[tac_plus] Re: PAM authentication
Chetan_Jain at Monitor.com
Wed Jun 27 08:15:01 UTC 2007
Logs on the Tacacs+ server:
Jun 27 03:40:43 netmgr tac_plus[22460]: Version F4.0.4.10 Initialized 1
Jun 27 03:50:21 netmgr tac_plus[22462]: session.peerip is 10.115.111.215
Jun 27 03:50:21 netmgr tac_plus[23406]: connect from 10.115.111.215 [10.115.111.215]
Jun 27 03:50:22 netmgr tac_plus[23406]: pap-login query for 'chetan' ssh from 10.115.111.215 rejected
/var/log/secure on the network client:
Jun 27 13:18:53 cjain-test sshd[27081]: Deprecated pam_stack module called from service "sshd"
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: called (pam_tacplus v1.2.9)
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: user [chetan] obtained
Jun 27 13:18:53 cjain-test sshd[27081]: tacacs_get_password: called
Jun 27 13:18:53 cjain-test sshd[27081]: tacacs_get_password: obtained
password [H M?INCORRECT]
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: pass [H
M?INCORRECT] obtained
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: tty [ssh] obtained
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: trying srv 0
Jun 27 13:18:53 cjain-test sshd[27081]: tac_authen_pap_read: authentication failed, server reply was 2 (Login incorrect)
Jun 27 13:18:53 cjain-test sshd[27081]: Failed password for invalid user chetan from 10.115.100.100 port 3610 ssh2
I am not sure why it's showing some password which was not typed.... I
think it's an issue with the pam_tacacs installed on the network client...
Can somebody suggest to me what could be the issue......
Thanks and Regards,
Chetan Jain
Network Team - IR,
Monitor Group,
131 Free Press House,
Nariman Point, Mumbai.
India
john heasley <heas at shrubbery.net>
06/26/2007 10:42 PM
To
Chetan_Jain at Monitor.com
cc
tac_plus at shrubbery.net
Subject
Re: [tac_plus] PAM authentication
Tue, Jun 26, 2007 at 09:28:16PM +0530, Chetan_Jain at Monitor.com:
> Hi,
>
> I am trying to authenticate the sshd service on a Linux system through
> TACACS+....
>
> Tacacs+ server IP : 10.1.100.114
> Network Client : 10.115.111.215
>
> I am starting tacacs+ using tac_plus -d 8 -C /opt/WiKID/private/tacacs.conf
>
> # This file is dynamically written by the WiKID server
> # manual changes to this file will be overwritten almost immediately
>
> key = "cooler"
> accounting file = /opt/WiKID/log/tacacs.accounting.log
>
> user = chetan {
> default service = permit
> chap = cleartext "605992"
> pap = cleartext "605992"
> arap = cleartext "605992"
> login = des chRQBOhi.agrM
> }
>
> On the Network Client side....
>
> /etc/pam.d/tacacs :
>
> #%PAM-1.0
> auth sufficient /lib/security/pam_tacplus.so debug \
> server=10.1.100.114 secret=cooler encrypt
> account sufficient /lib/security/pam_tacplus.so debug \
> server=10.1.100.114 secret=cooler encrypt service=shell protocol=ssh
> session sufficient /lib/security/pam_tacplus.so debug \
> server=10.1.100.114 secret=cooler encrypt service=shell protocol=ssh
>
> /etc/pam.d/sshd :
>
> #%PAM-1.0
> auth sufficient pam_stack.so service=tacacs
> #auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> account sufficient pam_stack.so service=tacacs
> account required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
> session sufficient pam_stack.so service=tacacs
> session required pam_stack.so service=system-auth
> session required pam_limits.so
> session optional pam_console.so
>
>
> Tacacs+ is not authenticating the credentials....
>
> /var/log/messages on Tacacs+ Server shows :
>
> Jun 26 11:48:15 netmgr tac_plus[28248]: Version F4.0.4.10 Initialized 1
> Jun 26 11:48:30 netmgr tac_plus[28258]: connect from 10.115.111.215
> [10.115.111.215]
> Jun 26 11:48:30 netmgr tac_plus[28258]: pap-login query for 'chetan' ssh
> from 10.115.111.215 rejected
>
>
> Can you help me with what could be the issue......
start with enabling authentication debugging on the tacacs daemon. it should
tell you why the login failed.
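The client log in this message shows two things side by side: sshd reports "invalid user chetan", and pam_tacplus forwards a password that nobody typed. That is OpenSSH behaviour: when the login name has no local account, sshd hands PAM a fixed placeholder password instead of the typed one, so the TACACS+ server can only reject it. The script below is an added example, not part of this thread nor of pam_tacplus or tac_plus; it runs that check over the log lines quoted above (copied inline as a constructed sample), and the placeholder constant is the one from OpenSSH's auth-pam.c.

```python
import re

# Placeholder password sshd (OpenSSH auth-pam.c) hands to PAM when the login name
# has no local account, i.e. the logins sshd reports as "invalid user".
OPENSSH_BAD_PASSWORD = "\b\n\r\x7fINCORRECT"
# How its control bytes may survive in a log: raw, caret notation (^H ^J ^M ^?),
# or a bare letter once the caret is lost, as in "H M?INCORRECT" above.
_PREFIX_CHARS = set("\b\n\r\x7f^HJM? ")

INVALID_USER_RE = re.compile(r"Failed password for invalid user (\S+) from (\S+)")
PAM_PASSWORD_RE = re.compile(r"tacacs_get_password: obtained password \[([^\]]*)\]")
TACACS_REJECT_RE = re.compile(r"login query for '(\S+)' \S+ from (\S+) rejected")


def is_placeholder_password(logged: str) -> bool:
    """True if a password string from the pam_tacplus debug log is sshd's placeholder."""
    tail = OPENSSH_BAD_PASSWORD.lstrip("\b\n\r\x7f")  # the printable part, "INCORRECT"
    if not logged.endswith(tail):
        return False
    prefix = logged[: -len(tail)]
    return len(prefix) <= 8 and set(prefix) <= _PREFIX_CHARS


def diagnose(client_log: str, server_log: str) -> dict:
    """Correlate the client's sshd/pam_tacplus debug log with the tac_plus log."""
    invalid = INVALID_USER_RE.search(client_log)
    pam_pw = PAM_PASSWORD_RE.search(client_log)
    rejected = TACACS_REJECT_RE.search(server_log)
    result = {
        "user": invalid.group(1) if invalid else (rejected.group(1) if rejected else None),
        "invalid_local_user": invalid is not None,
        "placeholder_password": bool(pam_pw) and is_placeholder_password(pam_pw.group(1)),
        "tacacs_rejected": rejected is not None,
    }
    if result["invalid_local_user"] and result["placeholder_password"]:
        result["verdict"] = ("sshd has no local account for %r and sent PAM a placeholder; "
                             "the typed password never reached pam_tacplus" % result["user"])
    elif result["tacacs_rejected"]:
        result["verdict"] = "password reached tac_plus and was rejected there; check key and user entry"
    else:
        result["verdict"] = "no known failure pattern matched"
    return result


# Constructed sample, copied from the log lines quoted in this thread.
CLIENT_LOG = """\
Jun 27 13:18:53 cjain-test sshd[27081]: tacacs_get_password: obtained password [H M?INCORRECT]
Jun 27 13:18:53 cjain-test sshd[27081]: tac_authen_pap_read: authentication failed, server reply was 2 (Login incorrect)
Jun 27 13:18:53 cjain-test sshd[27081]: Failed password for invalid user chetan from 10.115.100.100 port 3610 ssh2
"""
SERVER_LOG = "Jun 27 03:50:22 netmgr tac_plus[23406]: pap-login query for 'chetan' ssh from 10.115.111.215 rejected\n"

if __name__ == "__main__":
    print(diagnose(CLIENT_LOG, SERVER_LOG)["verdict"])
```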