From owner-freebsd-current Sun Apr 16 14: 4:46 2000
Delivered-To: freebsd-current@freebsd.org
Received: from aurora.sol.net (aurora.sol.net [206.55.65.76]) by hub.freebsd.org (Postfix) with ESMTP id 13C0937B953 for ; Sun, 16 Apr 2000 14:04:31 -0700 (PDT) (envelope-from jgreco@aurora.sol.net)
Received: (from jgreco@localhost) by aurora.sol.net (8.9.2/8.9.2/SNNS-1.02) id VAA10488 for current@freebsd.org; Wed, 19 Apr 2000 21:40:44 -0500 (CDT)
From: Joe Greco
Message-Id: <200004200240.VAA10488@aurora.sol.net>
Subject: OpenSSH and PAM
To: current@freebsd.org
Date: Wed, 19 Apr 2000 21:40:44 -0500 (CDT)
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

While I realize that 4.0 has PAM'ified SSH, I was wondering if anyone was planning to extend this in the manner that telnet/rlogin have been. From /etc/pam.d/login:

auth sufficient pam_tacplus.so try_first_pass template_user=staffer

Basically this'll grab the "staffer" account and use it as the basis for other arbitrary users who have been authenticated by TACACS. Very handy at an ISP where you may wish to allow or disallow access to many servers to a large number of individuals who tend to come and go. The people who don't _really_ need to access the machines on a daily basis just get a TACACS login and they get to live with the "template" user's dotfiles etc.

Unfortunately, sshd does some explicit checks with getpwnam() that cause ssh connections to fail if the user is not in /etc/passwd, and there are probably other issues as well.

Any ssh hackers looking at this, by any chance?

-- ...
Joe
-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                          jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                     414/342-4847
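The collision Joe describes is between two lookups: sshd's strict getpwnam() check, which refuses any name absent from the passwd database even after PAM has said "authenticated", and the template_user idea, where a name known only to TACACS borrows the uid/gid/home/shell of a real local account. The following C program is an added example written for this page, not code from sshd, pam_tacplus or the FreeBSD tree; the struct and function names are its own, "tacacs-only-user" and "staffer" in main() are constructed placeholders, and it assumes only that a "root" account exists in the local passwd database when you run it.

```c
/*
 * template_login.c: strict sshd-style getpwnam() lookup next to a
 * template-user lookup (example code, not from sshd or pam_tacplus).
 */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

struct login_identity {
    char  name[64];        /* name the user authenticated as (e.g. via TACACS) */
    uid_t uid;             /* credentials the session will actually run with */
    gid_t gid;
    char  home[256];
    char  shell[256];
    int   from_template;   /* 1 when uid/gid/home/shell came from the template */
};

/* Copy what we need out of getpwnam()'s static buffer before it is reused. */
static void fill_identity(struct login_identity *out, const char *name,
                          const struct passwd *pw, int from_template)
{
    memset(out, 0, sizeof *out);
    snprintf(out->name, sizeof out->name, "%s", name);
    out->uid = pw->pw_uid;
    out->gid = pw->pw_gid;
    snprintf(out->home, sizeof out->home, "%s", pw->pw_dir);
    snprintf(out->shell, sizeof out->shell, "%s", pw->pw_shell);
    out->from_template = from_template;
}

/*
 * Strict lookup, the behaviour described for sshd: the authenticated name
 * must resolve through getpwnam() or the login is refused, regardless of
 * what PAM decided.  Returns 0 on success, -1 if the user is unknown.
 */
int lookup_strict(const char *user, struct login_identity *out)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    fill_identity(out, user, pw, 0);
    return 0;
}

/*
 * Template-aware lookup: a user present in passwd is used as-is; a user who
 * is absent gets the template account's uid/gid/home/shell but keeps the
 * authenticated name for logging.  Returns -1 if neither the user nor the
 * template exists, rather than falling back to anything else.
 */
int lookup_with_template(const char *user, const char *template_user,
                         struct login_identity *out)
{
    struct passwd *pw = getpwnam(user);
    if (pw != NULL) {
        fill_identity(out, user, pw, 0);
        return 0;
    }
    if (template_user == NULL || template_user[0] == '\0')
        return -1;
    pw = getpwnam(template_user);
    if (pw == NULL)
        return -1;
    fill_identity(out, user, pw, 1);
    return 0;
}

int main(int argc, char **argv)
{
    struct login_identity id;
    /* Constructed placeholder names; override with ./template_login USER TEMPLATE */
    const char *user = argc > 1 ? argv[1] : "tacacs-only-user";
    const char *tmpl = argc > 2 ? argv[2] : "staffer";

    if (lookup_strict(user, &id) == 0)
        printf("strict:   %s -> uid %ld\n", id.name, (long)id.uid);
    else
        printf("strict:   %s refused (no passwd entry)\n", user);

    if (lookup_with_template(user, tmpl, &id) == 0)
        printf("template: %s -> uid %ld gid %ld home %s%s\n", id.name,
               (long)id.uid, (long)id.gid, id.home,
               id.from_template ? " (borrowed from template)" : "");
    else
        printf("template: %s refused (no passwd entry for %s or %s)\n",
               user, user, tmpl);
    return 0;
}
```

Two things to keep in mind if this pattern is adopted: every template login runs under the same uid, so file ownership, process listings and anything else keyed on uid cannot distinguish one TACACS user from another, and the only per-person record is the authenticated name the daemon chooses to log; and the fallback should fail closed when the template account itself is missing, as above, rather than letting a misconfigured template_user turn into a different account.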