Subject: Re: BSD Authentication
To: Simon J. Gerraty <sjg@crufty.net>
From: Peter Seebach <seebs@plethora.net>
List: current-users
Date: 08/28/2003 03:36:19
In message <20030828082927.96617A60C@zen.crufty.net>, Simon J. Gerraty writes:
>login, sshd or whatever, collect username/password hand off to radius or 
>tacplus (or whatever) and get back an OK as well as the name of an account
>that actually exists in /etc/passwd that should be used (since username
>does not exist outside of the radius server).

Okay, I'm a bit confused here.

>Oh, and whether _you_ have any need for that functionality isn't relevant.
>No one is asking you to use it - just explain how BSD Auth can handle it.
>Some of us would like to keep this a useful discussion.

>And finally yes, it's a real world requirement - ask anyone who
>manages more than a few hundred routers.

Hmm.  I'm confused; which machine is *actually* running the login process?
I guess I'm not understanding who needs to authenticate what.

Is the intent here that I get a login prompt, and I *might* log in as a real
user, but I *might* log in as someone else, or is it that I will *always*
log in as "a radius user"?

BSD Auth has no problem at all authorizing people who aren't in /etc/passwd.
If you tell radiusd to authenticate using the login_gzornenplatz, then it'll
do whatever that does, whether or not the user exists in /etc/passwd.

-s