getpwnam to see if the user exist at all, and if he doesn't the sshd
> refuse the user to login.

Correct behaviour. I don't think OpenSSH should be patched to fix a very broken solution like you have.

--
Darren J Moffat
Damien Miller
2001-Aug-16  00:17 UTC
PAM and getpwnam [ struct passwd *getpwnam(const char * name) ]
On Wed, 15 Aug 2001 erik at math.uu.se wrote:

> Hello!
>
> I use a PAM-module (pam_ncp_auth from ncpfs) for authentication against a
> netware server.
>
> pam_ncp_auth can create local UNIX user accounts from information in NDS,
> and it works perfect with login, gdm and telnet. But not with openssh (2.5
> and 2.9).

This query has come up in various forms a couple of times. My position is that, if you want to use alternate stores of account information, you should emulate the standard Unix APIs for accessing them. This means that your NDS must implement getpwnam, getpwuid, etc. Typically this is done through nsswitch libraries.

PAM is an authentication API; it shouldn't try to be an "authentication and fiddle with account information" API.

-d

--
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer