Thanks Matt

What I am trying to do is TACACS+ authentication.
It should be supported by dropbear, because currently it is like normal user
authentication, but instead of using the "/etc/passwd" file it should
authenticate by a TACACS+ server request.
I tested the dropbear PAM with regular "passwd" authentication and it did work.
But when I switched it to work with TACACS, it failed my username:
"authpriv.warn dropbear[949]: login attempt for nonexistent user from ::ffff:192.168.10.59:56356"
And when I open the trace I see:
"TRACE (951): leave checkusername: user 'avner' doesn't exist"
Indeed this user does not exist locally, only on the TACACS server, and it
looks like this rejection is internal to dropbear, and not PAM.

Please advise.

Thanks

Avner 

-----Original Message-----
From: Matt Johnston [mailto:m...@ucc.asn.au] 
Sent: Thu 31 May 2012 17:11
To: Avner Flesch; dropbear@ucc.asn.au
Subject: Re: Dropbear and PAM auth.

It should work ok with any module that just prompts for a username and 
password, which gets mapped to SSH's password authentication mode. It doesn't 
support more complex challenge/response type modes (which would use SSH's 
keyboard-interactive mode IIRC). If the username/password prompt doesn't match 
what's normal, take a look at svr-authpam.c for the comparison strings.

The limitation is because PAM doesn't have a way to use it asynchronously 
without using threads or subprocesses, at least for most modules and 
implementations I've seen. 

Matt

Avner Flesch <avn...@web-silicon.com> wrote:

>Hi,
>
>According to the note in the options.h file, PAM auth supports only simple
>modules.
>Does that mean that, for example, RADIUS authentication can't be supported?
>
>Thanks
>
>Avner
