<div>Hello,</div>
<div> </div>
<div>I have been reporting a few problems to John Heasley from <a href="http://shubbery.net">shubbery.net</a>, who turned out to be a pretty friendly guy. I don't even know if you are him, but here is a copy of my e-mail so you might be able to help me out with my problem. To make a long story short, OpenBSD tacacs does not work with SKEY.
</div>
<div> </div>
<div>Thanks in advance</div>
<div><br>---------- Forwarded message ----------<br><span class="gmail_quote">From: <b class="gmail_sendername">ninjabytes</b> &lt;<a href="mailto:ninjabytes@gmail.com">ninjabytes@gmail.com</a>&gt;<br>Date: 04-jun-2007 17:53
<br>Subject: Re: [tac_plus] Error Cannot generate skey prompt for USER<br>To: john heasley &lt;<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>&gt;<br><br> </span></div>
<div>John:<br><br>Take a quick look at the following debugging line:</div>
<div> </div>
<div># tac_plus -C /etc/tac_plus.conf -d 16 -g<br>Reading config<br>Version F4.0.4.alpha Initialized 1<br>tac_plus server F4.0.4.alpha starting<br>uid=511 euid=511 gid=511 egid=511 s=4<br>login query for 'angel:skey' tty1 from 10.254.80.8 rejected<br>10.254.80.8 tty1: Login aborted by request -- msg: CTRL-C pressed<br>login query for 'angel:skey' tty1 from 10.254.80.8 rejected<br> </div>
<div>When I telnet into one of my routers 1) I don't get a S/Key prompt 2) tac_plus debug message only reports the following message "login query for 'angel:skey' tty1 from 10.254.80.8 rejected". Any leads/tips will be truly appreciated.</div>
<div> </div>
<div>Below is a copy of my config file:</div>
<div> </div>
<div># more /etc/tac_plus.conf<br>user = angel {<br>login = skey<br>}<br> </div>
<div><span class="gmail_quote">2007/6/4, john heasley &lt;<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>&gt;:</span>
<div><span class="e" id="q_112f883b1f6f84a2_1">
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Mon, Jun 04, 2007 at 01:23:15PM -0300, ninjabytes:<br>> John:<br>><br>> I forgot to ask:<br>><br>
> 1) does my OpenBSD have to have telnet enabled in order to have tacacs<br>> generate the KEY prompt for skey?<br><br>Your host should not need anything enabled. I don't recall testing skey<br>with ssh (on the router), but I don't see why it wouldn't work.
<br><br>> 2) do you know how to get tacacs to work with S/Key on OpenBSD?<br><br>It should just work.<br><br>> 3) I tried to compile tacacs manually on my OpenBSD box and also on my<br>> FreeBSD box with the --with-skey configure parameter, but it fails when I
<br>> run "make"; it gives me a couple of libskeyaccess errors.<br><br>What is the error?<br><br>> 4) Please, let me know the best OS to get tacacs to work with S/Key<br><br>I tested with NetBSD, but the skey libraries should be no different for
<br>any O/S.<br><br>> 5) is it possible to integrate tacacs with OPIE and use OPIE instead of<br>> S/Key?<br><br>Sorry, I'm not familiar with opie.<br><br>> Thanks in advance<br>><br>><br>> 2007/6/2, john heasley &lt;<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>&gt;:<br>> ><br>> >Fri, Jun 01, 2007 at 06:53:46PM -0300, ninjabytes:<br>> >> Hi folks,
<br>> >><br>> >> I have installed tac_plus version F4.0.4.alpha on my OpenBSD<br>> >4.1-STABLE BOX.<br>> >><br>> >> Below is my /etc/tac_plus.conf config file:<br>> >><br>
> >> user = john {<br>> >> login = skey<br>> >> } <br>> >><br>> >> When I run tac_plus in debug mode and I telnet into my router which uses<br>> >that<br>> >> tacacs server I get the following error message:
<br>> ><br>> >Does that mean it works when not in debug mode? <br>> ><br>> >> Jun 1 14:49:51 angor tac_plus[12374]: Error Cannot generate skey prompt<br>> >for<br>> >> angel<br>> >> On the router side I don't get the SKEY challenge but a regular Login and
<br>> >> Password; I think that's why tacacs complains and gives me that error.<br>> >><br>> >> Is there any "specific" config that needs to be done on the router<br>> >side to<br>
> >> tell it to use "skey" with tacacs? What could be causing this?<br>> ><br>> >Does skey work outside of tacacs? ie: skeyinfo skey itself does require<br>> >some config/initialization.
<br>> ><br></blockquote></span></div></div><br>