Bad Password - #010#012#015#177INCORRECT : ssh -> pam -> libpam_sqlite -> sqlite3

I want to configure secure shell access to a Linux machine where allowed users are stored in an sqlite3 database and not in the /etc/passwd, /etc/shadow and /etc/group. I use PAM for user authentication. In this case I use libpam_sqlite which performs PAM actions like auth, account, password, etc on user data stored in an sqlite3 database.

I have the following configuration in my /etc/pam.d/sshd

    auth        required    /lib/security/
    account     required    /lib/security/
    password    required    /lib/security/

When I tried to ssh to the box using a userid which is residing in the sqlite3 database only (and not in /etc/passwd), the authentication failed. The problem I found was, when an ssh is attempted, OpenSSH module is trying to get the user info from the /etc/passwd file and when it found that the user does not exist, it passes "#010#012#015#177INCORRECT" as the password (and discards the password entered by the user) to the libpam_sqlite module. Then obviously the libpam_sqlite3 denies access to the user because the password is incorrect!

When I looked into the OpenSSH code, I found that getpwnam() in auth.c::getpwnamallow() sets pw = NULL and so the following message appears!

    debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 0
    Invalid user XXXXXX from A.B.C.D

Now, to the questions:

#1. Why does OpenSSH replace the password entered by the user with the bad password - "\b\n\r\177INCORRECT" when the user is not present in the /etc/passwd file?

#2. Is there a way to tell OpenSSH not to override the password entered by the user?

#3. Is it really possible to authenticate a user based on an sqlite3 database when the user record is not present in the /etc/passwd, /etc/shadow and

Thank you,
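
The behaviour described in the post above, modelled as an added example (not part of the original thread and not OpenSSH's own code): the account is looked up with getpwnam() before PAM runs, and a PAM module can recognise the placeholder it receives for unknown accounts. The function names and the user name `sqlite-only-user` are hypothetical; getpwnam() resolves through whatever sources the system's name service switch is configured with.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Placeholder quoted in the post: octal 010 012 015 177 followed by "INCORRECT". */
static const char BAD_PW[] = "\b\n\r\177INCORRECT";

/* 1 if the account resolves through getpwnam(), the lookup done before PAM; else 0. */
int account_resolves(const char *user)
{
    return getpwnam(user) != NULL;
}

/* Model of what the PAM stack receives: the typed password only for resolvable accounts. */
const char *password_seen_by_pam(const char *user, const char *typed)
{
    return account_resolves(user) ? typed : BAD_PW;
}

/* PAM-module side check: is this token the placeholder rather than user input? */
int is_sshd_placeholder(const char *authtok)
{
    return authtok != NULL && strcmp(authtok, BAD_PW) == 0;
}

/* Name of the account running this program (copied out of the static passwd buffer),
 * or NULL if the current uid has no passwd entry. */
const char *current_account(void)
{
    static char name[256];
    struct passwd *pw = getpwuid(geteuid());
    if (pw == NULL)
        return NULL;
    snprintf(name, sizeof name, "%s", pw->pw_name);
    return name;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "sqlite-only-user"; /* constructed name */
    const char *seen = password_seen_by_pam(user, "typed-secret");
    printf("%s: getpwnam %s, PAM receives %s\n", user,
           account_resolves(user) ? "found an entry" : "returned NULL",
           is_sshd_placeholder(seen) ? "the INCORRECT placeholder" : "the typed password");
    return 0;
}
```

Run it with a user name as the argument to see whether that account would reach the PAM stack with its real password.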


Re: Bad Password - #010#012#015#177INCORRECT : ssh -> pam -> libpam_sqlite -> sqlite3

Here is response:
