[tac_plus] Re: Default PAM authentication possible?
john heasley
heas at shrubbery.net
Mon Jul 9 18:05:57 UTC 2007
Sun, Jul 08, 2007 at 10:42:11PM +0100, David Croft:
> Hi,
>
> I'm trying to set up tac_plus so that it authenticates against PAM
> without having to configure any users in tac_plus.conf. Is this
> possible?
>
> I can authenticate using locally defined usernames fine (e.g. rancid
> below) but it doesn't seem to even reach PAM for everything else -
> nothing appears in auth.log. My pam.d file is the same for tac_plus as
> for my working radiusd.
>
> tac_plus.conf ------------------->
>
> accounting file = /var/log/tac_plus.acct
> key = adglajhsas
>
> acl = all {
>     permit = .*
> }
>
> user = DEFAULT {
>     default service = permit
>     login = PAM
>     acl = all
>     service = exec {
>         priv-lvl = 15
>     }
> }
>
> user = rancid {
>     default service = permit
>     login = cleartext "asd"
>     acl = all
>     service = exec {
>         priv-lvl = 15
>     }
> }
>
> log ------------>
>
> Sun Jul 8 22:38:25 2007 [14066]: session.peerip is 213.12.21.71
> Sun Jul 8 22:38:25 2007 [14110]: connect from 213.12.21.71 [213.12.21.71]
> Sun Jul 8 22:38:25 2007 [14110]: Authenticating ACLs for user 'DEFAULT' instead of 'david.croft'
> Sun Jul 8 22:38:25 2007 [14110]: cfg_acl_check(all, 213.12.21.71)
> Sun Jul 8 22:38:25 2007 [14110]: ip 213.12.21.71 matched permit regex .* of acl filter all
> Sun Jul 8 22:38:25 2007 [14110]: login query for 'david.croft' tty1 from 213.12.21.71 rejected
> Sun Jul 8 22:38:25 2007 [14110]: login failure: david.croft 213.12.21.71 (213.12.21.71) tty1

Did it prompt for a password or did it just fail immediately after the
username prompt?

> Sun Jul 8 22:38:30 2007 [14066]: session.peerip is 213.12.21.71
> Sun Jul 8 22:38:30 2007 [14111]: connect from 213.12.21.71 [213.12.21.71]
> Sun Jul 8 22:38:30 2007 [14111]: cfg_acl_check(all, 213.12.21.71)
> Sun Jul 8 22:38:30 2007 [14111]: ip 213.12.21.71 matched permit regex .* of acl filter all
> Sun Jul 8 22:38:30 2007 [14111]: login query for 'rancid' tty1 from 213.12.21.71 accepted
> Sun Jul 8 22:38:30 2007 [14066]: session.peerip is 213.12.21.71
> Sun Jul 8 22:38:30 2007 [14112]: connect from 213.12.21.71 [213.12.21.71]
>
>
> pam.d/tac_plus -------------->
>
> #
> # /etc/pam.d/tac_plus - PAM configuration for TACACS+
> #
>
> auth sufficient pam_winbind.so require_membership_of=router_admins
> account sufficient pam_winbind.so require_membership_of=router_admins
> @include common-password
> @include common-session