OpenSSH uses calls like getpwnam to identify if the user exists. You cannot
easily bypass these checks, other than creating your own NIS library (e.g.
nis_tacacs) with dummy functions (e.g. point always to the same user, group,
etc), which shouldn't be too hard to do.


"Gary Schlachter" wrote in message
> I know this question has been asked several times over the years but
> I have not seen a definitive answer/solution if one exists. If one does
> not exist or I need to develop one, then I can stop looking! I am
> attempting to integrate a Tacacs+ PAM with OpenSSH. I would like to have
> the PAM authenticate the User ID as well as the password. Thus the users
> do not exist in /etc/passwd. I am not using NIS or any other system for
> user ids. The Tacacs server is the only place the user ids exist.
> Ultimately when the user authenticates via Tacacs, I will switch the user
> to a known user in /etc/passwd and provide the logging in user with a
> specific TTY interface via the shell. When attempting this on linux with
> OpenSSH 4.3p2 compiled with with_pam and seemingly the correct sshd_config
> options, I received the infamous "Invalid user" debug messages. Is this
> possible with the current OpenSSH and/or some patch for it?
> Thanks in advance,
> Gary
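The dummy-function NSS module the reply sketches, as an added example (not code from the thread): a glibc passwd module that answers getpwnam for any plausible login name with one fixed local account, so sshd's "Invalid user" check passes and the TACACS+ PAM module does the real authentication. The module name tacdummy, uid/gid 60000, /var/empty and /usr/local/bin/tacacs-shell are assumptions.

```c
#include <errno.h>
#include <nss.h>        /* glibc: enum nss_status */
#include <pwd.h>
#include <string.h>

/* The one real /etc/passwd account every TACACS+ login is mapped onto
 * (assumed values) and the restricted shell those logins receive. */
#define FIXED_UID   60000
#define FIXED_GID   60000
#define FIXED_HOME  "/var/empty"
#define FIXED_SHELL "/usr/local/bin/tacacs-shell"

/* Copy s into the caller's buffer and advance; NULL means out of room. */
static char *place(char **cur, size_t *left, const char *s)
{
    size_t n = strlen(s) + 1;
    if (n > *left) return NULL;
    char *dst = memcpy(*cur, s, n);
    *cur += n; *left -= n;
    return dst;
}

/* glibc resolves _nss_<module>_getpwnam_r from libnss_<module>.so.2.
 * pw_name keeps the requested login so sshd's "Invalid user" check passes
 * and its logs still record which TACACS+ user connected. */
enum nss_status _nss_tacdummy_getpwnam_r(const char *name, struct passwd *pw,
                                        char *buf, size_t buflen, int *errnop)
{
    /* Reject names sshd or the shell could misparse; TACACS+ does the real auth. */
    if (!name || !*name || strlen(name) > 32 || strpbrk(name, " :/\\\n")) {
        *errnop = ENOENT;
        return NSS_STATUS_NOTFOUND;
    }
    char *cur = buf; size_t left = buflen;
    pw->pw_name   = place(&cur, &left, name);
    pw->pw_passwd = place(&cur, &left, "x");   /* no local hash: PAM asks TACACS+ */
    pw->pw_gecos  = place(&cur, &left, "TACACS+ user");
    pw->pw_dir    = place(&cur, &left, FIXED_HOME);
    pw->pw_shell  = place(&cur, &left, FIXED_SHELL);
    if (!pw->pw_name || !pw->pw_passwd || !pw->pw_gecos || !pw->pw_dir || !pw->pw_shell) {
        *errnop = ERANGE;                      /* libc retries with a bigger buffer */
        return NSS_STATUS_TRYAGAIN;
    }
    pw->pw_uid = FIXED_UID;
    pw->pw_gid = FIXED_GID;
    return NSS_STATUS_SUCCESS;
}
```

Build it as libnss_tacdummy.so.2, list tacdummy after files on the passwd line of /etc/nsswitch.conf, and keep uid 60000 as a real entry in /etc/passwd so getpwuid still resolves through the files backend. Because every login shares one uid, accountability rests on the login name sshd records and on what the restricted shell permits.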