openssh unix dev - Sep 2004 - SSHD with PAM question

Greetings All,

I am trying to get sshd to authenticate using PAM in a situation where there is 
no password entry (as found by getpwent et. al.) for a user.  Setting:

	AllowUsers *
	UsePAM yes

causes the right PAM stuff to be invoked, but as soon as the PAM module tries to
have a conversation with the (illegal) user (in order to get the password) sshd 
throws out the authentication context.  Is this necessary?  Or is it just that 
no one in their right mind ought to be trying to do this anyway?

If I have done my homework correctly:

- a user is "illegal" if getpwnamallow says so
- this will happen, in particular, if getpwnam returns NULL
- an "illegal" user results in a non-valid authctxt
- MUCH later, when the PAM auth module is running, it calls back into the
   sshd function input_userauth_info_response as part of the attempt
   to get a password from the user
- input_userauth_info_response will only invoke the
   kbdinitctxt->device->response function if the authctxt is valid
- at this point, since the whole process stalls out, the "next" auth
method
   is tried, and the PAM context is destroyed.

If one were to fix input_userauth_info_response to be a little more forgiving 
would that cause any grief, open any security holes, or whatever?  Would anyone 
like to suggest a suitable approach to a fix?  Does this sound like a good idea?

Constructive criticism appreciated.

Cheers,
	Bob.

-- 
Bob Bramwell            Jasomi Networks (Canada) | This space
Ph: 403 269 2938 x155   #310 602 11th Ave SW     | intentionally
FX: 403 269 2993        Calgary, AB, T2R 1J8     | left blank.

On Wed, 22 Sep 2004, Bob Bramwell wrote:
> Greetings All,
>
> I am trying to get sshd to authenticate using PAM in a situation where
there is
> no password entry (as found by getpwent et. al.) for a user.  Setting:
			^^^^^^^^^^^^^^^^^^^^^^^^^
If getpwent() doesn't find a user.. Then you can forget about using that
user.

[..]
>
> If one were to fix input_userauth_info_response to be a little more
forgiving
> would that cause any grief, open any security holes, or whatever?
>Would anyone
> like to suggest a suitable approach to a fix?  Does this sound like a
> good idea?
>
The correct fix is to teach your NSS code to look in the same place your
PAM code is looking. That way "getpwent" and friends return real
information.

- Ben

OK, I'll buy that.  However, fixing getpwent may not be practical on a
system
where I would like this to work, so I guess I have to do it right, or not do it.
  Which brings up another question:  if I can't do anything useful when 
getpwent() doesn't find the user in question, why doesn't sshd simply
abandon
all attempts at authentication at that point?  Perhaps it should, in which case 
I would not be tempted even to try.  It seems pointless to invoke the PAM module
and then prohibit it from talking to the user.

Tnx,
	Bob.
> Date: Wed, 22 Sep 2004 16:48:19 -0500 (CDT)
> From: Ben Lindstrom <mouring at etoh.eviladmin.org>
> Subject: Re: SSHD with PAM question
> On Wed, 22 Sep 2004, Bob Bramwell wrote:
> 
>>> Greetings All,
>>>
>>> I am trying to get sshd to authenticate using PAM in a situation
where there is
>>> no password entry (as found by getpwent et. al.) for a user. 
Setting:
> 			^^^^^^^^^^^^^^^^^^^^^^^^^
> If getpwent() doesn't find a user.. Then you can forget about using
that
> user.
> ...
> The correct fix is to teach your NSS code to look in the same place your
> PAM code is looking. That way "getpwent" and friends return real
> information.
> 
> - Ben

-- 
Bob Bramwell            Jasomi Networks (Canada) | This space
Ph: 403 269 2938 x155   #310 602 11th Ave SW     | intentionally
FX: 403 269 2993        Calgary, AB, T2R 1J8     | left blank.