sshd & pam & getpwnam()

Danny Braniss danny at cs.huji.ac.il
Mon Jun 28 23:39:37 PDT 2004


>  Sun, Jun 20, 2004 at 14:52:35, zagarin wrote about "sshd & pam & getpwnam()": 
> 
> > Does anybody know, why sshd call getpwnam() even if user is 
> > authenticating via PAM? This broke remote authentication (RADIUS, 
> > TACACS+) when user doesn't exist in local password database.
> 
> Because you mix two different things - the user directory (in modern unixes,
> including 5.*, it is implemented as NSS) and authentication (implemented as PAM).
> To log in with sshd, the user must be known in the passwd database; if sshd
> let a user log in without an account, it wouldn't be sshd any more, but
> something else entirely.
> 
> To allow remote user lists, use NIS; for now it is the only working
> and well-tested mechanism to spread user list (passwd.*) for many systems.
> See "YP/NIS INTERACTION" in passwd(5) for details.
> 

Not 100% true, dns/hesiod works great.

my 5 cents,
	danny
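To make the NSS-versus-PAM split in the thread concrete, here is an added example (not code from the thread or from sshd) of the directory lookup that sshd performs before PAM is ever consulted. The helper names `lookup_account` and `account_is_known` are assumptions for illustration; the lookup goes through whatever passwd sources nsswitch.conf lists (files, NIS, Hesiod, ...), which is why a user absent from all of them is rejected no matter how PAM is configured.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of the directory (NSS) lookup; authentication (PAM) is a separate step. */
enum account_status { ACCOUNT_FOUND, ACCOUNT_NOT_FOUND, ACCOUNT_LOOKUP_ERROR };

/* Resolve a login name through the NSS passwd sources, the same kind of call
 * sshd makes before reaching PAM. The thread-safe getpwnam_r() is used instead
 * of getpwnam(); on success the caller's struct passwd is filled in. */
enum account_status lookup_account(const char *name, struct passwd *pw,
                                   char *buf, size_t buflen)
{
    struct passwd *result = NULL;
    errno = 0;
    int rc = getpwnam_r(name, pw, buf, buflen, &result);
    if (rc == 0 && result != NULL)
        return ACCOUNT_FOUND;
    /* "No such user" is reported as rc == 0 with result == NULL (glibc) or as
     * ENOENT/ESRCH on some libcs; any other non-zero rc is a lookup failure. */
    if (rc == 0 || rc == ENOENT || rc == ESRCH)
        return ACCOUNT_NOT_FOUND;
    return ACCOUNT_LOOKUP_ERROR;
}

/* Hypothetical pre-authentication gate: a name unknown to every NSS source
 * never reaches the PAM stack, so RADIUS/TACACS+ modules are never asked. */
int account_is_known(const char *name)
{
    struct passwd pw;
    char buf[4096];
    return lookup_account(name, &pw, buf, sizeof buf) == ACCOUNT_FOUND;
}

int main(void)
{
    /* Constructed sample names: one present on any Unix, one that does not exist. */
    const char *names[] = { "root", "no-such-user-for-example" };
    for (size_t i = 0; i < 2; i++)
        printf("%-28s %s\n", names[i],
               account_is_known(names[i]) ? "known to NSS, PAM would run"
                                          : "unknown to NSS, rejected before PAM");
    return 0;
}
```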



More information about the freebsd-hackers mailing list