Bug 2877

Summary:	Setting pam_set_item(PAM_USER, value) not honoured in ssh PAM
Product:	Portable OpenSSH	Reporter:	Martin <bugs>
Component:	PAM support	Assignee:	Assigned to nobody <unassigned-bugs>
Status:	CLOSED WONTFIX
Severity:	enhancement	CC:	djm
Priority:	P5
Version:	7.7p1
Hardware:	Other
OS:	Linux

Description Martin 2018-06-12 19:05:21 AEST

My PAM module is user agnostic and knows about the authenticated user on success. It is not necessary or even appreciated to supply the username at login time and nss_ldap will take care of setting pwent on success. openssh however, does not honour the new username that is set using pam_set_item(PAM_USER, value) on success.

Comment 1 Martin 2018-06-12 21:09:40 AEST

To be more precise: with "not supplying username" at login time, I mean supplying a placeholder username that triggers the PAM module to initiate external authentication configured as sufficient.

Comment 2 Damien Miller 2018-06-13 11:25:50 AEST

OpenSSH doesn't support PAM changing the username used for authentication. We don't have any intention to change this, sorry.

Comment 3 Martin 2018-06-13 17:04:25 AEST

With all due respect, these are the first-page search results for 'openssh pam_set_item PAM_USER':

https://www.redhat.com/archives/pam-list/2009-January/msg00002.html
https://github.com/globus/gsi-openssh
https://lists.mindrot.org/pipermail/openssh-unix-dev/2002-August/015217.html
https://wiki.moonshot.ja.net/download/attachments/6881896/openssh-nulluser-6.7p1.patch?version=1&modificationDate=1487091061000&api=v2
https://unix.stackexchange.com/questions/362510/unable-to-smuggle-data-in-username-using-custom-pam-module-input-userauth-requ/362697#362697
https://opensc.github.io/pam_pkcs11/doc/pam_pkcs11.html

Reconsidering your decisions is not a shame.

And yes, I'm free to maintain a fork, I know ;)

Comment 4 Damien Miller 2021-04-23 14:53:13 AEST

closing resolved bugs as of 8.6p1 release