Dropbear and PAM auth.

Avner Flesch avnerf at web-silicon.com
Sun Jun 3 19:53:35 WST 2012


Thanks Matt

What I am trying to do is tacacs+ authentication.
It should be supported by dropbear, because currently it is like normal user authentication, but instead of using the "/etc/passwd" file it should authenticate by a TACACS+ server request.
I tested the dropbear PAM with regular "passwd" authentication and it did work.
But when I switched it to work with tacacs, it failed my username: "authpriv.warn dropbear[949]: login attempt for nonexistent user from ::ffff:192.168.10.59:56356"
And when I open the trace I see "TRACE (951): leave checkusername: user 'avner' doesn't exist"
Indeed this user does not exist locally, only in the TACACS server, and it looks like this rejection is dropbear internally, and not PAM.

Please advise

Thanks

Avner 

-----Original Message-----
From: Matt Johnston [mailto:matt at ucc.asn.au] 
Sent: Thu 31 May 2012 17:11
To: Avner Flesch; dropbear at ucc.asn.au
Subject: Re: Dropbear and PAM auth.

It should work ok with any module that just prompts for a username and password, which gets mapped to SSH's password authentication mode. It doesn't support more complex challenge/response type modes (which would use SSH's keyboard-interactive mode IIRC). If the username/password prompt doesn't match what's normal, take a look at svr-authpam.c for the comparison strings.

The limitation is because PAM doesn't have a way to use it asynchronously without using threads or subprocesses, at least for most modules and implementations I've seen. 

Matt

Avner Flesch <avnerf at web-silicon.com> wrote:

>Hi,
>
>According to the note in options.h file, PAM auth. supports only simple 
>modules.
>Does that mean that, for example, RADIUS authentication can't be supported?
>
>Thanks
>
>Avner
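The thread above shows two things a defender can act on: dropbear logs a distinct "login attempt for nonexistent user" message when the account lookup fails before PAM is ever consulted, and the lookup itself is a local account check (the trace line "leave checkusername: user 'avner' doesn't exist"). The following Python is an added example, not dropbear's code and not anything posted by Avner or Matt. It parses that log message as quoted in the thread (the remaining sample lines are constructed) so the rejections can be counted per source address, and it models the order of checks the thread reveals with a deliberately simplified `classify_login` function: a local account lookup (`pwd.getpwnam` by default, injectable for testing) gates whether a login would ever reach PAM. The exact internals of `checkusername` are an assumption here; only the observable order (lookup fails, PAM never runs) comes from the thread.

```python
import pwd
import re
from collections import Counter

# Constructed sample log. The first line is the message Avner quoted in the
# thread; the other lines are made up in the same shape for illustration.
SAMPLE_LOG = """\
authpriv.warn dropbear[949]: login attempt for nonexistent user from ::ffff:192.168.10.59:56356
authpriv.warn dropbear[952]: login attempt for nonexistent user from ::ffff:192.168.10.59:56402
authpriv.info dropbear[953]: constructed unrelated line from 192.168.10.7:41000
authpriv.warn dropbear[960]: login attempt for nonexistent user from 10.0.0.5:2222
"""

# Matches the message format quoted in the thread. The address is matched
# non-greedily so an IPv4-mapped IPv6 address (::ffff:a.b.c.d) keeps its
# colons and only the trailing ":port" is split off.
NONEXISTENT_RE = re.compile(
    r"dropbear\[(?P<pid>\d+)\]: login attempt for nonexistent user "
    r"from (?P<addr>\S+?):(?P<port>\d+)$"
)


def normalize_addr(addr):
    """Strip the IPv4-mapped IPv6 prefix seen in the quoted log line."""
    prefix = "::ffff:"
    return addr[len(prefix):] if addr.startswith(prefix) else addr


def parse_nonexistent_user_attempts(log_text):
    """Return (pid, source_ip, port) for every 'nonexistent user' rejection."""
    hits = []
    for line in log_text.splitlines():
        m = NONEXISTENT_RE.search(line)
        if m:
            hits.append((int(m["pid"]), normalize_addr(m["addr"]), int(m["port"])))
    return hits


def attempts_per_source(log_text):
    """Count rejections per source IP, useful for spotting one host guessing names."""
    return Counter(ip for _, ip, _ in parse_nonexistent_user_attempts(log_text))


def local_account_exists(username, lookup=pwd.getpwnam):
    """Simplified analogue (assumption, not dropbear's code) of the local
    account check: a name with no passwd entry is treated as nonexistent."""
    try:
        lookup(username)
    except KeyError:
        return False
    return True


def classify_login(username, lookup=pwd.getpwnam):
    """Model the order the thread reveals: if the local lookup fails the login is
    rejected before PAM runs; otherwise it is handed to the PAM conversation."""
    if not local_account_exists(username, lookup):
        return "rejected-before-pam"
    return "handed-to-pam"


def constructed_lookup(table):
    """Build a getpwnam-like function over a constructed name table, so the
    gate can be exercised without depending on the host's real accounts."""
    def lookup(name):
        if name not in table:
            raise KeyError(name)
        return table[name]
    return lookup


if __name__ == "__main__":
    for pid, ip, port in parse_nonexistent_user_attempts(SAMPLE_LOG):
        print(f"pid={pid} source={ip} port={port}")
    print(dict(attempts_per_source(SAMPLE_LOG)))
    # A user that exists only on the TACACS+ server, as in the thread:
    only_remote = constructed_lookup({"root": ("root", 0)})
    print("avner ->", classify_login("avner", only_remote))
    print("root  ->", classify_login("root", only_remote))
```

Running it prints the parsed rejections, a per-source count showing two attempts from 192.168.10.59, and the two classifications; "avner" never reaches PAM because the constructed table has no entry for it, which is exactly the symptom described in the thread.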
