mina-dev mailing list archives

From Guillaume Nodet <gno...@gmail.com>
Subject Re: Apache SSHD Query
Date Mon, 08 Feb 2010 19:42:40 GMT
I suppose you've configured your sshd server to launch a unix shell
such as the sh one.
This means when you run the whoami command, this unix executable will
return the current unix user.
Unfortunately, sshd is not integrated with the unix security layer at
this point, so the user will be the
one that launched the sshd server and not the user of the ssh session.

For sshd to be fully integrated, we need to use the unix PAM
mechanism.  There is a maven module which
has been started some time ago which contains a basic authenticator
using PAM, which means that user
authentication can actually be delegated to the unix system.
Unfortunately this integration is not complete
and the shell is not started with the proper credentials, so that even
in this case, whoami would still
return the user that started the sshd process (I think).
The problem is that I haven't found any Java PAM library which is
Apache license compatible and sufficiently
low level to allow the full integration we need.

So if you really want to behave like a real sshd server, we need to
  * find/write a better PAM library (or enhance the existing one)
  * write a PAM shell factory that would log in with the PAM API and
start the correct shell

Hope this helps.

On Mon, Feb 8, 2010 at 17:49,  <prashant.ghotikar@nomura.com> wrote:
> Hi,
> I am using the Apache MINA SSHD code. I am able to start the sshd server. I
> have one query.
> I am starting the server using a user, say "xyz".
> I have added my authentication mechanism. Now a user, say "abc",
> logs in successfully on the sshd server.
> When I type whoami, it gives me "xyz" (the user which is used to
> start the sshd server) rather than "abc", the actual user.
> Can anybody help me with this? Any help will be appreciated.
> Thanks
> Prashant

Guillaume Nodet
Blog: http://gnodet.blogspot.com/
Open Source SOA
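
Added example, not part of the original messages and not Apache SSHD code: a POSIX C sketch of the behaviour discussed in the thread. A child process keeps the uid of the server that spawned it, and starting the shell as the session user needs an explicit credential switch, which only a privileged server is allowed to make. The function names `become_user` and `uid_seen_by_child` are made up for this illustration, and the PAM login step itself is not shown.

```c
#define _DEFAULT_SOURCE            /* for initgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Switch the calling process to the account in pw. Groups first, uid last:
   once the uid is dropped the process may no longer change its groups. */
int become_user(const struct passwd *pw) {
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0) return -1; /* drop must be final */
    return 0;
}

/* Fork a child the way a server spawns a shell and return the euid it ends up
   with, or -1 if the switch was refused. target == NULL is the case from the
   thread: no credential switch, so the child keeps the server's user. */
long uid_seen_by_child(const struct passwd *target) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                              /* child: the future shell */
        long uid;
        close(fds[0]);
        if (target != NULL && become_user(target) != 0) _exit(1);
        uid = (long)geteuid();  /* what whoami resolves; a server would exec the shell here */
        _exit(write(fds[1], &uid, sizeof uid) == (ssize_t)sizeof uid ? 0 : 1);
    }
    long uid = -1;
    close(fds[1]);
    if (read(fds[0], &uid, sizeof uid) != (ssize_t)sizeof uid) uid = -1;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return uid;
}

int main(int argc, char **argv) {                /* optional arg: session user */
    struct passwd *pw = argc > 1 ? getpwnam(argv[1]) : NULL;
    printf("server euid:          %ld\n", (long)geteuid());
    printf("child, no switch:     %ld\n", uid_seen_by_child(NULL));
    if (pw != NULL)
        printf("child, switched to %s: %ld\n", argv[1], uid_seen_by_child(pw));
    return 0;
}
```

Run without root, the switched case prints -1 because the kernel refuses the group and uid change; run as root with an existing account name, it prints that account's uid.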
