From: Danny Braniss
To: Valentin Nechayev
Cc: freebsd-hackers@freebsd.org
Subject: Re: sshd & pam & getpwnam()
Date: Tue, 29 Jun 2004 09:39:28 +0300
Message-Id: <20040629063937.4D16843D31@mx1.FreeBSD.org>

> Sun, Jun 20, 2004 at 14:52:35, zagarin wrote about "sshd & pam & getpwnam()":
>
> > Does anybody know, why sshd call getpwnam() even if user is
> > authenticating via PAM? This broke remote authentication (RADIUS,
> > TACACS+) when user doesn't exist in local password database.
>
> Because you mix two different things - users directory (in modern unixes
> including 5.* it is implemented as NSS) and authentication (implemented as PAM).
> To log in with sshd, user must be known in passwd database; if sshd would
> enable user to log in without account, this won't be sshd, but will be
> anything another.
>
> To allow remote user lists, use NIS; for now it is the only working
> and well-tested mechanism to spread user list (passwd.*) for many systems.
> See "YP/NIS INTERACTION" in passwd(5) for details.
>
not 100% true, dns/hesiod works great.

my 5 cents,
	danny
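
The lookup discussed in this thread, as an added example that is not part of any of the messages: a small C check of whether a username resolves through the passwd database (whatever sources NSS is configured with), which is the condition that fails for RADIUS-only or TACACS+-only users. The names `lookup_account`, `may_login` and `pam_ok` are hypothetical; this is not sshd's code.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

enum acct { ACCT_FOUND, ACCT_UNKNOWN, ACCT_ERROR };

/* Hypothetical helper: resolve `name` through the passwd database, i.e.
 * whatever sources NSS is configured with (files, NIS, Hesiod, ...). */
enum acct lookup_account(const char *name, uid_t *uid_out)
{
    struct passwd pw, *res = NULL;
    size_t len = 1024;
    char *buf = malloc(len), *nbuf;
    int rc;

    if (buf == NULL)
        return ACCT_ERROR;
    /* ERANGE: the entry did not fit, so grow the buffer and retry. */
    while ((rc = getpwnam_r(name, &pw, buf, len, &res)) == ERANGE) {
        len *= 2;
        if (len > (1u << 20) || (nbuf = realloc(buf, len)) == NULL) {
            free(buf);
            return ACCT_ERROR;
        }
        buf = nbuf;
    }
    if (res != NULL)
        *uid_out = pw.pw_uid;
    free(buf);
    if (res != NULL)
        return ACCT_FOUND;
    /* No entry: POSIX returns 0; some libcs report ENOENT or ESRCH. */
    return (rc == 0 || rc == ENOENT || rc == ESRCH) ? ACCT_UNKNOWN : ACCT_ERROR;
}

/* Hypothetical gate: pam_ok stands in for the PAM result. A successful
 * authentication alone does not admit a user with no passwd entry. */
int may_login(const char *name, int pam_ok)
{
    uid_t uid;
    return pam_ok && lookup_account(name, &uid) == ACCT_FOUND;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i],
               may_login(argv[i], 1) ? "resolves" : "no passwd entry");
    return 0;
}
```

Run against an account that exists only on the remote authentication server, it reports "no passwd entry" until that account is published through a passwd source such as NIS or Hesiod.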