On 8/1/06, Gary Schlachter <[EMAIL PROTECTED]> wrote:
Thank you for your reply. The PAM is getting called, which in turn contacts the TACACS server. However, my problem is that OpenSSH is authenticating the user against /etc/passwd instead of letting the user be authenticated by the TACACS server. I am looking for a way to configure SSH to stop the /etc/passwd authentication. When the user is in /etc/passwd but does not have a local password and is defined on the TACACS server, TACACS authenticates the user correctly. I am looking for a way to not have to configure the same user id on both the TACACS server and the local system.
I am using PAM with RADIUS server auth, so we should have a similar setup. This is all I have in /etc/pam.conf (Solaris) for sshd, so that it uses only the one pam_radius module and no other PAM libraries:

    sshd auth required pam_radius_auth.so debug

You may be using other PAM libraries, especially the library that talks to /etc/passwd.
BTW, I am the PAM developer.

Thanks,
Gary

Asif Iqbal wrote:
> On 7/27/06, Gary Schlachter <[EMAIL PROTECTED]> wrote:
>> I know this question has been asked several times over the years
>> but I have not seen a definitive answer/solution if one exists. If one
>> does not exist or I need to develop one, then I can stop looking! I am
>> attempting to integrate a Tacacs+ PAM with OpenSSH. I would like to
>> have the PAM authenticate the User ID as well as the password. Thus the
>> users do not exist in /etc/passwd. I am not using NIS or any other
>> system for user ids. The Tacacs server is the only place the user ids
>> exist. Ultimately, when the user authenticates via Tacacs, I will switch
>> the user to a known user in /etc/passwd and provide the logging-in user
>> with a specific TTY interface via the shell. When attempting this on
>> Linux with OpenSSH 4.3p2 compiled with --with-pam and seemingly the
>> correct sshd_config options, I received the infamous
>
> This is how I test:
>
> Make sure ldd on sshd shows the pam library in the list.
>
> Modify the sshd_config file with the following two parameters:
>
> SyslogFacility AUTH
> LogLevel DEBUG
>
> Restart OpenSSH.
>
> touch a file /var/log/sshd.log.
>
> Modify the syslog.conf with auth.debug pointing to /var/log/sshd.log and
> restart syslog.
>
> Now ssh with your tacacs account and see if your tacacs server is
> receiving any connection logs from you, as well as your
> /var/log/sshd.log file.
>
> If all fails I would ask the tacacs pam module developer about the issue.
>
>> Thanks in advance,
>> Gary
-- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
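The following is an added example, not code posted by anyone in this thread. It is a POSIX shell script that checks the two things the discussion turns on: whether the sshd PAM stack (Solaris pam.conf format, as in Asif's reply) still contains a pam_unix* module that consults the local password file, and whether sshd_config carries the SyslogFacility/LogLevel debug settings Asif suggests. It also checks whether a username resolves through the system account database, because sshd looks every login name up with getpwnam() before PAM runs and rejects names that do not resolve, which is why a PAM-only user store is not sufficient on its own. The pam.conf and sshd_config contents are constructed samples embedded in the script; the test username is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread).  Diagnostics for an sshd + PAM setup:
# does the sshd auth stack still touch the local password file, and is sshd
# logging at DEBUG to the AUTH facility?  All file contents are constructed.

# Constructed Solaris-style pam.conf: the pam_radius line from the thread plus
# a leftover pam_unix entry that would still authenticate against /etc/passwd.
SAMPLE_PAM_CONF='sshd auth required pam_radius_auth.so debug
sshd auth required pam_unix_auth.so.1
sshd account required pam_unix_account.so.1
other auth required pam_unix_auth.so.1'

# Constructed sshd_config fragment using the two settings from the thread.
SAMPLE_SSHD_CONFIG='# sshd_config
Port 22
SyslogFacility AUTH
LogLevel DEBUG'

# Print the "auth" entries for the sshd service from pam.conf text ($1).
# Solaris pam.conf fields: service type control module [options].
sshd_auth_stack() {
    printf '%s\n' "$1" | awk '$1 == "sshd" && $2 == "auth" { print }'
}

# Exit 0 if the sshd auth stack still contains a pam_unix* module, i.e. one
# that authenticates against the local password database (pam_unix_auth.so.1
# on Solaris, pam_unix.so on Linux).
stack_uses_local_passwd() {
    sshd_auth_stack "$1" | grep -q 'pam_unix'
}

# Print the effective LogLevel from sshd_config text ($1).  Keywords are
# case-insensitive in sshd_config; comments are skipped; default is INFO.
sshd_loglevel() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        tolower($1) == "loglevel" { lvl = toupper($2) }
        END { print (lvl == "" ? "INFO" : lvl) }'
}

# Print the effective SyslogFacility from sshd_config text ($1); default AUTH.
sshd_syslog_facility() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        tolower($1) == "syslogfacility" { fac = toupper($2) }
        END { print (fac == "" ? "AUTH" : fac) }'
}

# Exit 0 if the username resolves through the system account database (NSS).
# sshd calls getpwnam() on the login name before authentication; a name that
# does not resolve is rejected no matter what the PAM stack would say.
user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Stand-alone run: report on the constructed samples.
if stack_uses_local_passwd "$SAMPLE_PAM_CONF"; then
    echo "sshd auth stack still consults the local password file:"
    sshd_auth_stack "$SAMPLE_PAM_CONF" | grep 'pam_unix'
fi
echo "sshd_config: SyslogFacility=$(sshd_syslog_facility "$SAMPLE_SSHD_CONFIG") LogLevel=$(sshd_loglevel "$SAMPLE_SSHD_CONFIG")"
```

To use it against a real host, replace the sample strings with `"$(cat /etc/pam.conf)"` and `"$(cat /etc/ssh/sshd_config)"` (Linux systems using /etc/pam.d/sshd drop the leading service field, so the awk field numbers shift by one there).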
