Mailing List Archive

[Bug 1215] sshd requires entry from getpwnam for PAM accounts
https://bugzilla.mindrot.org/show_bug.cgi?id=1215

Matt Joyce <matt.joyce@cloudscaling.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |matt.joyce@cloudscaling.com

--- Comment #13 from Matt Joyce <matt.joyce@cloudscaling.com> ---
So can we fix this?

It's been around causing damage for several years. And technically
OpenSSH is responsible for this bug breaking a ton of stuff for no
particularly good reason.

So... I've seen probably 20 or so proposed patches to address the
issue here. Can we just select one? Or allow people to selectively
remove the pwnam check in sshd_config?

This is very annoying. And the reality is working around this or
patching ssh willy-nilly is not an acceptable way for engineering
infrastructure.

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching the reporter of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

Damien Miller <djm@mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |djm@mindrot.org

--- Comment #14 from Damien Miller <djm@mindrot.org> ---
I've never seen the point in duplicating functionality already in nsswitch
and similar mechanisms just for PAM.

--- Comment #15 from Matt Joyce <matt.joyce@cloudscaling.com> ---
(In reply to comment #14)
> I've never seen the point in duplicating functionality already in
> nsswitch and similar mechanisms just for PAM.

Well, not everyone has a full POSIX data set in their authentication /
identity management backend. Also, not all of them have an NSS module.

I direct your attention to the 3000-some-odd emails on Google
pertaining to the PAM module for RADIUS and people who can no longer
use it without obscene workarounds.

In my case I am authenticating against a REST API in a cloud
environment so I can pass cloud API credentials to a VM for tight
integration to that API. I feel like that sort of authentication is
pretty likely to occur in a number of areas. And making the solution
portable has value.

Requiring patched ssh or an nss module that all but breaks the hell out
of getpwnam is pretty much terrible.

The way I see it, OpenSSH broke a bunch of stuff 6 years ago, has
received chronic complaints, and has basically ignored it. And that's
not very cool or responsible. This fix should never have gone in the
way it was written, and that speaks volumes as to the level of quality
control currently being held to.

--- Comment #16 from Tomas Mraz <t8m@centrum.cz> ---
Are you really talking about this bug? This never worked with OpenSSH
afaik.

--- Comment #17 from Matt Joyce <matt.joyce@cloudscaling.com> ---
I am talking about this bug. It is still an issue.

--- Comment #18 from Damien Miller <djm@mindrot.org> ---
It didn't break six years ago. It never worked from day one (i.e.
1999). This was largely by design, since I've never liked PAM's adding
an unnecessary layer of username indirection when better alternatives
(NSS) exist.

--- Comment #19 from Matt Joyce <matt.joyce@cloudscaling.com> ---
NSS is not a 'better alternative'.

It's not actually an alternative at all. It is in fact some other
thing entirely that is not PAM or OpenSSH. A thing that has no bearing
on the authentication chain as far as OpenSSH is concerned.
