On 09.01.2009 1:45, Steve Langasek wrote:
>> That is a feature of OpenSSH. It is OpenSSH that is responsible for
>> setting UID/GID and supplementary GIDs before starting user session.
>> pam_set_item(pamh, PAM_USER, "system") sets only user name PAM is
>> authenticating as, but OpenSSH doesn't check whether PAM_USER was changed
>> during pam_authenticate() or not. Questions about OpenSSH are more
>> appropriate in their mailing list.
>
> This is true that OpenSSH is responsible for setting the ids; I would,
> however, note that I think it's a (low-priority) bug in the PAM
> implementation of OpenSSH that it doesn't honor username mappings from
> the PAM stack.

Be it bug or not, anyway, any questions about OpenSSH are appropriate in their
mailing list. As a member of that list, however, I'd mention that that exact
issue was raised there previously, but OpenSSH developers for the reason, I
don't remember currently, refused to deal with it. Please refer to that mailing
list archive for details. My personal opinion about the issue in question is
that your setup is unreasonably complex.
--
Sincerely Your, Dan.
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list