Date: Tue, 29 Jun 2004 09:39:28 +0300
From: Danny Braniss <danny@cs.huji.ac.il>
To: Valentin Nechayev <netch@ivb.nn.kiev.ua>
Cc: freebsd-hackers@freebsd.org
Subject: Re: sshd & pam & getpwnam()
Message-ID: <20040629063937.4D16843D31@mx1.FreeBSD.org>
In-Reply-To: Your message of Tue, 29 Jun 2004 09:13:03 +0300.

> Sun, Jun 20, 2004 at 14:52:35, zagarin wrote about "sshd & pam & getpwnam()":
>
> > Does anybody know, why sshd call getpwnam() even if user is
> > authenticating via PAM? This broke remote authentication (RADIUS,
> > TACACS+) when user doesn't exist in local password database.
>
> Because you mix two different things - users directory (in modern unixes
> including 5.* it is implemented as NSS) and authentication (implemented as PAM).
> To log in with sshd, user must be known in passwd database; if sshd would
> enable user to log in without account, this won't be sshd, but will be
> anything another.
>
> To allow remote user lists, use NIS; for now it is the only working
> and well-tested mechanism to spread user list (passwd.*) for many systems.
> See "YP/NIS INTERACTION" in passwd(5) for details.
>

not 100% true, dns/hesiod works great.

my 5 cents,
	danny
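
The account lookup discussed in this thread, as an added example that is not part of the original message and is not sshd's code: it resolves a user name through whichever passwd sources NSS is configured with, independently of PAM, and separates "no source knows this user" from a backend failure. The helper name account_lookup and the status enum are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

enum acct_status { ACCT_FOUND, ACCT_UNKNOWN, ACCT_ERROR };

/* Hypothetical helper: resolve `name` through the passwd sources the
 * system's NSS configuration lists (files, NIS, ...). No PAM involved. */
enum acct_status account_lookup(const char *name, uid_t *uid_out)
{
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t len = hint > 0 ? (size_t)hint : 1024;
    struct passwd pw, *res = NULL;
    char *buf = NULL;
    int rc;

    for (;;) {
        char *tmp = realloc(buf, len);
        if (tmp == NULL) { free(buf); return ACCT_ERROR; }
        buf = tmp;
        rc = getpwnam_r(name, &pw, buf, len, &res);
        if (rc != ERANGE) break;               /* ERANGE: entry did not fit */
        if (len > (1u << 20)) { free(buf); return ACCT_ERROR; }
        len *= 2;                              /* grow the buffer and retry */
    }
    enum acct_status st;
    if (res != NULL) {
        if (uid_out) *uid_out = pw.pw_uid;
        st = ACCT_FOUND;
    } else if (rc == EINTR || rc == EIO || rc == EMFILE ||
               rc == ENFILE || rc == ENOMEM) {
        st = ACCT_ERROR;    /* backend failure, not "no such user" */
    } else {
        st = ACCT_UNKNOWN;  /* no configured passwd source knows the name */
    }
    free(buf);
    return st;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "root";
    uid_t uid = 0;
    enum acct_status st = account_lookup(name, &uid);
    if (st == ACCT_FOUND) printf("%s: uid %lu\n", name, (unsigned long)uid);
    else printf("%s: %s\n", name, st == ACCT_UNKNOWN ? "unknown to NSS" : "lookup error");
    return st == ACCT_FOUND ? 0 : 1;
}
```

A user who exists only on a RADIUS or TACACS+ server comes back as ACCT_UNKNOWN here unless some passwd source (NIS or hesiod, as mentioned in the thread) also supplies the entry.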