
Re: OpenSSH with PAM and Tacacs+/Radius authentication

On Wed, 18 Jul 2001, Shila Ofek wrote:

> Hi,
> I'm working with FreeBSD 4.3, with the OpenSSH which supports PAM.
> What I need to do is the following:
> When the SSH user authentication is a password authentication, I want to
> authenticate through PAM.  The reason for that is that I want to
> authenticate through TACACS+ and Radius servers.
> Users that authenticate through these servers are identified in the local
> OS as the template user that was specified in pam.conf.
> Now to the actual problem..
> The code of the OpenSSH daemon first looks for the user in the passwd files.
> In case the user is a TACACS/Radius user, he is not found there, of
> course.  If the user is not found, the authentication with PAM is not called
> at all!  This is a problem.  The code in SSH should work similarly to that
> in the login program, where after the authentication takes place, the
> template user is looked up in the master.passwd file.
> Does anyone know of a patch for this, or any other solution?

OpenSSH uses the standard getpw...() routines to look up account
information. If you want to use an alternate store of account information,
you should use an alternate set of getpw... routines (e.g. nsswitch).


| Damien Miller <djm@mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org          /   distributed filesystem'' - Dan Geer
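
The two lookup orders discussed in this thread, as an added example (not code from OpenSSH, login, or either poster): a name is first resolved through getpw*(), and only a name that has already authenticated remotely may fall back to the template account. The function names, the remote_auth_ok flag (standing in for the PAM TACACS+/RADIUS result), the "nobody" template, and the sample login names are assumptions.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

enum acct { ACCT_LOCAL, ACCT_TEMPLATE, ACCT_UNKNOWN };

/* Return 1 if `name` resolves through the system getpw*() routines. */
static int in_passwd(const char *name)
{
    struct passwd pw, *res = NULL;
    char buf[4096];
    return getpwnam_r(name, &pw, buf, sizeof buf, &res) == 0 && res != NULL;
}

/*
 * Map a login name to the local account the session would run as.
 * remote_auth_ok is an assumption: the caller passes in the result of
 * PAM authentication against TACACS+/RADIUS; it is not computed here.
 */
enum acct resolve_account(const char *login, const char *template_user,
                          int remote_auth_ok, char *local, size_t len)
{
    const char *pick = NULL;
    enum acct kind = ACCT_UNKNOWN;

    if (in_passwd(login)) {
        pick = login; kind = ACCT_LOCAL;
    } else if (remote_auth_ok && template_user && in_passwd(template_user)) {
        /* Fall back to the template only after authentication succeeded. */
        pick = template_user; kind = ACCT_TEMPLATE;
    }
    if (pick == NULL || strlen(pick) >= len)
        return ACCT_UNKNOWN;
    strcpy(local, pick);
    return kind;
}

int main(void)
{
    /* Constructed sample names; "nobody" is an assumed template account. */
    static const char *names[] = { "root", "tacacs-only-user" };
    char local[64];
    for (size_t i = 0; i < 2; i++) {
        enum acct k = resolve_account(names[i], "nobody", 1, local, sizeof local);
        printf("%s: getpw lookup %s, session account %s\n", names[i],
               in_passwd(names[i]) ? "succeeds" : "fails",
               k == ACCT_UNKNOWN ? "(none)" : local);
    }
    return 0;
}
```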
