From owner-freebsd-security Tue Jul 17 4:53: 6 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f192.law10.hotmail.com [64.4.15.192]) by hub.freebsd.org (Postfix) with ESMTP id 5963537B401 for ; Tue, 17 Jul 2001 04:52:54 -0700 (PDT) (envelope-from shila_ofek@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 17 Jul 2001 04:52:54 -0700
Received: from 212.25.110.131 by lw10fd.law10.hotmail.msn.com with HTTP; Tue, 17 Jul 2001 11:52:53 GMT
X-Originating-IP: [212.25.110.131]
From: "Shila Ofek"
To: security@freebsd.org
Subject: SSH with PAM and TACACS+/Radius (was: OpenSSH UseLogin parameter)
Date: Tue, 17 Jul 2001 14:52:53 +0300
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 17 Jul 2001 11:52:54.0271 (UTC) FILETIME=[037248F0:01C10EB7]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi,

Thanks for all the answers about my previous question.

Well, now I've got the right version - FreeBSD 4.3, but I still can't do what I need.

What I need to do is the following:
When the SSH user authentication is a password authentication, I want to authenticate through PAM. The reason for that is that I want to authenticate through TACACS+ and Radius servers. Users that authenticate through these servers usually don't have local accounts in the master.passwd files. Instead, a parameter named "template user" is given in the pam.conf file, and the pam_radius and pam_tacplus libraries return this user after authenticating the real user. The template user must have a local account.

Now to the actual problem.
The code of the OpenSSH daemon first looks for the user in the passwd files. In case the user is a TACACS/Radius user, he is not found there, of course. If the user is not found, the authentication with PAM is not called at all!
This is a problem. The code in SSH should work similarly to that in the login program, where after the authentication takes place, the template user is looked up in the master.passwd file.

Does anyone know of a patch for this, or any other solution?

Thanks,
Shila.
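
The two orderings described in the message above, modelled as an added example; this is not OpenSSH, login, or PAM source code. The account table, the remote user database, the `pam_stub_auth` stub, and the template account name `radtmpl` are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data: local accounts (stand-in for master.passwd). */
static const char *local_accounts[] = { "root", "radtmpl", NULL };
/* Constructed stand-in for the remote RADIUS/TACACS+ user database. */
static const struct { const char *user, *pass; } remote_users[] = {
    { "alice", "s3cret" }, { NULL, NULL }
};
#define TEMPLATE_USER "radtmpl"   /* hypothetical template user value */

static int local_exists(const char *name) {
    for (int i = 0; local_accounts[i]; i++)
        if (strcmp(local_accounts[i], name) == 0) return 1;
    return 0;
}

/* Stub for the PAM stack: on success, reports the account to run as. */
static const char *pam_stub_auth(const char *user, const char *pass) {
    for (int i = 0; remote_users[i].user; i++)
        if (strcmp(remote_users[i].user, user) == 0 &&
            strcmp(remote_users[i].pass, pass) == 0)
            return TEMPLATE_USER;
    return NULL;
}

/* Order described for sshd: local lookup first, PAM never reached. */
const char *auth_lookup_first(const char *user, const char *pass) {
    if (!local_exists(user)) return NULL;   /* remote-only user stops here */
    return pam_stub_auth(user, pass) ? user : NULL;
}

/* Order described for login: authenticate, then look up the returned user. */
const char *auth_pam_first(const char *user, const char *pass) {
    const char *run_as = pam_stub_auth(user, pass);
    if (run_as == NULL) return NULL;        /* bad credentials: reject */
    return local_exists(run_as) ? run_as : NULL; /* template must be local */
}

int main(void) {
    const char *r1 = auth_lookup_first("alice", "s3cret");
    const char *r2 = auth_pam_first("alice", "s3cret");
    printf("lookup-first: %s\n", r1 ? r1 : "(rejected)");
    printf("pam-first:    %s\n", r2 ? r2 : "(rejected)");
    return 0;
}
```

In the PAM-first order every remote user's session runs under the one template account, so the name the user typed has to be logged separately if sessions are to be attributed to individuals.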