badpw[] = "\b\n\r\177INCORRECT"

Darren Tucker dtucker at zip.com.au
Wed Feb 1 00:01:49 EST 2006


On Tue, Jan 31, 2006 at 11:22:38AM -0000, Le Gal Philippe wrote:
> Thank you for your prompt answer Darren,
> 
> Unfortunately, it seems that nss_radius project looks like a dead-end
> as I can't find any module already written for it. I'm failty new to
> all this and I don't want to spend my time writing a nss_radius module.
> 
> Do you know if such a module exists somewhere ?

Sorry, no.  I've seen references to it but not the code itself.  It may
not be publicly available (if it even exists).

The other alternative is to modify sshd so that it does not require the
user to be resolvable via getpwnam() (ie the "invalid user" check and
still attempts to authenticate the user anyway.  If you do this you will
need to figure out how you'll map the RADIUS user to a Unix uid (all to
one uid, from the RADIUS DV, generated on the fly, or some other scheme).

Yhe things to watch for are a) which uid do you use for, eg, public-key
authentication checks since you don't know a Unix uid for the user in
question during authentication, and b) that (AFAIK) PAM_USER may change
at any point during the authentication process.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.




More information about the openssh-unix-dev mailing list