Hi Adam,<br><br>I've read your post on getting PAM working under RHEL but have a few more questions about it.<br><br><a href="http://www.shrubbery.net/pipermail/tac_plus/2009-May/000435.html">http://www.shrubbery.net/pipermail/tac_plus/2009-May/000435.html</a><br>
<br>For those on Ubuntu, I had to install libpam0g-dev first and run ./configure again so PAM was detected.<br><br># apt-get install libpam0g-dev<br><br>1/ How does the tac_plus daemon know to look for the PAM authentication in /etc/pam.d/tac_plus? I created the tac_plus file, but I notice that when I deleted it and restarted the tac_plus daemon, PAM auth still works with or without it. Not sure if the PAM auth just defaults to using the common-* files in /etc/pam.d/ if it doesn't find the tac_plus file in there.<br>
<br>2/ The tac_plus user guide says that PAM doesn't work if the tac_plus daemon is started as a non-root user (which is how I am running the daemon). So once again, to get around this I had to configure the daemon to use the shadow GID.<br>
<br>"Be aware that when the tac_plus daemon runs as a non-root user (as is the<br>default in FreeBSD /usr/ports), it will not be able to authenticate using<br>the pam_unix.so module. This is because the system function getpwnam()<br>
called by pam_unix.so requires root privileges to retrieve the password to<br>validate from the /etc/master.passwd or /etc/shadow file. The symptom will<br>be that for each authentication that is attempted, the password will appear<br>
to be wrong whether it was typed correctly or not."<br><br>Cheers.<br><br>Andy<br><br><br><br><br><div class="gmail_quote">On Mon, Nov 30, 2009 at 2:48 PM, adam <span dir="ltr"><<a href="mailto:prozaconstilts@gmail.com">prozaconstilts@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><div></div><div class="h5">Andy Saykao wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi Adam,<br>
<br>
I came across that post but it was for RHEL, so I just skimmed through it because I'm working on an Ubuntu box. I really just want to use the users in /etc/passwd for now (maybe LDAP further down the track) - nevertheless, thank you for your suggestion.<br>
<br>
So my question is: if I just want to authenticate against /etc/passwd, is it worth me reading up more about PAM and trying to get this going, or do I just compile it using the GID of the shadow group as per this guide?<br>
<br>
<a href="http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-cisco-howtos-documents-and-notes/cisco-and-tacacs" target="_blank">http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-cisco-howtos-documents-and-notes/cisco-and-tacacs</a><br>
<br>
Thanks.<br>
<br>
Andy<br>
<br>
For Number 2, these instructions use pam_ldap for tac_plus as an<br>
example, but you can configure the pam stack for tac_plus to be<br>
whatever suits you.<br>
<br>
Instructions for RHEL5:<br>
<br>
1. install the pam-devel package from your repository<br>
<br>
2. compile the source for tacacs+, making sure that -lpam was<br>
discovered in the configure script<br>
<br>
3. define users in the conf file as such:<br>
<br>
user = <username> {<br>
login = PAM<br>
}<br>
<br>
4. Place a pam stack configuration in /etc/pam.d/tac_plus that has<br>
whatever mechanisms you require for authentication (see below)<br>
<br>
5. celebrate<br>
<br>
The pam stack I use looks like this:<br>
<br>
#cat /etc/pam.d/tac_plus:<br>
<br>
#%PAM-1.0<br>
auth include system-auth<br>
account required pam_nologin.so<br>
account include system-auth<br>
password include system-auth<br>
session optional pam_keyinit.so force revoke<br>
session include system-auth<br>
session required pam_loginuid.so<br>
<br>
It's not very obvious in that file, but I include system-auth, which<br>
looks like this:<br>
<br>
#%PAM-1.0<br>
# This file is auto-generated.<br>
# User changes will be destroyed the next time authconfig is run.<br>
auth required pam_env.so<br>
auth sufficient pam_unix.so nullok try_first_pass<br>
auth requisite pam_succeed_if.so uid >= 500 quiet<br>
auth sufficient pam_ldap.so use_first_pass<br>
auth required pam_deny.so<br>
<br>
account required pam_unix.so broken_shadow<br>
account sufficient pam_localuser.so<br>
account sufficient pam_succeed_if.so uid < 500 quiet<br>
account [default=bad success=ok user_unknown=ignore] pam_ldap.so<br>
account required pam_permit.so<br>
<br>
password requisite pam_cracklib.so try_first_pass retry=3<br>
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok<br>
password sufficient pam_ldap.so use_authtok<br>
password required pam_deny.so<br>
<br>
session optional pam_keyinit.so revoke<br>
session required pam_limits.so<br>
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid<br>
session required pam_unix.so<br>
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077<br>
session optional pam_ldap.so<br>
<br>
So, in this manner, tacacs+, talking to PAM, and using pam_ldap, can<br>
authenticate a user with ldap-based credentials. Of course, you can<br>
use whatever you like in terms of pam modules.<br>
<br>
Thanks,<br>
<br>
Adam<br>
<br>
<br>
</blockquote>
<br></div></div>
These instructions for RHEL should work 95% for Ubuntu. Note that the pam_unix module in use in the system-auth file is /etc/passwd and /etc/shadow... so using pam_unix in your tac_plus pam conf should be sufficient. As I recall, while RHEL uses a single system-auth, Debian and Ubuntu use system-auth broken out into common-auth, common-password, common-account, and common-session in the pam.d directory. You'll need to translate the pam conf files for Ubuntu, but the compilation and configuration of tac_plus should remain the same.<br>
<font color="#888888">
<br>
Adam<br>
</font></blockquote></div><br>