[tac_plus] Re: Tac_plus & PAM

Lim Seng limseng at gmail.com
Mon Dec 4 09:56:58 UTC 2006


Hi,

I am having issues with configuring account lockouts on 3 attempts using
faillog and pam_tally, but I am not sure whether there is a parameter (
a.k.a. I didn't RTFM) which has to be added in the configuration for it to
work. I have read through man on AV Pairs, which I thought could solve the
problem, but it didn't seem to help:

My tac_plus file in /etc/pam.d/:

#%PAM-1.0
auth           required     pam_tally.so per_user onerr=fail deny=3
auth           required     pam_env.so
auth           required     pam_unix.so likeauth nullok
account      required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session      required     pam_limits.so

And my tac_plus.cfg

group = admin {
        login = PAM
}

user = netadm {
default service = permit
member = admin
}

The problem that I have encountered is that, be it a successful or a failed
login attempt, pam_tally counts it as a failure; the lockout feature works
fine when it reads that faillog has more than 3 "failed" attempts for user
netadm, albeit those 3 attempts were successful logins.

My /var/log/secure:

Dec  4 15:29:13 maskedhost tac_plus[6974]: pam_tally(tac_plus:auth): user
netadm (500) tally 4, deny 3
Dec  4 15:29:15 maskedhost tac_plus[6974]: pam_unix(tac_plus:auth):
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=netadm

I have figured that I have probably not configured pam_tally properly for
failed-login counting and the lockout feature. I greatly appreciate your help
thus far, but I am sorry I have to approach you for your assistance once again.

PS: Sorry if you received 2 copies of this mail. It was a re-send.

Cheers,
Lim Seng

On 12/1/06, Lim Seng <limseng at gmail.com> wrote:
>
> Thanks, that worked too, but the logs are complaining a lot about
> deprecated pam_stack calls. I figured that just a simple line,
>
> #%PAM-1.0
> auth            include         system-auth
>
> allows PAM to work just fine with tac_plus. It doesn't lock out userids
> after 3 failed attempts, though I have configured system-auth to do so; guess
> I'll look that up in PAM. However, thanks for the help though =)
>
> Cheers,
> Lim Seng
>
> On 11/30/06, john heasley <heas at shrubbery.net> wrote:
> >
> > Thu, Nov 30, 2006 at 03:15:05PM +0800, Lim Seng:
> > > Hi,
> > >
> > > I have edited the configuration to the following:
> > >
> > > group = admin {
> > >        login = PAM
> > > }
> > >
> > > user = testuser1 {
> > > default service = permit
> > > member = admin
> > >
> > > }
> > >
> > > When I type in the username, immediately I get "% Authentication Failure",
> > > without it even prompting me for a password, is there a certain mandatory
> > > parameter that should have been inside? I manned through tac_plus.conf.5,
> > > and it looks like simply this configuration will just work.
> > >
> > > Appreciate any advice once again, thanks a lot
> >
> > Did you configure PAM itself?  This is what I used to test:
> >
> > linucks [2] cat /etc/pam.d/tac_plus
> > #%PAM-1.0
> > auth       required     pam_stack.so service=system-auth
> > account    required     pam_stack.so service=system-auth
> > password   required     pam_stack.so service=system-auth
> > session    required     pam_limits.so
> >
> >
> > > Cheers,
> > > Lim Seng
> > >
> > >
> > > On 11/25/06, tac_plus at shrubbery.net <tac_plus at shrubbery.net> wrote:
> > > >
> > > >Fri, Nov 24, 2006 at 04:22:33PM +0800, Lim Seng:
> > > >> Dear Sir,
> > > >>
> > > >> I have found RANCID to be a very interesting and useful software, and I am
> > > >> currently using it to backup my network devices. Due to my positive
> > > >> experience with RANCID, I decided to try out tac_plus by Shrubbery too,
> > > >> seeing that your version comes with PAM authentication support as well.
> > > >> I am glad to say everything works fine, but I'd like advice on the
> > > >> particular issue between tac_plus and PAM if possible.
> > > >>
> > > >> I am currently using:
> > > >>
> > > >> Fedora Core 6
> > > >> uname -r : 2.6.18-1.2849.fc6
> > > >>
> > > >> I have compiled and installed tacacs+-F4.0.4.13, authenticating primarily
> > > >> from /etc/passwd.  What I'd like to achieve is to set a system-wide limit
> > > >> of 3 login attempts, and lock out any user account except root in PAM. My
> > > >> system already has that policy set, but I'd like to apply this policy to
> > > >> tacacs as well. I have tried to set the authentication method to pam but it
> > > >> doesn't work, please see my config:
> > > >>
> > > >> ---------------------------------Start of Config-------------------------------------------
> > > >> key = examplekey
> > > >>
> > > >> # Use /etc/passwd file to do authentication
> > > >>
> > > >> default authentication = file /etc/passwd
> > > >>
> > > >> # Now tacacs+ also use default PAM authentication
> > > >> #default authentication = pam system-auth ####Tried to set to PAM
> > > >> authentication method but no go here.
> > > >>
> > > >> # Accounting records log file
> > > >>
> > > >> accounting file = /var/log/tac_acc.log
> > > >>
> > > >> #All services are allowed..
> > > >>
> > > >> user = $enable$ {
> > > >> login = cleartext "iamenabled"
> > > >> }
> > > >>
> > > >> group = admin {
> > > >> service = exec {
> > > >>        default attribute = permit
> > > >>        priv-lvl = 1
> > > >> }
> > > >> }
> > > >>
> > > >> user = tester1 {
> > > >> name = "tester1"
> > > >> member = testadmin
> > > >> }
> > > >>
> > > >> ---------------------------------End of Config-------------------------------------------
> > > >>
> > > >> I have read through the INSTALL/users guide/FAQ file and tac_plus.h in the
> > > >> source code for further clues but I still can't get it right. I did not
> > > >> input any special configuration prefixes during compilation phase:
> > > >
> > > >In order for tac_plus to query/use PAM, you must configure those users or
> > > >groups to do so.  See tac_plus.conf(5) top-level directive user and follow
> > > >the relationship to user_attr, to login, then password_spec.  eg:
> > > >
> > > >group = admin {
> > > >        login = PAM
> > > >....
> > > >
> > > >> ./configure --prefix=/usr/local/tacplus
> > > >>
> > > >> If the information provided is not sufficient I'll be glad to provide more,
> > > >> looking forward to your advice.
> > > >>
> > > >> Cheers,
> > > >> Lim Seng
> > > >
> >
>
>
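As an added example that is not part of this thread (not the poster's file, nor anything from the tac_plus project), here is an /etc/pam.d/tac_plus stack that counts only failed attempts. It assumes the symptom described above comes from pam_tally appearing only in the auth phase: the auth entry increments the per-user counter on every attempt, and the counter is reset to zero only by pam_tally's account-phase entry, which runs after a successful authentication. Without that account line every login, successful or not, raises the tally until deny=3 locks the account.

```text
#%PAM-1.0
# auth phase: pam_tally bumps the per-user counter on every attempt and
# refuses once it reaches deny=3; onerr=fail makes an unreadable faillog
# count as a failure instead of silently allowing access.
auth       required     pam_tally.so per_user onerr=fail deny=3
auth       required     pam_env.so
auth       required     pam_unix.so likeauth nullok
# account phase: only reached after authentication succeeded, so this
# entry resets the tally to zero for the user (it still denies if the
# count is already at or over the limit). This is the line assumed missing.
account    required     pam_tally.so per_user
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_limits.so
```

Two things worth knowing when reading /var/log/secure with this stack: because pam_tally is `required` rather than `requisite`, pam_unix still runs after pam_tally has already refused, which is why a locked user produces both a "tally 4, deny 3" line and a pam_unix "authentication failure" line for the same attempt; and an account that was locked by the miscounting stack keeps its stale count until it is cleared, for example with `pam_tally --user netadm --reset` (or `faillog -u netadm -r`) after the account line is in place.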