SSHD and PAM
Gert Doering
gert at greenie.muc.de
Thu Jan 4 02:20:33 AEDT 2018
Hi,
On Wed, Jan 03, 2018 at 04:03:39PM +0100, Michael Ströder wrote:
> Sudarshan Soma wrote:
> > Does sssd/NSS have a way to fetch user names from sources like
> > RADIUS/TACACS server?
> My impression is that while this might be theoretically possible, nobody
> does this. Especially it's not clear to me how you would push group
> membership to the system. And AFAICS in case of TACACS+ there's also
> only a single "role" available (translate this to single group).
Just for the sake of completeness: TACACS+ can return arbitrary
key-value pairs, so you can build whatever authorization / grouping
scheme on top of TACACS+ that you want.
Not sure anyone has done that before, so this advice is still valid:
> So the usual answer is: Use LDAP.
... as more people have done it, thus more software supports it, and
things are more likely to "just work".
gert
--
now what should I write here...
Gert Doering - Munich, Germany gert at greenie.muc.de