
Re: OpenSSH with PAM and Tacacs+/Radius authentication

I do not want an alternate store of account information. I want the logic of the login procedure in OpenSSH to be like that of login. Meaning, I want authentication to be done first, and after that (the Radius and Tacacs libraries replace the user with the template user) I want SSH to perform the getpw with the new user.
What I'm looking for are patches to this code, or alternate solutions that work right, because the current implementation doesn't allow the proper use of PAM authorization with pam_tacacs and pam_radius; it only allows use of authentication with pam_unix, and for that I don't need PAM.


From: Damien Miller <djm@mindrot.org>
Reply-To: pam-list@redhat.com
To: <pam-list@redhat.com>
Subject: Re: OpenSSH with PAM and Tacacs+/Radius authentication
Date: Wed, 18 Jul 2001 17:01:17 +1000 (EST)

On Wed, 18 Jul 2001, Shila Ofek wrote:

> Hi,
> I'm working with FreeBSD 4.3, with the OpenSSH which supports PAM.
> What I need to do is the following:
> When the SSH user authentication is a password authentication, I want to
> authenticate through PAM. The reason for that is that I want to
> authenticate through TACACS+ and Radius servers.
> Users that authenticate through these servers are identified in the local
> OS as the template user that was specified in pam.conf.
> Now to the actual problem...
> The code of the OpenSSH daemon first looks for the user in the passwd files.
> In case the user is a TACACS/Radius user, he is not found there, of
> course. If the user is not found, the authentication with PAM is not called
> at all! This is a problem. The code in SSH should work similarly to that
> in the login program, where after the authentication takes place, the
> template user is looked up in the master.passwd file.
> Does anyone know of a patch for this, or any other solution?

OpenSSH uses the standard getpw...() routines to look up account
information. If you want to use an alternate store of account information,
you should use an alternate set of getpw... routines (e.g. nsswitch).


| Damien Miller <djm@mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org          /   distributed filesystem'' - Dan Geer

