Dan Yefimov wrote:
> On 02.10.2008 1:52, Nick Owen wrote:
>> Greetings:
>>
>> I am trying to get pam_tacplus 1.2.9 working with pam-0.99.6.2-3.22.fc6.
>> I had this working back in the pam_stack days, but can't seem to get it
>> quite right using include.
>>
>> here is my /etc/pam.d/tacacs file:
>>
>> #%PAM-1.0
>> auth sufficient /lib/security/pam_tacplus.so debug
>> server=10.100.0.102 secret=super_secret encrypt
>> account sufficient /lib/security/pam_tacplus.so debug
>> server=10.100.0.102 secret=super_secret encrypt service=shell
>> protocol=ssh
>> session sufficient /lib/security/pam_tacplus.so debug
>> server=10.100.0.102 secret=super_secret encrypt service=shell
>> protocol=ssh
>>
>> Here's my /etc/pam.d/sshd:
>>
>> #%PAM-1.0
>> auth include tacacs
>> #auth required pam_nologin.so
>> account include tacacs
>> #account required system-auth
>> password required tacacs
>           ^^^^^^^^
> Here is the root of your problem :-)

I had high hopes that this simple change would prove that I had wasted
a great deal of time yesterday, but alas, I have made the change and the
result is the same:

Oct 2 08:37:23 support sshd[25193]: pam_sm_authenticate: called (pam_tacplus v1.2.9)
Oct 2 08:37:23 support sshd[25193]: pam_sm_authenticate: user [nowen] obtained
Oct 2 08:37:23 support sshd[25193]: tacacs_get_password: called
Oct 2 08:37:23 support sshd[25193]: tacacs_get_password: obtained password [779720]
Oct 2 08:37:23 support sshd[25193]: pam_sm_authenticate: pass [779720] obtained
Oct 2 08:37:23 support sshd[25193]: pam_sm_authenticate: tty [ssh] obtained
Oct 2 08:37:23 support sshd[25193]: pam_sm_authenticate: trying srv 0
Oct 2 08:37:23 support sshd[25193]: pam_sm_authenticate: exit
Oct 2 08:37:23 support sshd[25193]: pam_sm_acct_mgmt: called (pam_tacplus v1.2.9)
Oct 2 08:37:23 support sshd[25193]: pam_sm_acct_mgmt: active server is [10.100.0.102]
Oct 2 08:37:23 support sshd[25193]: pam_sm_acct_mgmt: username obtained [nowen]
Oct 2 08:37:23 support sshd[25193]: pam_sm_acct_mgmt: tty obtained [ssh]
Oct 2 08:37:23 support sshd[25193]: pam_sm_acct_mgmt: sent authorization request
Oct 2 08:37:24 support sshd[25193]: tac_author_read: inconsistent author reply body, incorrect key?
Oct 2 08:37:24 support sshd[25194]: fatal: Access denied for user nowen by PAM account configuration
Oct 2 08:37:24 support sshd[25193]: Failed password for nowen from 10.100.0.102 port 35385 ssh2

>
>> session include tacacs
>> #session required system-auth
>> #session required pam_limits.so
>> #session optional pam_console.so
>>
>> And here's the output from /var/log/secure:
>>
>> Oct 1 17:21:40 vpn sshd[22767]: PAM unable to
>> dlopen(/lib/security/tacacs)
>> Oct 1 17:21:40 vpn sshd[22767]: PAM [error: /lib/security/tacacs:
>> cannot open shared object file: No such file or directory]
>> Oct 1 17:21:40 vpn sshd[22767]: PAM adding faulty module:
>> /lib/security/tacacs
>>
> [skip]
>
>> I can't seem to google up any info on configuring with modules using
>> include. The logs seem to point to tacacs being in the wrong place. I
>> also wonder if the source for tacplus needs to be updated.
>>
> You just forgot to replace 'required' with 'include' and didn't notice
> that :-)

--
Nick Owen
WiKID Systems, Inc.
404-962-8983 (desk)
http://www.wikidsystems.com
Two-factor authentication, without the hassle factor.
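
An added example, not part of the thread and not pam_tacplus or Linux-PAM code: a small linter for pam.d files that catches the mistake diagnosed above (a service name used with `required`, which PAM then tries to dlopen() as a module) and also flags the pam_tacplus `debug` option, since the log above shows the password being written to syslog with it set. It assumes module paths end in `.so`; `lint`, `logical_lines` and the `services` list are hypothetical names, and the sample file is reconstructed from the post.

```python
import re

FILE_CONTROLS = {"include", "substack"}   # last field is a file in /etc/pam.d
RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def logical_lines(text):
    """Yield (first_line_no, rule_text) with backslash continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", 0

def lint(text, services=("tacacs", "system-auth")):
    """Return [(line_no, message)] for rules that name the wrong kind of target."""
    findings = []
    for no, line in logical_lines(text):
        m = RULE.match(line.split("#", 1)[0].strip())
        if not m:
            continue                      # blank line or comment
        _type, control, target, args = m.groups()
        is_module = target.endswith(".so")  # assumption: modules end in .so
        if control in FILE_CONTROLS and is_module:
            findings.append((no, f"'{control}' expects a pam.d file name, got module {target}"))
        elif control not in FILE_CONTROLS and not is_module:
            hint = " (a pam.d service: use 'include')" if target in services else ""
            findings.append((no, f"'{control} {target}' will be dlopen()ed as a module{hint}"))
        if "pam_tacplus" in target and "debug" in args.split():
            findings.append((no, "pam_tacplus debug: password appears in syslog"))
    return findings

# Constructed sample: the sshd file from the thread, as originally posted.
SSHD = """#%PAM-1.0
auth       include      tacacs
#auth      required     pam_nologin.so
account    include      tacacs
password   required     tacacs
session    include      tacacs
"""

if __name__ == "__main__":
    for no, msg in lint(SSHD):
        print(f"sshd:{no}: {msg}")
```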