Date:      Tue, 29 Jun 2004 09:13:03 +0300
From:      Valentin Nechayev <netch@ivb.nn.kiev.ua>
To:        Alexey Zagarin <zagarin@emax.ru>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: sshd & pam & getpwnam()
Message-ID:  <20040629061303.GA37195@lucky.net>
In-Reply-To: <40D56C73.8090806@emax.ru>
References:  <40D56C73.8090806@emax.ru>

 Sun, Jun 20, 2004 at 14:52:35, zagarin wrote about "sshd & pam & getpwnam()": 

> Does anybody know why sshd calls getpwnam() even if the user is
> authenticating via PAM? This breaks remote authentication (RADIUS,
> TACACS+) when the user doesn't exist in the local password database.

Because you mix two different things - the users directory (in modern Unixes,
including 5.*, it is implemented as NSS) and authentication (implemented as PAM).
To log in with sshd, a user must be known in the passwd database; if sshd
enabled a user to log in without an account, it wouldn't be sshd, but
something else.

To allow remote user lists, use NIS; for now it is the only working
and well-tested mechanism to spread a user list (passwd.*) to many systems.
See "YP/NIS INTERACTION" in passwd(5) for details.


-netch-
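The separation the reply describes, as an added illustration that is not part of the thread or of sshd's source: the account lookup (NSS, via getpwnam) is a gate that runs before any authentication method is consulted, so a user who is absent from every NSS source is refused before PAM, and therefore before a RADIUS or TACACS+ module, ever sees the request. The program assumes a POSIX host whose passwd database contains "root"; the user name "no-such-user-constructed-xyz" is a constructed value that is expected not to exist.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Outcome of the account lookup an sshd-like daemon performs before any
 * authentication method (PAM, and through it RADIUS/TACACS+) is tried. */
enum account_status {
    ACCOUNT_FOUND = 0,        /* NSS returned a passwd entry */
    ACCOUNT_UNKNOWN = 1,      /* no NSS source knows the user: refused here */
    ACCOUNT_LOOKUP_ERROR = 2  /* NSS backend failed, e.g. NIS server unreachable */
};

/* Thread-safe wrapper around getpwnam_r(3). On ACCOUNT_FOUND, *out is
 * filled in and its string fields point into buf. On ACCOUNT_LOOKUP_ERROR,
 * *errp (if non-NULL) receives the error number getpwnam_r reported. */
enum account_status lookup_account(const char *name, struct passwd *out,
                                   char *buf, size_t buflen, int *errp)
{
    struct passwd *result = NULL;
    int rc = getpwnam_r(name, out, buf, buflen, &result);

    if (result != NULL && rc == 0)
        return ACCOUNT_FOUND;
    /* Implementations differ on "not found": POSIX says rc == 0 with a NULL
     * result, but some NSS backends report ENOENT or ESRCH instead. */
    if (result == NULL && (rc == 0 || rc == ENOENT || rc == ESRCH))
        return ACCOUNT_UNKNOWN;
    if (errp)
        *errp = rc;
    return ACCOUNT_LOOKUP_ERROR;
}

/* Mirrors the gate the reply describes: a user who is not in the passwd
 * database (local files, NIS, or another NSS source) never reaches the
 * authentication stage, whatever PAM would have decided. Returns 1 if the
 * login may proceed to authentication, 0 otherwise. */
int login_allowed_by_nss(const char *name)
{
    struct passwd pw;
    char buf[4096];
    return lookup_account(name, &pw, buf, sizeof buf, NULL) == ACCOUNT_FOUND;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "root";
    struct passwd pw;
    char buf[4096];
    int err = 0;

    switch (lookup_account(name, &pw, buf, sizeof buf, &err)) {
    case ACCOUNT_FOUND:
        printf("%s: uid=%u shell=%s -> proceed to PAM authentication\n",
               name, (unsigned)pw.pw_uid, pw.pw_shell);
        return 0;
    case ACCOUNT_UNKNOWN:
        printf("%s: not in passwd database -> refused before PAM runs\n", name);
        return 1;
    default:
        printf("%s: NSS lookup failed: %s\n", name, strerror(err));
        return 2;
    }
}
```

Run it with a user name as the single argument. The ACCOUNT_LOOKUP_ERROR branch is the case that matters once the user list lives in NIS: a lookup failure because the NIS server is down is a different event from "user unknown", and a daemon (or a monitoring check) should log the two distinctly rather than folding both into a failed login.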


