PAM Module:Openssh and Tacacs+ Question

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jul 1 07:41:58 EST 2010


On 06/30/2010 03:05 PM, TCPWave Customer Care wrote:
> I am trying to get Openssh 5.5p1 to work with TACACS+. I have the TACACS
> + PAM module compiled on Ubuntu. I have compiled SSH --with-pam.

I think you need to consider both PAM (for authentication) and the name
service switch (for directory lookup).

Is it possible that your system does not know about the user with the
given name?

For example, if you are trying to log in as "test0", does your system
have a numeric ID to associate with that user?

If not, ssh won't know how to switch to it.

Usually, if you don't want to add the account explicitly to /etc/passwd
(and the other associated UNIX system files) this is done by using a
name service switch (NSS) extension, such as libnss-ldap, NIS+, etc.
But you have said you don't want to use LDAP either.  Is there a libnss
TACACS+?  Are you using it?

Most modern GNU/Linux systems support getent(1).  What happens if you run:

 getent passwd test0

? (assuming the user you're trying is test0).  This should return a
"virtual" line you'd expect to see in /etc/passwd (though its source
might actually be from some NSS plugin).

If the result is an empty string (and the return code is anything other
than 0), then no such user account is available.  In that case, it
doesn't matter whether PAM authentication works, because sshd has no
account to switch to once the login is completed anyway.

hth,

	--dkg

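The getent check described in the reply above, scripted so the verdict can be reused in a login-debugging session. This is an added example, not part of dkg's message or of the OpenSSH project; it assumes a Linux host with getent(1) and /etc/nsswitch.conf (glibc or busybox), and uses "test0" from the thread as a constructed sample user name that is expected not to exist on the machine running it.

```shell
#!/bin/sh
# Does sshd have an account to switch to after PAM says "yes"?
# PAM only answers "is this password good"; sshd still needs a passwd
# entry (uid, gid, home, shell) for the user, which comes from NSS.

# nss_uid USER: print the numeric uid NSS resolves for USER, or nothing
# (and a non-zero status) if no passwd source knows the name.
nss_uid() {
    getent passwd "$1" | cut -d: -f3
}

# check_account USER: print a verdict and return 0 only when the account
# resolves to a passwd entry, which is the condition sshd needs.
# getent exits non-zero when the key is not found (2 on glibc).
check_account() {
    user=$1
    entry=$(getent passwd "$user") || {
        echo "NO: '$user' is unknown to NSS; PAM success alone cannot finish an ssh login"
        return 1
    }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    echo "OK: '$user' resolves to uid $uid: $entry"
    return 0
}

# passwd_sources: the sources nsswitch consults for passwd lookups
# (e.g. "files systemd" or "files ldap"). A directory-backed account
# has to come from one of these; if only "files" is listed, nothing
# outside /etc/passwd will ever resolve.
passwd_sources() {
    sed -n 's/^passwd:[[:space:]]*//p' /etc/nsswitch.conf 2>/dev/null
}

echo "nsswitch passwd sources: $(passwd_sources)"
# Usage: ./nss_check.sh <login-name>; "test0" is the constructed default.
for u in root "${1:-test0}"; do
    check_account "$u" || true   # keep going so both verdicts are printed
done
```

If check_account reports NO for the name you are using, fix name resolution first (an NSS module or a local /etc/passwd entry); no amount of PAM debugging will make the login succeed until getent returns a line.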