While I realize that 4.0 has PAM'ified SSH, I was wondering if anyone was
planning to extend this in the manner that telnet/rlogin have been.

>From /etc/pam.d/login:
auth sufficient pam_tacplus.so try_first_pass template_user=staffer

Basically this'll grab the "staffer" account and use it as the basis for
other arbitrary users who have been authenticated by TACACS.

Very handy at an ISP where you may wish to allow or disallow access to
many servers to a large number of individuals who tend to come and go.
The people who don't _really_ need to access the machines on a daily basis
just get a TACACS login and they get to live with the "template" user's
dotfiles etc.

Unfortunately, sshd does some explicit checks with getpwnam() that cause
ssh connectins to fail if the user is not in /etc/passwd, and there are
probably other issues as well.  Any ssh hackers looking at this, by any
... Joe

Joe Greco - Systems Administrator                             [EMAIL PROTECTED]
Solaria Public Access UNIX - Milwaukee, WI                         414/342-4847

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to