Bug 6839 - enable PAM user switching in GSI-OpenSSH (for MyProxy-enabled PAM module)
: 4.2.0
: All All
: P3 enhancement
: ---
Assigned To:
: http://wiki.ngs.ac.uk/index.php?title...
Reported: 2009-08-18 03:54 by
Modified: 2009-10-01 07:29 (History)


Description From 2009-08-18 03:54:28

We've developed a LinuxPAM module which, in conjunction with a minor patch to
GSI-OpenSSH, allows a user to connect using *any* SSH-enabled client as long as
the user has previously uploaded a credential to a MyProxy server. The user
simply uses the username and password to this credential to gain access.

More details on the implementation are available here:


Feel free to contact me if you need any more information.

Kind Regards

Kevin Haines
------- Comment #1 From 2009-08-18 08:54:35 -------
Thanks Kevin. I'll review the patch for inclusion in gsi_openssh_4.7.
------- Comment #2 From 2009-08-18 09:08:05 -------
Specifically the task is to integrate one of the patches from
into GSI-OpenSSH for PAM user switching, to allow Kevin's PAM module to switch
usernames according to local DN mappings.

I've updated the summary to reflect this.
------- Comment #3 From 2009-08-19 15:08:29 -------
Patches committed to CVS trunk:

Next steps:
* Merge to GPT branch.
* Send Kevin a pre-release to test.
------- Comment #4 From 2009-08-31 15:00:21 -------
Kevin, could you please try installing
and let me know if it works with KGSISSHD?
If you already have v4.6 installed, you'll need to do 'gpt-build -force' to
This version incorporates the PAM user switching patch.
I plan to release it as v4.7 once you give the OK.
Thanks. -Jim
------- Comment #5 From 2009-09-03 08:17:19 -------
Hi Jim,

Thanks, I'll build and test tomorrow or Monday.


------- Comment #6 From 2009-09-03 09:02:32 -------
(In reply to comment #5)
> Thanks, I'll build and test tomorrow or Monday.

Excellent. Be sure to set "PermitPAMUserChange yes" in
------- Comment #7 From 2009-09-04 09:24:14 -------
Hi Jim,

I had to do a couple of tweaks to get it to compile (see below) but otherwise -
it works fine, thanks!



servconf.c:402 needs a comma on the end of the line.

gss-serv.c:556: Add:
int ret;

Can I also suggest the following change to monitor.c. When PAM changes the
username under control of the MyProxy PAM module, the name of the MyProxy
credential is visible in a 'ps' listing. This patch is a little rough, but will
hide the supplied credential name when PermitPAMUserChange is set to Yes (might
it be better to have a dedicated option for this e.g. HidePAMUserChange?).

#ifdef USE_PAM
        if (options.permit_pam_user_change)
                setproctitle("%s [priv]", pwent ? "pam_chgd" : "unknown");
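
A check an administrator could run for the exposure described in comment #7, as an added example that is not part of the bug report or of GSI-OpenSSH: it scans `ps`-style output for sshd privileged-monitor titles and reports names that are not local accounts. The account names, PIDs and listings are constructed, and treating a non-local name as an exposed credential name is an assumption.

```python
import re

# sshd's privileged monitor appears in ps as "sshd: <name> [priv]".
PRIV_TITLE = re.compile(r"^\s*(\d+)\s+sshd:\s+(\S+)\s+\[priv\]\s*$")
# Fixed strings from the setproctitle() call in comment #7; they reveal nothing.
PLACEHOLDERS = {"pam_chgd", "unknown"}

# Constructed sample data (not taken from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74::/var/empty/sshd:/sbin/nologin
ngs0042:x:5042:500::/home/ngs0042:/bin/bash
"""
SAMPLE_PS = """\
 2211 /usr/sbin/sshd
 4810 sshd: ngs0042 [priv]
 4812 sshd: ngs0042@pts/3
 5120 sshd: kh_myproxy_cred [priv]
 5340 sshd: pam_chgd [priv]
 5391 sshd: unknown [priv]
"""


def local_accounts(passwd_text):
    """Return the login names found in passwd(5)-formatted text."""
    names = set()
    for line in passwd_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.split(":", 1)[0])
    return names


def exposed_names(ps_text, accounts):
    """Return (pid, name) for each [priv] title whose name is neither a
    local account nor a placeholder (assumed: a pre-switch credential name)."""
    hits = []
    for line in ps_text.splitlines():
        m = PRIV_TITLE.match(line)
        if not m:
            continue  # listener, post-auth "user@pts/N" child, or another process
        pid, name = int(m.group(1)), m.group(2)
        if name not in PLACEHOLDERS and name not in accounts:
            hits.append((pid, name))
    return hits


if __name__ == "__main__":
    for pid, name in exposed_names(SAMPLE_PS, local_accounts(SAMPLE_PASSWD)):
        print(f"pid {pid}: process title exposes non-local name {name!r}")
```

On a live host the two inputs would be the output of `ps -eo pid=,args=` and the contents of `/etc/passwd` (or `getent passwd` where accounts come from a directory service).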
------- Comment #9 From 2009-09-11 10:17:29 -------
GSI-OpenSSH 4.7 released today.
------- Comment #10 From 2009-10-01 01:56:59 -------
Hi Jim,

I've tested the release on RH4, 64 bit - works like a charm ;-)

Many thanks

Kevin Haines
------- Comment #11 From 2009-10-01 07:29:29 -------
Excellent. Thanks Kevin for the confirmation.