On Apr 1 22:41, Damien Miller wrote:
> On Tue, 1 Apr 2014, Corinna Vinschen wrote:
>
> > I'm not sure I can follow. Do you mean we should make sure that a
> > machine account sshd always exists and use that?
> >
> > The problem is, sshd would still call getpwent("sshd"). This would work
> > for machine accounts on non-domain machines and for primary domain
> > accounts on domain member machines, but it would fail for a machine
> > account on a domain member machine when using the default account naming
> > rules. And if the admin changed them to "always prepend domain name",
> > there would not be a "sshd" account at all.
>
> I'm suggesting changing the account that sshd tries to look up. If it
> always uses ${machine}\sshd then will it work? (Assuming the host setup
> script ensures this account exists)

So you're suggesting to change sshd.c to fetch the name of the machine
first, then construct the account name in a local buffer and give that
to getpwnam?

That won't work either in all cases. On non-domain machines the account
name will be "sshd", not "${machine}+sshd". Except if the admin specifies
that the domain is always prepended, which makes it "${machine}+sshd"
again. And if the admin specifies the separator char to be not '+' but,
for instance '#', the account name will be "${machine}#sshd".

All that knowledge would have to go into sshd.c. Isn't it much easier
and less convoluted to allow specifying the account name in sshd_config?

Corinna

--
Corinna Vinschen
Cygwin Maintainer
Red Hat
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev