Bugzilla – Bug 6839
enable PAM user switching in GSI-OpenSSH (for MyProxy-enabled PAM module)
Last modified: 2009-10-01 07:29:29
We've developed a LinuxPAM module which, in conjunction with a minor patch to
GSI-OpenSSH, allows a user to connect using *any* SSH-enabled client as long as
the user has previously uploaded a credential to a MyProxy server. The user
simply uses the username and password to this credential to gain access.
More details on the implementation are available here:
Feel free to contact me if you need any more information.
Thanks Kevin. I'll review the patch for inclusion in gsi_openssh_4.7.
Specifically the task is to integrate one of the patches from
into GSI-OpenSSH for PAM user switching, to allow Kevin's PAM module to switch
usernames according to local DN mappings.
I've updated the summary to reflect this.
Patches committed to CVS trunk:
* Merge to GPT branch.
* Send Kevin a pre-release to test.
Kevin, could you please try installing
and let me know if it works with KGSISSHD?
If you already have v4.6 installed, you'll need to do 'gpt-build -force' to
This version incorporates the PAM user switching patch.
I plan to release it as v4.7 once you give the OK.
Thanks, I'll build and test tomorrow or Monday.
(In reply to comment #5)
> Thanks, I'll build and test tomorrow or Monday.
Excellent. Be sure to set "PermitPAMUserChange yes" in
I had to do a couple of tweaks to get it to compile (see below) but otherwise -
it works fine, thanks!
servconf.c:402 needs a comma on the end of the line.
Can I also suggest the following change to monitor.c. When PAM changes the
username under control of the MyProxy PAM module, the name of the MyProxy
credential is visible in a 'ps' listing. This patch is a little rough, but will
hide the supplied credential name when PermitPAMUserChange is set to Yes (might
it be better to have a dedicated option for this e.g. HidePAMUserChange?).
setproctitle("%s [priv]", pwent ? "pam_chgd" : "unknown");
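A check for the 'ps' exposure described in the comment above, added here as an example (not part of the original comment or of GSI-OpenSSH): it scans `ps` output for sshd privileged-monitor titles whose name field is neither of the two values in the setproctitle() call. The function names and the sample listing are constructed for illustration; it assumes the masking change is applied, so any other name in a "[priv]" title is treated as exposed.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,args` output; PIDs and names are made up.
sample_ps() {
cat <<'EOF'
  PID COMMAND
 2101 /usr/sbin/sshd
 2214 sshd: pam_chgd [priv]
 2215 sshd: alice@pts/0
 2330 sshd: unknown [priv]
 2412 sshd: example-cred [priv]
EOF
}

# Read `ps -eo pid,args` lines on stdin and print "PID NAME" for each
# sshd monitor title of the form "sshd: NAME [priv]" where NAME is not
# one of the masked values ("pam_chgd" or "unknown").
find_exposed_titles() {
    awk '
        NF == 4 && $2 == "sshd:" && $NF == "[priv]" {
            if ($3 != "pam_chgd" && $3 != "unknown") print $1, $3
        }'
}

# Against the constructed sample; on a live host use:
#   ps -eo pid,args | find_exposed_titles
sample_ps | find_exposed_titles
```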
Thanks Kevin. I committed the changes to CVS:
I'll release v4.7 next week.
GSI-OpenSSH 4.7 released today.
I've tested the release on RH4, 64 bit - works like a charm ;-)
Excellent. Thanks Kevin for the confirmation.