On Wed, 2018-01-03 at 13:50 +0530, Sudarshan Soma wrote:
> HI, I do see some reference on it, but it seems not closed:
> https://marc.info/?l=secure-shell&m=115513863409952&w=2
> http://bugzilla.mindrot.org/show_bug.cgi?id=1215
>
> Is this patch available in latest versions, 7.6?

No. It never was.

The SSSD is using the NSS (Name Service Switch) [1] way of getting
credentials. It allows getting them from many sources.

[1] https://en.wikipedia.org/wiki/Name_Service_Switch

Regards,
Jakub

> On Wed, Jan 3, 2018 at 1:48 PM, Sudarshan Soma <sudarshan12s at gmail.com> wrote:
> > Hi, I am trying to write a pam_radius module which talks to a RADIUS
> > server for AAA.
> >
> > I see sshd checks /etc/passwd for the user list. Since the RADIUS server
> > has the user list, can sshd ignore this check for RADIUS/TACACS+
> > authentication? Please suggest if there are any flags to control it.
> >
> > I am using the following versions:
> > OpenSSH_6.6p1, OpenSSL 1.0.2n 7 Dec 2017
> >
> > I see sssd (NAS) being used for such use cases; how does sshd ignore
> > /etc/passwd in those cases?
> > Please suggest.
> >
> > Regards,
> > Ivan.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
Thanks Jakub. So sshd will check nsswitch.conf before referring to the
/etc/passwd file. Does sssd/NSS have a way to fetch user names from sources
like a RADIUS/TACACS server? We wanted to enable RADIUS/TACACS
authentication using PAM and enable PAM in sshd.

Regards,
Ivan

On Wed, Jan 3, 2018 at 2:34 PM, Jakub Jelen <jjelen at redhat.com> wrote:
> On Wed, 2018-01-03 at 13:50 +0530, Sudarshan Soma wrote:
> > Is this patch available in latest versions, 7.6?
>
> No. It never was.
>
> The SSSD is using the NSS (Name Service Switch) [1] way of getting
> credentials. It allows getting them from many sources.
>
> [1] https://en.wikipedia.org/wiki/Name_Service_Switch
>
> Regards,
> Jakub
On Wed, 2018-01-03 at 15:37 +0530, Sudarshan Soma wrote:
> Thanks Jakub. So sshd will check nsswitch.conf before referring to the
> /etc/passwd file.

No, SSHD does not read these files directly. It uses standard/high-level
functions such as getpwnam() in Linux to verify the existence of the user.

> Does sssd/NSS have a way to fetch user names from sources like a
> RADIUS/TACACS server?

Probably. But I do not have a lot of experience with it.

> We wanted to enable RADIUS/TACACS authentication using PAM and enable PAM
> in sshd.
>
> Regards,
> Ivan

--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
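Jakub's point is that sshd never opens /etc/passwd itself: it calls getpwnam(), and glibc dispatches that call to every service named on the "passwd:" line of /etc/nsswitch.conf by loading libnss_<service>.so.2 and calling the _nss_<service>_getpwnam_r symbol it exports. The following is an added example (not code from the thread, from OpenSSH, or from any NSS backend project) of what such a backend looks like. The service name "example" and the two-entry user table are assumptions standing in for whatever a real module would fetch from its directory; a usable module would also have to export _nss_example_getpwuid_r and the group functions, which is where the group-membership question raised later in the thread comes in.

```c
/* Added example of a minimal glibc NSS "passwd" backend.  Built as
 * libnss_example.so.2 and listed as "passwd: files example" in
 * /etc/nsswitch.conf, it would be consulted whenever sshd calls
 * getpwnam().  The user table is constructed inline (assumption: a real
 * backend would obtain it from a remote directory). */
#include <errno.h>
#include <pwd.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

#ifdef __GLIBC__
#include <nss.h>
#else
/* Same status values glibc defines in <nss.h>. */
enum nss_status {
    NSS_STATUS_TRYAGAIN = -2,
    NSS_STATUS_UNAVAIL = -1,
    NSS_STATUS_NOTFOUND = 0,
    NSS_STATUS_SUCCESS = 1
};
#endif

struct example_user {
    const char *name;
    uid_t uid;
    gid_t gid;
    const char *gecos;
    const char *home;
    const char *shell;
};

/* Constructed sample directory. */
static const struct example_user example_users[] = {
    { "netadmin", 20001, 20001, "Network admin", "/home/netadmin", "/bin/sh" },
    { "noc",      20002, 20002, "NOC operator",  "/home/noc",      "/bin/sh" },
};

/* Copy a string into the caller-supplied buffer.  glibc requires every
 * pointer in *result to point into that buffer, never into module memory,
 * because the caller (getpwnam_r) owns the storage. */
static char *copy_into(const char *src, char **cursor, size_t *left)
{
    size_t n = strlen(src) + 1;
    if (n > *left)
        return NULL;
    char *dst = memcpy(*cursor, src, n);
    *cursor += n;
    *left -= n;
    return dst;
}

/* glibc NSS entry point: look up one user by name. */
enum nss_status _nss_example_getpwnam_r(const char *name, struct passwd *result,
                                        char *buffer, size_t buflen, int *errnop)
{
    const struct example_user *u = NULL;
    for (size_t i = 0; i < sizeof example_users / sizeof example_users[0]; i++) {
        if (strcmp(example_users[i].name, name) == 0) {
            u = &example_users[i];
            break;
        }
    }
    if (u == NULL) {
        *errnop = ENOENT;
        return NSS_STATUS_NOTFOUND;   /* glibc tries the next service */
    }

    char *cursor = buffer;
    size_t left = buflen;
    result->pw_name   = copy_into(u->name, &cursor, &left);
    result->pw_passwd = copy_into("x", &cursor, &left);  /* no hash: PAM decides */
    result->pw_gecos  = copy_into(u->gecos, &cursor, &left);
    result->pw_dir    = copy_into(u->home, &cursor, &left);
    result->pw_shell  = copy_into(u->shell, &cursor, &left);
    if (!result->pw_name || !result->pw_passwd || !result->pw_gecos ||
        !result->pw_dir || !result->pw_shell) {
        *errnop = ERANGE;
        return NSS_STATUS_TRYAGAIN;   /* caller retries with a larger buffer */
    }
    result->pw_uid = u->uid;
    result->pw_gid = u->gid;
    return NSS_STATUS_SUCCESS;
}
```

Returning NSS_STATUS_NOTFOUND (rather than an error) for an unknown name is what lets "files" entries and this service coexist on the same nsswitch line; returning NSS_STATUS_TRYAGAIN with errno set to ERANGE is the documented way to tell getpwnam_r callers that their buffer was too small.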
Sudarshan Soma wrote:
> Does sssd/NSS have a way to fetch user names from sources like a
> RADIUS/TACACS server?

My impression is that while this might be theoretically possible, nobody
does this. Especially it's not clear to me how you would push group
membership to the system. And AFAICS in the case of TACACS+ there's also
only a single "role" available (translate this to a single group).

So the usual answer is: use LDAP.

> We wanted to enable RADIUS/TACACS authentication using PAM and enable PAM
> in sshd.

You could implement password authc for sshd (to be on-topic here) via
pam_radius and let LDAP serve the NSS part. Not sure whether it's worth the
effort though.

Ciao,
Michael.
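The split Michael describes, RADIUS answering "is this password right?" while LDAP (here via sssd) answers "who is this user?", looks roughly like the following. This is an added configuration sketch, not from the thread or from any of the projects involved; the file paths, the pam_radius_auth.so module name and its default /etc/raddb/server file, and the pam_sss account line follow common Linux distribution layouts and should be checked against the distribution actually in use. The server name and shared secret are placeholders.

```text
# /etc/ssh/sshd_config
# sshd hands the password to PAM, but only after getpwnam() has already
# resolved the user; an unknown user never reaches the PAM stack.
UsePAM yes
PasswordAuthentication yes

# /etc/nsswitch.conf
# Identity (uid, gid, home, shell, group membership) comes from local files
# and then from sssd, which fronts LDAP.  Nothing here talks to RADIUS.
passwd: files sss
group:  files sss
shadow: files sss

# /etc/pam.d/sshd
# Credential check goes to RADIUS first; on RADIUS failure fall back to the
# local password so accounts that only exist in /etc/passwd still work.
auth     sufficient pam_radius_auth.so
auth     required   pam_unix.so
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
account  required   pam_permit.so
session  required   pam_unix.so

# /etc/raddb/server  (pam_radius_auth's server list: host, secret, timeout)
radius.example.net  <shared-secret>  3
```

The order matters for the original question: with this layout sshd still "checks /etc/passwd", in the sense that getpwnam() must succeed, but the answer can come from the sss source just as well as from the file, and RADIUS is only ever asked about the password.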