<<pam_user.patch>>

Hello. I created a patch that causes sshd to take notice of the value of PAM_USER after calling into the pam_xxx functions. This makes it possible for a PAM module to effect user mappings by setting the value of PAM_USER with pam_set_item(). If anyone has comments or suggestions, let me know.

Thanks,
Jeremy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_user.patch
Type: application/octet-stream
Size: 8581 bytes
Desc: pam_user.patch
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020830/60be3f21/attachment.obj

On Fri, 30 Aug 2002, Jeremy Ellington wrote:
> <<pam_user.patch>>
> Hello. I created a patch that causes sshd to take notice of the
> value of PAM_USER after calling into the pam_xxx functions. This makes
> it possible for a PAM module to effect user mappings by setting the
> value of PAM_USER with pam_set_item(). If anyone has comments or
> suggestions, let me know.

I've not looked at the patch yet.

This is the correct behaviour to aim for with respect to PAM. However I think this may be in conflict with the spirit of the SSH protocol, though I can't find anything specific in the userauth draft that confirms this.

--
Darren J Moffat

Two things off hand.

1. You're repeating the code over and over. Make it a function call.

2. Look at openbsd's 'style' page. As it sits now it would not be accepted because it does not follow the correct code format.

Also, one needs to check to see if this is honored by Solaris/hpux or if this is a Linux oddity.

- Ben

On Fri, 30 Aug 2002, Jeremy Ellington wrote:
> <<pam_user.patch>>
> Hello. I created a patch that causes sshd to take notice of the value of PAM_USER after calling into the pam_xxx functions. This makes it possible for a PAM module to effect user mappings by setting the value of PAM_USER with pam_set_item(). If anyone has comments or suggestions, let me know.
>
> Thanks,
> Jeremy
>

I've made the requested changes, and I've tested this on Linux 2.4.2 with both auth and account entry points. The new diff (pam_user.diff) is attached.

-----Original Message-----
From: Darren J Moffat [mailto:Darren.Moffat at Sun.COM]
Sent: Friday, August 30, 2002 1:42 PM
To: Ben Lindstrom
Cc: Jeremy Ellington; jm at ibs.com.au; openssh-unix-dev at mindrot.org
Subject: Re: Patch so that sshd makes use of PAM_USER

On Fri, 30 Aug 2002, Ben Lindstrom wrote:
>
> Two things off hand.
>
> 1. You're repeating the code over and over. Make it a function call.
>
> 2. Look at openbsd's 'style' page. As it sits now it would not be
> accepted because it does not follow the correct code format.
>
>
> also, one needs to check to see if this is honored by Solaris/hpux or if
> this is a Linux oddity.

This is part of the original PAM spec. There are no modules shipped by Sun for Solaris that actually change the PAM_USER but I know it does work if such a module should be installed. Since the HP code originally came from Sun it should work there as well.

To test this create a PAM module that implements pam_sm_authenticate and in it use pam_set_item to change the value of PAM_USER. The change should be reflected back in the application when it calls pam_get_item.

> On Fri, 30 Aug 2002, Jeremy Ellington wrote:
>
> > <<pam_user.patch>>
> > Hello. I created a patch that causes sshd to take notice of the value of PAM_USER after calling into the pam_xxx functions. This makes it possible for a PAM module to effect user mappings by setting the value of PAM_USER with pam_set_item(). If anyone has comments or suggestions, let me know.
> >
> > Thanks,
> > Jeremy
> >

--
Darren J Moffat

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_user.diff
Type: application/octet-stream
Size: 5285 bytes
Desc: pam_user.diff
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020830/065fc8ec/attachment.obj

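The read-back that Darren describes leaves the application with a decision to make, shown here as an added example that is not part of the thread, the attached diffs, or OpenSSH: once PAM_USER has been fetched with pam_get_item(), the account has to be resolved again from that name, and the login refused if nothing stands behind it. The names resolve_pam_user, lookup_fn and demo_lookup and the account table are assumptions made for this example; real code would pass getpwnam as the lookup.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

enum remap { REMAP_UNCHANGED, REMAP_MAPPED, REMAP_DENY };

/* Same shape as getpwnam(3), so real code can pass getpwnam itself. */
typedef struct passwd *(*lookup_fn)(const char *);

/* Constructed account table standing in for the passwd database. */
static struct passwd demo_db[] = {
	{ .pw_name = "jdoe", .pw_uid = 1001, .pw_gid = 1001 },
	{ .pw_name = "svc-map", .pw_uid = 2001, .pw_gid = 2001 },
};

struct passwd *
demo_lookup(const char *name)
{
	for (size_t i = 0; i < sizeof(demo_db) / sizeof(demo_db[0]); i++)
		if (strcmp(demo_db[i].pw_name, name) == 0)
			return &demo_db[i];
	return NULL;
}

/*
 * requested: user name from the client's authentication request.
 * pam_user:  PAM_USER as read back after the PAM call; may be NULL.
 * Fails closed: no PAM_USER, or no account behind it, means no session.
 */
enum remap
resolve_pam_user(const char *requested, const char *pam_user,
    lookup_fn lookup, struct passwd **pw_out)
{
	*pw_out = NULL;
	if (requested == NULL || pam_user == NULL || *pam_user == '\0')
		return REMAP_DENY;
	if ((*pw_out = lookup(pam_user)) == NULL)
		return REMAP_DENY;
	return strcmp(requested, pam_user) == 0 ? REMAP_UNCHANGED : REMAP_MAPPED;
}

int
main(void)
{
	struct passwd *pw;
	enum remap r = resolve_pam_user("jdoe", "svc-map", demo_lookup, &pw);

	if (r == REMAP_MAPPED)	/* a mapping deserves an audit log line */
		printf("mapped jdoe -> %s (uid %ld)\n", pw->pw_name, (long)pw->pw_uid);
	return r == REMAP_DENY;
}
```

The session's uid, gid, home directory and shell must all come from the entry returned in pw_out, not from a passwd entry cached before the PAM call.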
I think I have it down now. ;-) Thanks. BTW, what do I have to do to actually get this merged?

-----Original Message-----
From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org]
Sent: Friday, August 30, 2002 11:50 PM
To: Jeremy Ellington
Subject: RE: Patch so that sshd makes use of PAM_USER

You're still not following:

http://www.openbsd.org/cgi-bin/man.cgi?query=style

Which makes it much harder to read and makes all the portable developers less likely to even read the patch, much less apply it, since we then have to go back and fix it.

General rules:

* Tab for blocks
* If you span two lines 4 spaces are used to indent the second line.
* avoid using { } if you don't have two or more clauses or where you are doing multiple if () near each other and the compiler/reader could become confused.

Also, the rule of thumb for portable is make the least amount of impact on the code. Otherwise it makes my life an utter hell when doing CVS syncs.

- Ben

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_user.diff
Type: application/octet-stream
Size: 4119 bytes
Desc: pam_user.diff
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020903/53d610f1/attachment.obj