ssh and tacacs+

Nico Kadel-Garcia nkadel at gmail.com
Sun Aug 23 22:23:15 AEST 2015


On Sun, Aug 23, 2015 at 1:17 AM, ali rezaee <nlndipi at hotmail.com> wrote:
> Hi, I'm trying to use TACACS+ authentication for ssh, but up to now, have been unsuccessful.
> I can login or telnet using TACACS, but apparently, ssh uses some kind of encryption that my
> tacacs server cannot read. Therefore, it is unable to authenticate the user. The weird thing
> is that if the user has been created locally on the client system, I won't have such a problem
> and it authenticates just fine. I was wondering if there is a way to have ssh not encrypt the
> password, or if I can find a source code in the openssh library where I can add the user
> locally, before authentication (I did the second one for login). I've been reading the openssh
> source codes and haven't yet been able to figure this out. Any help would be appreciated.
> Thanks,
> Ali Rezaee

Oh, brother. Sounds like you are in it deep, or having some language
problems. This doesn't sound like an "OpenSSH source code" problem,
but more like an authentication layer problem, and a lot of that is
done with PAM on Linux and some other systems.

TACACS+ is an *authentication* standard, and can handle authorization
as well. Much like Active Directory, you have to keep the
authentication separate from the account management in debugging. So
one problem at a time: when you "created a local account", did you
create that account with a local password? Or did you create just the
account with a locked password, and TACACS+ is handling
authentication?

If you created an account with a local password, I bet your OpenSSH
server is not correctly configured to authenticate against the TACACS+
server. I do see plenty of Google references to "linux tacacs+ SSH"
providing hints on how to activate this with the PAM configuration, so
it does seem to be supportable.

It's also unclear what your server operating system or version of
OpenSSH are. Please post them if you need more help.

