sshd & pam & getpwnam()
Danny Braniss
danny at cs.huji.ac.il
Mon Jun 28 23:39:37 PDT 2004
> Sun, Jun 20, 2004 at 14:52:35, zagarin wrote about "sshd & pam & getpwnam()":
>
> > Does anybody know, why sshd call getpwnam() even if user is
> > authenticating via PAM? This broke remote authentication (RADIUS,
> > TACACS+) when user doesn't exist in local password database.
>
> Because you mix two different things - users directory (in modern unixes
> including 5.* it is implemented as NSS) and authentication (implemented as PAM).
> To log in with sshd, user must be known in passwd database; if sshd would
> enable user to log in without account, this won't be sshd, but will be
> anything another.
>
> To allow remote user lists, use NIS; for now it is the only working
> and well-tested mechanism to spread user list (passwd.*) for many systems.
> See "YP/NIS INTERACTION" in passwd(5) for details.
>
not 100% true, dns/hesiod works great.
my 5 cents,
danny
More information about the freebsd-hackers
mailing list