On 8/1/06, Gary Schlachter <[EMAIL PROTECTED]> wrote:
Thank you for your reply. The PAM is getting called which in turn contacts the TACACS server. However, my problem is that OpenSSH is authenticating the user against /etc/passwd instead of letting the user be authenticated by the TACACS server. I am looking for a way to configure SSH to stop the /etc/passwd authentication. When the user is in /etc/passwd but does not have a local password and is defined on the TACACS server, TACACS authenticates the user correctly. I am looking for a way to not have to configure the same user id on both the TACACS server and the local system. BTW, I am the PAM developer.
Hey,

You will see in /etc/pam.d/sshd (on Red Hat) the following lines:

    auth       required     pam_stack.so service=system-auth
    auth       required     pam_nologin.so
    account    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth

and in /etc/pam.d/login you will see these lines:

    auth       required     pam_securetty.so
    auth       required     pam_stack.so service=system-auth
    auth       required     pam_nologin.so
    account    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_stack.so service=system-auth
    session    optional     pam_console.so
    # pam_selinux.so open should be the last session rule
    session    required     pam_selinux.so multiple open

/etc/pam.d/login is used when you want to log in to the system, and it also depends on what type of authentication is on your system, by default /etc/passwd (with shadow), so you have to change the settings in /etc/pam.d/sshd to make it work with the TACACS server.

Regards
Ankush Grover
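An added example, not part of the message above: a small checker that expands the `pam_stack.so service=...` indirection in the quoted sshd file and lists the modules that actually run for one management type, which shows where local password checking enters the sshd stack. The `system-auth` contents are a constructed assumption, since the thread does not show that file, and `parse` and `effective` are hypothetical helper names.

```python
# Added example: list the modules a PAM service runs for one management type,
# expanding "pam_stack.so service=NAME" as used in the quoted sshd file.

# Constructed sample input. "sshd" mirrors the lines quoted in the message;
# the "system-auth" content is an assumption, the thread does not show it.
SAMPLE = {
    "sshd": """\
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
""",
    "system-auth": """\
# constructed example content
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok
auth       required     pam_deny.so
account    required     pam_unix.so
""",
}


def parse(text):
    """Yield (type, control, module, args); handles one-word controls only."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            yield fields[0], fields[1], fields[2], fields[3:]


def effective(service, mgmt, files, seen=()):
    """Return [(source_file, control, module)] in evaluation order."""
    seen = seen + (service,)
    rules = []
    for typ, control, module, args in parse(files.get(service, "")):
        if typ != mgmt:
            continue
        target = next((a[8:] for a in args if a.startswith("service=")), None)
        if module == "pam_stack.so" and target:
            if target not in seen:  # guard against include loops
                rules += effective(target, mgmt, files, seen)
        else:
            rules.append((service, control, module))
    return rules


if __name__ == "__main__":
    for src, control, module in effective("sshd", "auth", SAMPLE):
        print(f"{src:12} {control:11} {module}")
```

With the sample data, the sshd auth stack resolves to the modules in system-auth followed by pam_nologin.so, so any change made only to system-auth also affects every other service that stacks on it.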