Thanks Matt
What I am trying to do is tacacs+ authentication.
It should be supported by dropbear, because currently it is like normal user
authentication, but instead of using the /etc/passwd file it should
authenticate it by TACACS+ server request.
I tested the dropbear PAM with regular passwd authentication and it did work.
But when I switched it to work with tacacs, it failed my username:
authpriv.warn dropbear[949]: login attempt for nonexistent user from :::192.168.10.59:56356
And when I open the trace I see:
TRACE (951): leave checkusername: user 'avner' doesn't exist
Indeed this user does not exist locally, only in the TACACS server, and it
looks like this rejection is internal to dropbear, and not PAM.
Please advise
Thanks
Avner
-Original Message-
From: Matt Johnston [mailto:m...@ucc.asn.au]
Sent: Thursday, 31 May 2012 17:11
To: Avner Flesch; dropbear@ucc.asn.au
Subject: Re: Dropbear and PAM auth.
It should work ok with any module that just prompts for a username and
password, which gets mapped to SSH's password authentication mode. It doesn't
support more complex challenge/response type modes (which would use SSH's
keyboard-interactive mode IIRC). If the username/password prompt doesn't match
what's normal, take a look at svr-authpam.c for the comparison strings.
The limitation is because PAM doesn't have a way to use it asynchronously
without using threads or subprocesses, at least for most modules and
implementations I've seen.
Matt
Avner Flesch avn...@web-silicon.com wrote:
Hi,
According to the note in the options.h file, PAM auth supports only simple
modules.
Does that mean that, for example, RADIUS authentication can't be supported?
Thanks
Avner
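
The prompt matching Matt describes, sketched as an added example (not Dropbear's code and not written by anyone in this thread): the function names and the two comparison strings are hypothetical, and the style values mirror Linux-PAM's PAM_PROMPT_ECHO_OFF/ON. It shows why a module that asks for anything beyond a username and password cannot be served from SSH password authentication.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Message styles; values mirror Linux-PAM's PAM_PROMPT_ECHO_OFF / _ON. */
enum { PROMPT_ECHO_OFF = 1, PROMPT_ECHO_ON = 2 };

/* Hypothetical comparison strings, stand-ins for those in svr-authpam.c. */
static const char *const USER_PROMPT = "login:";
static const char *const PASS_PROMPT = "password:";

/* Case-insensitive match that ignores whitespace around the prompt. */
static int prompt_matches(const char *prompt, const char *expected)
{
    size_t len;
    while (*prompt && isspace((unsigned char)*prompt)) prompt++;
    len = strlen(prompt);
    while (len > 0 && isspace((unsigned char)prompt[len - 1])) len--;
    if (len != strlen(expected)) return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)prompt[i]) != expected[i]) return 0;
    return 1;
}

/*
 * Answer one PAM prompt using only what an SSH password-auth request
 * carries (username and password). Any other prompt gets NULL, which the
 * caller must treat as an authentication failure.
 */
const char *answer_prompt(int style, const char *prompt,
                          const char *user, const char *pass)
{
    if (style == PROMPT_ECHO_OFF && prompt_matches(prompt, PASS_PROMPT))
        return pass;
    if (style == PROMPT_ECHO_ON && prompt_matches(prompt, USER_PROMPT))
        return user;
    return NULL; /* e.g. a one-time-code or challenge prompt */
}

int main(void)
{
    /* Constructed prompts: two simple ones and one challenge-style one. */
    const char *prompts[] = { "Password: ", "login:", "Verification code: " };
    int styles[] = { PROMPT_ECHO_OFF, PROMPT_ECHO_ON, PROMPT_ECHO_OFF };
    for (int i = 0; i < 3; i++)
        printf("%-20s -> %s\n", prompts[i],
               answer_prompt(styles[i], prompts[i], "avner", "pw") ? "answered" : "rejected");
    return 0;
}
```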