SSHD and PAM

Jakub Jelen jjelen at redhat.com
Wed Jan 3 22:28:53 AEDT 2018


On Wed, 2018-01-03 at 15:37 +0530, Sudarshan Soma wrote:
> Thanks Jakub. So sshd will check nsswitch.conf before referring to
> the /etc/passwd file.

No, SSHD does not read these files directly. It uses standard/high-
level functions such as getpwnam() in Linux to verify existence of the
user.

> Does sssd/NSS have a way to fetch user names from sources like a
> RADIUS/TACACS server?

Probably. But I do not have a lot of experience with it.

> We wanted to enable RADIUS/TACACS Authentication using PAM and
> enabling PAM
> in sshd.
> 
> 
> Regards,
> Ivan
> 
> On Wed, Jan 3, 2018 at 2:34 PM, Jakub Jelen <jjelen at redhat.com>
> wrote:
> 
> > On Wed, 2018-01-03 at 13:50 +0530, Sudarshan Soma wrote:
> > > Hi, I do see some reference on it, but it seems not closed:
> > > https://marc.info/?l=secure-shell&m=115513863409952&w=2
> > > 
> > > http://bugzilla.mindrot.org/show_bug.cgi?id=1215
> > > 
> > > 
> > > Is this patch available in latest versions, 7.6?
> > 
> > No. It never was.
> > 
> > The SSSD is using the NSS (Name Service Switch) [1] way of getting
> > credentials. It allows getting them from many sources.
> > 
> > [1] https://en.wikipedia.org/wiki/Name_Service_Switch
> > 
> > Regards,
> > Jakub
> > 
> > > On Wed, Jan 3, 2018 at 1:48 PM, Sudarshan Soma <sudarshan12s at gmail.com>
> > > wrote:
> > > 
> > > > Hi, I am trying to write a pam_radius module which talks to a RADIUS
> > > > server for AAA.
> > > > 
> > > > I see sshd checks /etc/passwd for the user list. Since the RADIUS
> > > > server has the user list, can sshd ignore this check for
> > > > RADIUS/TACACS+ authentication? Please suggest if there are any
> > > > flags to control it.
> > > > 
> > > > I am using the following versions.
> > > > OpenSSH_6.6p1, OpenSSL 1.0.2n  7 Dec 2017
> > > > 
> > > > I see sssd (NAS) being used for such use cases; how does sshd
> > > > ignore /etc/passwd in those cases? Please suggest.
> > > > 
> > > > Regards,
> > > > Ivan.
> > > > 
> > > 
> > > _______________________________________________
> > > openssh-unix-dev mailing list
> > > openssh-unix-dev at mindrot.org
> > > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> > 
> > --
> > Jakub Jelen
> > Software Engineer
> > Security Technologies
> > Red Hat, Inc.
> > 
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
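The distinction Jakub draws above (sshd asks NSS through getpwnam() instead of reading /etc/passwd itself) as an added C example; this is not OpenSSH code. It parses the passwd line of a constructed nsswitch.conf sample to show which sources get to answer, and runs the same getpwnam() existence check; the sample file contents and the function names are assumptions.

```c
/* Added example, not OpenSSH code: the "does this user exist?" step sshd
 * delegates to NSS via getpwnam(), and the nsswitch.conf line behind it. */
#include <ctype.h>
#include <pwd.h>
#include <string.h>
#define SRC_LEN 16

/* Constructed sample nsswitch.conf; "sss" makes SSSD a passwd source. */
static const char SAMPLE_NSSWITCH[] =
    "passwd:     files [NOTFOUND=continue] sss\n"
    "group:      files sss\n";

/* Collect source names from the "<db>:" line; bracketed action specifiers
 * such as [NOTFOUND=return] are skipped. Returns the count written to out. */
int nss_sources(const char *conf, const char *db, char out[][SRC_LEN], int max)
{
    size_t dblen = strlen(db);
    int n = 0;
    for (const char *line = conf; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > dblen && strncmp(line, db, dblen) == 0 && line[dblen] == ':') {
            const char *p = line + dblen + 1, *end = line + len;
            while (p < end && n < max) {
                while (p < end && isspace((unsigned char)*p)) p++;
                if (p >= end) break;
                if (*p == '[') {                   /* skip [STATUS=action] */
                    while (p < end && *p != ']') p++;
                    if (p < end) p++;
                    continue;
                }
                int i = 0;
                while (p < end && !isspace((unsigned char)*p) && i < SRC_LEN - 1)
                    out[n][i++] = *p++;
                out[n++][i] = '\0';
            }
            return n;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return n;
}

/* The existence check itself: whichever passwd source knows the account
 * answers, so sshd never needs to parse /etc/passwd on its own. */
int user_known_to_nss(const char *name)
{
    return getpwnam(name) != NULL;
}
```

A PAM module can accept a RADIUS-authenticated name, but if no source on the passwd line returns an entry for it, getpwnam() fails and the login cannot proceed.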
