Hi Alan,<br><br>1/ So in other words I should be able to run tac_plus using the ID/GID of the tac_plus user I created because /etc/passwd should be world-readable? I initially tried compiling with just the ID/GID of the tac_plus user but was unable to authenticate using /etc/passwd - hence why I compiled it a second time using the GID of the shadow group and was then able to authenticate using /etc/passwd (not sure if this is good or bad but I just followed somebody else's guide). <br>
<br>Sorry if I'm a bit naive on the unix file permission stuff, but here are the permissions on the Ubuntu box I'm testing with.<br><br># ls -la /etc/passwd /etc/shadow<br>-rw-r--r-- 1 root root 1130 2009-11-27 12:48 /etc/passwd<br>
-rw-r----- 1 root shadow 835 2009-11-27 12:48 /etc/shadow<br><br>2/ How do I get tac_plus to authenticate using PAM? I've googled around and re-checked the mailing list but not much to go on. I've got a few PAM modules installed and can see that there's a /etc/pam.conf file and /etc/pam.d/ folder. <br>
<br>Cheers.<br><br>Andy<br><br><br><br><div class="gmail_quote">On Fri, Nov 27, 2009 at 7:37 PM, Alan McKinnon <span dir="ltr"><<a href="mailto:alan.mckinnon@gmail.com">alan.mckinnon@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Strictly speaking, that applies to ancient systems not running the shadow<br>
suite - modern systems leave /etc/passwd world-readable and restrict<br>
/etc/shadow to root only:<br>
<br>
Linux:<br>
$ ls -al /etc/passwd /etc/shadow<br>
-rw-r--r-- 1 root root 2841 2009-10-23 00:29 /etc/passwd<br>
-rw------- 1 root root 1398 2009-10-23 00:30 /etc/shadow<br>
<br>
FreeBSD:<br>
$ ls -al /etc/passwd /etc/master.passwd<br>
-rw------- 1 root wheel 5315 Oct 14 10:20 /etc/master.passwd<br>
-rw-r--r-- 1 root wheel 4646 Oct 14 10:20 /etc/passwd<br>
<br>
Solaris-9<br>
$ ls -al /etc/passwd /etc/shadow<br>
-r-------- 1 root sys 3692 Sep 22 17:05 /etc/passwd<br>
-r-------- 1 root other 1138 Nov 2 15:00 /etc/shadow<br>
<br>
All three of those boxes run tac_plus. Note that Solaris-9 qualifies as ancient.<br>
Generally, one can adjust group memberships and setuid/setgid so that<br>
tac_plus can read the passwd hashes.<br>
<br>
But in almost all cases, it's simpler and cleaner to just use pam -<br>
<div><div></div><div class="h5"><br>
<br>
On Friday 27 November 2009 03:34:34 Andy Saykao wrote:<br>
> Thanks for that piece of information Alan. Much appreciated.<br>
><br>
> As Alan has explained, here is a ps of my user tac-plus running the<br>
> program.<br>
><br>
> root@tacacs-1:/var/log# ps aux | grep tac<br>
> tac-plus 10847 0.0 0.0 2316 544 pts/0 S 12:20 0:00<br>
> /tac-plus/bin/tac_plus -C /tac-plus/etc/tac_plus.cfg<br>
><br>
> Please be aware that if you want to run it as a different user other than<br>
> root AND also want to login by using the user's password in /etc/passwd<br>
> then you will need to set GID to "shadow". This will allow you to read the<br>
> /etc/passwd file.<br>
><br>
> # grep shadow /etc/group<br>
> shadow:x:42:<br>
><br>
> ./configure --prefix /tac-plus --with-acctfile=/var/log/tac_acc.log<br>
> --with-logfile=/var/log/tac_plus.log --with-userid=1001 --with-groupid=42<br>
><br>
> Now when the program starts up it will show the uid=1001 (tac-plus user)<br>
> and the gid=42 (GID shadow).<br>
><br>
> # /tac-plus/bin/tac_plus -C /tac-plus/etc/tac_plus.cfg -t -g -d 128<br>
> Reading config<br>
> Version F4.0.4.19 Initialized 1<br>
> tac_plus server F4.0.4.19 starting<br>
> uid=1001 euid=1001 gid=42 egid=42 s=5<br>
><br>
> Thanks to this guy's useful post:<br>
><br>
> <a href="http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-cis" target="_blank">http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-cis</a><br>
> co-howtos-documents-and-notes/cisco-and-tacacs<br>
><br>
> Hope that helps newbies like me out there.<br>
><br>
> Cheers.<br>
><br>
> Andy<br>
><br>
> -----<br>
><br>
> On Wed, Nov 25, 2009 at 5:43 PM, Alan McKinnon<br>
<<a href="mailto:alan.mckinnon@gmail.com">alan.mckinnon@gmail.com</a>>wrote:<br>
> > On Wednesday 25 November 2009 04:45:31 Andy Saykao wrote:<br>
> > > Hi All,<br>
> > ><br>
> > > Is there a way to install the program as a different user other than<br>
> ><br>
> > root??<br>
> ><br>
> > > I'm installing this on Ubuntu Server 8.10.<br>
> > ><br>
> > > For example I've created a user called tac-plus with uid and gid of<br>
> > > 1001.<br>
> > ><br>
> > > /etc/passwd:<br>
> > > tac-plus:x:1001:1001:TACACS+ User,,,:/home/tac-plus:/bin/bash<br>
> > ><br>
> > > /etc/group:<br>
> > > tac-plus:x:1001:<br>
> > ><br>
> > > I then configured it with the userid and groupid:<br>
> > ><br>
> > > ./configure --prefix /tac-plus --with-acctfile=/var/log/tac_acc.log<br>
> > > --with-logfile=/var/log/tac_plus.log --with-userid=1001<br>
> ><br>
> > --with-groupid=1001<br>
> ><br>
> > > But once the program was installed, the files and directories are all<br>
> ><br>
> > still<br>
> ><br>
> > > owned by root?<br>
> > ><br>
> > > root@tacacs-1:/tac-plus# ls -la<br>
> > > total 24<br>
> > > drwxr-xr-x 6 root root 4096 2009-11-25 12:14 .<br>
> > > drwxr-xr-x 21 root root 4096 2009-11-25 12:14 ..<br>
> > > drwxr-xr-x 2 root root 4096 2009-11-25 12:14 bin<br>
> > > drwxr-xr-x 2 root root 4096 2009-11-25 12:14 include<br>
> > > drwxr-xr-x 2 root root 4096 2009-11-25 12:14 lib<br>
> > > drwxr-xr-x 4 root root 4096 2009-11-25 12:14 share<br>
> > ><br>
> > > Any ideas how to install it as a different user?<br>
> ><br>
> > It is already correctly installed. The tac-plus user simply needs to read<br>
> > and<br>
> > execute the files, not own them or write to them.<br>
> ><br>
> > Check other daemons that drop privileges at runtime; those files are<br>
> > normally<br>
> > owned by root as well, as root is the only user that can write to system<br>
> > areas.<br>
> ><br>
> > tac-plus just needs to be able to write its pid file<br>
> ><br>
> > --<br>
> > alan dot mckinnon at gmail dot com<br>
> > _______________________________________________<br>
> > tac_plus mailing list<br>
> > <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
> > <a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><br>
><br>
<br>
</div></div>--<br>
<div><div></div><div class="h5">alan dot mckinnon at gmail dot com<br>
_______________________________________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><br>
</div></div></blockquote></div><br>
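Added example (not code from tac_plus or from anyone in this thread): a small C program that models, for exactly the owner/mode combinations quoted above, which daemon identity can read /etc/passwd and /etc/shadow under ordinary Unix permission checks, and then shows the order in which a daemon started as root should drop to an unprivileged uid/gid and verify that the drop took. The uid 1001 and gid 42 mirror the thread; the struct names, the constructed file and identity tables, and the functions can_read and drop_privileges are this example's own.

```c
#define _GNU_SOURCE          /* for setgroups() on glibc */
#include <stdio.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Owner and permission bits of a file, as shown by "ls -la" in the thread.
 * Constructed data: nothing here is read from the running system. */
struct file_perm {
    const char *path;
    uid_t owner;
    gid_t group;
    mode_t mode;            /* permission bits only, e.g. 0640 */
};

/* A process identity: uid, primary gid and supplementary groups. */
struct identity {
    uid_t uid;
    gid_t gid;
    const gid_t *groups;    /* supplementary groups, may be NULL */
    size_t ngroups;
};

/* The files quoted in the thread (constructed from the ls output). */
static const struct file_perm PASSWD        = { "/etc/passwd", 0,  0, 0644 }; /* root:root */
static const struct file_perm UBUNTU_SHADOW = { "/etc/shadow", 0, 42, 0640 }; /* root:shadow, Andy's box */
static const struct file_perm STRICT_SHADOW = { "/etc/shadow", 0,  0, 0600 }; /* root:root, Alan's Linux box */

/* Ways the tac-plus account (uid 1001, as in the thread) could be set up. */
static const gid_t SHADOW_GROUP[] = { 42 };
static const struct identity ROOT            = { 0,    0,    NULL,         0 };
static const struct identity TACPLUS_PLAIN   = { 1001, 1001, NULL,         0 }; /* --with-groupid=1001 */
static const struct identity TACPLUS_GID42   = { 1001, 42,   NULL,         0 }; /* --with-groupid=42 */
static const struct identity TACPLUS_SUPPGRP = { 1001, 1001, SHADOW_GROUP, 1 }; /* gid 1001 plus membership in group 42 */

/* Plain Unix DAC read check: exactly one of the owner, group or other bit
 * sets applies, chosen in that order; uid 0 bypasses the check entirely. */
int can_read(const struct identity *who, const struct file_perm *f)
{
    if (who->uid == 0)
        return 1;
    if (who->uid == f->owner)
        return (f->mode & S_IRUSR) != 0;
    if (who->gid == f->group)
        return (f->mode & S_IRGRP) != 0;
    for (size_t i = 0; i < who->ngroups; i++)
        if (who->groups[i] == f->group)
            return (f->mode & S_IRGRP) != 0;
    return (f->mode & S_IROTH) != 0;
}

/* Drop from root to uid/gid in the safe order (supplementary groups, then
 * gid, then uid) and prove the drop took: regaining root must fail.
 * Returns 0 on success, -1 on any failure. Only meaningful when euid == 0. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0) return -1;   /* discard root's supplementary groups */
    if (setgid(gid) != 0) return -1;          /* gid before uid: once unprivileged, setgid would fail */
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;            /* must now be refused with EPERM */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

int main(void)
{
    const struct identity *ids[] = { &ROOT, &TACPLUS_PLAIN, &TACPLUS_GID42, &TACPLUS_SUPPGRP };
    const struct file_perm *files[] = { &PASSWD, &UBUNTU_SHADOW, &STRICT_SHADOW };

    for (size_t i = 0; i < 4; i++)
        for (size_t j = 0; j < 3; j++)
            printf("uid=%u gid=%u reads %s (%04o root:%u): %s\n",
                   (unsigned)ids[i]->uid, (unsigned)ids[i]->gid, files[j]->path,
                   (unsigned)files[j]->mode, (unsigned)files[j]->group,
                   can_read(ids[i], files[j]) ? "yes" : "no");

    /* Started as root? Drop to the identity the thread configured, then print
     * the same uid/euid/gid/egid line tac_plus logs at startup. */
    if (geteuid() == 0 && drop_privileges(1001, 42) != 0) {
        fprintf(stderr, "privilege drop failed\n");
        return 1;
    }
    printf("uid=%u euid=%u gid=%u egid=%u\n", (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid());
    return 0;
}
```

The table reproduces what the thread found by trial and error: with /etc/shadow at 0640 root:shadow, the daemon needs gid 42 (primary or supplementary) to read it, and /etc/passwd at 0644 is readable by any uid; on a box that keeps /etc/shadow at 0600 root:root no group trick works, which is why Alan points at PAM instead. The drop_privileges order matters because setuid() to an unprivileged uid removes the ability to change groups afterwards, and the setuid(0) check catches a drop that silently left the saved uid as root.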