Hello All,
I am using pam_tacplus.so for TACACS+ authentication for a Linux client (CentOS) on a small PC-based system. I am wondering how I could get Linux groups working. As far as I know, tacplus inherently does not support Linux groups at all, as it is designed more for Cisco devices.
If we can't support Linux groups from TACACS+, is there any way that I could pass some information from the tacplus server to the Linux pam_tacplus module, either during the authorization or the authentication phase, which could be used by pam_tacplus to change user info on the fly? I know it won't be the best way to do so, but it may work. I have done similar changes for the pam_radius module and it works pretty well.
It could also be possible that my server configuration is not good. I am sending an authorization request from the client, but the server does not seem to understand the "service=shell". It says "No identifiable service/protocol in authorization request".
=============================================
My server config
group = test {
    default service = deny
    login = file /etc/passwd
    enable = file /etc/passwd
    service = shell {
        priv-lvl = 15
    }
}
user = joe {
    member = test
}
Please find below the server side log.
===============================================
Fri Feb 20 11:03:09 2015 [7437]: 0x73 0x73 0x68
Fri Feb 20 11:03:09 2015 [7437]: type=AUTHOR, priv_lvl=0, authen=2
Fri Feb 20 11:03:09 2015 [7437]: method=tacacs+
Fri Feb 20 11:03:09 2015 [7437]: svc=3 user_len=3 port_len=3 rem_addr_len=12
Fri Feb 20 11:03:09 2015 [7437]: arg_cnt=2
Fri Feb 20 11:03:09 2015 [7437]: User:
Fri Feb 20 11:03:09 2015 [7437]: joe
Fri Feb 20 11:03:09 2015 [7437]: port:
Fri Feb 20 11:03:09 2015 [7437]: ssh
Fri Feb 20 11:03:09 2015 [7437]: rem_addr:
Fri Feb 20 11:03:09 2015 [7437]: 192.168.2.30
Fri Feb 20 11:03:09 2015 [7437]: arg[0]: size=13
Fri Feb 20 11:03:09 2015 [7437]: service=shell
Fri Feb 20 11:03:09 2015 [7437]: arg[1]: size=12
Fri Feb 20 11:03:09 2015 [7437]: protocol=ssh
Fri Feb 20 11:03:09 2015 [7437]: End packet
Fri Feb 20 11:03:09 2015 [7437]: Writing AUTHOR/ERROR size=75
Fri Feb 20 11:03:09 2015 [7437]: PACKET: key=<NULL>
Fri Feb 20 11:03:09 2015 [7437]: version 192 (0xc0), type 2, seq no 2, flags 0x1
Fri Feb 20 11:03:09 2015 [7437]: session_id 0 (0x0), Data length 63 (0x3f)
Fri Feb 20 11:03:09 2015 [7437]: End header
Fri Feb 20 11:03:09 2015 [7437]: Packet body hex dump:
Fri Feb 20 11:03:09 2015 [7437]: 0x11 0x0 0x0 0x0 0x39 0x0 0x4e 0x6f 0x20 0x69 0x64 0x65 0x6e 0x74 0x69 0x66
Fri Feb 20 11:03:09 2015 [7437]: 0x69 0x61 0x62 0x6c 0x65 0x20 0x73 0x65 0x72 0x76 0x69 0x63 0x65 0x2f 0x70 0x72
Fri Feb 20 11:03:09 2015 [7437]: 0x6f 0x74 0x6f 0x63 0x6f 0x6c 0x20 0x69 0x6e 0x20 0x61 0x75 0x74 0x68 0x6f 0x72
Fri Feb 20 11:03:09 2015 [7437]: 0x69 0x7a 0x61 0x74 0x69 0x6f 0x6e 0x20 0x72 0x65 0x71 0x75 0x65 0x73 0x74
Fri Feb 20 11:03:09 2015 [7437]: type=AUTHOR/REPLY status=17 (AUTHOR/ERROR)
Fri Feb 20 11:03:09 2015 [7437]: msg_len=0, data_len=57 arg_cnt=0
Fri Feb 20 11:03:09 2015 [7437]: msg:
Fri Feb 20 11:03:09 2015 [7437]: data:
Fri Feb 20 11:03:09 2015 [7437]: No identifiable service/protocol in authorization request
Fri Feb 20 11:03:09 2015 [7437]: End packet
Fri Feb 20 11:03:09 2015 [7437]: authorization query for 'joe' ssh from 192.168.2.201 rejected
Thanks in advance for any help.
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
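The following is an added example, not code from the post, from pam_tacplus or from tac_plus. It encodes and decodes the TACACS+ authorization packets (RFC 8907) that the server log above shows: the AUTHOR request for user joe, port ssh, rem_addr 192.168.2.30 with the two arguments service=shell (13 bytes) and protocol=ssh (12 bytes), and the AUTHOR/ERROR reply whose body is 63 bytes (6-byte fixed part plus the 57-byte "No identifiable service/protocol in authorization request" data). It also decodes a constructed PASS_ADD reply carrying attribute-value pairs, which is the channel a TACACS+ server has for handing information such as priv-lvl to a client like pam_tacplus; the optional attribute `groups*wheel` in that sample is invented for illustration and is not a tac_plus attribute. Two details from the log are worth reading: `flags 0x1` is TAC_PLUS_UNENCRYPTED_FLAG and `key=<NULL>` means no shared secret, so the packet bodies, user names included, crossed the network in clear; the code implements the RFC 8907 MD5 pseudo-pad so the same functions work once a key is configured on both sides. The sample packets are constructed in the block, not captured.

```python
"""TACACS+ (RFC 8907) authorization packet helpers: request encoder,
reply decoder and the optional body obfuscation.
Added example; not code from pam_tacplus or tac_plus."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # "version 192 (0xc0)" in the log: major 0xC, minor 0
TAC_PLUS_AUTHOR = 0x02             # header type 2 = authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # flags 0x1 in the log: body sent in clear
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, seq_no, key, length):
    """RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no."""
    pad, prev = b"", b""
    seed = struct.pack("!I", session_id) + key + bytes([TAC_PLUS_VERSION, seq_no])
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, seq_no, key):
    """XOR the body with the pseudo-pad; symmetric, so it also de-obfuscates.
    With an empty key (key=<NULL> in the log) the body goes on the wire unchanged."""
    if not key:
        return body
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, seq_no, key, len(body))))


def pack_header(ptype, seq_no, session_id, body_len, key=b""):
    """12-byte header: version, type, seq_no, flags, session_id, body length."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    return struct.pack("!BBBBII", TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, body_len)


def build_author_request(user, port, rem_addr, args,
                         authen_method=6, priv_lvl=0, authen_type=2, authen_service=3):
    """AUTHOR request body (RFC 8907 section 6.1). The default field values are the
    ones the server logged (method=tacacs+, priv_lvl=0, authen=2, svc=3)."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    arg_b = [a.encode() for a in args]
    body = struct.pack("!8B", authen_method, priv_lvl, authen_type, authen_service,
                       len(user_b), len(port_b), len(rem_b), len(arg_b))
    return body + bytes(len(a) for a in arg_b) + user_b + port_b + rem_b + b"".join(arg_b)


def build_author_reply(status, server_msg=b"", data=b"", args=()):
    """AUTHOR reply body (RFC 8907 section 6.2): status, arg_cnt, msg_len, data_len,
    per-argument lengths, server_msg, data, then the attribute-value pairs."""
    arg_b = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(arg_b), len(server_msg), len(data))
    return body + bytes(len(a) for a in arg_b) + server_msg + data + b"".join(arg_b)


def split_avpair(raw):
    """attr<sep>value: the first '=' (mandatory) or '*' (optional) is the separator."""
    for i, c in enumerate(raw):
        if c in "=*":
            return raw[:i], raw[i + 1:], c == "="
    raise ValueError("attribute without separator: %r" % raw)


def parse_author_reply(body):
    """Decode a reply body into (status name, server_msg, data, {attr: (value, mandatory)}).
    Every length field is checked so a truncated or padded body is rejected, not misread."""
    if len(body) < 6:
        raise ValueError("AUTHOR/REPLY body shorter than its fixed header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt])
    off += arg_cnt
    if len(arg_lens) != arg_cnt or off + msg_len + data_len + sum(arg_lens) != len(body):
        raise ValueError("AUTHOR/REPLY length fields do not match body size")
    server_msg = body[off:off + msg_len]
    off += msg_len
    data = body[off:off + data_len]
    off += data_len
    avpairs = {}
    for n in arg_lens:
        attr, value, mandatory = split_avpair(body[off:off + n].decode())
        off += n
        avpairs[attr] = (value, mandatory)
    return AUTHOR_STATUS.get(status, hex(status)), server_msg.decode(), data.decode(), avpairs


# Constructed sample traffic: the rejected exchange from the log, plus a hypothetical
# PASS_ADD reply. 'groups*wheel' is an invented optional attribute used only to show how
# server-supplied data reaches the client; tac_plus defines no such attribute.
REQUEST = build_author_request("joe", "ssh", "192.168.2.30", ["service=shell", "protocol=ssh"])
ERROR_REPLY = build_author_reply(0x11, data=b"No identifiable service/protocol in authorization request")
PASS_REPLY = build_author_reply(0x01, args=["priv-lvl=15", "groups*wheel"])

if __name__ == "__main__":
    print(pack_header(TAC_PLUS_AUTHOR, 2, 0, len(ERROR_REPLY)).hex(), ERROR_REPLY.hex())
    for reply in (ERROR_REPLY, PASS_REPLY):
        print(parse_author_reply(reply))
```

Run as-is it prints the header and body of the AUTHOR/ERROR reply (header `c002020100000000 0000003f`, i.e. version 0xc0, type 2, seq 2, flags 1, session 0, length 63, as in the log) and the decoded tuples. The decoder insists that the length fields add up to the body size before touching any field; a client that trusts `arg_cnt` and the per-argument lengths without that check reads past the buffer on a malformed reply, which matters because, with no key, anyone on the path can write such a reply.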