On Thu, Feb 13, 2025 at 05:45:47PM +0100, Marco Trevisan wrote:
> From: Marco Trevisan (Treviño) <mail@xxxxxxxxx>
>
> PAM modules can change the user during their execution; in such a case ssh
> would still use the user that has been provided, potentially giving
> access to another user with the credentials of another one.
>
> So prevent this from happening by ensuring that the final PAM user
> matches the one that initiated the transaction.
>
> See also: https://github.com/util-linux/util-linux/pull/3206

Note that linux-pam provides a module called pam_canonicalize_user with the
following description:

    This PAM module uses the name of the user obtained via pam_get_user(3)
    as a key to query the password database, and replaces PAM_USER with
    the pw_name value that has been returned.