From: Valentin Nechayev
To: Alexey Zagarin
cc: freebsd-hackers@freebsd.org
Date: Tue, 29 Jun 2004 09:13:03 +0300
Subject: Re: sshd & pam & getpwnam()
Message-ID: <20040629061303.GA37195@lucky.net>
In-Reply-To: <40D56C73.8090806@emax.ru>
References: <40D56C73.8090806@emax.ru>
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)

Sun, Jun 20, 2004 at 14:52:35, zagarin wrote about "sshd & pam & getpwnam()":

> Does anybody know why sshd calls getpwnam() even if the user is
> authenticating via PAM? This broke remote authentication (RADIUS,
> TACACS+) when the user doesn't exist in the local password database.

Because you are mixing two different things: the user directory (in modern Unixes, including 5.*, it is implemented as NSS) and authentication (implemented as PAM).

To log in with sshd, the user must be known in the passwd database; if sshd allowed a user to log in without an account, it wouldn't be sshd, but something else entirely.

To allow remote user lists, use NIS; for now it is the only working and well-tested mechanism for distributing the user list (passwd.*) to many systems. See "YP/NIS INTERACTION" in passwd(5) for details.

-netch-
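The NSS-then-PAM ordering that the reply describes, as an added example in C that is not part of the original message and not OpenSSH's own code: the account is first resolved through the NSS passwd sources (getpwnam_r, which walks the "passwd:" line of nsswitch.conf, so files, NIS, etc.), and only a name that resolves is handed on to PAM. The lookup is also what supplies the uid, gid, home directory and shell that a login daemon needs to build a session, which is why a RADIUS or TACACS+ "yes" cannot stand in for it. The function names, the enum, and the user name "zz-no-such-user-9f3a" are assumptions constructed for this example; the PAM call itself is represented by a placeholder return value rather than linked against libpam.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Outcome of the pre-authentication account lookup (names are constructed
 * for this example, not OpenSSH's). */
enum precheck {
    PRECHECK_NO_ACCOUNT = 0,   /* no passwd entry in any NSS source: reject before PAM runs */
    PRECHECK_LOOKUP_ERROR = 1, /* an NSS backend failed (e.g. NIS server unreachable) */
    PRECHECK_OK = 2            /* entry found: safe to hand the name to PAM */
};

/*
 * Resolve "user" through NSS. getpwnam_r() consults the "passwd:" sources
 * configured in nsswitch.conf in order; PAM is never involved here.
 * On PRECHECK_OK, *out holds the fields a session needs (uid, gid, dir, shell).
 */
enum precheck lookup_account(const char *user, struct passwd *out,
                             char *buf, size_t buflen)
{
    struct passwd *result = NULL;
    int rc;

    errno = 0;
    rc = getpwnam_r(user, out, buf, buflen, &result);

    /* POSIX: "not found" is rc == 0 with result == NULL; some libcs report
     * it as ENOENT/ESRCH instead, so treat those the same way. */
    if (result == NULL && (rc == 0 || rc == ENOENT || rc == ESRCH))
        return PRECHECK_NO_ACCOUNT;
    if (rc != 0)
        return PRECHECK_LOOKUP_ERROR;   /* ERANGE, EIO, backend failure, ... */
    return PRECHECK_OK;
}

/* Convenience wrapper: 1 if the account is in the passwd database, else 0. */
int account_known(const char *user)
{
    struct passwd pw;
    char buf[4096];
    return lookup_account(user, &pw, buf, sizeof buf) == PRECHECK_OK;
}

/*
 * Mirror of the login decision the reply describes: the NSS lookup gates
 * whether PAM is even consulted. Returns 1 if the name reaches PAM, 0 if it
 * is rejected beforehand. The PAM stage is a placeholder here (assumption:
 * a real daemon would call pam_start()/pam_authenticate() at that point).
 */
int login_precheck(const char *user)
{
    struct passwd pw;
    char buf[4096];

    switch (lookup_account(user, &pw, buf, sizeof buf)) {
    case PRECHECK_OK:
        printf("%s: uid=%ld gid=%ld home=%s shell=%s -> proceeding to PAM\n",
               user, (long)pw.pw_uid, (long)pw.pw_gid, pw.pw_dir, pw.pw_shell);
        return 1;
    case PRECHECK_LOOKUP_ERROR:
        printf("%s: NSS lookup failed (%s) -> rejected before PAM\n",
               user, strerror(errno));
        return 0;
    default:
        printf("%s: no passwd entry in any NSS source -> rejected before PAM\n",
               user);
        return 0;
    }
}

int main(int argc, char **argv)
{
    /* Constructed sample: "root" exists on any Unix box; the second name
     * is chosen so that it does not. */
    const char *sample[] = { "root", "zz-no-such-user-9f3a" };
    int i;

    for (i = 1; i < argc; i++)
        login_precheck(argv[i]);
    if (argc == 1)
        for (i = 0; i < 2; i++)
            login_precheck(sample[i]);
    return 0;
}
```

Run it with no arguments to see the two constructed cases, or pass user names on the command line. To watch the NSS half in isolation, change the "passwd:" line in nsswitch.conf (or the NIS setup the reply points to) and rerun: a name only known to RADIUS or TACACS+ still reports "no passwd entry", which is exactly the failure the original question describes.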