On 7/27/06, Gary Schlachter wrote:
> I know this question has been asked several times over the years
> but I have not seen a definitive answer/solution if one exists. If one
> does not exist or I need to develop one, then I can stop looking! I am
> attempting to integrate a Tacacs+ PAM with OpenSSH. I would like to
> have the PAM authenticate the User ID as well as the password. Thus the
> users do not exist in /etc/passwd. I am not using NIS or any other
> system for user ids. The Tacacs server is the only place the user ids
> exist. Ultimately when the user authenticates via Tacacs, I will switch
> the user to a known user in /etc/passwd and provide the logging in user
> with a specific TTY interface via the shell. When attempting this on
> linux with OpenSSH 4.3p2 compiled with with_pam and seemingly the
> correct sshd_config options, I received the infamous

This is how I test

Make sure ldd to sshd shows pam library in the list

Modify the sshd_config file with the following two parameters

Syslog Fascility auth
Loglevel Debug

restart OpenSSH

touch a file /var/log/sshd.log.

modify the syslog.conf with auth.debug point to /var/log/sshd.log and
restart syslog.

Now ssh with your tacacs account and see if your tacacs server
receiving any connection logs from you as well as your
/var/log/sshd.log file.

If all fails I would ask the tacacs pam module developer about the issue.

> Thanks in advance,
> Gary

Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu