I find it annoying that openssh takes active part in the authentication
process when using PAM. Namely, SSH doesn't pass the user's password if
the getpwent for the user returns NULL.

I use a clever PAM setup that allows nonexisting users to log in if they
are successfully authenticated against a Samba server.
When the user logs in for the first time, he's added to the user
database and obviously only then will a call to getpwnam be successful.

I propose a configuration option to allow the authentication token to be
passed to PAM even if the user has no pw entry.

Thoughts?

-- 
Søren Hansen <sh at warma.dk>
On Fri, 15 Apr 2005, Søren Hansen wrote:

> I find it annoying that openssh takes active part in the authentication
> process when using PAM. Namely, SSH doesn't pass the user's password if
> the getpwent for the user returns NULL.

This has been covered many times on this list before. In short: if you
want nss-like functionality then use nss, not pam.

-d
On Fri, Apr 15, 2005 at 12:01:56PM +0200, Søren Hansen wrote:

> I find it annoying that openssh takes active part in the authentication
> process when using PAM. Namely, SSH doesn't pass the user's password if
> the getpwent for the user returns NULL.
>
> I use a clever PAM setup that allows nonexisting users to log in if they
> are successfully authenticated against a Samba server.
> When the user logs in for the first time, he's added to the user
> database and obviously only then will a call to getpwnam be successful.
>
> I propose a configuration option to allow the authentication token to be
> passed to PAM even if the user has no pw entry.

You'll need to do more work than just passing in the token to PAM to
make this work, though. Even if PAM returns success sshd still has
authctxt->valid = 0. You do need the getpwnamallow() call before auth
though, to allow public key auth to work.

You could try passing the token to PAM even if valid = 0, then call
getpwnamallow() a second time if PAM auth succeeds to load the new pw
entry.

-- 
Ed Maste
Sandvine Incorporated
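The two replies above agree on the ordering that matters: sshd resolves the account through getpwnam() (i.e. NSS) before any password reaches PAM, and with no passwd entry the login is rejected regardless of what PAM would say. The following shell script is an added example written for this thread, not code from OpenSSH or from any of the posters. It checks whether a login name is visible through NSS with getent, pulls the fields sshd needs from the entry, and reports whether sshd would reach the PAM step at all. The nsswitch.conf lines in the comments assume Samba's winbind as the NSS source, which is the approach Damien's reply points at; substitute whatever NSS module your environment uses.

```shell
#!/bin/sh
# Added example, not part of the thread. Checks whether a login name is
# visible through NSS (the lookup sshd performs via getpwnam() before it
# ever talks to PAM), and returns the fields sshd needs from that entry.
#
# With Samba's winbind providing the account database, /etc/nsswitch.conf
# would carry lines like the following so that getpwnam() resolves domain
# users without any pre-creation step (assumption: winbind is the NSS
# source in use; substitute the module for your environment):
#
#   passwd: files winbind
#   group:  files winbind

# nss_user_exists NAME
# Exit 0 if NSS resolves NAME to a passwd entry, 1 otherwise.
nss_user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# nss_user_field NAME FIELD
# Print one field of the passwd entry: uid, gid, home or shell.
# Prints nothing and exits 1 when the user is unknown to NSS.
nss_user_field() {
    entry=$(getent passwd "$1") || return 1
    case "$2" in
        uid)   printf '%s\n' "$entry" | cut -d: -f3 ;;
        gid)   printf '%s\n' "$entry" | cut -d: -f4 ;;
        home)  printf '%s\n' "$entry" | cut -d: -f6 ;;
        shell) printf '%s\n' "$entry" | cut -d: -f7 ;;
        *)     return 2 ;;
    esac
}

# precheck_login NAME
# Mirrors the order sshd uses: the account must resolve through NSS first;
# only then is a password worth handing to PAM.  Prints a one-line verdict
# and exits 0 (sshd would go on to authenticate) or 1 (sshd rejects the
# login before PAM ever sees the password).
precheck_login() {
    if nss_user_exists "$1"; then
        printf 'user %s: uid=%s home=%s shell=%s -> passwd entry found, sshd continues to authentication\n' \
            "$1" "$(nss_user_field "$1" uid)" "$(nss_user_field "$1" home)" \
            "$(nss_user_field "$1" shell)"
        return 0
    fi
    printf 'user %s: no passwd entry via NSS -> sshd rejects before PAM runs\n' "$1"
    return 1
}

# Usage: precheck_login root; precheck_login some-domain-user
```

Run `precheck_login` against a domain account before and after enabling the NSS module: once getent resolves the name, sshd's getpwnamallow() succeeds and the PAM stack is reached without any first-login user-creation trick.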