Asif,

Thank you for your offer. However, I fear you just answered my
question. Your comment:

"Also make sure you do have a local user account and it is not
locked.
You must need a local account even though the authentication is
done
thru tacacs server. "

is exactly what it was trying to avoid. I was wanting to NOT
have a local account on the server. I am trying to have sshd use the
local account as defined on the TACACS server. I was hoping there was a
way to configure OpenSSH to not look for a local account. I am able to
authenticate perfectly if the local account is created on the server.

Gary


Asif Iqbal wrote:
> On 8/2/06, Gary Schlachter wrote:
>> Since I am told OpenSSH works with radius, it should work with TACACS as
>> well. I believe I have the /etc/pam.d/sshd setup correctly as below:
>>
>> #%PAM-1.0
>> auth required pam_stack.so service=tacacs
>> auth required pam_nologin.so
>> account sufficient pam_stack.so service=tacacs
>> password required pam_stack.so service=tacacs
>> session sufficient pam_stack.so service=tacacs
>> session required pam_limits.so
>> session optional pam_console.so
>>
>> So my TACACS pam is getting called with the incoming user. OpenSSH
>> complains that the incoming user is not found but continues processing.
>> My pam authenticates the incoming user and sends back the response to
>> OpenSSH to prompt for the password. I enter the password. Now the
>> incoming request to my pam does not have the password that was entered
>> but the hardcoded value in OpenSSH of "****INCORRECT" which indicates
>> that sshpam_authctxt->valid is 0. Obviously this fails from the TACACS
>> server

>
> You want to make sure UsePAM is set to `yes' and you are using
> keyboard interactive for protocol 2 and challenge response for
> protocol 1.
>
> There are a couple of log files that you can send me, if it exceeds the
> attachment size restriction of this mailing list, to take a look at.
>
> Change the loglevel to debug in sshd_config file. Then restart sshd.
> Now try to ssh in from a remote client. Collect all the logs related
> to `auth.*' (assuming your syslog facility on sshd_config is set to
> auth) and post it here. You may also post the ssh_config of the remote
> client and sshd_config of the sshd server. I can use those to test on my
> side.
>
> Also make sure you do have a local user account and it is not locked.
> You must need a local account even though the authentication is done
> thru tacacs server.
>
>>
>> I am wondering if I am missing something in the sshd_config
>> configuration. Or is the interaction between the pam and sshd
>> incorrect?
>>
>> Gary
>>
>> Asif Iqbal wrote:
>> > On 8/1/06, Gary Schlachter wrote:
>> >> Thank you for your reply. The PAM is getting called which in turn
>> >> contacts the TACACS server. However, my problem is that OpenSSH is
>> >> authenticating the user against /etc/passwd instead of letting the user
>> >> be authenticated by the TACACS server. I am looking for a way to
>> >> configure SSH to stop the /etc/passwd authentication. When the user is
>> >> in /etc/passwd but does not have a local password and is defined on
>> >> the TACACS server, TACACS authenticates the user correctly. I am
>> >> looking for a way to not have to configure the same user id on both the
>> >> TACACS server and the local system.
>> >
>> > I am using PAM with Radius Server Auth. So we should have a similar setup.
>> >
>> > This is all I have in /etc/pam.conf (Solaris) for sshd to use only one
>> > pam_radius module and no other pam libraries.
>> >
>> > sshd auth required pam_radius_auth.so debug
>> >
>> > You may be using other pam libraries--especially the library that talks
>> > to /etc/passwd.
>> >
>> >> BTW, I am the PAM developer.
>> >>
>> >> Thanks,
>> >> Gary
>> >>
>> >> Asif Iqbal wrote:
>> >> > On 7/27/06, Gary Schlachter wrote:
>> >> >> I know this question has been asked several times over the years
>> >> >> but I have not seen a definitive answer/solution if one exists. If one
>> >> >> does not exist or I need to develop one, then I can stop looking! I am
>> >> >> attempting to integrate a Tacacs+ PAM with OpenSSH. I would like to
>> >> >> have the PAM authenticate the User ID as well as the password. Thus the
>> >> >> users do not exist in /etc/passwd. I am not using NIS or any other
>> >> >> system for user ids. The Tacacs server is the only place the user ids
>> >> >> exist. Ultimately when the user authenticates via Tacacs, I will switch
>> >> >> the user to a known user in /etc/passwd and provide the logging in user
>> >> >> with a specific TTY interface via the shell. When attempting this on
>> >> >> linux with OpenSSH 4.3p2 compiled with with_pam and seemingly the
>> >> >> correct sshd_config options, I received the infamous
>> >> >
>> >> > This is how I test
>> >> >
>> >> > Make sure ldd to sshd shows pam library in the list
>> >> >
>> >> > Modify the sshd_config file with the following two parameters
>> >> >
>> >> > Syslog Facility auth
>> >> > Loglevel Debug
>> >> >
>> >> > restart OpenSSH
>> >> >
>> >> > touch a file /var/log/sshd.log.
>> >> >
>> >> > modify the syslog.conf with auth.debug point to /var/log/sshd.log and
>> >> > restart syslog.
>> >> >
>> >> > Now ssh with your tacacs account and see if your tacacs server
>> >> > receiving any connection logs from you as well as your
>> >> > /var/log/sshd.log file.
>> >> >
>> >> > If all fails I would ask the tacacs pam module developer about the issue.
>> >> >
>> >> >
>> >> >>
>> >> >> Thanks in advance,
>> >> >> Gary
>
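An added example, not code from this thread, from OpenSSH or from Linux-PAM: it parses the two PAM stacks quoted above (Gary's /etc/pam.d/sshd and Asif's Solaris pam.conf line) and walks them with a small simulator of the required/requisite/sufficient/optional control flags, so the short-circuit on `account sufficient` and the effect of the second `auth required` line can be checked without a TACACS or RADIUS server. Module outcomes are a constructed dict, not real module calls, and the extra pam.conf line for a service named `other` is constructed only to show the per-service filter. The simulator models the PAM side only; as the thread notes, sshd still has to find the user locally before it hands the real password to the stack, and no PAM ordering changes that.

```python
"""Simulator of the classic Linux-PAM control flags, run over the PAM stacks
quoted in the thread. Added example: module results come from a dict, because
no real PAM module (pam_stack, pam_radius_auth, ...) is loaded here."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GROUPS = ("auth", "account", "password", "session")
CONTROLS = ("required", "requisite", "sufficient", "optional")

# Gary's /etc/pam.d/sshd, exactly as quoted in the thread.
GARY_PAMD_SSHD = """\
#%PAM-1.0
auth required pam_stack.so service=tacacs
auth required pam_nologin.so
account sufficient pam_stack.so service=tacacs
password required pam_stack.so service=tacacs
session sufficient pam_stack.so service=tacacs
session required pam_limits.so
session optional pam_console.so
"""

# Asif's Solaris /etc/pam.conf line, plus one constructed line for another
# service so the service filter in parse_pam_stack() has something to skip.
ASIF_PAM_CONF = """\
sshd auth required pam_radius_auth.so debug
other auth required pam_unix.so
"""


@dataclass
class Entry:
    group: str                 # auth / account / password / session
    control: str               # required / requisite / sufficient / optional
    module: str
    args: Tuple[str, ...]


def parse_pam_stack(text: str, service: Optional[str] = None) -> List[Entry]:
    """Parse /etc/pam.d/<service> lines (group control module args), or, when
    `service` is given, /etc/pam.conf lines (service group control module args),
    keeping only the entries for that service."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops comments and '#%PAM-1.0'
        if not line:
            continue
        parts = line.split()
        if service is not None:
            if parts[0] != service:
                continue                      # entry for a different service
            parts = parts[1:]
        if len(parts) < 3 or parts[0] not in GROUPS or parts[1] not in CONTROLS:
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append(Entry(parts[0], parts[1], parts[2], tuple(parts[3:])))
    return entries


def run_group(entries: List[Entry], group: str,
              results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate one management group under the four classic control flags.

    `results` maps module name -> True (PAM_SUCCESS) or False (any error); a
    module missing from the dict counts as failing. Returns the overall result
    and the list of modules that were actually consulted, in order."""
    consulted: List[str] = []
    required_failed = False
    non_optional_success = False
    saw_non_optional = False
    optional_result = False
    for e in (e for e in entries if e.group == group):
        consulted.append(e.module)
        ok = results.get(e.module, False)
        if e.control == "optional":
            optional_result = ok              # only decides if nothing else does
            continue
        saw_non_optional = True
        if e.control == "required":
            if ok:
                non_optional_success = True
            else:
                required_failed = True        # remembered; later modules still run
        elif e.control == "requisite":
            if not ok:
                return False, consulted       # abort the stack immediately
            non_optional_success = True
        elif e.control == "sufficient":
            if ok and not required_failed:
                return True, consulted        # short-circuit: rest of stack skipped
            # a failing sufficient module is simply ignored
    if not saw_non_optional:
        return optional_result, consulted
    return (not required_failed) and non_optional_success, consulted


if __name__ == "__main__":
    gary = parse_pam_stack(GARY_PAMD_SSHD)
    # TACACS accepts the user but pam_nologin refuses: the second 'required'
    # line still denies, which is what Asif's 'only one pam module' setup avoids.
    print(run_group(gary, "auth", {"pam_stack.so": True, "pam_nologin.so": False}))
    print(run_group(gary, "account", {"pam_stack.so": True}))   # sufficient short-circuits
    asif = parse_pam_stack(ASIF_PAM_CONF, service="sshd")
    print(run_group(asif, "auth", {"pam_radius_auth.so": True}))
```

Running it shows that with Gary's stack the `account` group stops after pam_stack.so succeeds, while the `auth` group consults both required lines and denies if either fails; with Asif's single-line stack, only pam_radius_auth.so is consulted. Whether sshd ever lets the real password reach these modules is decided before PAM runs, by the local-account lookup the thread describes.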