On Wed, Aug 20, 2014 at 01:25:21PM +0000, DELOGET, Emmanuel wrote: > Hello, > > Yet in my use case I have to authenticate users whose login/password > information is stored in a distant database. Everytime I try to log in with > such a user, dropear answers me that the user is unknown - and that's true : > the user is unknown, because the whole point is to not have him/her in > /etc/passwd but on a distant database. > > That's where things break : dropbear seems to assume that the user must be > known on the system where it runs - that's one of the purpose of > checkusername() in svr-auth.c. If the user is not found in /etc/passwd then > it's not a valid user and login fails.
Hi Emmanuel, Is this a normal Unix type system or something more embedded? From what I've seen the normal approach for remote DB auth (LDAP etc) is to have nsswitch.conf set up to know about the users, then optionally a PAM module if there isn't a straightforward mapping to Unix password crypts. Would that work for your situation? The benefit there is that all programs know about the user using the standard user APIs. Dropbear's PAM currently only allows username/password, though there's a dev branch that should allow kind of authentication conversation. It doesn't handle user remapping though since that seems out of PAM's scope. Note that the branch also needs some attention in terms of setting up PAM login sessions properly. Cheers, Matt
