Mailing List Archive

Letting PAM add a user
Hello. I have a Linux-based system that acts as a cvs-server on an
NT-domain. The cvs-repository is reached with ssh.

My comments are for version 1.2.2 (debian distribution 1.2.2-1).

I made a pam-module for adding users automatically when they have been
authorized by the pam_smb_auth. Problem is that sshd checks if the user
exists in passwd before going to pam for authorization. I made a very nasty
hack to sshd that changed the behaviour so that the pw-struct got some
defaults instead of pw from getpwnam() if allowed_user() returns false.

However, I would rather use a real version of sshd, so I suggest there be
some changes made to allow for better PAM-usage. For that, the (or a) call
to getpwnam() must be run AFTER pam has checked authorization and account
(my pam_useradd is an account module).

First, pw is sent to start_pam(). start_pam() only uses pw->pw_name
though, so I suggest sending in user instead of pw.

Second, pw is used to compare uid if not running as root. This check I
suppose could be done after auth_pam_password() ?

If these changes aren't good for non-pam situations, maybe consider
splitting it up more so that pam-users have a totally separate procedure?
I haven't looked at it yet, but I guess RSA-authentication could be made a
pam-module also?

Regards, EOF

PS: Please cc all replies to me, since I am not yet on the list (I
subscribed another of my addresses and it had to go and ask the list
administrator etc etc). DS.
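
Added example (not part of the original message, and not sshd or PAM code): a small C model of the two orderings discussed above, showing why a passwd lookup before PAM keeps an account module from ever creating the user, and which checks still have to run after PAM. The in-memory account table, the accepted password, and the functions `model_pam_auth`, `model_pam_account`, `login_lookup_first` and `login_pam_first` are constructed stand-ins for getpwnam(), pam_smb_auth, the pam_useradd account module and sshd's login path.

```c
#include <stdio.h>
#include <string.h>

/* Constructed in-memory stand-in for /etc/passwd (not real system data). */
struct acct { char name[32]; unsigned uid; };
static struct acct db[8] = { { "alice", 1000 } };
static int ndb = 1;

static const struct acct *lookup(const char *user) {   /* models getpwnam() */
    for (int i = 0; i < ndb; i++)
        if (strcmp(db[i].name, user) == 0) return &db[i];
    return NULL;
}

/* Hypothetical auth module: the remote domain accepts only this password. */
static int model_pam_auth(const char *user, const char *pass) {
    (void)user;
    return strcmp(pass, "domain-secret") == 0;
}

/* Hypothetical account module in the style of pam_useradd: adds missing users. */
static int model_pam_account(const char *user) {
    if (!lookup(user) && ndb < 8) {
        snprintf(db[ndb].name, sizeof db[ndb].name, "%s", user);
        db[ndb].uid = 1000 + ndb;
        ndb++;
    }
    return lookup(user) != NULL;
}

/* Order the message describes: lookup first, so PAM never sees a new user. */
int login_lookup_first(const char *user, const char *pass) {
    const struct acct *pw = lookup(user);
    if (!pw) return 0;
    return model_pam_auth(user, pass) && model_pam_account(user);
}

/* Proposed order: PAM gets only the name; lookup and uid check come after. */
int login_pam_first(const char *user, const char *pass, unsigned my_uid) {
    if (!model_pam_auth(user, pass) || !model_pam_account(user)) return 0;
    const struct acct *pw = lookup(user);
    if (!pw) return 0;                               /* fail closed: no entry */
    if (my_uid != 0 && pw->uid != my_uid) return 0;  /* non-root: own uid only */
    return 1;
}

int main(void) {
    printf("lookup first: %d\n", login_lookup_first("bob", "domain-secret"));
    printf("pam first:    %d\n", login_pam_first("bob", "domain-secret", 0));
    return 0;
}
```

In the PAM-first path the account is created only after authentication succeeds, and the final lookup still rejects the login if no passwd entry exists.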