[tac_plus] Default PAM authentication possible?
David Croft
david at infotrek.co.uk
Sun Jul 8 21:42:11 UTC 2007
Hi,
I'm trying to set up tac_plus so that it authenticates against PAM
without having to configure any users in tac_plus.conf. Is this
possible?
I can authenticate using locally defined usernames fine (e.g. rancid
below) but it doesn't seem to even reach PAM for everything else -
nothing appears in auth.log. My pam.d file is the same for tac_plus as
for my working radiusd.
tac_plus.conf ------------------->
accounting file = /var/log/tac_plus.acct
key = adglajhsas
acl = all {
    permit = .*
}
user = DEFAULT {
    default service = permit
    login = PAM
    acl = all
    service = exec {
        priv-lvl = 15
    }
}
user = rancid {
    default service = permit
    login = cleartext "asd"
    acl = all
    service = exec {
        priv-lvl = 15
    }
}
log ------------>
Sun Jul 8 22:38:25 2007 [14066]: session.peerip is 213.12.21.71
Sun Jul 8 22:38:25 2007 [14110]: connect from 213.12.21.71 [213.12.21.71]
Sun Jul 8 22:38:25 2007 [14110]: Authenticating ACLs for user 'DEFAULT' instead of 'david.croft'
Sun Jul 8 22:38:25 2007 [14110]: cfg_acl_check(all, 213.12.21.71)
Sun Jul 8 22:38:25 2007 [14110]: ip 213.12.21.71 matched permit regex .* of acl filter all
Sun Jul 8 22:38:25 2007 [14110]: login query for 'david.croft' tty1 from 213.12.21.71 rejected
Sun Jul 8 22:38:25 2007 [14110]: login failure: david.croft 213.12.21.71 (213.12.21.71) tty1
Sun Jul 8 22:38:30 2007 [14066]: session.peerip is 213.12.21.71
Sun Jul 8 22:38:30 2007 [14111]: connect from 213.12.21.71 [213.12.21.71]
Sun Jul 8 22:38:30 2007 [14111]: cfg_acl_check(all, 213.12.21.71)
Sun Jul 8 22:38:30 2007 [14111]: ip 213.12.21.71 matched permit regex .* of acl filter all
Sun Jul 8 22:38:30 2007 [14111]: login query for 'rancid' tty1 from 213.12.21.71 accepted
Sun Jul 8 22:38:30 2007 [14066]: session.peerip is 213.12.21.71
Sun Jul 8 22:38:30 2007 [14112]: connect from 213.12.21.71 [213.12.21.71]
pam.d/tac_plus -------------->
#
# /etc/pam.d/tac_plus - PAM configuration for TACACS+
#
auth sufficient pam_winbind.so require_membership_of=router_admins
account sufficient pam_winbind.so require_membership_of=router_admins
@include common-password
@include common-session