Failure to use dropbear with PAM
matt at ucc.asn.au
Thu Aug 21 21:28:09 WST 2014
On Wed, Aug 20, 2014 at 01:25:21PM +0000, DELOGET, Emmanuel wrote:
> Yet in my use case I have to authenticate users whose login/password information is stored in a distant database. Everytime I try to log in with such a user, dropear answers me that the user is unknown - and that's true : the user is unknown, because the whole point is to not have him/her in /etc/passwd but on a distant database.
> That's where things break : dropbear seems to assume that the user must be known on the system where it runs - that's one of the purpose of checkusername() in svr-auth.c. If the user is not found in /etc/passwd then it's not a valid user and login fails.
Is this a normal Unix type system or something more
embedded? From what I've seen the normal approach for remote
DB auth (LDAP etc) is to have nsswitch.conf set up to know
about the users, then optionally a PAM module if there isn't
a straightforward mapping to Unix password crypts. Would
that work for your situation? The benefit there is that all
programs know about the user using the standard user APIs.
Dropbear's PAM currently only allows username/password,
though there's a dev branch that should allow kind of
authentication conversation. It doesn't handle user
remapping though since that seems out of PAM's scope. Note
that the branch also needs some attention in terms of setting up PAM
login sessions properly.
More information about the Dropbear