skipping local passwd check - SSH


Thread: skipping local passwd check

  1. skipping local passwd check

    I want to skip password checking and pass all authentication to a PAM
    module I'm writing. I'll have users logging in that don't have a local
    account.

    However, it is not obvious to me from looking at the SSH code how to
    get around the getpwnam(3) call. It appears one has to go through that
    path before PAM gets kicked off. So even though my module's
    'pam_sm_authenticate()' method does get called, and does return
    PAM_SUCCESS, auth-pam::sshpam_auth_passwd() will still fail because
    authctxt->valid was not set.

    Are there sshd flags to skip the local /etc/passwd from being checked?
    Is the Authctxt struct somehow available for my PAM module to access
    and set the valid field? How should all this be performed? I would
    appreciate any advice.

    T.


  2. Re: skipping local passwd check

    I hate to reply to my own posting, but I really would like to find out
    from those much more knowledgeable than me exactly how SSH and PAM are
    supposed to operate.

    How does one configure things so that a user that does not have a
    local account gets past the (what appears to be) mandatory SSH check
    of getpwnam()? I would like my PAM module to handle everything.

  3. Re: skipping local passwd check

    In article
    <1ee1ce88-1023-4e11-b78d-ee8d09960013@l64g2000hse.googlegroups.com>
    cube.384@gmail.com writes:
    >I hate to reply to my own posting, but I really would like to find out
    >from those much more knowledgeable than me exactly how SSH and PAM are
    >supposed to operate.
    >
    >How does one configure things so that a user that does not have a
    >local account gets past the (what appears to be) mandatory SSH check
    >of getpwnam()? I would like my PAM module to handle everything.


    Last I looked (which was admittedly a long time ago, see the thread at
    http://groups.google.com/group/comp....d0dc1a847bb5cb
    ), this wasn't possible without source modifications. The getpwnam()
    check is the simple part, but normally you want your processes to run as
    *some* local user, if nothing else because lots of utilities get upset
    if the uid of a process doesn't exist in passwd, doesn't have a home
    directory etc - and of course OpenSSH needs to find out the user's shell
    to do anything (there's no way for PAM to decide that AFAIK).

    What you want to do for this is to have some sort of "template" user
    that all your non-local users get "mapped to" after authentication - see
    http://www.freebsd.org/cgi/man.cgi?query=pam_radius for an example. And
    the way to do this is for the PAM module to set this user in the PAM
    context (pam_set_item(PAM_USER)) - but OpenSSH ignores this (or again,
    it did back when I needed it), and changing that is non-trivial,
    especially to have it work with privilege separation.

    I did do it back then though (because I had to...), but it was pretty
    kludgy IIRC, and I may have had to give up on privsep. I think the
    getpwnam() check "solved itself" then, since it is done *after* the PAM
    auth, and would thus use the username set by the PAM module. I don't
    have the changes at hand, but if you're really desperate and don't mind
    porting diffs from OpenSSH 3.8-ish to a current version, I may be able
    to dig them up.

    --Per Hedeland
    per@hedeland.org
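The reply above makes the point that whatever account non-local users get mapped to must still be a real local user that sshd's getpwnam() can resolve, with a home directory and a shell OpenSSH can use. The script below is an added example, not code from the thread or from OpenSSH, that preflights such a "template" account before the PAM module is wired in; the account name sshtmpl and the grep on sshd_config are assumptions.

```sh
#!/bin/sh
# Preflight checks for a PAM "template user" mapping target (added example).
# check_template_entry validates a passwd(5) line offline so it can be tested;
# check_template_user runs the same checks against the live system.

# $1 = passwd(5) entry, $2 = newline-separated list of permitted shells
# (the non-comment lines of /etc/shells). Prints each failed requirement;
# returns 0 only if the entry is a safe, usable mapping target.
check_template_entry() {
    entry=$1
    shells=$2
    rc=0
    IFS=: read -r name _pw uid _gid _gecos home shell <<EOF
$entry
EOF
    [ -n "$name" ] || { echo "empty user name"; rc=1; }
    case $uid in
        ''|*[!0-9]*) echo "uid '$uid' is not numeric"; rc=1 ;;
        0) echo "template user must not be uid 0 (it runs every mapped session)"; rc=1 ;;
    esac
    [ -n "$home" ] || { echo "no home directory in passwd entry"; rc=1; }
    if [ -z "$shell" ]; then
        echo "no login shell: sshd cannot start a session without one"; rc=1
    elif ! printf '%s\n' "$shells" | grep -qx -- "$shell"; then
        echo "shell '$shell' is not listed in /etc/shells"; rc=1
    fi
    return $rc
}

# Live check: getent resolves the user through NSS, the same lookup path
# sshd's getpwnam() takes, so a failure here is the failure sshd would see.
check_template_user() {
    user=$1
    entry=$(getent passwd "$user") \
        || { echo "getpwnam('$user') fails: no such local user"; return 1; }
    check_template_entry "$entry" "$(grep -v '^#' /etc/shells)" || return 1
    home=$(printf '%s' "$entry" | cut -d: -f6)
    [ -d "$home" ] || { echo "home directory '$home' does not exist"; return 1; }
    # sshd only hands the password to PAM when UsePAM is enabled
    # ('sshd -T | grep -i usepam' is the authoritative view, but needs root).
    grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' /etc/ssh/sshd_config \
        || { echo "UsePAM is not enabled in /etc/ssh/sshd_config"; return 1; }
    echo "'$user' is usable as a template user"
}

# Usage: sh check_template.sh sshtmpl
if [ $# -gt 0 ]; then
    check_template_user "$1"
fi
```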


+ Reply to Thread