Hmm - su is defensible, since mapping of usernames in su by a PAM module is a bit bizarre, to say the least. I take it you mean the IMAP/POP servers - they should *definitely* be calling getpwnam after the pam authentication, as should proftpd, although it's more likely that username mapping would happen in the latter rather than the former.

It's most annoying for login apps, but generally in any application that does a setuid to implement security, mapping multiple usernames to one username is tricksy because of kernel race conditions, which is why people don't do things the right way. But having kerberos template users not work on a password-changing-only-shell-machine is *very* irritating.

I don't know what to say about the patches not being rolled back - it concerns me that PAM patches are apparently ignored by a lot of developers.

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+

-----Original Message-----
From: Chris Jaeger [mailto:cjaeger@ensim.com]
Sent: 12 June 2001 18:41
To: Mayers, Philip J
Cc: 'pam-list@redhat.com'
Subject: Re: PAM and the pwd.h interface

Hi Phil,

The imap and ipop clients from the imap-2000 rpm; su from sh-utils (and I believe others too), various utilities in util-linux, proftpd... The format that everyone seems to be following is:

    pw = getpwnam(name);
    if (pw) {
        pam_start("...", pw->pw_name, ...);
        pam_authenticate(...);
        ...
    }

login from login-utils is one of the apps that seems to do it right.

Part of the problem in some of these utilities is that they attempt to decide if the operation is disallowed for reasons other than lack of authentication before trying to authenticate. For example, chsh will try to determine if an account is being managed locally or by NIS prior to authentication; if it is being managed by NIS, then it won't proceed and suggests ypchsh instead. It checks this by using getpwnam. This particular example is an attribute-write, so this may fall into the case that Mark and Nicolas are debating over.

I've tried to contact the various maintainers of these packages to determine if they would accept a patch that uses PAM to determine user-existence, but in general I've simply encountered silence.

I'm also a little bit concerned because while PAM can be used to check for user existence (via pam_authenticate()), this may have more side-effects than desired (e.g. the need to actually authenticate, etc.).

Regards,
Chris

"Mayers, Philip J" wrote:
>
> I believe, strictly speaking, that's an application error - the application
> should call PAM *before* any NSS calls if at all possible, exactly for this
> reason. Last I checked, most didn't - which breaks Kerberos template users
> (and any other username-rewriting)
>
> The "correct" solution here is to fix the app, if at all possible - which
> applications are you using?
>
> Regards,
> Phil
>
> +----------------------------------+
> | Phil Mayers, Network Support     |
> | Centre for Computing Services    |
> | Imperial College                 |
> +----------------------------------+
>
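The ordering problem the thread is about, shown as an added, self-contained simulation (not code from the list, from Phil or Chris, or from any of the packages named). It models a tiny local passwd table and a PAM stack whose authentication step rewrites the user name, the way a Kerberos module that maps several principals onto one local "template" account would set PAM_USER. `login_getpwnam_first` is the pattern Chris quotes (getpwnam before PAM); `login_pam_first` is the order Phil recommends (pam_start, pam_authenticate, then read back PAM_USER and only then getpwnam). The principals, passwords, the `krbuser` template account and the `FakePam` class are all constructed for the example; the real libpam calls they stand in for are named in the comments.

```python
# Constructed local passwd table, standing in for getpwnam()'s view of the system.
LOCAL_PASSWD = {
    "krbuser": {"name": "krbuser", "uid": 1000, "home": "/home/krbuser"},
    "bob":     {"name": "bob",     "uid": 1001, "home": "/home/bob"},
}

# Constructed credentials the PAM stack accepts, and the constructed
# principal -> local template user mapping the stack applies on success.
PAM_CREDENTIALS = {
    "alice@EXAMPLE.ORG": "alice-pw",
    "carol@EXAMPLE.ORG": "carol-pw",
    "bob": "bob-pw",
}
PAM_USER_MAP = {
    "alice@EXAMPLE.ORG": "krbuser",
    "carol@EXAMPLE.ORG": "krbuser",
}


def getpwnam(name):
    """Simulated getpwnam(3): returns the passwd entry or None (assumption)."""
    return LOCAL_PASSWD.get(name)


class FakePam:
    """Simulated PAM handle: pam_start() / pam_authenticate() / pam_get_item(PAM_USER)."""

    def __init__(self, user):
        # pam_start(service, user, conv, &pamh): the name as typed by the user
        self.user = user

    def authenticate(self, password):
        # pam_authenticate(pamh, 0): verify, and let the module rewrite PAM_USER
        if PAM_CREDENTIALS.get(self.user) != password:
            return False
        self.user = PAM_USER_MAP.get(self.user, self.user)
        return True

    def get_user(self):
        # pam_get_item(pamh, PAM_USER, &item): the (possibly rewritten) user
        return self.user


def login_getpwnam_first(name, password):
    """The pattern quoted in the thread: consult NSS before PAM ever sees the name."""
    pw = getpwnam(name)
    if pw is None:
        # A mapped principal has no passwd entry under its typed name, so the
        # login is refused before pam_authenticate() could have mapped it.
        return None
    pam = FakePam(pw["name"])
    if not pam.authenticate(password):
        return None
    return pw


def login_pam_first(name, password):
    """The recommended order: authenticate, read back PAM_USER, then getpwnam."""
    pam = FakePam(name)
    if not pam.authenticate(password):
        return None
    mapped = pam.get_user()
    pw = getpwnam(mapped)
    if pw is None:
        # Authenticated, but there is no local account to setuid to: still refuse.
        return None
    return pw


if __name__ == "__main__":
    for fn in (login_getpwnam_first, login_pam_first):
        print(fn.__name__, "alice ->", fn("alice@EXAMPLE.ORG", "alice-pw"))
        print(fn.__name__, "bob   ->", fn("bob", "bob-pw"))
```

Run stand-alone, the getpwnam-first variant refuses alice even with the right password (no passwd entry for the principal name), while the PAM-first variant lands her on the `krbuser` entry; a plain local user such as bob works either way, and a wrong password fails in both, which is why the difference goes unnoticed until a username-rewriting module is in the stack.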