In 1.2.1 there's:
passdb-pam.c:230    status = pam_get_item(pamh, PAM_USER, &item);
passdb-pam.c:237    auth_request_set_field(request, "user", item, NULL);
so "item" is PAM_USER, which is then checked by auth_request_set_field:
1022    if (strcmp(request->user, value) != 0) {
1023        auth_request_log_debug(request, "auth",
1024            "username changed %s -> %s",
1025            request->user, value);
that it hasn't changed.
You're not allowed to assume that PAM_USER doesn't change. See, for example, http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/adg-security-user-id..., to say nothing of the fact that Rutgers has PAM modules that do exactly that (change PAM_USER). This check needs to be relaxed (or, perhaps, if you want a config directive for DontComplyWithThePAMSpec = true, you can have a tunable). Can this be as simple as ditching the call to auth_request_set_field, or is there concern over interactions between PAM and other auth features?
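To make the two sides of this concrete, here is an added example (mine, not Dovecot's code and not from the post above) of a module that rewrites PAM_USER during pam_sm_authenticate, next to an application that handles the result both ways: the strict "name must not have changed" check described above, and the handling the PAM application developers' guide calls for, which re-reads PAM_USER after pam_authenticate() and logs in as whatever it now holds. The pam_start/pam_set_item/pam_get_item/pam_authenticate/pam_end functions here are hypothetical in-process stand-ins with libpam's names and argument order so the file builds without libpam; the alias table, stub_pam_sm_authenticate, run_login, last_user and the LOGIN_* codes are all assumed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for libpam (same names/argument order, NOT libpam):
 * no module stack, no config, only the PAM_USER item is modelled. */
#define PAM_SUCCESS    0
#define PAM_SYSTEM_ERR 4
#define PAM_AUTH_ERR   7
#define PAM_USER       2

typedef struct pam_handle { char *user; } pam_handle_t;

static int pam_start(const char *service, const char *user, pam_handle_t **out)
{
    (void)service;
    pam_handle_t *h = calloc(1, sizeof *h);
    if (h == NULL || (h->user = strdup(user)) == NULL) { free(h); return PAM_SYSTEM_ERR; }
    *out = h;
    return PAM_SUCCESS;
}

static int pam_set_item(pam_handle_t *h, int type, const void *item)
{
    if (type != PAM_USER) return PAM_SYSTEM_ERR;
    char *copy = strdup((const char *)item);
    if (copy == NULL) return PAM_SYSTEM_ERR;
    free(h->user);
    h->user = copy;
    return PAM_SUCCESS;
}

static int pam_get_item(const pam_handle_t *h, int type, const void **item)
{
    if (type != PAM_USER) return PAM_SYSTEM_ERR;
    *item = h->user;
    return PAM_SUCCESS;
}

static void pam_end(pam_handle_t *h) { free(h->user); free(h); }

/* Constructed alias table, standing in for a site module (the kind the post
 * mentions) that canonicalises the login name while authenticating. */
static const char *const aliases[][2] = {
    { "jsmith",     "jsmith@example.edu" },
    { "john.smith", "jsmith@example.edu" },
};

/* Module side: an alias authenticates, but PAM_USER is rewritten to the
 * canonical account; the application must re-read the item afterwards. */
static int stub_pam_sm_authenticate(pam_handle_t *h)
{
    const void *item;
    if (pam_get_item(h, PAM_USER, &item) != PAM_SUCCESS) return PAM_AUTH_ERR;
    const char *user = item;
    for (size_t i = 0; i < sizeof aliases / sizeof aliases[0]; i++)
        if (strcmp(user, aliases[i][0]) == 0)
            return pam_set_item(h, PAM_USER, aliases[i][1]);
    return strcmp(user, "jsmith@example.edu") == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
}

static int pam_authenticate(pam_handle_t *h, int flags)
{
    (void)flags;
    return stub_pam_sm_authenticate(h);
}

/* Application side. */
enum { LOGIN_OK = 0, LOGIN_FAILED = 1, LOGIN_USER_CHANGED = 2 };
static char last_user[128];   /* account adopted by the last successful run_login() */

/* allow_rename == 0: reject when PAM_USER differs from the name given to
 * pam_start (the strict check the post objects to).
 * allow_rename != 0: adopt PAM_USER as re-read after pam_authenticate(),
 * which is what the PAM application developers' guide requires. */
static int run_login(const char *requested, int allow_rename)
{
    pam_handle_t *h;
    const void *item;
    int rc = LOGIN_FAILED;

    last_user[0] = '\0';
    if (pam_start("dovecot", requested, &h) != PAM_SUCCESS) return LOGIN_FAILED;
    if (pam_authenticate(h, 0) == PAM_SUCCESS &&
        pam_get_item(h, PAM_USER, &item) == PAM_SUCCESS) {
        const char *final = item;
        if (!allow_rename && strcmp(requested, final) != 0) {
            rc = LOGIN_USER_CHANGED;
        } else {
            snprintf(last_user, sizeof last_user, "%s", final);
            rc = LOGIN_OK;
        }
    }
    pam_end(h);
    return rc;
}

int main(void)
{
    static const char *const names[] = { "jsmith", "john.smith", "jsmith@example.edu", "nobody" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int strict = run_login(names[i], 0), compliant = run_login(names[i], 1);
        printf("%-20s strict=%d compliant=%d -> %s\n", names[i], strict, compliant,
               compliant == LOGIN_OK ? last_user : "(rejected)");
    }
    return 0;
}
```

The strict path turns a perfectly good authentication of "jsmith" into a failure purely because the module canonicalised the name; the compliant path logs the same user in as jsmith@example.edu, which is the account PAM actually authenticated. Anything downstream that keys on the username (mail location, quota, ACLs) should be fed the re-read PAM_USER, not the name the client typed.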