I want to configure secure shell access to a Linux machine where allowed users are stored in an sqlite3 database and not in the /etc/passwd, /etc/shadow and /etc/group. I use PAM for user authentication. In this case I use libpam_sqlite<https://github.com/sangeeths/libpam-sqlite/blob/master/README_pam_sqlite3>which performs PAM actions like auth, account, password, etc on user data stored in an sqlite3 database. I have the following configuration in my /etc/pam.d/sshd auth required /lib/security/pam_sqlite3.so account required /lib/security/pam_sqlite3.so password required /lib/security/pam_sqlite3.so When I tried to ssh to the box using a userid which is residing in the sqlite3 database only (and not in /etc/passwd), the authentication failed. The problem I found was, when an ssh is attempted, OpenSSH module is trying to get the user info from the /etc/passwd file and when it found that the user does not exist, it passes "#010#012#015#177INCORRECT" as the password (and discards the password entered by the user) to the libpam_sqlite module. Then obviously the libpam_sqlite3 denies access to the user because the password is incorrect! When looked into the OpenSSH code, I found that getpwnam() in auth.c::getpwnamallow() sets pw = NULL and so the following message appears! debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 0 Invalid user XXXXXX from A.B.C.D Now, to the questions: 1. Why does OpenSSH replaces the password entered by the user with the bad password - "\b\n\r\177INCORRECT" when the user is not present in the /etc/passwd file? 2. Is there a way to tell OpenSSH not to override the password entered by the user? 3. Is it really possible to authenticate a user based on an sqlite3 database when the user record is not present in the /etc/passwd, /etc/shadow and /etc/group? Thank you, Sangeeth _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
