Re: Tacacs and OpenSSH

On Thu, Jul 27, 2006 at 09:25:58AM -0400, Gary Schlachter wrote:
I know this question has been asked several times over the years
but I have not seen a definitive answer/solution if one exists. If one
does not exist or I need to develop one, then I can stop looking! I am
attempting to integrate a Tacacs+ PAM with OpenSSH. I would like to
have the PAM authenticate the User ID as well as the password. Thus the
users do not exist in /etc/passwd. I am not using NIS or any other
system for user ids. The Tacacs server is the only place the user ids
exist. Ultimately when the user authenticates via Tacacs, I will switch
the user to a known user in /etc/passwd and provide the logging in user
with a specific TTY interface via the shell. When attempting this on
linux with OpenSSH 4.3p2 compiled with with_pam and seemingly the
correct sshd_config options, I received the infamous "Invalid user"
debug messages. Is this possible with the current OpenSSH and/or some
patch for it?

I'm taking a look at what's involved in making this work (although I'm
not convinced it's worth the risk). There's a patch that may help at

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Relevant Pages

  • Re: Allow password auth for one user with sftp?
    ... A copy of the patch would be appreciated, I'll have to think about using it on my server -- I don' feel very comfortable using a hand-compiled sshd instead of a Debian-packaged one... ... It was just committed so it will be in the next major release of OpenSSH. ... Good judgement comes with experience. ...
  • Re: AIX patch works for Openssh but not Putty
    ... >After applying that patch, I was logged in (using Putty and OpenSSH) ... Good judgement comes with experience. ...
  • openssh3.5p1: new functionality added, modifications done
    ... This is NOT an official or unofficial openssh announcement, patch, release ... secure ftp services for our web content developers. ... there is no server-side control over umask and file permissions. ... I'm running openssh with my patch on my servers, and am quite happy with it. ...
  • SUMMARY: Trouble last after SSH + LDAP
    ... As it turned out this is an issue with OpenSSH 4.3p1. ... Did a make distclean, applied the patch, and rebuilt with no problems. ... authentication against an OpenLDAP server. ... PAM LDAP module 1.80 ...
  • Re: tcsetpgrp()
    ... Which SSH implementation and version thereof are you running? ... On QNX the pty allocation process apparently ... In the next release of OpenSSH, ... Good judgement comes with experience. ...