Date:      Mon, 28 Jun 2004 16:23:31 -0700
From:      Gordon Tetlow <gordon@freebsd.org>
To:        Alexey Zagarin <zagarin@emax.ru>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: sshd & pam & getpwnam()
Message-ID:  <20040628232331.GH10016@spiff.melthusia.org>
In-Reply-To: <40D56C73.8090806@emax.ru>
References:  <40D56C73.8090806@emax.ru>

On Sun, Jun 20, 2004 at 02:52:35PM +0400, Alexey Zagarin wrote:
> Hello!
>
> Does anybody know why sshd calls getpwnam() even if the user is
> authenticating via PAM? This broke remote authentication (RADIUS,
> TACACS+) when the user doesn't exist in the local password database.

The user must exist in some sort of directory service in order to log
in. Services like krb5 (possibly RADIUS (I can't be bothered to look
it up)) don't have fields for assigning critical user information like
uid, gid, home directory, shell, ... What you are interested in is
nsswitch against a remote directory service like NIS or LDAP.

-gordon
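
The split described in the reply above, as an added example that is not part of the original message and is not sshd's code: a PAM module can accept the credentials, while the account record (uid, gid, home directory, shell) has to resolve through the passwd sources in nsswitch.conf. The function name `account_status` and the `ACCT_*` codes are hypothetical names chosen for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>

/* Hypothetical result codes for this example. */
enum { ACCT_OK, ACCT_NOT_FOUND, ACCT_ERROR };

/*
 * Look up `name` with getpwnam_r(), which walks the sources on the
 * "passwd:" line of nsswitch.conf (files, NIS, LDAP, ...). PAM is not
 * consulted: a PAM module can accept the password, but the account
 * record still has to come from one of these sources.
 */
int account_status(const char *name, int verbose)
{
    struct passwd pw, *res = NULL;
    char buf[16384];
    int rc = getpwnam_r(name, &pw, buf, sizeof buf, &res);

    if (res == NULL) {
        /* POSIX returns 0 for "no such user"; some NSS backends
         * report ENOENT or ESRCH instead. Anything else is a failed
         * lookup (e.g. directory unreachable), not a missing user. */
        if (rc == 0 || rc == ENOENT || rc == ESRCH) {
            if (verbose)
                printf("%s: not found in any passwd source\n", name);
            return ACCT_NOT_FOUND;
        }
        if (verbose)
            printf("%s: lookup failed (error %d)\n", name, rc);
        return ACCT_ERROR;
    }
    if (verbose)
        printf("%s: uid=%ld gid=%ld home=%s shell=%s\n", name,
               (long)pw.pw_uid, (long)pw.pw_gid, pw.pw_dir, pw.pw_shell);
    return ACCT_OK;
}

int main(int argc, char **argv)
{
    /* Default to root so the program shows a hit without arguments. */
    return account_status(argc > 1 ? argv[1] : "root", 1);
}
```

Run it with the name of a user that authenticates only against the remote service: `ACCT_NOT_FOUND` means no passwd source knows the account, which is the condition the original question ran into.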



