Re: Mapping username in PAM and OpenSSH

On 09.01.2009 1:58, Dan Yefimov wrote:
On 09.01.2009 1:45, Steve Langasek wrote:
That is a feature of OpenSSH. It is OpenSSH that is responsible for
setting UID/GID and supplementary GIDs before starting the user session.
pam_set_item(pamh, PAM_USER, "system") sets only the user name PAM is
authenticating as, but OpenSSH doesn't check whether PAM_USER was
changed during pam_authenticate() or not. Questions about OpenSSH are
more appropriate in their mailing list.

It is true that OpenSSH is responsible for setting the ids; I would,
however, note that I think it's a (low-priority) bug in the PAM
implementation of OpenSSH that it doesn't honor username mappings from
the PAM stack.

Be it a bug or not, anyway, any questions about OpenSSH are appropriate in
their mailing list. As a member of that list, however, I'd mention
that that exact issue was raised there previously, but the OpenSSH
developers, for a reason I don't currently remember, refused to deal
with it. Please refer to that mailing list archive for details. My
personal opinion about the issue in question is that your setup is
unreasonably complex.

BTW, most PAM-aware applications don't check whether PAM_USER was changed during pam_authenticate() either.
--

Sincerely Your, Dan.

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
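
The check discussed in this thread, as an added example that is not part of the original messages and is not OpenSSH code: what a PAM-aware application does if it honors a user name mapping. The function name `resolve_session_account` and the struct are hypothetical; the caller is assumed to pass the name it gave to pam_start() and the value it read back with pam_get_item(pamh, PAM_USER, ...) after pam_authenticate() succeeded.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Account the session should run as, resolved after authentication. */
struct session_account {
    char  name[64];
    uid_t uid;
    gid_t gid;
    int   mapped;   /* 1 if the PAM stack changed the user name */
};

/*
 * requested: name the client asked for (as passed to pam_start()).
 * pam_user:  PAM_USER as read back after pam_authenticate() succeeded.
 * Returns 0 and fills *out, or -1 if the session must be refused.
 * Uses getpwnam(), so it is not thread-safe.
 */
int resolve_session_account(const char *requested, const char *pam_user,
                            struct session_account *out)
{
    const struct passwd *pw;

    if (requested == NULL || pam_user == NULL || pam_user[0] == '\0')
        return -1;                  /* no usable identity: fail closed */
    if (strlen(pam_user) >= sizeof(out->name))
        return -1;                  /* refuse rather than truncate */

    /* Look up the name PAM ended with, not the one the client sent. */
    pw = getpwnam(pam_user);
    if (pw == NULL)
        return -1;                  /* mapped name has no account: refuse,
                                       never fall back to `requested` */
    strcpy(out->name, pam_user);
    out->uid = pw->pw_uid;          /* ids come from the mapped account */
    out->gid = pw->pw_gid;
    out->mapped = strcmp(requested, pam_user) != 0;
    return 0;
}

int main(void)
{
    struct session_account a;
    /* Constructed input: the client asked for "alice" and a module called
       pam_set_item(pamh, PAM_USER, "system") during authentication. */
    if (resolve_session_account("alice", "system", &a) != 0)
        return puts("refused: mapped account not found"), 1;
    printf("%s uid=%lu gid=%lu mapped=%d\n", a.name,
           (unsigned long)a.uid, (unsigned long)a.gid, a.mapped);
    return 0;
}
```

An application that skips the read-back resolves `requested` instead, which is the behaviour described above for OpenSSH: the session runs with the ids of the originally requested account even though the PAM stack authenticated a different name.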
