do_authentication() in auth1.c does not call start_pam() for invalid users, but auth_pam_password() calls do_pam_set_conv() before it checks user validity. This means pam_set_item() is called with a NULL pamh, and Linux PAM is unhappy and syslogs a complaint (see http://archives.neohapsis.com/archives/pam-list/2001-04/0111.html).
Created attachment 24: Fake username for invalid ssh protocol 1 users
Does the attached patch help?
It works for me - committing.
Why NOUSER? What is wrong with the user they specified? Why can't we do the full auth for the user - let PAM do its thing and then bail? This would allow users who use pam_unix's 'audit' flag (for example) to get accurate and consistent failed password logs across all daemons on a system. Then, if for some reason PAM still thinks they are perfectly valid (despite no /etc/passwd entry) *then* we kill it off. How does this sound? I'll propose a patch if required.
NOUSER hides disclosure of passwords from users who accidentally type their password into a login prompt. Please open another bug if you want to change the functionality.
Well, when a user types his/her password as a login name, it will probably appear in the log anyway (in a message generated by sshd itself: Feb 14 15:07:14 kunhuta sshd[17775]: Failed password for illegal user blabla from 127.0.0.1 port 2995). Nevertheless, the patch appears to solve the problem I reported.
Mass change of RESOLVED bugs to CLOSED