On Apr 1 22:41, Damien Miller wrote:
> On Tue, 1 Apr 2014, Corinna Vinschen wrote:
>
> > I'm not sure I can follow. Do you mean we should make sure that a
> > machine account sshd always exists and use that?
> >
> > The problem is, sshd would still call getpwent("sshd"). This would work
> > for machine accounts on non-domain machines and for primary domain
> > accounts on domain member machines, but it would fail for a machine
> > account on a domain member machine when using the default account naming
> > rules. And if the admin changed them to "always prepend domain name",
> > there would not be a "sshd" account at all.
>
> I'm suggesting changing the account that sshd tries to look up. If it
> always uses ${machine}\sshd then will it work? (Assuming the host setup
> script ensures this account exists)
So you're suggesting to change sshd.c to fetch the name of the machine
first, then construct the account name in a local buffer and give that
to getpwnam?
That won't work either in all cases. On non-domain machines the account
name will be "sshd", not "${machine}+sshd". Except if the admin
specifies that the domain is always prepended, which makes it
"${machine}+sshd" again. And if the admin specifies the separator char
to be not '+' but, for instance '#', the account name will be
"${machine}#sshd".
All that knowledge would have to go into sshd.c. Isn't it much easier
and less convoluted to allow specifying the account name in sshd_config?
Corinna
--
Corinna Vinschen
Cygwin Maintainer
Red Hat
Attachment:
pgpXxW2SkuDj2.pgp
Description: PGP signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
