[tac_plus] Default PAM authentication possible?

David Croft david at infotrek.co.uk
Sun Jul 8 21:42:11 UTC 2007


Hi,

I'm trying to set up tac_plus so that it authenticates against PAM
without having to configure any users in tac_plus.conf. Is this
possible?

I can authenticate using locally defined usernames fine (e.g. rancid
below) but it doesn't seem to even reach PAM for everything else -
nothing appears in auth.log. My pam.d file is the same for tac_plus as
for my working radiusd.

tac_plus.conf ------------------->

accounting file = /var/log/tac_plus.acct
key = adglajhsas

acl = all {
  permit = .*
}

user = DEFAULT {
  default service = permit
  login = PAM
  acl = all
  service = exec {
    priv-lvl = 15
  }
}

user = rancid {
  default service = permit
  login = cleartext "asd"
  acl = all
  service = exec {
    priv-lvl = 15
  }
}

log ------------>

Sun Jul  8 22:38:25 2007 [14066]: session.peerip is 213.12.21.71
Sun Jul  8 22:38:25 2007 [14110]: connect from 213.12.21.71 [213.12.21.71]
Sun Jul  8 22:38:25 2007 [14110]: Authenticating ACLs for user 'DEFAULT' instead of 'david.croft'
Sun Jul  8 22:38:25 2007 [14110]: cfg_acl_check(all, 213.12.21.71)
Sun Jul  8 22:38:25 2007 [14110]: ip 213.12.21.71 matched permit regex .* of acl filter all
Sun Jul  8 22:38:25 2007 [14110]: login query for 'david.croft' tty1 from 213.12.21.71 rejected
Sun Jul  8 22:38:25 2007 [14110]: login failure: david.croft 213.12.21.71 (213.12.21.71) tty1

Sun Jul  8 22:38:30 2007 [14066]: session.peerip is 213.12.21.71
Sun Jul  8 22:38:30 2007 [14111]: connect from 213.12.21.71 [213.12.21.71]
Sun Jul  8 22:38:30 2007 [14111]: cfg_acl_check(all, 213.12.21.71)
Sun Jul  8 22:38:30 2007 [14111]: ip 213.12.21.71 matched permit regex .* of acl filter all
Sun Jul  8 22:38:30 2007 [14111]: login query for 'rancid' tty1 from 213.12.21.71 accepted
Sun Jul  8 22:38:30 2007 [14066]: session.peerip is 213.12.21.71
Sun Jul  8 22:38:30 2007 [14112]: connect from 213.12.21.71 [213.12.21.71]


pam.d/tac_plus -------------->

#
# /etc/pam.d/tac_plus - PAM configuration for TACACS+
#

auth    sufficient      pam_winbind.so require_membership_of=router_admins
account sufficient      pam_winbind.so require_membership_of=router_admins
@include common-password
@include common-session
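
Added example, not part of the original post or of tac_plus: a small Python parser that groups log lines in the format shown above by child PID and reports, for each login query, whether the user was matched through the DEFAULT entry and whether the login was accepted or rejected. The sample log is constructed (placeholder address and user names), and the parser assumes wrapped lines have been rejoined.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log format in the post (wrapped lines
# rejoined; the address and user names are placeholders).
SAMPLE_LOG = """\
Sun Jul  8 22:38:25 2007 [14110]: connect from 192.0.2.10 [192.0.2.10]
Sun Jul  8 22:38:25 2007 [14110]: Authenticating ACLs for user 'DEFAULT' instead of 'alice'
Sun Jul  8 22:38:25 2007 [14110]: cfg_acl_check(all, 192.0.2.10)
Sun Jul  8 22:38:25 2007 [14110]: login query for 'alice' tty1 from 192.0.2.10 rejected
Sun Jul  8 22:38:25 2007 [14110]: login failure: alice 192.0.2.10 (192.0.2.10) tty1
Sun Jul  8 22:38:30 2007 [14111]: connect from 192.0.2.10 [192.0.2.10]
Sun Jul  8 22:38:30 2007 [14111]: login query for 'bob' tty1 from 192.0.2.10 accepted
"""

LINE = re.compile(r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[(?P<pid>\d+)\]: (?P<msg>.*)$")
FALLBACK = re.compile(r"Authenticating ACLs for user 'DEFAULT' instead of '(?P<user>[^']*)'")
QUERY = re.compile(r"login query for '(?P<user>[^']*)' \S+ from (?P<peer>\S+) (?P<result>accepted|rejected)$")


def summarize_logins(text):
    """Return one record per login query, correlated by the child PID in brackets."""
    fallback_by_pid = defaultdict(set)  # pid -> user names that fell through to DEFAULT
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank line or an unjoined continuation line
        pid, msg = m["pid"], m["msg"]
        fb = FALLBACK.search(msg)
        if fb:
            fallback_by_pid[pid].add(fb["user"])
            continue
        q = QUERY.search(msg)
        if q:
            records.append({
                "time": m["ts"], "pid": pid, "user": q["user"],
                "peer": q["peer"], "result": q["result"],
                "via_default": q["user"] in fallback_by_pid[pid],
            })
    return records


if __name__ == "__main__":
    for r in summarize_logins(SAMPLE_LOG):
        how = "DEFAULT entry" if r["via_default"] else "own user entry"
        print(f"{r['time']} pid={r['pid']} {r['user']}@{r['peer']} {r['result']} ({how})")
```

Run against a real log, the records with `via_default` set show which logins depended on the catch-all entry, which matters here because that entry grants priv-lvl 15 to anyone it authenticates.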

