Re: OpenSSH with PAM and Tacacs+/Radius authentication

I do not want an alternate store of account information.  I want the logic
of the login procedure in OpenSSH to be like that of login.  Meaning, I want
authentication to be done first, and after that (the Radius and Tacacs
libraries replace the user with the template user) I want SSH to perform
the getpw with the new user.
What I'm looking for are patches to this code, or alternate solutions that
work right, because the current implementation doesn't allow the proper use
of PAM authorization with pam_tacacs and pam_radius; it only allows use of
authentication with pam_unix, and for that I don't need PAM.

Thanks.


>From: Damien Miller <djm@mindrot.org>
>Reply-To: pam-list@redhat.com
>To: <pam-list@redhat.com>
>Subject: Re: OpenSSH with PAM and Tacacs+/Radius authentication
>Date: Wed, 18 Jul 2001 17:01:17 +1000 (EST)
>
>On Wed, 18 Jul 2001, Shila Ofek wrote:
>
> > Hi,
> > I'm working with FreeBSD 4.3, with the OpenSSH which supports PAM.
> > What I need to do is the following:
> > When the SSH user authentication is a password authentication, I want to
> > authenticate through PAM.  The reason for that is that I want to
> > authenticate through TACACS+ and Radius servers.
> > Users that authenticate through these servers are identified in the local
> > OS as the template user that was specified in pam.conf.
> > Now to the actual problem..
> > The code of the OpenSSH daemon first looks for the user in the passwd files.
> > In case the user is a TACACS/Radius user, he is not found there, of
> > course.  If the user is not found, the authentication with PAM is not called
> > at all!  This is a problem.  The code in SSH should work similarly to that
> > in the login program, where after the authentication takes place, the
> > template user is looked up in the master.passwd file.
> > Does anyone know of a patch for this, or any other solution?
>
>OpenSSH uses the standard getpw...() routines to look up account
>information. If you want to use an alternate store of account information,
>you should use an alternate set of getpw... routines (e.g. nssswitch).
>
>-d
>
>--
>| Damien Miller <djm@mindrot.org> \ ``E-mail attachments are the poor man's
>| http://www.mindrot.org          /   distributed filesystem'' - Dan Geer
>
>
>
>_______________________________________________
>
>Pam-list@redhat.com
>https://listman.redhat.com/mailman/listinfo/pam-list
