Johan Rydberg wrote:
> It seems that OpenSSH first tries to authenticate the user with an
> empty password (""), because if I set an empty password both in the
> local /etc/passwd, and on the RADIUS server, sshd is able to establish
> credentials for the user.

PAM does weird things. OpenSSH does weird things.

See bugs.freeradius.org. There are a number of issues relating to the PAM module, including patches that may help here. I recall something related to "try_first_pass".

I haven't spent much time looking at PAM recently. All I recall from using it a few years ago is that I spent a LOT of time fighting with it, and had great difficulty trying to make it do anything. The complete and total lack of debugging information helped, too.

> PAM: pam_setcred(): Authentication service cannot retrieve user credentials

That likely means that the user doesn't have a UID/GID/etc in /etc/passwd. The PAM RADIUS module doesn't set UID or GID. I tried to see if it was possible, and was told:

a) No, it wasn't possible
b) Yes, it was possible, and it was documented
c) Yes, it was possible, but only the PAM authors knew how to make it work

Getting conflicting answers from the same set of people made me unsubscribe from the PAM list. :(

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

