From: Adil Katchi
To: "'freebsd-hackers@freebsd.org'"
Date: Fri, 17 Oct 2003 14:28:57 -0400
Subject: sshd, PAM and template_user
List-Id: Technical Discussions relating to FreeBSD

While I realize that FreeBSD has PAM'ified SSH, I was wondering if anyone was planning to extend this in the manner that telnet/rlogin have been.

From /etc/pam.d/login:

    auth sufficient pam_tacplus.so try_first_pass template_user=staffer

Basically this'll grab the "staffer" account and use it as the basis for other arbitrary users who have been authenticated by TACACS. Very handy at an ISP where you may wish to allow or disallow access to many servers to a large number of individuals who tend to come and go. The people who don't _really_ need to access the machines on a daily basis just get a TACACS login and they get to live with the "template" user's dotfiles etc.

Unfortunately, sshd does some explicit checks with getpwnam() that cause ssh connections to fail if the user is not in /etc/passwd.

Any ssh hackers looking at this, by any chance?

Thanks,
Adil
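The contrast the message draws, as an added example that is not code from the original post, from FreeBSD's login(1), sshd or pam_tacplus: `resolve_strict` does what the message says sshd does, rejecting any name getpwnam() cannot resolve, while `resolve_with_template` gives an unknown but authenticated name the uid, gid, home and shell of a template account. The function names, the `struct account` type and the sample login names are assumptions for illustration; "root" stands in for the message's "staffer" only because it exists on every Unix host.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Added example, not code from the original message or from FreeBSD.
 * Function names and the account struct are illustrative assumptions. */

enum resolve_result {
    RESOLVE_LOCAL = 0,    /* login exists in the password database */
    RESOLVE_TEMPLATE = 1, /* login inherited the template user's account */
    RESOLVE_NONE = 2      /* neither login nor template exists: reject */
};

struct account {
    char  name[64];   /* the authenticated login name, not the template's */
    uid_t uid;
    gid_t gid;
    char  home[256];
    char  shell[256];
};

static void copy_account(struct account *out, const char *login,
                         const struct passwd *pw)
{
    memset(out, 0, sizeof *out);
    snprintf(out->name, sizeof out->name, "%s", login);
    out->uid = pw->pw_uid;
    out->gid = pw->pw_gid;
    snprintf(out->home, sizeof out->home, "%s", pw->pw_dir ? pw->pw_dir : "/");
    snprintf(out->shell, sizeof out->shell, "%s",
             pw->pw_shell ? pw->pw_shell : "/bin/sh");
}

/* The check the message attributes to sshd: a name that getpwnam()
 * cannot resolve is rejected, whatever PAM decided about the password. */
int resolve_strict(const char *login, struct account *out)
{
    const struct passwd *pw = getpwnam(login);
    if (pw == NULL)
        return RESOLVE_NONE;
    copy_account(out, login, pw);
    return RESOLVE_LOCAL;
}

/* Template fallback: a login absent from the password database takes
 * uid, gid, home and shell from template_user but keeps its own name.
 * Call this only after PAM has authenticated `login`; it decides which
 * account to run as, not whether the user is who they claim. */
int resolve_with_template(const char *login, const char *template_user,
                          struct account *out)
{
    const struct passwd *pw = getpwnam(login);
    if (pw != NULL) {
        copy_account(out, login, pw);
        return RESOLVE_LOCAL;
    }
    pw = getpwnam(template_user);
    if (pw == NULL)
        return RESOLVE_NONE;
    copy_account(out, login, pw);
    return RESOLVE_TEMPLATE;
}

int main(void)
{
    /* Constructed inputs: "root" exists on any Unix host, the second
     * name is chosen so that it does not. */
    static const char *logins[] = { "root", "tacacs-visitor" };
    struct account acct;

    for (size_t i = 0; i < sizeof logins / sizeof logins[0]; i++) {
        int strict = resolve_strict(logins[i], &acct);
        int tmpl = resolve_with_template(logins[i], "root", &acct);
        printf("%-15s strict=%d template=%d -> uid %lu home %s\n",
               logins[i], strict, tmpl,
               tmpl == RESOLVE_NONE ? 0UL : (unsigned long)acct.uid,
               tmpl == RESOLVE_NONE ? "-" : acct.home);
    }
    return 0;
}
```

Two practical points follow from the fallback. Every template-mapped user runs under the same uid, so process accounting and file ownership cannot tell them apart; only the login name kept in `acct.name` (and whatever sshd and PAM log) links activity back to the TACACS identity. And the substitution must sit after authentication in the flow, since it only picks the account to become, not whether the name was authenticated.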