From ninjabytes at gmail.com Fri Jun 1 21:53:46 2007
From: ninjabytes at gmail.com (ninjabytes)
Date: Fri, 1 Jun 2007 18:53:46 -0300
Subject: [tac_plus] Error Cannot generate skey prompt for USER
Message-ID: <17f180d20706011453r1a380353s3a79cfd1d048505a@mail.gmail.com>

Hi folks,

I have installed tac_plus version F4.0.4.alpha on my OpenBSD 4.1-STABLE box.

Below is my /etc/tac_plus.conf config file:

user = john {
    login = skey
}

When I run tac_plus in debug mode and I telnet in my router, which uses that tacacs server, I get the following error message:

Jun 1 14:49:51 angor tac_plus[12374]: Error Cannot generate skey prompt for angel

On the router side I don't get the S/Key challenge but a regular Login and Password; I think that's why tacacs complains and gives me that error.

Is there any "specific" config that needs to be done on the router side to tell it to use "skey" with tacacs? What could be causing this?

ANY help will be truly appreciated.

-Mark

From heas at shrubbery.net Sat Jun 2 07:04:44 2007
From: heas at shrubbery.net (john heasley)
Date: Sat, 2 Jun 2007 07:04:44 +0000
Subject: [tac_plus] Re: Error Cannot generate skey prompt for USER
In-Reply-To: <17f180d20706011453r1a380353s3a79cfd1d048505a@mail.gmail.com>
References: <17f180d20706011453r1a380353s3a79cfd1d048505a@mail.gmail.com>
Message-ID: <20070602070444.GD18287@shrubbery.net>

Fri, Jun 01, 2007 at 06:53:46PM -0300, ninjabytes:
> Hi folks,
>
> I have installed tac_plus version F4.0.4.alpha on my OpenBSD 4.1-STABLE BOX.
>
> Below is my /etc/tac_plus.conf config file:
>
> user = john {
>     login = skey
> }
>
> When I run tac_plus in debug mode and I telnet in my router which uses that
> tacacs server I get the following error message:

does that mean it works when not in debug mode?
> Jun 1 14:49:51 angor tac_plus[12374]: Error Cannot generate skey prompt for
> angel
> on the router side I don't get the S/Key challenge but a regular Login and
> Password. I think that's why tacacs complains and gives me that error.
>
> is there any "specific" config that needs to be done on the router side to
> tell it to use "skey" with tacacs? What could be causing this?

does skey work outside of tacacs? ie: skeyinfo
skey itself does require some config/initialization.

From ninjabytes at gmail.com Tue Jun 5 13:35:17 2007
From: ninjabytes at gmail.com (ninjabytes)
Date: Tue, 5 Jun 2007 10:35:17 -0300
Subject: [tac_plus] TAC_PLUS S/Key on OpenBSD
Message-ID: <17f180d20706050635v16a86d89s74f41b647d36e352@mail.gmail.com>

Hello,

I have an OpenBSD 4.1-STABLE box running tac_plus F4.0.4.alpha. My tac_plus.conf config file looks like this:

user = angel {
    login = skey
}

I can run tac_plus without a trouble; however, when I telnet in my router and put "user:skey" in the username field I don't get the S/Key challenge. I can see the following message on the OpenBSD box when I telnet in my router:

# tac_plus -C /etc/tac_plus.conf -d 8 -g
Reading config
Version F4.0.4.alpha Initialized 1
tac_plus server F4.0.4.alpha starting
uid=511 euid=511 gid=511 egid=511 s=4
login query for 'angel:skey' tty1 from 10.254.80.8 rejected
login query for 'angel:skey' tty1 from 10.254.80.8 rejected
login query for 'angel:skey' tty1 from 10.254.80.8 rejected

# ldd tac_plus
/usr/local/sbin/tac_plus:
        Start    End      Type Open Ref GrpRef Name
        00000000 00000000 exe  1    0   0      /usr/local/sbin/tac_plus
        062ca000 262fe000 rlib 0    1   0      /usr/lib/libc.so.40.3
        06e3e000 06e3e000 rtld 0    1   0      /usr/libexec/ld.so

Any information on this matter will be truly appreciated. I can even move to NetBSD if needed, if you guys confirm it will run perfectly with S/Key; however, I would love to keep my OpenBSD box for this and find out what's going on so we can help others.
Thanks in advance

From ninjabytes at gmail.com Tue Jun 5 12:14:27 2007
From: ninjabytes at gmail.com (ninjabytes)
Date: Tue, 5 Jun 2007 09:14:27 -0300
Subject: [tac_plus] Fwd: Error Cannot generate skey prompt for USER
In-Reply-To: <17f180d20706041353l48d8295cnbb66103735c46d24@mail.gmail.com>
References: <17f180d20706011453r1a380353s3a79cfd1d048505a@mail.gmail.com>
        <20070602070444.GD18287@shrubbery.net>
        <17f180d20706040923l386da6btb2807e4515fe2532@mail.gmail.com>
        <20070604173656.GN27191@shrubbery.net>
        <17f180d20706041353l48d8295cnbb66103735c46d24@mail.gmail.com>
Message-ID: <17f180d20706050514g2071d7f1na90ee3caa8c2c831@mail.gmail.com>

Hello,

I have been reporting a few problems to John Heasley from shrubbery.net, who turned out to be a pretty friendly guy. I don't even know if you are him, but here is a copy of my e-mail so you might be able to help me out with my problem. To make a long story short, OpenBSD tacacs does not work with SKEY.

Thanks in advance

---------- Forwarded message ----------
From: ninjabytes
Date: 04-jun-2007 17:53
Subject: Re: [tac_plus] Error Cannot generate skey prompt for USER
To: john heasley

John:

Take a quick look at the following debugging line:

# tac_plus -C /etc/tac_plus.conf -d 16 -g
Reading config
Version F4.0.4.alpha Initialized 1
tac_plus server F4.0.4.alpha starting
uid=511 euid=511 gid=511 egid=511 s=4
login query for 'angel:skey' tty1 from 10.254.80.8 rejected
10.254.80.8 tty1: Login aborted by request -- msg: CTRL-C pressed
login query for 'angel:skey' tty1 from 10.254.80.8 rejected

When I telnet in one of my routers:

1) I don't get a S/Key prompt
2) the tac_plus debug message only reports the following message: "login query for 'angel:skey' tty1 from 10.254.80.8 rejected"

Any leads/tips will be truly appreciated.
Below is a copy of my config file:

# more /etc/tac_plus.conf
user = angel {
    login = skey
}

2007/6/4, john heasley:
>
> Mon, Jun 04, 2007 at 01:23:15PM -0300, ninjabytes:
> > John:
> >
> > I forgot to ask:
> >
> > 1) does my OpenBSD have to have telnet enabled in order to have tacacs
> > generate the KEY prompt for skey?
>
> your host should not need anything enabled. I don't recall testing skey
> with ssh (on the router), but I don't see why it wouldn't work.
>
> > 2) do you know how to get tacacs to work with S/Key on OpenBSD?
>
> It should just work.
>
> > 3) I tried to compile tacacs manually on my OpenBSD box and also on my
> > FreeBSD box with the --with-skey configure parameter but it fails when I
> > run "make"; it gives me a couple libskeyaccess errors.
>
> what is the error?
>
> > 4) Please, let me know the best OS to get tacacs to work with S/Key
>
> I tested with NetBSD, but the skey libraries should be no different for
> any O/S.
>
> > 5) is it possible to integrate tacacs with OPIE and use OPIE instead of
> > S/Key?
>
> Sorry, I'm not familiar with opie.
>
> > Thanks in advance
> >
> >
> > 2007/6/2, john heasley <heas at shrubbery.net>:
> > >
> > > Fri, Jun 01, 2007 at 06:53:46PM -0300, ninjabytes:
> > > > Hi folks,
> > > >
> > > > I have installed tac_plus version F4.0.4.alpha on my OpenBSD
> > > > 4.1-STABLE BOX.
> > > >
> > > > Below is my /etc/tac_plus.conf config file:
> > > >
> > > > user = john {
> > > >     login = skey
> > > > }
> > > >
> > > > When I run tac_plus in debug mode and I telnet in my router which uses
> > > > that tacacs server I get the following error message:
> > >
> > > does that mean it works when not in debug mode?
> > >
> > > > Jun 1 14:49:51 angor tac_plus[12374]: Error Cannot generate skey prompt
> > > > for angel
> > > > on the router side I don't get the S/Key challenge but a regular Login
> > > > and Password. I think that's why tacacs complains and gives me that error.
> > > >
> > > > is there any "specific" config that needs to be done on the router
> > > > side to tell it to use "skey" with tacacs? What could be causing this?
> > >
> > > does skey work outside of tacacs? ie: skeyinfo
> > > skey itself does require some config/initialization.
> >

From chris at kadux.com Sun Jun 10 15:58:45 2007
From: chris at kadux.com (Chris Phillips)
Date: Sun, 10 Jun 2007 08:58:45 -0700
Subject: [tac_plus] Please help?
Message-ID: <466C1FB5.2010500@kadux.com>

Hi there,

I've just set up your TACACS server for the first time and I am either running into a bug or outdated documentation/man pages. I am really sorry for emailing you, but there isn't a whole lot in your mailing list or in Google about my issue.

Here is my config:

key = xxxxxxxxxxxxx
accounting file = /home/tacacs/accounting.log
#default authorization = permit

user = chris {
    login = des xxxxxxxxxxxxx
    enable = des xxxxxxxxxxxxx
    default authorization = permit
#    cmd = show {
#        permit .*
#    }
#    cmd = configure {
#        permit .*
#    }
#    cmd = aaa {
#        permit .*
#    }
#    cmd = write {
#        permit .*
#    }
#    cmd = enable {
#        permit .*
#    }
#    cmd = .* {
#        permit .*
#    }
}

user = bob {
    login = cleartext 123
}

My problem is that this breaks the tac_plus daemon. I get the following error: "Error: Unrecognised keyword default for user on line 8"

This line is the "default authorization = permit" which the man page suggests works. Am I reading this wrong? When I uncomment the "cmd =" statements, those commands work fine, as does everything else I have tried thus far, with the exception of the default authorization statement.

My goal here is to permit authorization for all commands for the user chris or even on a global level; both are acceptable. I can then implicitly specify the commands I want to permit for, say, the user bob.
Thank you in advance for your reply, and many many thank yous for writing this, and other (RANCID), GREAT services.

-CP

From heas at shrubbery.net Mon Jun 11 16:01:11 2007
From: heas at shrubbery.net (john heasley)
Date: Mon, 11 Jun 2007 09:01:11 -0700
Subject: [tac_plus] Re: Please help?
In-Reply-To: <466C1FB5.2010500@kadux.com>
References: <466C1FB5.2010500@kadux.com>
Message-ID: <20070611160111.GI6883@shrubbery.net>

I believe you want one of the following:

user = DEFAULT {
    default service = permit
}

user = whomever {
    default service = permit
}

the first replaces the syntax default authorization = permit.

Sun, Jun 10, 2007 at 08:58:45AM -0700, Chris Phillips:
> Hi there,
>
> I've just setup your TACACS server for the first time and I am either
> running into a bug or outdated documentation/man pages. I am really
> sorry for emailing you, but there isn't a whole lot in your mailing list
> or in Google about my issue.
>
> Here is my config:
>
> key = xxxxxxxxxxxxx
> accounting file = /home/tacacs/accounting.log
> #default authorization = permit
>
> user = chris {
>     login = des xxxxxxxxxxxxx
>     enable = des xxxxxxxxxxxxx
>     default authorization = permit
> #    cmd = show {
> #        permit .*
> #    }
> #    cmd = configure {
> #        permit .*
> #    }
> #    cmd = aaa {
> #        permit .*
> #    }
> #    cmd = write {
> #        permit .*
> #    }
> #    cmd = enable {
> #        permit .*
> #    }
> #    cmd = .* {
> #        permit .*
> #    }
> }
>
> user = bob {
>     login = cleartext 123
> }
>
> My problem is that this breaks the tac_plus daemon. I get the following
> error: "Error: Unrecognised keyword default for user on line 8"
>
> This line is the "default authorization = permit" which the man page
> suggests works. Am I reading this wrong? When I uncomment the "cmd ="
> statements, those commands work fine, as does everything else I have
> tried thus far, with the exception of the default authorization statement.
>
> My goal here is to permit authorization for all commands for the user
> chris or even on a global level; both are acceptable. I can then
> implicitly specify the commands I want to permit for say, the user bob.
>
> Thank you in advance for your reply, and many many thank yous for
> writing this, and other (RANCID), GREAT services.
>
> -CP
>
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From Rupert.Dobrounig at sonydadc.com Wed Jun 13 10:37:20 2007
From: Rupert.Dobrounig at sonydadc.com (Rupert Dobrounig)
Date: Wed, 13 Jun 2007 12:37:20 +0200
Subject: [tac_plus] Tac+ and Cisco WCS
Message-ID:

Dear all,

we are using your Tacacs+ server for AAA on our Cisco equipment, which has always worked fine. Now we spent some money on Cisco's new "Wireless LAN Controller" and also a "Wireless Control System" server.

These kits support AAA and Tacacs in their most recent version, but I haven't really got a clue how to pair them off (neither WLC nor WCS + tacacs).

I found some good manuals on the Cisco web (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml), but they just state how to use their ACS, and that's a bit pricey if you don't already have that server.

Mainly I failed in finding out how to use these role-based auth methods in your tac server. Maybe you already have some experience with this. I'd be very pleased if you could help me.

best regards
rupert
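For the `default service = permit` syntax in the reply to Chris Phillips above, here is an added example that is not tac_plus's code or anything posted in the thread: a small Python model of the command-authorization rules that config is expressing, with the permissive variant (everything permitted, as `user = DEFAULT { default service = permit }` would do for every user not otherwise configured) beside the least-privilege variant (explicit `cmd` blocks and the implicit deny). The policy dict, the users and the requests are constructed to mirror tac_plus.conf blocks; dropping the trailing `cmd-arg=<cr>` before matching is this model's assumption, not something the page shows.

```python
"""Added example, not tac_plus's code: a model of tac_plus command authorization as the
documentation describes it, with a permit-all user beside a least-privilege user."""
import re

# Constructed policy in the shape of the thread's tac_plus.conf. "DEFAULT" is what
# tac_plus falls back to for users with no entry of their own; "chris" is the
# everything-permitted answer from the reply; "bob" gets explicit cmd blocks.
POLICY = {
    "DEFAULT": {"default service": "deny", "cmd": {}},
    "chris": {"default service": "permit", "cmd": {}},
    "bob": {
        "default service": "deny",
        "cmd": {
            "show": [("permit", r"^(running-config|version|interfaces)"), ("deny", r".*")],
            "configure": [("deny", r".*")],
        },
    },
}


def parse_request(avpairs):
    """Split the NAS's authorization AV pairs (service=shell cmd=... cmd-arg=...) into
    the command word and its arguments. Cisco IOS ends the list with cmd-arg=<cr>;
    dropping it here is an assumption of this model."""
    attrs, args = {}, []
    for av in avpairs:
        k, _, v = av.partition("=")
        if k == "cmd-arg":
            if v != "<cr>":
                args.append(v)
        else:
            attrs[k] = v
    return attrs.get("cmd", ""), args


def authorize(policy, user, command, args):
    """Decide one command. The cmd block is chosen by exact command name; its permit/deny
    regexes are searched in order against the argument string and the first match wins;
    no match inside a block is a deny; no block for that command at all falls through
    to the user's 'default service' (deny unless the config says permit)."""
    entry = policy.get(user) or policy.get("DEFAULT")
    if entry is None:
        return False, "no user entry and no DEFAULT"
    rules = entry["cmd"].get(command)
    if rules is None:
        verdict = entry["default service"] == "permit"
        return verdict, "default service = " + entry["default service"]
    argstr = " ".join(args)
    for action, pattern in rules:
        if re.search(pattern, argstr):
            return action == "permit", "cmd = %s { %s %s }" % (command, action, pattern)
    return False, "cmd = %s: no rule matched, implicit deny" % command


def permit_all_users(policy):
    """Audit helper: users whose effective policy is 'anything goes', i.e. default
    service permit and no cmd block that could narrow it. Run it before deploying a
    config that puts default service = permit under DEFAULT."""
    return sorted(u for u, e in policy.items()
                  if e["default service"] == "permit" and not e["cmd"])


if __name__ == "__main__":
    # Constructed requests in the shape IOS sends them for a shell session.
    for user, req in [("chris", ["service=shell", "cmd=configure", "cmd-arg=terminal", "cmd-arg=<cr>"]),
                      ("bob", ["service=shell", "cmd=show", "cmd-arg=running-config", "cmd-arg=<cr>"]),
                      ("bob", ["service=shell", "cmd=show", "cmd-arg=ip", "cmd-arg=route", "cmd-arg=<cr>"]),
                      ("bob", ["service=shell", "cmd=write", "cmd-arg=memory", "cmd-arg=<cr>"])]:
        cmd, args = parse_request(req)
        ok, why = authorize(POLICY, user, cmd, args)
        print("%-6s %-24s %s (%s)" % (user, cmd + " " + " ".join(args), "permit" if ok else "deny", why))
    print("permit-all users:", permit_all_users(POLICY))
```

The audit helper is the part worth keeping around: swapping `DEFAULT` to `default service = permit` makes every authenticated user that has no entry of their own a permit-all user, which is exactly the global variant the original question asked for and the reason to prefer per-user `cmd` blocks for anyone who is not an administrator.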
From heas at shrubbery.net Wed Jun 13 15:13:47 2007
From: heas at shrubbery.net (john heasley)
Date: Wed, 13 Jun 2007 08:13:47 -0700
Subject: [tac_plus] Re: Tac+ and Cisco WCS
In-Reply-To:
References:
Message-ID: <20070613151347.GC7848@shrubbery.net>

Wed, Jun 13, 2007 at 12:37:20PM +0200, Rupert Dobrounig:
> Dear all,
>
> we are using your Tacacs+ server for AAA on our Cisco equipment which ever
> worked fine.
> Now we spent some money on Cisco's new "Wireless LAN Controller" and also a
> "Wireless Control System" Server.
>
> These kits support AAA and Tacacs in their most recent version but I
> haven't got really a clue how to pair them off (neither WLC nor WCS +
> tacacs).
>
> I found some good manuals on the Cisco web
> (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml),
> but they just state out how to use their ACS and that's a bit pricey if
> you don't already have that server.
>
> Mainly I failed in finding out how to use these rolebased auth methods in
> your tac Server.

There should not be anything fancy about this. The device probably expects
an AV-pair, such as something = role:ALL. You just have to find out what
the something is and I don't see it in that document. However, this may
require service = ciscowlc, under which this av pair would be. such as:

user = foo {
    service = ciscowlc {
        something = role:ALL
    }
}

From ninjabytes at gmail.com Thu Jun 14 16:45:32 2007
From: ninjabytes at gmail.com (ninjabytes)
Date: Thu, 14 Jun 2007 13:45:32 -0300
Subject: [tac_plus] TACACS ACL help
Message-ID: <17f180d20706140945gde7186by2d0ed754aad48838@mail.gmail.com>

John:

I have a quick question. We have a Windows 2003 Server box with the IP 10.1.10.10 running CiscoWorks. We would like to allow that IP (10.1.10.10) to telnet in all of our routers ONLY from that IP. Is this something with TACACS?
How can I "only" allow the user "ciscoworks" in tacacs to log in to our routers from the IP 10.1.10.10?

Thanks in advance

From Chetan_Jain at Monitor.com Tue Jun 26 15:58:16 2007
From: Chetan_Jain at Monitor.com (Chetan_Jain at Monitor.com)
Date: Tue, 26 Jun 2007 21:28:16 +0530
Subject: [tac_plus] PAM authentication
Message-ID:

Hi,

I am trying to authenticate the sshd service on a linux system through tacacs+...

Tacacs+ server IP : 10.1.100.114
Network Client    : 10.115.111.215

I am starting tacacs+ using tac_plus -d 8 -C /opt/WiKID/private/tacacs.conf

# This file is dynamically written by the WiKID server
# manual changes to this file will be overwritten almost immediately

key = "cooler"
accounting file = /opt/WiKID/log/tacacs.accounting.log

user = chetan {
    default service = permit
    chap = cleartext "605992"
    pap = cleartext "605992"
    arap = cleartext "605992"
    login = des chRQBOhi.agrM
}

On the Network Client side...

/etc/pam.d/tacacs :

#%PAM-1.0
auth       sufficient   /lib/security/pam_tacplus.so debug \
                        server=10.1.100.114 secret=cooler encrypt
account    sufficient   /lib/security/pam_tacplus.so debug \
                        server=10.1.100.114 secret=cooler encrypt service=shell protocol=ssh
session    sufficient   /lib/security/pam_tacplus.so debug \
                        server=10.1.100.114 secret=cooler encrypt service=shell protocol=ssh

/etc/pam.d/sshd :

#%PAM-1.0
auth       sufficient   pam_stack.so service=tacacs
#auth      required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_stack.so service=tacacs
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    sufficient   pam_stack.so service=tacacs
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so

Tacacs+ is not authenticating the credentials...
/var/log/messages on Tacacs+ Server shows :

Jun 26 11:48:15 netmgr tac_plus[28248]: Version F4.0.4.10 Initialized 1
Jun 26 11:48:30 netmgr tac_plus[28258]: connect from 10.115.111.215 [10.115.111.215]
Jun 26 11:48:30 netmgr tac_plus[28258]: pap-login query for 'chetan' ssh from 10.115.111.215 rejected

Can you help me with what could be the issue...

Thanks and Regards,
Chetan Jain
Network Team - IR,
Monitor Group,
131 Free Press House,
Nariman Point, Mumbai.
India

-----------------------------------
This message contains information that may be confidential and proprietary. Unless you are the intended recipient (or authorized to receive this message for the intended recipient), you may not use, copy, disseminate or disclose to anyone the message or any information contained in the message. If you have received the message in error, please advise the sender by reply e-mail, and delete the message immediately. Thank you very much.

From heas at shrubbery.net Tue Jun 26 17:12:41 2007
From: heas at shrubbery.net (john heasley)
Date: Tue, 26 Jun 2007 17:12:41 +0000
Subject: [tac_plus] Re: PAM authentication
In-Reply-To:
References:
Message-ID: <20070626171241.GD25540@shrubbery.net>

Tue, Jun 26, 2007 at 09:28:16PM +0530, Chetan_Jain at Monitor.com:
> Hi,
>
> I am trying to authenticate sshd service on a linux system through
> tacacs+....
>
> Tacacs+ server IP : 10.1.100.114
> Network Client : 10.115.111.215
>
> I am starting tacacs+ using tac_plus -d 8 -C
> /opt/WiKID/private/tacacs.conf
>
> # This file is dynamically written by the WiKID server
> # manual changes to this file will be overwritten almost immediately
>
> key = "cooler"
> accounting file = /opt/WiKID/log/tacacs.accounting.log
>
> user = chetan {
>     default service = permit
>     chap = cleartext "605992"
>     pap = cleartext "605992"
>     arap = cleartext "605992"
>     login = des chRQBOhi.agrM
> }
>
> On the Network Client side....
>
> /etc/pam.d/tacacs :
>
> #%PAM-1.0
> auth sufficient /lib/security/pam_tacplus.so debug \
> server=10.1.100.114 secret=cooler encrypt
> account sufficient /lib/security/pam_tacplus.so debug \
> server=10.1.100.114 secret=cooler encrypt service=shell protocol=ssh
> session sufficient /lib/security/pam_tacplus.so debug \
> server=10.1.100.114 secret=cooler encrypt service=shell protocol=ssh
>
> /etc/pam.d/sshd :
>
> #%PAM-1.0
> auth sufficient pam_stack.so service=tacacs
> #auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> account sufficient pam_stack.so service=tacacs
> account required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
> session sufficient pam_stack.so service=tacacs
> session required pam_stack.so service=system-auth
> session required pam_limits.so
> session optional pam_console.so
>
>
> Tacacs+ is not authenticating the credentials....
>
> /var/log/messages on Tacacs+ Server shows :
>
> Jun 26 11:48:15 netmgr tac_plus[28248]: Version F4.0.4.10 Initialized 1
> Jun 26 11:48:30 netmgr tac_plus[28258]: connect from 10.115.111.215
> [10.115.111.215]
> Jun 26 11:48:30 netmgr tac_plus[28258]: pap-login query for 'chetan' ssh
> from 10.115.111.215 rejected
>
>
> Can you help me what could be the issue......

start with enabling authentication debugging on the tacacs daemon. it should
tell you why the login failed.

From Chetan_Jain at Monitor.com Wed Jun 27 08:15:01 2007
From: Chetan_Jain at Monitor.com (Chetan_Jain at Monitor.com)
Date: Wed, 27 Jun 2007 13:45:01 +0530
Subject: [tac_plus] Re: PAM authentication
In-Reply-To: <20070626171241.GD25540@shrubbery.net>
Message-ID:

Logs on the Tacacs+ Server :

Jun 27 03:40:43 netmgr tac_plus[22460]: Version F4.0.4.10 Initialized 1
Jun 27 03:50:21 netmgr tac_plus[22462]: session.peerip is 10.115.111.215
Jun 27 03:50:21 netmgr tac_plus[23406]: connect from 10.115.111.215 [10.115.111.215]
Jun 27 03:50:22 netmgr tac_plus[23406]: pap-login query for 'chetan' ssh from 10.115.111.215 rejected

/var/log/secure on the Network Client :

Jun 27 13:18:53 cjain-test sshd[27081]: Deprecated pam_stack module called from service "sshd"
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: called (pam_tacplus v1.2.9)
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: user [chetan] obtained
Jun 27 13:18:53 cjain-test sshd[27081]: tacacs_get_password: called
Jun 27 13:18:53 cjain-test sshd[27081]: tacacs_get_password: obtained password [H M?INCORRECT]
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: pass [H M?INCORRECT] obtained
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: tty [ssh] obtained
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: trying srv 0
Jun 27 13:18:53 cjain-test sshd[27081]: tac_authen_pap_read: authentication failed, server reply was 2 (Login incorrect)
Jun 27 13:18:53 cjain-test sshd[27081]: Failed password
for invalid user chetan from 10.115.100.100 port 3610 ssh2

I am not sure why it's showing some password which was not typed... I think it's an issue with the pam_tacacs installed on the network client...

Can somebody suggest to me what could be the issue...

Thanks and Regards,
Chetan Jain
Network Team - IR,
Monitor Group,
131 Free Press House,
Nariman Point, Mumbai.
India

john heasley
06/26/2007 10:42 PM

To
Chetan_Jain at Monitor.com
cc
tac_plus at shrubbery.net
Subject
Re: [tac_plus] PAM authentication

Tue, Jun 26, 2007 at 09:28:16PM +0530, Chetan_Jain at Monitor.com:
> Hi,
>
> I am trying to authenticate sshd service on a linux system through
> tacacs+....
>
> Tacacs+ server IP : 10.1.100.114
> Network Client : 10.115.111.215
>
> I am starting tacacs+ using tac_plus -d 8 -C
> /opt/WiKID/private/tacacs.conf
>
> # This file is dynamically written by the WiKID server
> # manual changes to this file will be overwritten almost immediately
>
> key = "cooler"
> accounting file = /opt/WiKID/log/tacacs.accounting.log
>
> user = chetan {
>     default service = permit
>     chap = cleartext "605992"
>     pap = cleartext "605992"
>     arap = cleartext "605992"
>     login = des chRQBOhi.agrM
> }
>
> On the Network Client side....
>
> /etc/pam.d/tacacs :
>
> #%PAM-1.0
> auth sufficient /lib/security/pam_tacplus.so debug \
> server=10.1.100.114 secret=cooler encrypt
> account sufficient /lib/security/pam_tacplus.so debug \
> server=10.1.100.114 secret=cooler encrypt service=shell protocol=ssh
> session sufficient /lib/security/pam_tacplus.so debug \
> server=10.1.100.114 secret=cooler encrypt service=shell protocol=ssh
>
> /etc/pam.d/sshd :
>
> #%PAM-1.0
> auth sufficient pam_stack.so service=tacacs
> #auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> account sufficient pam_stack.so service=tacacs
> account required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
> session sufficient pam_stack.so service=tacacs
> session required pam_stack.so service=system-auth
> session required pam_limits.so
> session optional pam_console.so
>
>
> Tacacs+ is not authenticating the credentials....
>
> /var/log/messages on Tacacs+ Server shows :
>
> Jun 26 11:48:15 netmgr tac_plus[28248]: Version F4.0.4.10 Initialized 1
> Jun 26 11:48:30 netmgr tac_plus[28258]: connect from 10.115.111.215
> [10.115.111.215]
> Jun 26 11:48:30 netmgr tac_plus[28258]: pap-login query for 'chetan' ssh
> from 10.115.111.215 rejected
>
>
> Can you help me what could be the issue......

start with enabling authentication debugging on the tacacs daemon. it should
tell you why the login failed.
From Chetan_Jain at Monitor.com Wed Jun 27 15:31:10 2007
From: Chetan_Jain at Monitor.com (Chetan_Jain at Monitor.com)
Date: Wed, 27 Jun 2007 21:01:10 +0530
Subject: [tac_plus] Re: PAM authentication
In-Reply-To:
Message-ID:

I have tested it on the localhost where the tacacs+ server is running...

./tacacsplustest -user chetan -pass 123456 -key cooler
sending Authentication request...
Bad status in authentication response: 2, ''
sending Authorization request...
Received incorrect response type:

I am not sure what's wrong with the server config or compilation... btw I am running FC5 on both server and network client

Thanks and Regards,
Chetan Jain
Network Team - IR,
Monitor Group,
131 Free Press House,
Nariman Point, Mumbai.
India

Chetan_Jain at monitor.com
Sent by: tac_plus-bounces at shrubbery.net
06/27/2007 01:45 PM

To
tac_plus at shrubbery.net
cc

Subject
[tac_plus] Re: PAM authentication

Logs on the Tacacs+ Server :

Jun 27 03:40:43 netmgr tac_plus[22460]: Version F4.0.4.10 Initialized 1
Jun 27 03:50:21 netmgr tac_plus[22462]: session.peerip is 10.115.111.215
Jun 27 03:50:21 netmgr tac_plus[23406]: connect from 10.115.111.215 [10.115.111.215]
Jun 27 03:50:22 netmgr tac_plus[23406]: pap-login query for 'chetan' ssh from 10.115.111.215 rejected

/var/log/secure on the Network Client :

Jun 27 13:18:53 cjain-test sshd[27081]: Deprecated pam_stack module called from service "sshd"
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: called (pam_tacplus v1.2.9)
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: user [chetan] obtained
Jun 27 13:18:53 cjain-test sshd[27081]: tacacs_get_password: called
Jun 27 13:18:53 cjain-test sshd[27081]: tacacs_get_password: obtained password [H M?INCORRECT]
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: pass [H M?INCORRECT] obtained
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: tty [ssh] obtained
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: trying srv 0
Jun 27 13:18:53 cjain-test sshd[27081]: tac_authen_pap_read: authentication failed, server reply was 2 (Login incorrect)
Jun 27 13:18:53 cjain-test sshd[27081]: Failed password for invalid user chetan from 10.115.100.100 port 3610 ssh2

I am not sure why it's showing some password which was not typed... I think it's an issue with the pam_tacacs installed on the network client...

Can somebody suggest to me what could be the issue...

Thanks and Regards,
Chetan Jain
Network Team - IR,
Monitor Group,
131 Free Press House,
Nariman Point, Mumbai.
India

john heasley
06/26/2007 10:42 PM

To
Chetan_Jain at Monitor.com
cc
tac_plus at shrubbery.net
Subject
Re: [tac_plus] PAM authentication

Tue, Jun 26, 2007 at 09:28:16PM +0530, Chetan_Jain at Monitor.com:
> Hi,
>
> I am trying to authenticate sshd service on a linux system through
> tacacs+....
>
> Tacacs+ server IP : 10.1.100.114
> Network Client : 10.115.111.215
>
> I am starting tacacs+ using tac_plus -d 8 -C
> /opt/WiKID/private/tacacs.conf
>
> # This file is dynamically written by the WiKID server
> # manual changes to this file will be overwritten almost immediately
>
> key = "cooler"
> accounting file = /opt/WiKID/log/tacacs.accounting.log
>
> user = chetan {
>     default service = permit
>     chap = cleartext "605992"
>     pap = cleartext "605992"
>     arap = cleartext "605992"
>     login = des chRQBOhi.agrM
> }
>
> On the Network Client side....
>
> /etc/pam.d/tacacs :
>
> #%PAM-1.0
> auth sufficient /lib/security/pam_tacplus.so debug \
> server=10.1.100.114 secret=cooler encrypt
> account sufficient /lib/security/pam_tacplus.so debug \
> server=10.1.100.114 secret=cooler encrypt service=shell protocol=ssh
> session sufficient /lib/security/pam_tacplus.so debug \
> server=10.1.100.114 secret=cooler encrypt service=shell protocol=ssh
>
> /etc/pam.d/sshd :
>
> #%PAM-1.0
> auth sufficient pam_stack.so service=tacacs
> #auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> account sufficient pam_stack.so service=tacacs
> account required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
> session sufficient pam_stack.so service=tacacs
> session required pam_stack.so service=system-auth
> session required pam_limits.so
> session optional pam_console.so
>
>
> Tacacs+ is not authenticating the credentials....
>
> /var/log/messages on Tacacs+ Server shows :
>
> Jun 26 11:48:15 netmgr tac_plus[28248]: Version F4.0.4.10 Initialized 1
> Jun 26 11:48:30 netmgr tac_plus[28258]: connect from 10.115.111.215
> [10.115.111.215]
> Jun 26 11:48:30 netmgr tac_plus[28258]: pap-login query for 'chetan' ssh
> from 10.115.111.215 rejected
>
>
> Can you help me what could be the issue......

start with enabling authentication debugging on the tacacs daemon. it should
tell you why the login failed.
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20070627/63bb0535/attachment.html _______________________________________________ tac_plus mailing list tac_plus at shrubbery.net http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus ----------------------------------- This message contains information that may be confidential and proprietary. Unless you are the intended recipient (or authorized to receive this message for the intended recipient), you may not use, copy, disseminate or disclose to anyone the message or any information contained in the message. If you have received the message in error, please advise the sender by reply e-mail, and delete the message immediately. Thank you very much. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20070627/37ede942/attachment.html From heas at shrubbery.net Wed Jun 27 16:01:48 2007 From: heas at shrubbery.net (john heasley) Date: Wed, 27 Jun 2007 09:01:48 -0700 Subject: [tac_plus] Re: PAM authentication In-Reply-To: References: Message-ID: <20070627160148.GL22136@shrubbery.net> Please enable the debugging on the tacacs daemon. tac_plus -d 16 -d 8 Wed, Jun 27, 2007 at 09:01:10PM +0530, Chetan_Jain at Monitor.com: > I have tested it on the localhost where tacacs+ server is running..... > > ./tacacsplustest -user chetan -pass 123456 -key cooler > sending Authentication request... > Bad status in authentication response: 2, '' > sending Authorization request... > Received incorrect response type: > > I am not sure what's wrong with the Server config or compilation.... btw i > am running FC5 on both server and network client > > > Thanks and Regards, > Chetan Jain > Network Team - IR, > Monitor Group, > 131 Free Press House, > Nariman Point, Mumbai. 
> India
>
> Chetan_Jain at monitor.com
> Sent by: tac_plus-bounces at shrubbery.net
> 06/27/2007 01:45 PM
>
> To
> tac_plus at shrubbery.net
> cc
>
> Subject
> [tac_plus] Re: PAM authentication
>
> Logs on the Tacacs+ Server :
>
> Jun 27 03:40:43 netmgr tac_plus[22460]: Version F4.0.4.10 Initialized 1
> Jun 27 03:50:21 netmgr tac_plus[22462]: session.peerip is 10.115.111.215
> Jun 27 03:50:21 netmgr tac_plus[23406]: connect from 10.115.111.215 [10.115.111.215]
> Jun 27 03:50:22 netmgr tac_plus[23406]: pap-login query for 'chetan' ssh from 10.115.111.215 rejected
>
> /var/log/secure on the Network Client :
>
> Jun 27 13:18:53 cjain-test sshd[27081]: Deprecated pam_stack module called from service "sshd"
> Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: called (pam_tacplus v1.2.9)
> Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: user [chetan] obtained
> Jun 27 13:18:53 cjain-test sshd[27081]: tacacs_get_password: called
> Jun 27 13:18:53 cjain-test sshd[27081]: tacacs_get_password: obtained password [H M?INCORRECT]
> Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: pass [H M?INCORRECT] obtained
> Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: tty [ssh] obtained
> Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: trying srv 0
> Jun 27 13:18:53 cjain-test sshd[27081]: tac_authen_pap_read: authentication failed, server reply was 2 (Login incorrect)
> Jun 27 13:18:53 cjain-test sshd[27081]: Failed password for invalid user chetan from 10.115.100.100 port 3610 ssh2
>
> I am not sure why it's showing some password which was not typed. I
> think it's the issue with the pam_tacacs installed on the network client.
>
> Can somebody suggest to me what the issue could be?
>
> Thanks and Regards,
> Chetan Jain
> Network Team - IR,
> Monitor Group,
> 131 Free Press House,
> Nariman Point, Mumbai.
> India
>
> john heasley
> 06/26/2007 10:42 PM
>
> To
> Chetan_Jain at Monitor.com
> cc
> tac_plus at shrubbery.net
> Subject
> Re: [tac_plus] PAM authentication
>
> Tue, Jun 26, 2007 at 09:28:16PM +0530, Chetan_Jain at Monitor.com:
> > Hi,
> >
> > I am trying to authenticate the sshd service on a Linux system through
> > tacacs+.
> >
> > Tacacs+ server IP : 10.1.100.114
> > Network Client : 10.115.111.215
> >
> > I am starting tacacs+ using tac_plus -d 8 -C /opt/WiKID/private/tacacs.conf
> >
> > # This file is dynamically written by the WiKID server
> > # manual changes to this file will be overwritten almost immediately
> >
> > key = "cooler"
> > accounting file = /opt/WiKID/log/tacacs.accounting.log
> >
> > user = chetan {
> >     default service = permit
> >     chap = cleartext "605992"
> >     pap = cleartext "605992"
> >     arap = cleartext "605992"
> >     login = des chRQBOhi.agrM
> > }
> >
> > On the Network Client side:
> >
> > /etc/pam.d/tacacs :
> >
> > #%PAM-1.0
> > auth     sufficient /lib/security/pam_tacplus.so debug \
> >     server=10.1.100.114 secret=cooler encrypt
> > account  sufficient /lib/security/pam_tacplus.so debug \
> >     server=10.1.100.114 secret=cooler encrypt service=shell protocol=ssh
> > session  sufficient /lib/security/pam_tacplus.so debug \
> >     server=10.1.100.114 secret=cooler encrypt service=shell protocol=ssh
> >
> > /etc/pam.d/sshd :
> >
> > #%PAM-1.0
> > auth     sufficient pam_stack.so service=tacacs
> > #auth    required   pam_stack.so service=system-auth
> > auth     required   pam_nologin.so
> > account  sufficient pam_stack.so service=tacacs
> > account  required   pam_stack.so service=system-auth
> > password required   pam_stack.so service=system-auth
> > session  sufficient pam_stack.so service=tacacs
> > session  required   pam_stack.so service=system-auth
> > session  required   pam_limits.so
> > session  optional   pam_console.so
> >
> > Tacacs+ is not authenticating the credentials.
> >
> > /var/log/messages on the Tacacs+ Server shows :
> >
> > Jun 26 11:48:15 netmgr tac_plus[28248]: Version F4.0.4.10 Initialized 1
> > Jun 26 11:48:30 netmgr tac_plus[28258]: connect from 10.115.111.215 [10.115.111.215]
> > Jun 26 11:48:30 netmgr tac_plus[28258]: pap-login query for 'chetan' ssh from 10.115.111.215 rejected
> >
> > Can you help me with what the issue could be?
>
> Start with enabling authentication debugging on the tacacs daemon. It
> should tell you why the login failed.
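Two things in the client log quoted above are worth decoding before blaming pam_tacplus. First, the password it reports obtaining, shown as `H M?INCORRECT`, is consistent with the fixed string `"\b\n\r\177INCORRECT"` that OpenSSH's PAM glue substitutes for the typed password whenever the login name has no entry in the local passwd database; that is the same condition that produces `invalid user` in the final `Failed password` line, and in that case the TACACS+ server never sees the real password, so a reject is the expected outcome. Second, `server reply was 2` is the raw TAC_PLUS_AUTHEN_STATUS_FAIL code from the authentication REPLY, and the `encrypt` option in /etc/pam.d/tacacs selects the protocol's MD5-keystream body obfuscation, not authenticated encryption, so a mismatched shared key yields garbage with no integrity error rather than a clear diagnostic. The following Python is an added example written for this page, not code from tac_plus, pam_tacplus or either poster. It implements the TACACS+ header, pseudo-pad, and PAP authentication START and REPLY bodies as documented in RFC 8907, using the user, password, key, port and client address from the thread; the session id 0x1A2B3C4D and the FAIL reply text are constructed.

```python
"""Minimal TACACS+ (RFC 8907) codec: header, body obfuscation, PAP
authentication START and authentication REPLY. Added example for the thread
above, not code from tac_plus, pam_tacplus or the posters. User, password,
key, port and client address are the values posted; the session id and the
FAIL reply are constructed here."""
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_ONE = 0x1       # required for PAP/CHAP; ASCII login uses 0x0
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01, 0x02, 0x01
# REPLY status values (section 5.2); pam_tacplus logs the raw number, so
# "server reply was 2" is TAC_PLUS_AUTHEN_STATUS_FAIL.
AUTHEN_STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                 0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """Section 4.5 keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1), concatenated and cut."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; calling it again undoes it. This is
    what pam_tacplus's 'encrypt' option turns on: a keystream with no
    integrity check, so a wrong key is not detected, it just yields garbage."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def encode_packet(ptype, minor, seq_no, session_id, body, key):
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, version, seq_no) if key else body
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(payload)) + payload


def decode_packet(packet, key):
    """Return (header dict, cleartext body); a wrong key is not detected here."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    payload = packet[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated TACACS+ body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        payload = obfuscate(payload, session_id, key, version, seq_no)
    hdr = dict(version=version, type=ptype, seq_no=seq_no, flags=flags, session_id=session_id)
    return hdr, payload


def authen_start_pap(user, password, port, rem_addr):
    """START body for a PAP login (section 5.1); the password is the data field."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def authen_reply(status, server_msg="", data=b""):
    """REPLY body: status, flags, server_msg_len, data_len, server_msg, data."""
    m = server_msg.encode()
    return struct.pack("!BBHH", status, 0, len(m), len(data)) + m + data


def parse_authen_reply(body):
    status, _flags, msg_len, _data_len = struct.unpack_from("!BBHH", body)
    msg = body[6:6 + msg_len].decode(errors="replace")
    return {"status": status, "status_name": AUTHEN_STATUS.get(status, "UNKNOWN"),
            "server_msg": msg}


def pap_round_trip(key, wrong_key, session_id=0x1A2B3C4D):
    """Client START with the thread's values, decoded with the right key and
    with a mismatched key (constructed session id)."""
    body = authen_start_pap("chetan", "605992", "ssh", "10.115.111.215")
    pkt = encode_packet(TAC_PLUS_AUTHEN, TAC_PLUS_MINOR_VER_ONE, 1, session_id, body, key)
    _, good = decode_packet(pkt, key)
    _, bad = decode_packet(pkt, wrong_key)
    return {"length": len(pkt), "recovered_ok": good == body, "wrong_key_ok": bad == body}


def fail_reply_as_seen_by_client(key, session_id=0x1A2B3C4D):
    """Constructed seq_no 2 REPLY with status 2 (FAIL), parsed as the client would."""
    pkt = encode_packet(TAC_PLUS_AUTHEN, TAC_PLUS_MINOR_VER_ONE, 2, session_id,
                        authen_reply(0x02, "Login incorrect"), key)
    _, body = decode_packet(pkt, key)
    return parse_authen_reply(body)
```

Import the module and call `pap_round_trip(b"cooler", b"wrong-key")`: the 49-byte START decodes back to the original body only under the right key, and under the wrong key nothing in the protocol flags the mismatch. `fail_reply_as_seen_by_client(b"cooler")` returns status 2, named FAIL, which is exactly the value pam_tacplus printed. Note that PAP puts the cleartext password in the START data field, so anyone holding the shared key can read every password on the wire; the obfuscation protects nothing once the key is known.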