Greetings All,

I am trying to get sshd to authenticate using PAM in a situation where there is
no password entry (as found by getpwent et al.) for a user. Setting:

    AllowUsers *
    UsePAM yes

causes the right PAM stuff to be invoked, but as soon as the PAM module tries to
have a conversation with the (illegal) user (in order to get the password) sshd
throws out the authentication context. Is this necessary? Or is it just that no
one in their right mind ought to be trying to do this anyway?

If I have done my homework correctly:

- a user is "illegal" if getpwnamallow says so
- this will happen, in particular, if getpwnam returns NULL
- an "illegal" user results in a non-valid authctxt
- MUCH later, when the PAM auth module is running, it calls back into the sshd
  function input_userauth_info_response as part of the attempt to get a
  password from the user
- input_userauth_info_response will only invoke the
  kbdinitctxt->device->response function if the authctxt is valid
- at this point, since the whole process stalls out, the "next" auth method is
  tried, and the PAM context is destroyed.

If one were to fix input_userauth_info_response to be a little more forgiving
would that cause any grief, open any security holes, or whatever? Would anyone
like to suggest a suitable approach to a fix? Does this sound like a good idea?

Constructive criticism appreciated.

Cheers, Bob.

--
Bob Bramwell                 Jasomi Networks (Canada) | This space
Ph: 403 269 2938 x155        #310 602 11th Ave SW     | intentionally
FX: 403 269 2993             Calgary, AB, T2R 1J8     | left blank.
On Wed, 22 Sep 2004, Bob Bramwell wrote:

> Greetings All,
>
> I am trying to get sshd to authenticate using PAM in a situation where there is
> no password entry (as found by getpwent et al.) for a user. Setting:
  ^^^^^^^^^^^^^^^^^

If getpwent() doesn't find a user.. Then you can forget about using that
user.

[..]

> If one were to fix input_userauth_info_response to be a little more forgiving
> would that cause any grief, open any security holes, or whatever? Would anyone
> like to suggest a suitable approach to a fix? Does this sound like a
> good idea?

The correct fix is to teach your NSS code to look in the same place your
PAM code is looking. That way "getpwent" and friends return real
information.

- Ben
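Ben's point is that sshd decides whether a user is "illegal" through the NSS passwd lookup, not through PAM, so the place to debug is NSS. The following diagnostic is an added example, not code from the thread or from OpenSSH: it asks NSS the same question sshd's getpwnam() does (via getent) and, on failure, shows which passwd sources nsswitch.conf is configured with. The function names and the output wording are my own.

```shell
#!/bin/sh
# Added diagnostic: check NSS visibility of a user the way sshd's
# getpwnam()-based check sees it, before touching PAM configuration.
# A user that is not resolvable here gets a non-valid authctxt in sshd,
# no matter what the PAM stack could authenticate.

# Print the sources configured for the passwd database in nsswitch.conf,
# e.g. "files ldap". Falls back to glibc's default ("files") if the file
# is missing. Path argument is optional (used by tests).
nsswitch_passwd_sources() {
    conf="${1:-/etc/nsswitch.conf}"
    [ -r "$conf" ] || { echo "files"; return 0; }
    awk '$1 == "passwd:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$conf"
}

# Return 0 if NSS resolves the user. getent walks the same NSS chain that
# getpwnam()/getpwent() use inside sshd, so this mirrors getpwnamallow's
# first decision.
nss_user_visible() {
    getent passwd "$1" >/dev/null 2>&1
}

# Report whether sshd will build a valid authctxt for the user, and where
# to look when it will not. Returns 0 on success, 1 when the user is
# invisible to NSS.
sshd_user_check() {
    user="$1"
    if nss_user_visible "$user"; then
        echo "OK: '$user' resolves via NSS; sshd will treat the user as valid"
        return 0
    fi
    echo "FAIL: '$user' not found by getent passwd" \
         "(passwd sources: $(nsswitch_passwd_sources))"
    echo "      sshd will mark the user illegal and skip the kbd-int" \
         "response; add the PAM backend's user store to the passwd line" \
         "in nsswitch.conf rather than relaxing sshd"
    return 1
}
```

Run it as `sshd_user_check <login>` on the host where sshd rejects the user; an OK here with a still-failing login moves the problem to the PAM stack itself.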
OK, I'll buy that. However, fixing getpwent may not be practical on a system
where I would like this to work, so I guess I have to do it right, or not do
it.

Which brings up another question: if I can't do anything useful when getpwent()
doesn't find the user in question, why doesn't sshd simply abandon all attempts
at authentication at that point? Perhaps it should, in which case I would not be
tempted even to try. It seems pointless to invoke the PAM module and then
prohibit it from talking to the user.

Tnx, Bob.

> Date: Wed, 22 Sep 2004 16:48:19 -0500 (CDT)
> From: Ben Lindstrom <mouring at etoh.eviladmin.org>
> Subject: Re: SSHD with PAM question
>
> On Wed, 22 Sep 2004, Bob Bramwell wrote:
>
>>> Greetings All,
>>>
>>> I am trying to get sshd to authenticate using PAM in a situation where there is
>>> no password entry (as found by getpwent et al.) for a user. Setting:
>   ^^^^^^^^^^^^^^^^^
> If getpwent() doesn't find a user.. Then you can forget about using that
> user.
> ...
> The correct fix is to teach your NSS code to look in the same place your
> PAM code is looking. That way "getpwent" and friends return real
> information.
>
> - Ben

--
Bob Bramwell                 Jasomi Networks (Canada) | This space
Ph: 403 269 2938 x155        #310 602 11th Ave SW     | intentionally
FX: 403 269 2993             Calgary, AB, T2R 1J8     | left blank.