Subject: Re: Distributed database
From: Steve Langasek (vorlon netexpress.net)
Date: Wed Feb 02 2000 - 23:49:12 CST
- Next message: Dominik Brettnacher: "Re: problems with openssh-1.2.2 and pam_tacplus.so"
- Previous message: Steve Langasek: "Re: problems with openssh-1.2.2 and pam_tacplus.so"
- In reply to: Mark Volpe: "Re: Distributed database"
- Next in thread: Max: "Re: Distributed database"
- Reply: Steve Langasek: "Re: Distributed database"
On Tue, 1 Feb 2000, Mark Volpe wrote:
> Thanks for the response, but it's not exactly what I had in mind.
> I'm pretty much forced to use TACACS :-/
> What I'm trying to do is get a Linux box to act like a Cisco Access Server -
> just point it to a TACACS server and anyone who authenticates on it can log
> into the box. Of course Linux requires you to have a uid but Cisco just uses
> enable levels.
> So, when somebody tries to log in I'll probably need to:
> - Create a new user on the system if he doesn't exist, or
> - Force everyone to be a generic user ('nobody') regardless of who they
> logged in as
>
> Or is this even PAM's business?
In my opinion, this isn't PAM's business. But that's just my
opinion--implementations speak louder than words, so if you want to create a
pam_user_autogen module (or whatever), and you think that's good enough for
you, then more power to you. :)
The main reason I suggested using LDAP or NIS+ as a directory service was
because, even if you only have one telnet server now, in the future you might
wish to have other machines authenticating against the same TACACS server. At
that point, it would probably be helpful to have a single directory providing
uid lookups and the like for all the machines, greatly facilitating NFS
shares, and so forth.
So in your position, that's what I would probably do. But if you're satisfied
that a PAM module will do what you need, then I don't see any reason why this
wouldn't work.
-Steve Langasek
postmodern programmer