Network Security Secure-Shell

Re: Tacacs and OpenSSH

Subject: Re: Tacacs and OpenSSH
Date: Wed, 2 Aug 2006 17:10:41 +0530
On 8/1/06, Gary Schlachter <Gary.Schlachter@tavve.com> wrote:
> Thank you for your reply. The PAM is getting called which in turn
> contacts the TACACS server. However, my problem is that OpenSSH is
> authenticating the user against /etc/passwd instead of letting the user
> be authenticated by the TACACS server. I am looking for a way to
> configure SSH to stop the /etc/passwd authentication. When the user is
> in /etc/passwd but does not have a local password and is defined on
> the TACACS server, TACACS authenticates the user correctly. I am
> looking for a way to not have to configure the same user id on both the
> TACACS server and the local system.
> BTW, I am the PAM developer.

Hey,

You will see the following lines in /etc/pam.d/sshd (on Red Hat):

auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

And in /etc/pam.d/login you will see these lines:

auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so multiple open


/etc/pam.d/login is used when you want to log in to the system, and it also depends on what type of authentication is there on your system, by default /etc/passwd (with shadow).

So you have to change the settings in /etc/pam.d/sshd to make it work
with the TACACS server.

Regards

Ankush Grover
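
An added example, not part of the original message: a short Python script that expands the `pam_stack.so service=...` references in a PAM service file and lists the modules that actually run for sshd's `auth` stack. The `sshd` lines are the ones quoted above; the `system-auth` contents are a constructed assumption, since the page does not show that file.

```python
import re

# Constructed sample: the sshd stack quoted in the message, plus an ASSUMED
# system-auth file (not shown on the page) that only does local pam_unix auth.
SAMPLE_FILES = {
    "sshd": """\
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
""",
    "system-auth": """\
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok
auth       required     pam_deny.so
account    required     pam_unix.so
""",
}

# type, control (plain word or [bracketed] form), module, optional arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def effective_stack(service, mtype, files, seen=()):
    """Flatten one module type of a service into [(control, module, origin_file)].

    Shows which modules run and in what order; it does not model how
    pam_stack combines the sub-stack's result with its own control flag.
    """
    if service in seen:
        raise ValueError("pam_stack loop at " + service)
    out = []
    for line in files[service].splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if not m or m.group(1) != mtype:
            continue
        control, module, args = m.group(2), m.group(3), m.group(4).split()
        target = None
        if control in ("include", "substack"):      # newer include syntax
            target = module
        elif module.endswith("pam_stack.so"):        # syntax used on the page
            target = next((a[8:] for a in args if a.startswith("service=")), None)
        if target:
            out += effective_stack(target, mtype, files, seen + (service,))
        else:
            out.append((control, module.rsplit("/", 1)[-1], service))
    return out

def auth_modules(service, files):
    return [mod for _, mod, _ in effective_stack(service, "auth", files)]
```

To check a real host, load the files under /etc/pam.d into a dict keyed by file name and pass it in place of `SAMPLE_FILES`.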