Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
diff --git a/auth-pam.c b/auth-pam.c
index 8323821..b7a750d 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -522,6 +522,12 @@ sshpam_thread(void *ctxtp)
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
+ // set user to root otherwise account/session management
+ // fails in case radius is used to authenticate
+ sshpam_err = pam_set_item(sshpam_handle, PAM_USER, "root");
+ if (sshpam_err != PAM_SUCCESS)
+ goto auth_fail;
+
if (!do_pam_account()) {
sshpam_err = PAM_ACCT_EXPIRED;
goto auth_fail;
@@ -1090,6 +1096,11 @@ do_pam_setcred(int init)
pam_strerror(sshpam_handle, sshpam_err));
if (init) {
debug("PAM: establishing credentials");
+ // credential might not be present in case radius is used
+ // so, set user to root
+ sshpam_err = pam_set_item(sshpam_handle, PAM_USER, "root");
+ if (sshpam_err != PAM_SUCCESS)
+ debug("PAM: could not set user to root");
sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED);
} else {
debug("PAM: reinitializing credentials");
diff --git a/monitor.c b/monitor.c
index 4cf79df..8875890 100644
--- a/monitor.c
+++ b/monitor.c
@@ -723,6 +723,10 @@
pwent = getpwnamallow(ssh, authctxt->user);
+ // to allow fall back to radius if local account is not present
+ if (!pwent)
+ pwent = getpwnamallow(ssh, "root");
+
setproctitle("%s [priv]", pwent ? authctxt->user : "unknown");
sshbuf_reset(m);