On 8/1/06, Gary Schlachter wrote:
> Thank you for your reply. The PAM is getting called which in turn
> contacts the TACACS server. However, my problem is that OpenSSH is
> authenticating the user against /etc/passwd instead of letting the user
> be authenticated by the TACACS server. I am looking for a way to
> configure SSH to stop the /etc/passwd authentication. When the user is
> in /etc/passwd but does not have a local password and is defined on
> the TACACS server, TACACS authenticates the user correctly. I am
> looking for a way to not have to configure the same user id on both the
> TACACS server and the local system.


I am using PAM with Radius Server Auth. So we should have a similar setup.

This is all I have in /etc/pam.conf (Solaris) for sshd to use only one
pam_radius module and no other pam libraries.

sshd auth required pam_radius_auth.so debug

You may be using other pam libraries--especially the library that talks
to /etc/passwd.

> BTW, I am the PAM developer.
>
> Thanks,
> Gary
>
> Asif Iqbal wrote:
> > On 7/27/06, Gary Schlachter wrote:
> >> I know this question has been asked several times over the years
> >> but I have not seen a definitive answer/solution if one exists. If one
> >> does not exist or I need to develop one, then I can stop looking! I am
> >> attempting to integrate a Tacacs+ PAM with OpenSSH. I would like to
> >> have the PAM authenticate the User ID as well as the password. Thus the
> >> users do not exist in /etc/passwd. I am not using NIS or any other
> >> system for user ids. The Tacacs server is the only place the user ids
> >> exist. Ultimately when the user authenticates via Tacacs, I will switch
> >> the user to a known user in /etc/passwd and provide the logging in user
> >> with a specific TTY interface via the shell. When attempting this on
> >> linux with OpenSSH 4.3p2 compiled with with_pam and seemingly the
> >> correct sshd_config options, I received the infamous

> >
> > This is how I test
> >
> > Make sure ldd on sshd shows the pam library in the list
> >
> > Modify the sshd_config file with the following two parameters
> >
> > SyslogFacility auth
> > LogLevel Debug
> >
> > restart OpenSSH
> >
> > touch a file /var/log/sshd.log.
> >
> > modify the syslog.conf so that auth.debug points to /var/log/sshd.log and
> > restart syslog.
> >
> > Now ssh with your tacacs account and see if your tacacs server is
> > receiving any connection logs from you, as well as your
> > /var/log/sshd.log file.
> >
> > If all fails I would ask the tacacs pam module developer about the issue.
> >
> >
> >>
> >> Thanks in advance,
> >> Gary
> >>
> >>
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
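An added example, not code from this thread or from OpenSSH, pam_radius or any TACACS+ PAM project: a small POSIX shell audit that lists the modules on the sshd "auth" stack, in either the Solaris /etc/pam.conf form quoted above ("sshd auth required pam_radius_auth.so debug") or the Linux /etc/pam.d/sshd form ("auth required pam_unix.so"), so that a module which consults /etc/passwd shows up next to the intended RADIUS/TACACS+ module. The sample configurations are constructed; pam_unix.so and pam_deny.so are assumed to be the standard Linux-PAM modules (the Solaris local-password module has a different name). One caveat the stack audit cannot fix: sshd resolves the login name with getpwnam() before PAM runs, so an account that exists only on the TACACS+ server and not in /etc/passwd (or another NSS source) is rejected as an invalid user regardless of the PAM stack; PAM authenticates a user the system already knows, it does not create the account entry.

```shell
#!/bin/sh
# Added example (not from the thread): audit which PAM modules the sshd
# "auth" stack would call. Accepts Solaris /etc/pam.conf lines
# ("sshd auth required module args") or Linux /etc/pam.d/sshd lines
# ("auth required module args"). Reads FILE, or stdin when FILE is "-".
# Note: "auth include common-auth" prints "common-auth"; follow that file too.

# pam_auth_modules FILE [SERVICE]  ->  one module name per line (SERVICE defaults to sshd)
pam_auth_modules() {
    file=$1; svc=${2:-sshd}
    awk -v svc="$svc" '
        /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blank lines
        {
            i = 1
            if ($1 == svc) i = 2                   # pam.conf style: service name comes first
            if (tolower($i) != "auth") next        # only the auth stack matters here
            i++                                    # control field: required, sufficient, [success=1 ...]
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++ }   # bracketed control may span fields
            i++                                    # module path
            if (i <= NF) print $i
        }' "$file"
}

# pam_auth_only FILE MODULE [SERVICE] -> exit 0 when MODULE is present and is the
# only module on the auth stack, 1 when it is missing or anything else is there
pam_auth_only() {
    file=$1; want=$2; svc=${3:-sshd}
    mods=$(pam_auth_modules "$file" "$svc")
    printf '%s\n' "$mods" | grep -q -x -- "$want" || return 1   # intended module must be present
    extra=$(printf '%s\n' "$mods" | grep -v -x -- "$want") || true
    [ -z "$extra" ]
}

# Constructed samples (not from any real host). The first is the Solaris
# /etc/pam.conf line quoted in the thread plus a line for another service;
# the second is a Linux-PAM /etc/pam.d/sshd stack that still reaches
# /etc/passwd and /etc/shadow through pam_unix.so.
SAMPLE_SOLARIS_PAM_CONF='sshd auth required pam_radius_auth.so debug
other auth required pam_radius_auth.so'
SAMPLE_LINUX_PAM_D_SSHD='# sshd PAM stack
auth [success=1 default=ignore] pam_unix.so nullok
auth required pam_deny.so
account required pam_unix.so'

# Run with "--demo" to print the auth modules found in both samples.
if [ "${1:-}" = "--demo" ]; then
    echo "Solaris pam.conf auth stack for sshd:"
    printf '%s\n' "$SAMPLE_SOLARIS_PAM_CONF" | pam_auth_modules -
    echo "Linux pam.d/sshd auth stack:"
    printf '%s\n' "$SAMPLE_LINUX_PAM_D_SSHD" | pam_auth_modules -
fi
```

On a real host, point it at the live file (`pam_auth_modules /etc/pam.conf sshd` on Solaris, `pam_auth_modules /etc/pam.d/sshd` on Linux); a non-zero exit from `pam_auth_only /etc/pam.d/sshd pam_radius_auth.so` means something other than the RADIUS/TACACS+ module is still on the stack, which is exactly the situation the reply above describes.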