OpenSSH uses calls like getpwnam to identify if the user exists. You cannot easily bypass these checks, other than creating your own NIS library (e.g. nis_tacacs) with dummy functions (e.g. point always to the same user, group, etc.), which shouldn't be too hard to do.
Markus

"Gary Schlachter" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> I know this question has been asked several times over the years but
> I have not seen a definitive answer/solution if one exists. If one does
> not exist or I need to develop one, then I can stop looking! I am
> attempting to integrate a Tacacs+ PAM with OpenSSH. I would like to have
> the PAM authenticate the User ID as well as the password. Thus the users
> do not exist in /etc/passwd. I am not using NIS or any other system for
> user ids. The Tacacs server is the only place the user ids exist.
> Ultimately when the user authenticates via Tacacs, I will switch the user
> to a known user in /etc/passwd and provide the logging in user with a
> specific TTY interface via the shell. When attempting this on linux with
> OpenSSH 4.3p2 compiled with with_pam and seemingly the correct sshd_config
> options, I received the infamous "Invalid user" debug messages. Is this
> possible with the current OpenSSH and/or some patch for it?
>
> Thanks in advance,
> Gary
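
The kind of dummy lookup function the reply describes, written here as a glibc NSS module so that getpwnam succeeds for names that are not in /etc/passwd. This is an added example, not code from the thread or from OpenSSH; the service name `tacacs`, the uid/gid, home directory and shell are assumptions.

```c
/* Added example: minimal glibc NSS module mapping every looked-up name to one
 * local account. Build: gcc -fPIC -shared -o libnss_tacacs.so.2 nss_tacacs.c
 * Enable with "passwd: files tacacs" in /etc/nsswitch.conf (assumed name). */
#include <errno.h>
#include <nss.h>
#include <pwd.h>
#include <string.h>

/* Assumed values for the shared local account; adjust to a real,
 * unprivileged entry in /etc/passwd. */
#define MAP_UID   1500
#define MAP_GID   1500
#define MAP_HOME  "/home/tacuser"
#define MAP_SHELL "/bin/sh"

/* Copy src into the caller's buffer and advance the cursor; NULL if full. */
static char *put(char **cur, size_t *left, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > *left)
        return NULL;
    char *dst = memcpy(*cur, src, n);
    *cur += n;
    *left -= n;
    return dst;
}

/* glibc calls this for getpwnam()/getpwnam_r() when "tacacs" is listed. */
enum nss_status _nss_tacacs_getpwnam_r(const char *name, struct passwd *pw,
                                       char *buf, size_t buflen, int *errnop)
{
    /* Refuse empty names and never answer for root, whatever the lookup order. */
    if (name == NULL || *name == '\0' || strcmp(name, "root") == 0)
        return NSS_STATUS_NOTFOUND;

    pw->pw_name   = put(&buf, &buflen, name);
    pw->pw_passwd = put(&buf, &buflen, "*");   /* no local password; PAM decides */
    pw->pw_gecos  = put(&buf, &buflen, "TACACS+ mapped user");
    pw->pw_dir    = put(&buf, &buflen, MAP_HOME);
    pw->pw_shell  = put(&buf, &buflen, MAP_SHELL);
    if (!pw->pw_name || !pw->pw_passwd || !pw->pw_gecos ||
        !pw->pw_dir || !pw->pw_shell) {
        *errnop = ERANGE;                      /* caller retries with a larger buffer */
        return NSS_STATUS_TRYAGAIN;
    }
    pw->pw_uid = MAP_UID;
    pw->pw_gid = MAP_GID;
    return NSS_STATUS_SUCCESS;
}
```

Because this lookup answers for any non-root name, the TACACS+ PAM module remains the only thing deciding who gets in; other authentication methods (public key, local password) should be disabled in sshd_config for such a setup.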