Re: Tacacs and OpenSSH

Thank you for your reply. The PAM is getting called which in turn contacts the TACACS server. However, my problem is that OpenSSH is authenticating the user against /etc/passwd instead of letting the user be authenticated by the TACACS server. I am looking for a way to configure SSH to stop the /etc/passwd authentication. When the user is in /etc/passwd but does not have a local password and is defined on the TACACS server, TACACS authenticates the user correctly. I am looking for a way to not have to configure the same user id on both the TACACS server and the local system.
BTW, I am the PAM developer.

Thanks,
Gary

Asif Iqbal wrote:
On 7/27/06, Gary Schlachter <Gary.Schlachter@xxxxxxxxx> wrote:
I know this question has been asked several times over the years
but I have not seen a definitive answer/solution if one exists. If one
does not exist or I need to develop one, then I can stop looking! I am
attempting to integrate a Tacacs+ PAM with OpenSSH. I would like to
have the PAM authenticate the User ID as well as the password. Thus the
users do not exist in /etc/passwd. I am not using NIS or any other
system for user ids. The Tacacs server is the only place the user ids
exist. Ultimately when the user authenticates via Tacacs, I will switch
the user to a known user in /etc/passwd and provide the logging in user
with a specific TTY interface via the shell. When attempting this on
linux with OpenSSH 4.3p2 compiled with with_pam and seemingly the
correct sshd_config options, I received the infamous

This is how I test

Make sure ldd on sshd shows the pam library in the list

Modify the sshd_config file with the following two parameters

SyslogFacility auth
LogLevel debug

restart OpenSSH

touch a file /var/log/sshd.log.

modify the syslog.conf so that auth.debug points to /var/log/sshd.log, and
restart syslog.

Now ssh with your tacacs account and see if your tacacs server is
receiving any connection logs from you, and check your
/var/log/sshd.log file as well.

If all fails I would ask the tacacs pam module developer about the issue.

Thanks in advance,
Gary
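As an added example (not code from this thread, from OpenSSH, or from Gary's PAM module), the POSIX shell script below runs the checks Asif lists and adds the one the question turns on: sshd resolves the login name with getpwnam() before any PAM conversation, so a name known only to the TACACS+ server is refused whatever PAM answers. The config and binary paths passed on the command line are assumptions.

```shell
#!/bin/sh
# Added diagnostic for the steps in this thread; not code from the thread or
# from any PAM module. It checks what Asif lists (sshd linked with libpam,
# auth/debug logging in sshd_config) and the point the question turns on:
# sshd resolves the login name with getpwnam() before PAM runs, so a name
# that only the TACACS+ server knows is refused no matter what PAM answers.
# Paths given on the command line are assumptions, not values from the thread.

# sshd_config_value KEY FILE -> prints the first uncommented value for KEY
# (sshd keywords are case-insensitive and the first occurrence wins);
# returns 1 if KEY is not set. Match blocks are not handled.
sshd_config_value() {
    k=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v k="$k" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == k && v == "" { v = $2 }
        END { if (v == "") exit 1; print v }' "$2"
}

# sshd_links_pam BIN -> true when ldd lists libpam (the "ldd sshd" check).
sshd_links_pam() { ldd "$1" 2>/dev/null | grep -q 'libpam\.so'; }

# user_resolves NAME -> true when the NSS account database knows NAME.
# id(1) calls getpwnam() just as sshd does; PAM is never consulted here.
user_resolves() { id "$1" >/dev/null 2>&1; }

# check_sshd_pam_setup CONFIG BIN NAME -> reports each finding, returns
# nonzero if any check fails.
check_sshd_pam_setup() {
    cfg=$1; bin=$2; name=$3; rc=0
    if sshd_links_pam "$bin"; then echo "ok: $bin links libpam"
    else echo "FAIL: $bin does not link libpam"; rc=1; fi
    for kv in UsePAM=yes SyslogFacility=auth LogLevel=debug; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(sshd_config_value "$key" "$cfg" | tr 'A-Z' 'a-z')
        if [ "$got" = "$want" ]; then echo "ok: $key $got"
        else echo "FAIL: $key is '${got:-unset}', want $want"; rc=1; fi
    done
    if user_resolves "$name"; then echo "ok: $name resolves via getpwnam"
    else echo "FAIL: $name unknown to NSS; sshd rejects it before PAM"; rc=1; fi
    return $rc
}
```

Run it as `check_sshd_pam_setup /etc/ssh/sshd_config /usr/sbin/sshd <login>`; a FAIL on the last line is the symptom Gary describes, and the fix is to make the name resolvable (local account or an NSS source), since PAM alone cannot supply it.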
