Re: Tacacs and OpenSSH
- From: "Robert Hajime Lanning" <robert.lanning@xxxxxxxxx>
- Date: Mon, 7 Aug 2006 12:22:21 -0700
You need something like this:
But for TACACS. The problem is, TACACS is an authentication protocol, not
a directory lookup protocol.
Basically, the user information needs to be able to be looked up at any time.
Separate from user authentication.
Think, when I do "ls -l" what translates the UID on the files into an
This is why, even for Microsoft ADS, they have Kerberos for authentication
and LDAP for user accounts and pretty much everything else.
Even for Kerberos, you can authenticate, but all other account information
needs to be available to the machine. So, for Kerberos installs, you don't
need the /etc/shadow file, but you still need the /etc/passwd file. Unless
you locate the information somewhere else, where it is readily available,
i.e. NIS or LDAP.
On 8/4/06, Gary Schlachter <Gary.Schlachter@xxxxxxxxx> wrote:
Thank you for your offer. However, I fear you just answered my
question. Your comment:
"Also make sure you do have a local user account and it is not
You must need a local account even though the authentication is
thru tacacs server. "
is exactly what I was trying to avoid. I was wanting to NOT
have a local account on the server. I am trying to have sshd use the
local account as defined on the TACACS server. I was hoping there was a
way to configure OpenSSH to not look for a local account. I am able to
authenticate perfectly if the local account is created on the server.
And, did Guloka think the Ulus were too ugly to save?
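
An added illustration of the split described in the message above (not part of the original thread): the account lookup goes through NSS (the "passwd" line of /etc/nsswitch.conf) and is independent of whatever checks the password, which is why sshd treats a user that getpwnam() cannot resolve as invalid no matter what the TACACS server answers. The nsswitch.conf contents and the user name "tacacs-only-user" are constructed for the example.

```python
import os
import pwd
import re

# Constructed sample; on a real host read /etc/nsswitch.conf instead.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed)
passwd:     files ldap
shadow:     files
group:      files ldap
hosts:      files dns
"""

def nss_sources(conf_text, database="passwd"):
    """Return the ordered lookup sources configured for one NSS database."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            # Drop action items such as [NOTFOUND=return]; keep source names.
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []

def resolve_account(username):
    """Directory lookup only, no password involved: the step sshd needs to
    succeed before any authentication result can turn into a login."""
    try:
        entry = pwd.getpwnam(username)
    except KeyError:
        return None
    return {"uid": entry.pw_uid, "gid": entry.pw_gid,
            "home": entry.pw_dir, "shell": entry.pw_shell}

def owner_label(path):
    """Map a file's numeric owner to a name the way "ls -l" does,
    falling back to the bare number when no source knows the UID."""
    uid = os.stat(path).st_uid
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

if __name__ == "__main__":
    print("passwd sources:", nss_sources(SAMPLE_NSSWITCH))
    for user in ("root", "tacacs-only-user"):
        info = resolve_account(user)
        print(user, "->", info or "not resolvable, so no login is possible")
    print("owner of /:", owner_label("/"))
```

If resolve_account() returns None for a user the TACACS server accepts, the account data has to be published through one of the listed passwd sources (local files, NIS, LDAP) before that user can log in.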