login about faq

How to make Tectia Server use only PAM for account validation? Now it seems the server does some checks also outside of PAM.

asked Jan 17 '11 at 10:48

SSH%20KB's gravatar image


The default behavior of Tectia Server is to always run checks for account validity, for example to see if the password is expired or if the account is locked. In some cases the account may appear to be locked when checking the status using standard system calls, but PAM would still let the user log in.

This kind of situation can typically arise when the users have entries in local files and in a directory service such as LDAP or NIS+. For example, if the password field in the local files shows the account to be locked, the Tectia Server can prevent the user from logging in even though the user would have a working password in LDAP. To allow login for these users, the server can be configured to use only PAM for account checking.

The configuration option for this is pam-account-checking-only. There are a couple of things to keep in mind when using this option:

  • The option is only effective when PAM account checking is used. This means that the system needs to have a PAM library that is compatible with the Tectia Server. For example, if we are running a 32 bit version of Tectia Server on a 64 bit system, the system needs to have 32 bit PAM libraries.
  • The default service name of the Tectia Server is ssh-server-g3, this can be changed in Tectia Server configuration with the service-name attribute in the pluggable-authentication-modules element. There must be a PAM configuration for this service name.
  • If other authentication methods than keyboard-interactive/PAM are used, the Tectia server should be configured to use PAM account management with all authentication methods. This is done with the pam-calls-with-commands option.

The pam-account-checking-only option can be used in the settings element in the params block:

  <!-- Possible crypto-lib element as the first element in the params block -->
  <settings pam-account-checking-only="yes" />
  <!-- Possible other elements in the params block -->
  <pluggable-authentication-modules pam-calls-with-commands="yes" />

Note that the pam-account-checking-only and pam-calls-with-commands are available from version 6.0.4 forward.


answered Jan 17 '11 at 10:51

SSH%20KB's gravatar image


Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or __italic__
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: Jan 17 '11 at 10:48

Seen: 4,576 times

Last updated: Mar 14 '11 at 13:22

All user contributed content licensed under the cc-by-sa license.
Powered by OSQA.