PAM Module:Openssh and Tacacs+ Question

TCPWave Customer Care customercare at
Thu Jul 1 05:05:56 EST 2010


I am trying to get Openssh 5.5p1 to work with TACACS+. I have the TACACS
+ PAM module compiled on Ubuntu. I have compiled SSH --with-pam.

When the user is defined in /etc/passwd, the SSH authentication to the
TACACS+ server takes place successfully.

If I REMOVE the user from /etc/passwd OpenSSH sends a string called
INCORRECT to the TACACS+ server and it denies authentication.

I am trying not to have a local definition of the user in /etc/passwd. 

I have the following lines in my /etc/pam.d/sshd

auth	sufficient	/lib/security/ debug server=x.x.x.x
secret=xxxxxx encrypt login=chap prompt=Enter_TACACS_Password: first_hit
auth	required	/lib/security/ use_first_pass

I looked at the source code of openssh 5.5p1.

auth-pam.c has this:
badpw[] = "\b\n\r\177INCORRECT";

When the user is deleted from /etc/passwd SSH complains saying:

sshd: error: PAM: user not known to the underlying authentication module for illegal user **** from *****
sshd: Failed Keyboard-interactive/pam for invalid user ***** from ***** poer ***** sh2
sshd: PAM_SM_authenticate: called pam_tacplis v1.3.2
sshd: pam_SM_authenticate: user [******] obtained
sshd: tacacs_get_password: called --> debugging revealed that it sent "\b\n\r\177INCORRECT" to TACACS+

How can I make SSH use the pam_tacplus module and not look at /etc/passwd or LDAP? has the TACACS+ module source.

Thanks in advance.


More information about the openssh-unix-dev mailing list