[tac_plus] [limseng: Re: Tac_plus & PAM]

john heasley heas at shrubbery.net
Fri Dec 1 20:10:10 UTC 2006


For posterity...

----- Forwarded message from Lim Seng

Thanks, that worked too, but the logs are complaining a lot about deprecated
pam_stack calls. I figured that just a simple line,

#%PAM-1.0
auth            include         system-auth

allows PAM to work just fine with tac_plus. It doesn't lockout userids after
3 failed attempts though I have configured system-auth to do so, guess I'll
look that up in PAM. However, thanks for the help though =)

Cheers,
Lim Seng

>Thu, Nov 30, 2006 at 03:15:05PM +0800, Lim Seng:
>> Hi,
>>
>> I have edited the configuration to the following:
>>
>> group = admin {
>>        login = PAM
>> }
>>
>> user = testuser1 {
>> default service = permit
>> member = admin
>>
>> }
>>
>> When I type in the username, immediately I get "% Authentication Failure",
>> without it even prompting me for a password, is there a certain mandatory
>> parameter that should have been inside? I manned through tac_plus.conf.5,
>> and it looks like simply this configuration will just work.
>>
>> Appreciate any advice once again, thanks a lot
>
>Did you configure PAM itself?  This is what I used to test:
>
>linucks [2] cat /etc/pam.d/tac_plus
>#%PAM-1.0
>auth       required     pam_stack.so service=system-auth
>account    required     pam_stack.so service=system-auth
>password   required     pam_stack.so service=system-auth
>session    required     pam_limits.so
>
>
>> Cheers,
>> Lim Seng
>>
>>
>> On 11/25/06
>> >
>> >Fri, Nov 24, 2006 at 04:22:33PM +0800, Lim Seng:
>> >> Dear Sir,
>> >>
>> >> I have found RANCID to be a very interesting and useful software, and I am
>> >> currently using it to backup my network devices. Due to my positive
>> >> experience with RANCID, I decided to try out tac_plus by Shrubbery too,
>> >> seeing that your version comes with PAM authentication support as well. I am
>> >> glad to say everything works fine, but I'd like advice on the particular
>> >> issue between tac_plus and PAM if possible.
>> >>
>> >> I am currently using:
>> >>
>> >> Fedora Core 6
>> >> uname -r : 2.6.18-1.2849.fc6
>> >>
>> >> I have compiled and installed tacacs+-F4.0.4.13, authenticating primarily
>> >> from /etc/passwd.  What I'd like to achieve is to set a system-wide limit
>> >> of 3 login attempts, and lockout any user account except root in PAM. My
>> >> system already has that policy set, but I'd like to apply this policy to
>> >> tacacs as well. I have tried to set the authentication method to pam but it
>> >> doesn't work, please see my config:
>> >>
>> >> ---------------------------------Start of Config-------------------------------------------
>> >> key = examplekey
>> >>
>> >> # Use /etc/passwd file to do authentication
>> >>
>> >> default authentication = file /etc/passwd
>> >>
>> >> # Now tacacs+ also use default PAM authentication
>> >> #default authentication = pam system-auth ####Tried to set to PAM authentication method but no go here.
>> >>
>> >> # Accounting records log file
>> >>
>> >> accounting file = /var/log/tac_acc.log
>> >>
>> >> #All services are allowed..
>> >>
>> >> user = $enable$ {
>> >> login = cleartext "iamenabled"
>> >> }
>> >>
>> >> group = admin {
>> >> service = exec {
>> >>        default attribute = permit
>> >>        priv-lvl = 1
>> >> }
>> >> }
>> >>
>> >> user = tester1 {
>> >> name = "tester1"
>> >> member = testadmin
>> >> }
>> >>
>> >> ---------------------------------End of Config-------------------------------------------
>> >>
>> >> I have read through the INSTALL/users guide/FAQ file and tac_plus.h in the
>> >> source code for further clues but I still can't get it right. I did not
>> >> input any special configuration prefixes during compilation phase:
>> >
>> >In order for tac_plus to query/use PAM, you must configure those users or
>> >groups to do so.  See tac_plus.conf(5) top-level directive user and follow
>> >the relationship to user_attr, to login, then password_spec.  eg:
>> >
>> >group = admin {
>> >        login = PAM
>> >....
>> >
>> >> ./configure --prefix=/usr/local/tacplus
>> >>
>> >> If the information provided is not sufficient I'll be glad to provide more,
>> >> looking forward to your advice.
>> >>
>> >> Cheers,
>> >> Lim Seng
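The thread turns on which login method tac_plus actually ends up using for a given user: the first config posted had `tester1` as a member of a group (`testadmin`) that was never defined and no `login` line anywhere, so nothing ever reached PAM and the system-wide lockout policy could not apply. The script below is an added example, not code from the thread or from tac_plus itself; it parses the line-oriented subset of tac_plus.conf seen in the posts above (one directive per line, which is an assumption; the real parser is whitespace-agnostic) and resolves each user's effective login method by following `member` chains and then the top-level `default authentication`, the lookup order tac_plus.conf(5) describes. The sample config and the `opsuser` account are constructed for the example.

```python
"""Resolve the effective login method for every user in a tac_plus.conf.

Added example, not part of the mailing-list thread or of tac_plus itself.
Assumptions: one directive per line (as in the configs posted in the
thread) and the lookup order  user login -> group login (via 'member'
chains) -> top-level 'default authentication'  from tac_plus.conf(5).
A '#' inside a quoted value is not handled (treated as a comment start).
"""

# Constructed sample config modelled on the two configs posted in the thread.
SAMPLE_CONF = """\
key = examplekey
default authentication = file /etc/passwd
accounting file = /var/log/tac_acc.log

user = $enable$ {
    login = cleartext "iamenabled"
}

# a group that hands authentication to PAM (the fix suggested in the thread)
group = admin {
    login = PAM
    service = exec {
        default attribute = permit
        priv-lvl = 1
    }
}

user = testuser1 {
    default service = permit
    member = admin
}

# as in the first config posted: member points at a group that is never defined
user = tester1 {
    name = "tester1"
    member = testadmin
}

# constructed: no login and no member, so it falls through to 'default authentication'
user = opsuser {
}
"""


def parse_conf(text):
    """Parse the line-oriented tac_plus.conf subset into nested dicts.

    root['user'][name] and root['group'][name] hold the bodies of the
    corresponding blocks; plain directives map lhs -> rhs as strings.
    """
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line == '}':
            if len(stack) == 1:
                raise ValueError(f'line {lineno}: unmatched }}')
            stack.pop()
            continue
        opens_block = line.endswith('{')
        if opens_block:
            line = line[:-1].strip()
        lhs, sep, rhs = line.partition('=')
        if not sep:
            raise ValueError(f'line {lineno}: expected "lhs = rhs": {raw!r}')
        lhs, rhs = lhs.strip(), rhs.strip()
        if opens_block:
            body = {}
            stack[-1].setdefault(lhs, {})[rhs] = body   # e.g. root['user']['tester1']
            stack.append(body)
        else:
            stack[-1][lhs] = rhs                        # e.g. body['login'] = 'PAM'
    if len(stack) != 1:
        raise ValueError('unclosed block at end of file')
    return root


def effective_login(conf, username):
    """Return (method, reason); method is None when no usable method resolves."""
    users, groups = conf.get('user', {}), conf.get('group', {})
    if username not in users:
        return None, 'user is not defined'
    node, chain, seen = users[username], [f'user {username}'], set()
    while True:
        if 'login' in node:                      # nearest explicit login wins
            return node['login'], ' -> '.join(chain)
        member = node.get('member')
        if member is None:
            break
        if member in seen:
            return None, f'membership loop at group {member}'
        seen.add(member)
        if member not in groups:                 # the tester1/testadmin mistake
            return None, f"group '{member}' is not defined ({' -> '.join(chain)})"
        chain.append(f'group {member}')
        node = groups[member]
    default = conf.get('default authentication')
    if default:
        return default, ' -> '.join(chain + ['default authentication'])
    return None, 'no login method anywhere in the chain'


def audit(conf):
    """Map every defined user to its resolved (method, reason)."""
    return {name: effective_login(conf, name) for name in conf.get('user', {})}


if __name__ == '__main__':
    for name, (method, reason) in audit(parse_conf(SAMPLE_CONF)).items():
        print(f'{name:12} {method or "PROBLEM":24} {reason}')
```

Run it against a real tac_plus.conf before relying on a PAM-side lockout: only the users whose resolved method is `PAM` are subject to whatever /etc/pam.d/tac_plus enforces; the rest are still checked against the file or cleartext method and never hit the PAM stack at all.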


