bugzilla-daemon at mindrot.org
2012-Jul-20 18:30 UTC
[Bug 1215] sshd requires entry from getpwnam for PAM accounts
https://bugzilla.mindrot.org/show_bug.cgi?id=1215

Matt Joyce <matt.joyce at cloudscaling.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |matt.joyce at cloudscaling.com

--- Comment #13 from Matt Joyce <matt.joyce at cloudscaling.com> ---
So can we fix this? It's been around causing damage for several years. And technically openssh is responsible for this bug breaking a ton of stuff for no particularly good reason.

So... I've seen probably 20 or so proposed patches to address the issue here. Can we just select one? Or allow people to selectively remove the pwnam check in sshd_config?

This is very annoying. And the reality is working around this or patching ssh willy nilly is not an acceptable way for engineering infrastructure.

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching the reporter of the bug.
bugzilla-daemon at mindrot.org
2012-Jul-23 08:10 UTC
[Bug 1215] sshd requires entry from getpwnam for PAM accounts
https://bugzilla.mindrot.org/show_bug.cgi?id=1215

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #14 from Damien Miller <djm at mindrot.org> ---
I've never seen the point in duplicating functionality already in nsswitch and similar mechanisms just for PAM.
bugzilla-daemon at mindrot.org
2012-Jul-23 17:42 UTC
[Bug 1215] sshd requires entry from getpwnam for PAM accounts
https://bugzilla.mindrot.org/show_bug.cgi?id=1215

--- Comment #15 from Matt Joyce <matt.joyce at cloudscaling.com> ---
(In reply to comment #14)
> I've never seen the point in duplicating functionality already in
> nsswitch and similar mechanisms just for PAM.

Well, not everyone has a full posix data set in their authentication / identity management backend. Also not all of them have an NSS module. I direct your attention to the 3000 some odd emails on google pertaining to the pam module for radius and people who can no longer use it without obscene workarounds.

In my case I am authenticating against a REST API in a cloud environment so I can pass cloud API credentials to a VM for tight integration to that API. I feel like that sort of authentication is pretty likely to occur in a number of areas. And making the solution portable has value. Requiring patched ssh or an nss module that all but breaks the hell out of getpwnam is pretty much terrible.

The way I see it, OpenSSH broke a bunch of stuff 6 years ago, has received chronic complaints, and has basically ignored it. And that's not very cool or responsible. This fix should never have gone in the way it was written, and that speaks volumes as to the level of quality control currently being held to.
bugzilla-daemon at mindrot.org
2012-Jul-23 18:05 UTC
[Bug 1215] sshd requires entry from getpwnam for PAM accounts
https://bugzilla.mindrot.org/show_bug.cgi?id=1215

--- Comment #16 from Tomas Mraz <t8m at centrum.cz> ---
Are you really talking about this bug? This never worked with OpenSSH afaik.
bugzilla-daemon at mindrot.org
2012-Jul-23 21:31 UTC
[Bug 1215] sshd requires entry from getpwnam for PAM accounts
https://bugzilla.mindrot.org/show_bug.cgi?id=1215

--- Comment #17 from Matt Joyce <matt.joyce at cloudscaling.com> ---
I am talking about this bug. It is still an issue.
bugzilla-daemon at mindrot.org
2012-Jul-24 00:50 UTC
[Bug 1215] sshd requires entry from getpwnam for PAM accounts
https://bugzilla.mindrot.org/show_bug.cgi?id=1215

--- Comment #18 from Damien Miller <djm at mindrot.org> ---
It didn't break six years ago. It never worked from day one (i.e. 1999). This was largely by design, since I've never liked PAM's adding an unnecessary layer of username indirection when better alternatives (NSS) exist.
bugzilla-daemon at mindrot.org
2012-Jul-24 00:55 UTC
[Bug 1215] sshd requires entry from getpwnam for PAM accounts
https://bugzilla.mindrot.org/show_bug.cgi?id=1215

--- Comment #19 from Matt Joyce <matt.joyce at cloudscaling.com> ---
NSS is not a 'better alternative'. It's not actually an alternative at all. It is in fact some other thing entirely that is not PAM or OpenSSH. A thing that has no bearing on the authentication chain as far as openssh is concerned.