Re: Tacacs and OpenSSH
- From: Gary Schlachter <Gary.Schlachter@xxxxxxxxx>
- Date: Tue, 01 Aug 2006 08:15:39 -0400
Thank you for your reply. The PAM is getting called which in turn contacts the TACACS server. However, my problem is that OpenSSH is authenticating the user against /etc/passwd instead of letting the user be authenticated by the TACACS server. I am looking for a way to configure SSH to stop the /etc/passwd authentication. When the user is in /etc/passwd a but does not have a local password and is defined on the TACACS server, TACACS authenticates the user correctly. I am looking for a way to not have to configure the same user id on both the TACACS server and the local system.
BTW, I am the PAM developer.
Asif Iqbal wrote:
On 7/27/06, Gary Schlachter <Gary.Schlachter@xxxxxxxxx> wrote:I know this question has been asked several times over the years
but I have not seen a definitive answer/solution if one exists. If one
does not exist or I need to develop one, then I can stop looking! I am
attempting to integrate a Tacacs+ PAM with OpenSSH. I would like to
have the PAM authenticate the User ID as well as the password. Thus the
users do not exist in /etc/passwd. I am not using NIS or any other
system for user ids. The Tacacs server is the only place the user ids
exist. Ultimately when the user authenticates via Tacacs, I will switch
the user to a known user in /etc/passwd and provide the logging in user
with a specific TTY interface via the shell. When attempting this on
linux with OpenSSH 4.3p2 compiled with with_pam and seemingly the
correct sshd_config options, I received the infamous
This is how I test
Make sure ldd to sshd shows pam library in the list
Modify the sshd_config file with the following two parameters
Syslog Fascility auth
touch a file /var/log/sshd.log.
modify the syslog.conf with auth.debug point to /var/log/sshd.log and
Now ssh with your tacacs account and see if your tacacs server
receiving any connection logs from you as well as your
If all fails I would ask the tacacs pam module developer about the issue.
Thanks in advance,
- Prev by Date: Re: How do I silence the banner?
- Next by Date: Re: How do I silence the banner?
- Previous by thread: Incremental delay in ssh
- Next by thread: Re: Tacacs and OpenSSH