Re: Pam-list Digest, Vol 38, Issue 6

Hi Andreas,

I'm using the site http://www.wikidsystems.com/documentation/howtos/tacacs_twofactorauthentication/ to configure pam_tacplus on my Red Hat 4, but it isn't working.

My /etc/pam.d/tacacs:


#%PAM-1.0
auth sufficient /lib/security/pam_tacplus.so debug server=(my_tacacs_IP) \
secret=MySecret encrypt
account sufficient /lib/security/pam_tacplus.so debug server=(my_tacacs_IP) \
secret=MySecret encrypt service=shell protocol=ssh
session sufficient /lib/security/pam_tacplus.so debug server=(my_tacacs_IP) \
secret=MySecret encrypt service=shell protocol=ssh

My /etc/pam.d/sshd:

#%PAM-1.0
auth required pam_stack.so service=tacacs
#auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_stack.so service=tacacs
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session sufficient pam_stack.so service=tacacs
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so

On my tacacs server my secret keys pass, but my user does not. See my log on the tacacs server:


Mon Apr 16 17:31:11 2007 [26137]: db_get_host: getting hkey from nas(IP)
Mon Apr 16 17:31:11 2007 [26137]: Error verify: failed - could not authenticate for user 'root' on NAS 'IP'
Mon Apr 16 17:31:11 2007 [26137]: default_fn: pap-login query for 'root' ssh from IP rejected


Thanks,

Dud.



On 4/14/07, Andreas Schindler <schindler@xxxxxx> wrote:
pam-list-request@xxxxxxxxxx wrote:

Subject: Tacacs +PAM
From: "Roberto Dud" <roberto.dud@xxxxxxxxx>
Date: Thu, 12 Apr 2007 16:56:22 -0300
To: pam-list@xxxxxxxxxx

Hi Mrs,

I have a Tacacs server to centralize authentication in my routers, switches, cmts ... And I think I will use this infrastructure to centralize my authentication on my Linux servers.

I found in my searches on Google a PAM module for tacacs.

Does anyone know about or use this module?

Thanks,

Dud.

Dud,

I suppose you're talking of the tacacs+ client package published by some Polish guy (don't remember the name
right now). The pam_tacacs module works quite fine. Some quirks when using tacacs 'accounting' (not to be confused
with PAM accounting, which is the equivalent to tacacs 'authorize'). There is a drawback in that the module supports only
one tacacs server. The workaround I took was to stack the module twice, each one with a different tacacs server.
Don't forget to switch on encryption. My configuration was:

    auth        sufficient   pam_tacplus.so encrypt secret=FarAway server=10.13.0.22
    auth        sufficient   pam_tacplus.so encrypt secret=FarAway server=10.14.1.69

BTW the above package includes 'tacc', a small line-mode tacacs client. A fine tool when debugging the tacacs environment.

Andreas

-- 
Dr.-Ing. Andreas Schindler

Alpha Zero One Computersysteme GmbH
Frankfurter Str. 141
63303 Dreieich

Telefon 06103-57187-21
Telefax 06103-373245

schindler@xxxxxx
www.az1.de

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
