SSH, PAM and FR authentication
Hi, My question perhaps is crossing boundaries of Openssh, PAM and FR. I did some Google search but can't seem to find an answer. It seems if I don't have a user prior configured in a "datastore" e.g. /etc/passwd, mysql or ldap, then my attempt to login using ssh as the user would just fail even if I have the user set up in FR server. Several posts on the Internet suggested that there might be a need for a "libnss-radius" like package to allow ssh to look up the user in FR. I am wondering if there are some security reasons that no such package has been developed so far. People must have thought about this I guess. Besides configuring the user id in a separate datastore prior to authentication, is there any other way to solve this issue. Best, David
David Li wrote:
It seems if I don't have a user prior configured in a "datastore" e.g. /etc/passwd, mysql or ldap, then my attempt to login using ssh as the user would just fail even if I have the user set up in FR server.
If you're using PAM, yes. Because PAM does username/password authentication. It doesn't do uid/gid/etc. store.
Several posts on the Internet suggested that there might be a need for a "libnss-radius" like package to allow ssh to look up the user in FR.
Yes,
I am wondering if there are some security reasons that no such package has been developed so far. People must have thought about this I guess.
I've looked into the Linux nss code... and ran away screaming. PAM is ridiculously complicated. NSS makes PAM look simple.
Besides configuring the user id in a separate datastore prior to authentication, is there any other way to solve this issue.
Nope. Use libnss-ldap. That's pretty much the only way. Alan DeKok.
participants (2)
-
Alan DeKok -
David Li