This is a discussion on Re: Tacacs and OpenSSH - openssh
On 8/1/06, Gary Schlachter wrote:
> Thank you for your reply. The PAM is getting called which in turn
> contacts the TACACS server. However, my problem is that OpenSSH is
> authenticating the user against /etc/passwd instead of letting the user
> be authenticated by the TACACS server. I am looking for a way to
> configure SSH to stop the /etc/passwd authentication. When the user is
> in /etc/passwd but does not have a local password and is defined on
> the TACACS server, TACACS authenticates the user correctly. I am
> looking for a way to not have to configure the same user id on both the
> TACACS server and the local system.
> BTW, I am the PAM developer.
>
hey,

You will see the following lines in /etc/pam.d/sshd (on Red Hat):

    auth required pam_stack.so service=system-auth
    auth required pam_nologin.so
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth

and in /etc/pam.d/login you will see these lines:

    auth required pam_securetty.so
    auth required pam_stack.so service=system-auth
    auth required pam_nologin.so
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    # pam_selinux.so close should be the first session rule
    session required pam_selinux.so close
    session required pam_stack.so service=system-auth
    session optional pam_console.so
    # pam_selinux.so open should be the last session rule
    session required pam_selinux.so multiple open

/etc/pam.d/login is used when you want to log in to the system, and
it also depends on what type of authentication is there on your system, by
default /etc/passwd (with shadow).
So you have to change the settings in /etc/pam.d/sshd to make it work
with the TACACS server.

Regards
Ankush Grover
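
An added example (not part of the original post, and not code from OpenSSH or any PAM module): a small Python check that flattens the auth stack a service file pulls in through pam_stack.so, so you can see which modules actually decide an sshd login. The system-auth contents and the module name pam_tacacs_placeholder.so are assumptions, since the thread shows neither.

```python
import os

# Constructed sample files. "sshd" repeats the lines quoted in the post;
# "system-auth" is not shown there, so its contents are an assumption.
PAM_FILES = {
    "sshd": """\
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
""",
    "system-auth": """\
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so
account    required     pam_unix.so
""",
}
# Variant with a placeholder TACACS module name (hypothetical) listed first.
PAM_FILES["sshd-tacacs"] = (
    "auth sufficient pam_tacacs_placeholder.so\n" + PAM_FILES["sshd"])


def parse(text):
    """Yield (type, control, module, args); bracketed controls unsupported."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            yield (fields[0].lstrip("-"), fields[1],
                   os.path.basename(fields[2]), fields[3:])


def effective_stack(service, files, ptype="auth", seen=()):
    """Return [(control, module)] for one type, expanding pam_stack.so."""
    if service in seen:
        raise ValueError("pam_stack loop via " + service)
    out = []
    for rule_type, control, module, args in parse(files[service]):
        if rule_type != ptype:
            continue
        target = next((a[8:] for a in args if a.startswith("service=")), None)
        if module == "pam_stack.so" and target:
            out += effective_stack(target, files, ptype, seen + (service,))
        else:
            out.append((control, module))
    return out


print("sshd auth stack:", effective_stack("sshd", PAM_FILES))
```

With the quoted sshd file, the only module in the flattened auth stack that checks a credential is pam_unix.so; the variant shows the placeholder module being consulted before it.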