SSH, PAM and FR authentication

Alan DeKok aland at
Wed May 14 02:19:38 CEST 2014

David Li wrote:
> It seems if I don't have a user prior configured in a "datastore" e.g.
> /etc/passwd, mysql or ldap, then my attempt to login using ssh as the
> user would just fail even if I have the user set up in FR server.

  If you're using PAM, yes.  Because PAM does username/password
authentication.  It doesn't store uid/gid/etc.

> Several posts on the Internet suggested that there might be a need for a
> "libnss-radius" like package to allow ssh to look up the user in FR.

> I am wondering if there are some security reasons that no such package
> has been developed so far. People must have thought about this I guess.

  I've looked into the Linux nss code... and ran away screaming.  PAM is
ridiculously complicated.  NSS makes PAM look simple.

> Besides configuring the user id in a separate datastore prior to
> authentication, is there any other way to solve this issue.

  Nope.  Use libnss-ldap.  That's pretty much the only way.

  Alan DeKok.
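The split Alan describes is easy to see if you mimic the order sshd works in: the account is resolved through NSS (getpwnam) first, and only if that succeeds does the PAM stack (pam_radius_auth, talking to FreeRADIUS) get asked about the password. The following is an added illustration, not FreeRADIUS or OpenSSH code. The RADIUS_USERS dictionary is a constructed stand-in for the users configured on the FR server, and radius_authenticate is a stand-in for pam_radius_auth; the NSS lookup itself is real and goes through whatever /etc/nsswitch.conf lists for passwd (files, ldap via libnss-ldap, and so on).

```python
"""Why an ssh login fails for a user that exists only in FreeRADIUS.

sshd resolves the account via NSS before it ever runs PAM.  A user that
lives only in the RADIUS server has no uid/gid/home/shell anywhere NSS
can see, so the login fails before the password is even checked.

Added example for the thread above; not FreeRADIUS or OpenSSH code.
"""
import hmac
import os
import pwd
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the user database on the FR server (assumption
# for this example only).  NSS knows nothing about these names.
RADIUS_USERS = {"david.radius-only": "correct horse battery staple"}


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def resolve_account(username: str) -> Optional[Account]:
    """NSS step: getpwnam(3) through the 'passwd' sources in nsswitch.conf.

    e.g.  passwd: files ldap   -> /etc/passwd, then libnss-ldap.
    RADIUS cannot be a source here: it has no uid/gid/home/shell to offer.
    """
    try:
        entry = pwd.getpwnam(username)
    except KeyError:
        return None
    return Account(entry.pw_name, entry.pw_uid, entry.pw_gid,
                   entry.pw_dir, entry.pw_shell)


def radius_authenticate(username: str, password: str) -> bool:
    """PAM step, stand-in for pam_radius_auth: username/password only."""
    expected = RADIUS_USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def ssh_login(username: str, password: str) -> str:
    """Same order of operations sshd follows: identity first, then PAM."""
    account = resolve_account(username)
    if account is None:
        # OpenSSH reports this as an invalid user; PAM is never consulted,
        # so the RADIUS server never sees the request.
        return "no such user (NSS lookup failed)"
    if not radius_authenticate(username, password):
        return "authentication failed (PAM)"
    return f"login ok: uid={account.uid} gid={account.gid} home={account.home}"


def current_user_name() -> str:
    """A name NSS is guaranteed to resolve on this host: the caller's own."""
    return pwd.getpwuid(os.getuid()).pw_name


if __name__ == "__main__":
    # RADIUS knows this user, NSS does not: fails before PAM runs.
    print(ssh_login("david.radius-only", "correct horse battery staple"))
    # NSS knows this user, RADIUS does not: fails at the PAM step.
    print(ssh_login(current_user_name(), "wrong"))
```

Running it shows the two distinct failure points: the RADIUS-only user is rejected with the NSS message even though the password is right, while a real local account gets as far as the PAM check. Fixing the first case is exactly what Alan's "use libnss-ldap" answer does: put the account (uid/gid/home/shell) in a datastore NSS can read, and leave the password check to pam_radius_auth.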
