On Thu, Jul 27, 2006 at 09:25:58AM -0400, Gary Schlachter wrote:
> I know this question has been asked several times over the years
> but I have not seen a definitive answer/solution if one exists. If one
> does not exist or I need to develop one, then I can stop looking! I am
> attempting to integrate a Tacacs+ PAM with OpenSSH. I would like to
> have the PAM authenticate the User ID as well as the password. Thus the
> users do not exist in /etc/passwd. I am not using NIS or any other
> system for user ids. The Tacacs server is the only place the user ids
> exist. Ultimately when the user authenticates via Tacacs, I will switch
> the user to a known user in /etc/passwd and provide the logging in user
> with a specific TTY interface via the shell. When attempting this on
> linux with OpenSSH 4.3p2 compiled with with_pam and seemingly the
> correct sshd_config options, I received the infamous "Invalid user"
> debug messages. Is this possible with the current OpenSSH and/or some
> patch for it?

I'm taking a look at what's involved in making this work (although I'm
not convinced it's worth the risk). There's a patch that may help at
http://bugzilla.mindrot.org/show_bug.cgi?id=1215

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.