-
Fallback to Radius authentication if local user is not present, but in that case, the user will be logged in as root. Change-Id: I0d9030f04bc0acfdf24d0403127c97935a5c7607
Fallback to Radius authentication if local user is not present, but in that case, the user will be logged in as root. Change-Id: I0d9030f04bc0acfdf24d0403127c97935a5c7607
0001_allow_non_local_users_ssh.patch 1.36 KiB
diff --git a/auth-pam.c b/auth-pam.c
index 8323821..b7a750d 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -522,6 +522,12 @@ sshpam_thread(void *ctxtp)
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
+ // set user to root otherwise account/session management
+ // fails in case radius is used to authenticate
+ sshpam_err = pam_set_item(sshpam_handle, PAM_USER, "root");
+ if (sshpam_err != PAM_SUCCESS)
+ goto auth_fail;
+
if (!do_pam_account()) {
sshpam_err = PAM_ACCT_EXPIRED;
goto auth_fail;
@@ -1090,6 +1096,11 @@ do_pam_setcred(int init)
pam_strerror(sshpam_handle, sshpam_err));
if (init) {
debug("PAM: establishing credentials");
+ // credential might not be present in case radius is used
+ // so, set user to root
+ sshpam_err = pam_set_item(sshpam_handle, PAM_USER, "root");
+ if (sshpam_err != PAM_SUCCESS)
+ debug("PAM: could not set user to root");
sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED);
} else {
debug("PAM: reinitializing credentials");
diff --git a/monitor.c b/monitor.c
index 4cf79df..8875890 100644
--- a/monitor.c
+++ b/monitor.c
@@ -723,6 +723,10 @@
pwent = getpwnamallow(ssh, authctxt->user);
+ // to allow fall back to radius if local account is not present
+ if (!pwent)
+ pwent = getpwnamallow(ssh, "root");
+
setproctitle("%s [priv]", pwent ? authctxt->user : "unknown");
sshbuf_reset(m);