Sudarshan Soma wrote:
> Does sssd/NSS have a way to fetch user names from sources like
> RADIUS/TACACS server?

My impression is that while this might be theoretically possible, nobody
does this. Especially it's not clear to me how you would push group
membership to the system. And AFAICS in case of TACACS+ there's also
only a single "role" available (translate this to single group).

So the usual answer is: Use LDAP.

> We wanted to enable RADIUS/TACACS Authentication using PAM and enabling PAM
> in sshd.

You could implement password authc for sshd (to be on-topic here) via
pam_radius and let LDAP serve the NSS part. Not sure whether it's worth
the effort though.

Ciao, Michael.
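The split Michael describes (RADIUS answers only the password question via PAM, LDAP/sssd answers all user and group lookups via NSS) as an added example that is not part of the thread. It stages the files under a review directory rather than /etc; the server address and secret are placeholders, and the pam_radius_auth `conf=` option and `server secret timeout` file format are assumptions about the FreeRADIUS pam_radius module that should be checked against the installed copy.

```shell
#!/bin/sh
# Stage sshd + PAM + NSS configuration for "RADIUS for authn, LDAP for NSS".
# Nothing here touches /etc: $1 is a review directory. Constructed example.
set -eu

stage_sshd_radius() {
    root="$1"
    mkdir -p "$root/ssh" "$root/pam.d" "$root/raddb"

    # 1. sshd: the password has to reach PAM, so PAM and keyboard-interactive
    #    (called ChallengeResponseAuthentication in 2018-era OpenSSH) stay on.
    printf '%s\n' 'UsePAM yes' 'ChallengeResponseAuthentication yes' \
        > "$root/ssh/sshd_config"

    # 2. PAM stack for sshd: RADIUS only decides "is this password right?".
    #    account/session come from sssd, which also backs NSS in step 4, so a
    #    user unknown to LDAP never gets a session even if RADIUS says yes.
    #    (conf= path option: assumption about pam_radius_auth, see lead-in.)
    cat > "$root/pam.d/sshd" <<EOF
auth     required  pam_radius_auth.so conf=$root/raddb/server
account  required  pam_nologin.so
account  required  pam_sss.so
session  required  pam_sss.so
EOF

    # 3. RADIUS client config, one line: "server[:port] secret [timeout]".
    #    It holds a shared secret, so create it non-world-readable (0600).
    ( umask 077
      printf '%s\n' 'radius.example.invalid:1812 PLACEHOLDER_SECRET 3' \
          > "$root/raddb/server" )

    # 4. NSS: names and groups resolve through sssd/LDAP; RADIUS is never asked.
    printf '%s\n' 'passwd: files sss' 'group:  files sss' 'shadow: files sss' \
        > "$root/nsswitch.conf"
}

# Returns 0 only if the staged secret file exists with mode exactly 0600.
check_secret_perms() {
    [ -n "$(find "$1/raddb/server" -perm 600 2>/dev/null)" ]
}
```

Run `stage_sshd_radius /tmp/review && check_secret_perms /tmp/review` and diff the result against the live files before copying anything into /etc.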
Hi,

On Wed, Jan 03, 2018 at 04:03:39PM +0100, Michael Ströder wrote:
> Sudarshan Soma wrote:
> > Does sssd/NSS have a way to fetch user names from sources like
> > RADIUS/TACACS server?
> My impression is that while this might be theoretically possible, nobody
> does this. Especially it's not clear to me how you would push group
> membership to the system. And AFAICS in case of TACACS+ there's also
> only a single "role" available (translate this to single group).

Just for the sake of completeness: TACACS+ can return arbitrary
key-value pairs, so you can build whatever authorization / grouping
scheme on top of TACACS+ that you want.

Not sure anyone has done that before, so this advice is still valid:

> So the usual answer is: Use LDAP.

... as more people have done it, thus more software supports it, and
things are more likely to "just work".

gert
--
now what should I write here...

Gert Doering - Munich, Germany
gert at greenie.muc.de
Thanks so much for the inputs. Yes, let me try to use NSS for getting just
the username and keep the RADIUS/TACACS server to authenticate.

Regards,
Ivan.

On Wed, Jan 3, 2018 at 8:50 PM, Gert Doering <gert at greenie.muc.de> wrote:
> Hi,
>
> On Wed, Jan 03, 2018 at 04:03:39PM +0100, Michael Ströder wrote:
> > Sudarshan Soma wrote:
> > > Does sssd/NSS have a way to fetch user names from sources like
> > > RADIUS/TACACS server?
> > My impression is that while this might be theoretically possible, nobody
> > does this. Especially it's not clear to me how you would push group
> > membership to the system. And AFAICS in case of TACACS+ there's also
> > only a single "role" available (translate this to single group).
>
> Just for the sake of completeness: TACACS+ can return arbitrary
> key-value pairs, so you can build whatever authorization / grouping
> scheme on top of TACACS+ that you want.
>
> Not sure anyone has done that before, so this advice is still valid:
>
> > So the usual answer is: Use LDAP.
>
> ... as more people have done it, thus more software supports it, and
> things are more likely to "just work".
>
> gert
> --
> now what should I write here...
>
> Gert Doering - Munich, Germany
> gert at greenie.muc.de