PAM Module:Openssh and Tacacs+ Question
TCPWave Customer Care
customercare at tcpwave.com
Thu Jul 1 05:05:56 EST 2010
Hi,
I am trying to get Openssh 5.5p1 to work with TACACS+. I have the TACACS
+ PAM module compiled on Ubuntu. I have compiled SSH --with-pam.
When the user is defined in /etc/passwd, the SSH authentication to the
TACACS+ server takes place successfully.
If I REMOVE the user from /etc/passwd OpenSSH sends a string called
INCORRECT to the TACACS+ server and it denies authentication.
I am trying not to have a local definition of the user in /etc/passwd.
I have the following lines in my /etc/pam.d/sshd
auth sufficient /lib/security/pam_tacplus.so debug server=x.x.x.x
secret=xxxxxx encrypt login=chap prompt=Enter_TACACS_Password: first_hit
auth required /lib/security/pam_unix_auth.so use_first_pass
I looked at the source code of openssh 5.5p1.
auth-pam.c has this:
badpw[] = "\b\n\r\177INCORRECT";
When the user is deleted from /etc/passwd SSH complains saying:
sshd: error: PAM: user not known to the underlying authentication module for illegal user **** from *****
sshd: Failed Keyboard-interactive/pam for invalid user ***** from ***** poer ***** sh2
sshd: PAM_SM_authenticate: called pam_tacplis v1.3.2
sshd: pam_SM_authenticate: user [******] obtained
sshd: tacacs_get_password: called --> debugging revealed that it sent "\b\n\r\177INCORRECT" to TACACS+
How can I make SSH use the pam_tacplus module and not look at /etc/passwd or LDAP?
http://sourceforge.net/projects/tacplus/ has the TACACS+ module source.
Thanks in advance.
Ajay
More information about the openssh-unix-dev
mailing list