I am writing an ssh module that gets a username and password from an ssh user, authenticates them with a remote server, and then remaps every remote user to the same local user using pam_set_item. I have a pam_module that does all of it.
But, the sshd still calls getpwnam for the original username (that is locally unknown), and fails the login.
What am I missing?
I ran across a mechanism to enable this behavior through a custom extension of libnss, https://github.com/donapieppo/libnss-ato - it will map all users to some predefined one. However, (1) you have to use some external authentication mechanism or your own pam module to do authentication, (2) all user management operations would not work while this mechanism is configured, (3) if you have more than one interactive login session there is no security between the sessions. It worked fine for me because I do not need interactive logins.
Also, if you change /etc/nsswitch you may need to reboot your system for it to take effect. The way around it is to install nscd and restart it together with sshd after nsswitch changes. It is an additional hassle but it simplifies debugging.
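
A way to check what sshd's getpwnam lookup will see after the NSS change, as an added example that is not part of the original post or of libnss-ato: it resolves two constructed, nonexistent usernames through NSS and reports whether both land on the same local uid, which is the shared-account situation from point (3). The function names and the `nssprobe` probe names are made up for this check.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve a name through NSS, the same path getpwnam() takes inside sshd.
 * Returns 1 and fills *uid if the name resolves, 0 if it is unknown. */
int nss_resolve(const char *name, uid_t *uid)
{
    struct passwd pw, *res = NULL;
    char buf[16384];

    if (getpwnam_r(name, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return 0;
    *uid = res->pw_uid;
    return 1;
}

/* Build a constructed probe name that should not exist as a real account. */
void make_probe_name(char *out, size_t len, int n)
{
    snprintf(out, len, "nssprobe%ld%c", (long)getpid(), 'a' + n % 26);
}

/* Returns 1 if two unrelated unknown names both resolve to the same uid,
 * meaning a catch-all mapping is active; *mapped is then that uid. */
int catch_all_active(uid_t *mapped)
{
    char a[64], b[64];
    uid_t ua, ub;

    make_probe_name(a, sizeof a, 0);
    make_probe_name(b, sizeof b, 1);
    if (!nss_resolve(a, &ua) || !nss_resolve(b, &ub) || ua != ub)
        return 0;
    *mapped = ua;
    return 1;
}

int main(void)
{
    uid_t uid;

    if (catch_all_active(&uid))
        printf("catch-all NSS mapping active: unknown names -> uid %ld\n", (long)uid);
    else
        printf("unknown names do not resolve; getpwnam() will fail for them\n");
    return 0;
}
```

Run it before and after the nsswitch change (and after restarting nscd, if installed) to see whether the lookup result has actually changed.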