skipping local passwd check

I want to skip password checking and pass all authentication to a PAM
module I'm writing. I'll have users logging in that don't have a local

However, it is not obvious to me from looking at the SSH code how to
get around the getpwnam(3) call. It appears one has to go through that
path before PAM gets kicked off. So even though my module's
'pam_sm_authenticate()' method does get called, and does return
PAM_SUCCESS, auth-pam::sshpam_auth_passwd() will still fail because
authctxt->valid was not set.

Are there sshd flags to skip the local /etc/passwd from being checked?
Is the Authctxt struct somehow available for my PAM module to access
and set the valid field? How should all this be performed? I would
appreciate any advice.


Re: skipping local passwd check

I hate to reply to my own posting, but I really would like to find out
from those much more knowledgeable than me exactly how SSH and PAM are
supposed to operate.

How does one configure things so that a user that does not have a
local account gets past the (what appears to be) mandatory SSH check
of getpwnam()? I would like my PAM module to handle everything.

Re: skipping local passwd check

In article writes:

Last I looked (which was admittedly a long time ago, see the thread at
), this wasn't possible without source modifications. The getpwnam()
check is the simple part, but normally you want your processes to run as
*some* local user, if nothing else because lots of utilities get upset
if the uid of a process doesn't exist in passwd, doesn't have a home
directory etc - and of course OpenSSH needs to find out the user's shell
to do anything (there's no way for PAM to decide that AFAIK).

What you want to do for this is to have some sort of "template" user
that all your non-local users get "mapped to" after authentication - see for an example. And
the way to do this is for the PAM module to set this user in the PAM
context (pam_set_item(PAM_USER)) - but OpenSSH ignores this (or again,
it did back when I needed it), and changing that is non-trivial,
especially to have it work with privilege separation.

I did do it back then though (because I had to...), but it was pretty
kludgy IIRC, and I may have had to give up on privsep. I think the
getpwnam() check "solved itself" then, since it is done *after* the PAM
auth, and would thus use the username set by the PAM module. I don't
have the changes at hand, but if you're really desperate and don't mind
porting diffs from OpenSSH 3.8-ish to a current version, I may be able
to dig them up.

--Per Hedeland
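The "template user" idea in the reply above, as an added example that is not code from the thread or from OpenSSH: a small C model of the decision sshd would have to make if the getpwnam() check ran *after* PAM instead of before it. The PAM module's pam_set_item(PAM_USER) step is replaced by a plain function (pam_mapped_user) so the block builds without libpam; the template account name "sshtemplate" and the login_ctx struct (whose valid field stands in for authctxt->valid) are constructed for the example. The point it shows is the fail-closed part of Per's remark: the session still has to land on a real local uid, so when neither the requested user nor the template exists in passwd, the login stays invalid even though PAM said yes.

```c
/* Added example, not from the thread or OpenSSH: models "map non-local
 * users to a template account after PAM auth, then do the passwd lookup". */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed name for the example; any real deployment would pick its own. */
#define TEMPLATE_USER "sshtemplate"

/* Outcome of the post-PAM lookup; 'valid' plays the role of authctxt->valid. */
struct login_ctx {
    char requested[64]; /* name typed at the prompt (may not exist locally) */
    char effective[64]; /* local account the session will actually run as */
    uid_t uid;
    int valid;
};

/* Stand-in for what a PAM module does with pam_set_item(pamh, PAM_USER, ...):
 * decide which local account a remote identity is mapped to. Here the rule is
 * "keep the name if it exists in passwd, otherwise use the template". */
const char *pam_mapped_user(const char *requested, const char *template_user)
{
    return getpwnam(requested) != NULL ? requested : template_user;
}

/* The ordering Per describes: authentication result first, then getpwnam()
 * on the name the PAM layer settled on. Returns 1 and fills ctx on success,
 * 0 (ctx->valid == 0) when PAM refused or the mapped account does not exist. */
int resolve_login(const char *requested, int pam_authenticated,
                  const char *template_user, struct login_ctx *ctx)
{
    memset(ctx, 0, sizeof *ctx);
    snprintf(ctx->requested, sizeof ctx->requested, "%s", requested);

    if (!pam_authenticated)
        return 0;                         /* PAM said no: nothing to map */

    const char *eff = pam_mapped_user(requested, template_user);
    struct passwd *pw = getpwnam(eff);    /* sshd still needs uid, home, shell */
    if (pw == NULL)
        return 0;                         /* template missing: fail closed */

    snprintf(ctx->effective, sizeof ctx->effective, "%s", pw->pw_name);
    ctx->uid = pw->pw_uid;
    ctx->valid = 1;
    return 1;
}

int main(void)
{
    struct login_ctx ctx;
    const char *who = "remote.user@example";   /* constructed non-local name */
    if (resolve_login(who, 1, TEMPLATE_USER, &ctx))
        printf("%s -> %s (uid %u)\n", ctx.requested, ctx.effective,
               (unsigned)ctx.uid);
    else
        printf("%s -> no usable local account, login rejected\n", who);
    return 0;
}
```

Run as-is the program will usually report a rejected login, because "sshtemplate" does not exist on the host; creating that account (a locked, nologin-shell template user) is exactly the setup step the reply says OpenSSH cannot perform on its own.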
