SSH, PAM and FR authentication
Alan DeKok
aland at deployingradius.com
Wed May 14 02:19:38 CEST 2014
David Li wrote:
> It seems if I don't have a user prior configured in a "datastore" e.g.
> /etc/passwd, mysql or ldap, then my attempt to login using ssh as the
> user would just fail even if I have the user set up in FR server.

If you're using PAM, yes. Because PAM does username/password
authentication. It doesn't do uid/gid/etc. store.

> Several posts on the Internet suggested that there might be a need for a
> "libnss-radius" like package to allow ssh to look up the user in FR.

Yes.

> I am wondering if there are some security reasons that no such package
> has been developed so far. People must have thought about this I guess.

I've looked into the Linux nss code... and ran away screaming. PAM is
ridiculously complicated. NSS makes PAM look simple.

> Besides configuring the user id in a separate datastore prior to
> authentication, is there any other way to solve this issue.

Nope. Use libnss-ldap. That's pretty much the only way.

Alan DeKok.
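
The split described in the reply, as an added example that is not part of the original post or of FreeRADIUS: a diagnostic that reads the `passwd` sources from nsswitch.conf and the `auth` modules from a PAM service file, then checks whether the account resolves through NSS. It assumes the PAM stack uses `pam_radius_auth.so`; the sample file contents are constructed and the function names are hypothetical.

```python
import pwd
import re

# Constructed sample files, not taken from the original post.
SAMPLE_NSSWITCH = """\
passwd:  files [NOTFOUND=continue] ldap   # who the user is (uid, gid, shell)
group:   files
"""
SAMPLE_PAM_SSHD = """\
auth     sufficient                   pam_radius_auth.so   # password check only
auth     [success=1 default=ignore]   pam_unix.so nullok
account  required                     pam_unix.so
"""

BRACKETED = re.compile(r"\[[^\]]*\]")  # NSS actions / PAM control values

def nss_sources(nsswitch_text, database="passwd"):
    """Return the ordered NSS sources configured for one database."""
    for line in nsswitch_text.splitlines():
        name, sep, rest = line.split("#", 1)[0].partition(":")
        if sep and name.strip() == database:
            return BRACKETED.sub(" ", rest).split()
    return []

def pam_auth_modules(pam_text):
    """Return the module names on the 'auth' lines of a PAM service file."""
    modules = []
    for line in pam_text.splitlines():
        # Collapse "[success=1 ...]" to one token so the module is field 3.
        fields = BRACKETED.sub("ctl", line.split("#", 1)[0]).split()
        if len(fields) >= 3 and fields[0].lstrip("-") == "auth":
            modules.append(fields[2].rsplit("/", 1)[-1])
    return modules

def diagnose(user, nsswitch_text, pam_text, lookup=pwd.getpwnam):
    """Report whether the account resolves via NSS, separately from PAM auth."""
    try:
        lookup(user)  # getpwnam goes through the NSS sources listed above
        known = True
    except KeyError:
        known = False
    radius = "pam_radius_auth.so" in pam_auth_modules(pam_text)
    if known:
        verdict = "account resolves; PAM decides the password check"
    elif radius:
        verdict = "RADIUS could check the password, but NSS has no such account"
    else:
        verdict = "no such account in any NSS source"
    return {"sources": nss_sources(nsswitch_text), "known": known, "verdict": verdict}
```

On a real host, pass the contents of /etc/nsswitch.conf and /etc/pam.d/sshd and leave `lookup` at its default.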