Date: Tue, 17 Jul 2001 14:52:53 +0300
From: "Shila Ofek" <shila_ofek@hotmail.com>
To: security@freebsd.org
Subject: SSH with PAM and TACACS+/Radius (was: OpenSSH UseLogin parameter)
Message-ID: <F192t3cew8k69RKLpgT00003722@hotmail.com>

Hi,

Thanks for all the answers about my previous question. Well, now I've got the right version - FreeBSD 4.3, but I still can't do what I need.

What I need to do is the following: When the SSH user authentication is a password authentication, I want to authenticate through PAM. The reason for that is that I want to authenticate through TACACS+ and Radius servers. Users that authenticate through these servers usually don't have local accounts in the master.passwd files. Instead a parameter named "template user" is given in the pam.conf file, and the pam_radius and pam_tacplus libraries return this user after authenticating the real user. The template user must have a local account.

Now to the actual problem... The code of the OpenSSH daemon first looks for the user in the passwd files. In case the user is a TACACS/Radius user, he is not found there, of course. If the user is not found, the authentication with PAM is not called at all! This is a problem. The code in SSH should work similarly to that in the login program, where after the authentication takes place, the template user is looked up in the master.passwd file.

Does anyone know of a patch for this, or any other solution?

Thanks,
Shila.
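
The ordering difference described in the message above, as a small self-contained model. This is an added example, not code from OpenSSH, login or the original post: the account table, the remote user database, the name tmpl_remote and all function names are constructed assumptions, and pam_model_authenticate only stands in for a PAM module configured with a template user.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for master.passwd: local accounts only. */
static const char *local_accounts[] = { "root", "tmpl_remote" };
/* Constructed stand-in for the RADIUS/TACACS+ server's user database. */
static const struct { const char *user, *pass; } remote_users[] = {
    { "alice", "s3cret" },
};
#define TEMPLATE_USER "tmpl_remote"   /* hypothetical template user name */

static int local_lookup(const char *name) {
    for (size_t i = 0; i < sizeof local_accounts / sizeof *local_accounts; i++)
        if (strcmp(local_accounts[i], name) == 0) return 1;
    return 0;
}

/* Models the PAM module: on success it reports the template user as the
 * account to use; on failure it returns NULL. */
static const char *pam_model_authenticate(const char *user, const char *pass) {
    for (size_t i = 0; i < sizeof remote_users / sizeof *remote_users; i++)
        if (strcmp(remote_users[i].user, user) == 0 &&
            strcmp(remote_users[i].pass, pass) == 0)
            return TEMPLATE_USER;
    return NULL;
}

/* Order described for sshd: passwd lookup first, PAM only if the user exists. */
const char *session_user_lookup_first(const char *user, const char *pass) {
    if (!local_lookup(user)) return NULL;        /* PAM is never reached */
    return pam_model_authenticate(user, pass);
}

/* Order described for login: PAM first, then look up the returned user. */
const char *session_user_auth_first(const char *user, const char *pass) {
    const char *mapped = pam_model_authenticate(user, pass);
    if (mapped == NULL) return NULL;             /* bad credentials */
    return local_lookup(mapped) ? mapped : NULL; /* template must exist locally */
}

int main(void) {
    const char *a = session_user_lookup_first("alice", "s3cret");
    const char *b = session_user_auth_first("alice", "s3cret");
    printf("lookup-first: %s\nauth-first:   %s\n",
           a ? a : "denied", b ? b : "denied");
    return 0;
}
```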