SSH authentication via PAM

From: Cook, Garry (GWCOOK_at_mactec.com)
Date: 03/01/04

    Date: Mon, 1 Mar 2004 10:57:25 -0700
    To: <secureshell@securityfocus.com>


    I'm attempting to integrate SSH with Pluggable Authentication Modules on
    a Linux host. Specifically, I'm using pam_tacplus to authenticate users
    via a Cisco ACS server. My problem is that the ACS has usernames
    different from those on the Linux host. I've set up the sshd config in
    /etc/pam.d/ to call the pam_tacplus module for authentication, although
    it appears as though SSH first checks the username against /etc/passwd
    or /etc/shadow to verify that I am a legitimate user. Debug output from
    /var/log/secure shows this:

    Feb 29 23:49:04 netmon2 sshd[7158]: Illegal user foo.bar from 172.16.100.40
    Feb 29 23:49:10 netmon2 sshd[7158]: pam_sm_authenticate: called (pam_tacplus v1.2.9)
    Feb 29 23:49:10 netmon2 sshd[7158]: pam_sm_authenticate: user [NOUSER] obtained

    SSH tests the username against legitimate users on localhost and reports
    that my username is illegal, so it then passes 'NOUSER' to the ACS via
    pam_sm_authenticate.

    Is there any way to disable this test and have a username correctly
    passed to pam_sm_authenticate? I've read all the man pages and FAQs that
    I can get my hands on, and googled quite extensively. I'm either missing
    something or else there is very little information out there pertaining
    to this issue.

    Perhaps there is a better way than attempting to disable this test?

    Any insight would be greatly appreciated.

    Garry W. Cook, CCNA
    Network Infrastructure Manager
    MACTEC, Inc. - http://www.mactec.com/
    303.308.6228 (Office) - 720.220.1862 (Mobile)
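The log excerpt in the post shows sshd logging "Illegal user" for a name it cannot resolve locally and then handing the placeholder [NOUSER] to pam_tacplus. As an added example (not from the original post or from pam_tacplus), the following parser correlates those two sshd events by process id so an administrator can tell which login attempts never reached the TACACS+ server with a real username; the second session (pid 7201, user gcook) in the sample log is constructed for contrast.

```python
import re

# Constructed sample modelled on the /var/log/secure lines quoted in the post.
# Session 7158 is the post's own excerpt; session 7201 is a made-up successful lookup.
SAMPLE_LOG = """\
Feb 29 23:49:04 netmon2 sshd[7158]: Illegal user foo.bar from 172.16.100.40
Feb 29 23:49:10 netmon2 sshd[7158]: pam_sm_authenticate: called (pam_tacplus v1.2.9)
Feb 29 23:49:10 netmon2 sshd[7158]: pam_sm_authenticate: user [NOUSER] obtained
Feb 29 23:51:02 netmon2 sshd[7201]: pam_sm_authenticate: called (pam_tacplus v1.2.9)
Feb 29 23:51:02 netmon2 sshd[7201]: pam_sm_authenticate: user [gcook] obtained
"""

# sshd's message when getpwnam() fails for the requested login name.
ILLEGAL_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Illegal user (?P<user>\S+) from (?P<src>\S+)")
# pam_tacplus debug line reporting the username it was actually given.
PAM_USER_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_sm_authenticate: user \[(?P<user>[^\]]*)\] obtained")


def correlate(log_text):
    """Pair each pam_tacplus username report with the preceding 'Illegal user'
    event of the same sshd pid. Returns one dict per authentication attempt;
    nss_lookup_failed is True when PAM only ever saw the NOUSER placeholder."""
    pending = {}   # pid -> (requested username, source address)
    results = []
    for line in log_text.splitlines():
        m = ILLEGAL_RE.search(line)
        if m:
            pending[m["pid"]] = (m["user"], m["src"])
            continue
        m = PAM_USER_RE.search(line)
        if m:
            requested, src = pending.pop(m["pid"], (None, None))
            results.append({
                "pid": m["pid"],
                "requested_user": requested,   # None when sshd resolved the name
                "src": src,
                "pam_user": m["user"],
                "nss_lookup_failed": m["user"] == "NOUSER",
            })
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        print(r)
```

Attempts flagged with nss_lookup_failed never carried the real username to the ACS, which is the symptom the post describes: sshd must be able to resolve the account (via /etc/passwd or another NSS source) before PAM sees anything but NOUSER.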
