SSHD and PAM

Sudarshan Soma sudarshan12s at gmail.com
Wed Jan 3 21:07:45 AEDT 2018


Thanks Jakub.   so sshd will check nsswitch.conf before refering to
/etc/passwd file. .

Does sssd/NSS has  a way to fetch user names from sources like
RADIUS/TACACS  server?
We wanted to enable RADIUS/TACACS Authentication using PAM and enabling PAM
in sshd.


Regards,
Ivan

On Wed, Jan 3, 2018 at 2:34 PM, Jakub Jelen <jjelen at redhat.com> wrote:

> On Wed, 2018-01-03 at 13:50 +0530, Sudarshan Soma wrote:
> > HI, I do see some refernce on it: but seems not closed
> > https://marc.info/?l=secure-shell&m=115513863409952&w=2
> >
> > http://bugzilla.mindrot.org/show_bug.cgi?id=1215
> >
> >
> > Is this patch available in latest versions, 7.6?
>
> No. It never was.
>
> The SSSD is using NSS (Name Service Switch) [1] way of getting
> credentials. It allows to get them from many sources.
>
> [1] https://en.wikipedia.org/wiki/Name_Service_Switch
>
> Regards,
> Jakub
>
> > On Wed, Jan 3, 2018 at 1:48 PM, Sudarshan Soma <sudarshan12s at gmail.co
> > m>
> > wrote:
> >
> > > Hi I am trying to write pam_radius module which talks to RADIUS
> > > server for
> > > aaa.
> > >
> > > I see sshd checks /etc/passwd for user list. Since RADIUS server
> > > has user
> > > list, can sshd ignore this check for RADIUS/TACACS+ authentication,
> > > Please
> > > suggest if there are any flags to control it.
> > >
> > > I am using the following versions.
> > > OpenSSH_6.6p1, OpenSSL 1.0.2n  7 Dec 2017
> > >
> > > I see sssd (NAS) being used for such use cases, how does sshd
> > > ignore
> > > /etc/passwd in those cases.
> > > Please suggest
> > >
> > > Regards,
> > > Ivan.
> > >
> >
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> --
> Jakub Jelen
> Software Engineer
> Security Technologies
> Red Hat, Inc.
>


More information about the openssh-unix-dev mailing list