Thank you for your reply. The PAM is getting called which in turn
contacts the TACACS server. However, my problem is that OpenSSH is
authenticating the user against /etc/passwd instead of letting the user
be authenticated by the TACACS server. I am looking for a way to
configure SSH to stop the /etc/passwd authentication. When the user is
in /etc/passwd but does not have a local password and is defined on
the TACACS server, TACACS authenticates the user correctly. I am
looking for a way to not have to configure the same user id on both the
TACACS server and the local system.
BTW, I am the PAM developer.


Asif Iqbal wrote:
> On 7/27/06, Gary Schlachter wrote:
>> I know this question has been asked several times over the years
>> but I have not seen a definitive answer/solution if one exists. If one
>> does not exist or I need to develop one, then I can stop looking! I am
>> attempting to integrate a Tacacs+ PAM with OpenSSH. I would like to
>> have the PAM authenticate the User ID as well as the password. Thus the
>> users do not exist in /etc/passwd. I am not using NIS or any other
>> system for user ids. The Tacacs server is the only place the user ids
>> exist. Ultimately when the user authenticates via Tacacs, I will switch
>> the user to a known user in /etc/passwd and provide the logging in user
>> with a specific TTY interface via the shell. When attempting this on
>> linux with OpenSSH 4.3p2 compiled with with_pam and seemingly the
>> correct sshd_config options, I received the infamous

> This is how I test
> Make sure ldd to sshd shows pam library in the list
> Modify the sshd_config file with the following two parameters
> SyslogFacility auth
> LogLevel Debug
> restart OpenSSH
> touch a file /var/log/sshd.log.
> modify the syslog.conf with auth.debug point to /var/log/sshd.log and
> restart syslog.
> Now ssh with your tacacs account and see if your tacacs server is
> receiving any connection logs from you as well as your
> /var/log/sshd.log file.
> If all fails I would ask the tacacs pam module developer about the issue.
>> Thanks in advance,
>> Gary
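
The test procedure quoted above, as a scripted check (an added example, not part of the thread): it reads an sshd_config and a syslog.conf and reports which of the steps are not in place. The file paths are passed as arguments, the sample files in `demo` are constructed, and only the exact `<facility>.debug` selector from the steps is matched.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Sample files are constructed.

# Effective value of an sshd_config keyword: keywords are case-insensitive
# and the first occurrence wins. Prints nothing if the keyword is unset.
sshd_opt() {  # usage: sshd_opt <sshd_config> <keyword>
  awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Succeeds if the sshd binary at path $1 is dynamically linked against libpam.
sshd_has_pam() { ldd "$1" 2>/dev/null | grep -q 'libpam'; }

# Succeeds if syslog.conf ($1) sends <facility>.debug ($2) to logfile ($3).
syslog_routes() {
  awk -v sel="$2.debug" -v f="$3" '
    /^[ \t]*#/ { next }
    { t = $2; sub(/^-/, "", t)            # "-/path" means unsynced writes
      n = split($1, s, ";")
      for (i = 1; i <= n; i++) if (s[i] == sel && t == f) found = 1 }
    END { exit !found }' "$1"
}

# Runs the config checks; prints each problem, returns the number of problems.
check_debug_setup() {  # usage: check_debug_setup <sshd_config> <syslog.conf> <logfile>
  local fails=0 fac lvl
  fac=$(sshd_opt "$1" SyslogFacility); fac=${fac:-auth}  # sshd default: AUTH
  lvl=$(sshd_opt "$1" LogLevel);       lvl=${lvl:-info}  # sshd default: INFO
  case $lvl in
    debug|debug1|debug2|debug3) ;;
    *) echo "LogLevel is '$lvl', expected debug"; fails=$((fails + 1)) ;;
  esac
  syslog_routes "$2" "$fac" "$3" || { echo "no $fac.debug rule for $3"; fails=$((fails + 1)); }
  [ -e "$3" ] || { echo "$3 is missing (touch it first)"; fails=$((fails + 1)); }
  return "$fails"
}

# Constructed sample run in a scratch directory.
demo() {
  local d; d=$(mktemp -d)
  printf 'SyslogFacility auth\nLogLevel Debug\n' > "$d/sshd_config"
  printf 'auth.debug\t%s\n' "$d/sshd.log" > "$d/syslog.conf"
  touch "$d/sshd.log"
  check_debug_setup "$d/sshd_config" "$d/syslog.conf" "$d/sshd.log" && echo "setup OK"
  rm -rf "$d"
}
demo
```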