sshd & pam & getpwnam()
Valentin Nechayev
netch at ivb.nn.kiev.ua
Mon Jun 28 23:13:23 PDT 2004
Sun, Jun 20, 2004 at 14:52:35, zagarin wrote about "sshd & pam & getpwnam()":
> Does anybody know, why sshd call getpwnam() even if user is
> authenticating via PAM? This broke remote authentication (RADIUS,
> TACACS+) when user doesn't exist in local password database.
Because you mix two different things - users directory (in modern unixes
including 5.* it is implemented as NSS) and authentication (implemented as PAM).
To log in with sshd, user must be known in passwd database; if sshd would
enable user to log in without account, this won't be sshd, but will be
anything another.
To allow remote user lists, use NIS; for now it is the only working
and well-tested mechanism to spread user list (passwd.*) for many systems.
See "YP/NIS INTERACTION" in passwd(5) for details.
-netch-
More information about the freebsd-hackers
mailing list