[tac_plus] Re: PAM authentication

Chetan_Jain at Monitor.com Chetan_Jain at Monitor.com
Wed Jun 27 15:31:10 UTC 2007


I have tested it on the localhost where tacacs+ server is running.....

./tacacsplustest -user chetan -pass 123456 -key cooler 
sending Authentication request...
Bad status in authentication response: 2, ''
sending Authorization request...
Received incorrect response type: 

I am not sure what's wrong with the Server config or compilation.... BTW, I 
am running FC5 on both server and network client.


Thanks and Regards,
Chetan Jain
Network Team - IR,
Monitor Group,
131 Free Press House,
Nariman Point, Mumbai.
India



Chetan_Jain at monitor.com
Sent by: tac_plus-bounces at shrubbery.net
06/27/2007 01:45 PM

To: tac_plus at shrubbery.net
cc:
Subject: [tac_plus] Re: PAM authentication

Logs on the Tacacs+ Server :

Jun 27 03:40:43 netmgr tac_plus[22460]: Version F4.0.4.10 Initialized 1
Jun 27 03:50:21 netmgr tac_plus[22462]: session.peerip is 10.115.111.215
Jun 27 03:50:21 netmgr tac_plus[23406]: connect from 10.115.111.215 [10.115.111.215]
Jun 27 03:50:22 netmgr tac_plus[23406]: pap-login query for 'chetan' ssh from 10.115.111.215 rejected

/var/log/secure on the Network Client :

Jun 27 13:18:53 cjain-test sshd[27081]: Deprecated pam_stack module called from service "sshd"
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: called (pam_tacplus v1.2.9)
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: user [chetan] obtained
Jun 27 13:18:53 cjain-test sshd[27081]: tacacs_get_password: called
Jun 27 13:18:53 cjain-test sshd[27081]: tacacs_get_password: obtained password [H M?INCORRECT]
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: pass [H M?INCORRECT] obtained
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: tty [ssh] obtained
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: trying srv 0
Jun 27 13:18:53 cjain-test sshd[27081]: tac_authen_pap_read: authentication failed, server reply was 2 (Login incorrect)
Jun 27 13:18:53 cjain-test sshd[27081]: Failed password for invalid user chetan from 10.115.100.100 port 3610 ssh2

I am not sure why it's showing some password which was not typed.... I 
think it's the issue with the pam_tacacs installed on the network client... 

Can somebody suggest what could be the issue......


Thanks and Regards,
Chetan Jain
Network Team - IR,
Monitor Group,
131 Free Press House,
Nariman Point, Mumbai.
India



john heasley <heas at shrubbery.net>
06/26/2007 10:42 PM

To: Chetan_Jain at Monitor.com
cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] PAM authentication

Tue, Jun 26, 2007 at 09:28:16PM +0530, Chetan_Jain at Monitor.com:
> Hi,
> 
> I am trying to authenticate sshd service on a linux system through 
> tacacs+.... 
> 
> Tacacs+ server IP : 10.1.100.114
> Network Client : 10.115.111.215
> 
> I am starting tacacs+ using tac_plus -d 8 -C /opt/WiKID/private/tacacs.conf
> 
> # This file is dynamically written by the WiKID server
> # manual changes to this file will be overwritten almost immediately
> 
> key = "cooler"
> accounting file = /opt/WiKID/log/tacacs.accounting.log
> 
> user = chetan { 
>         default service = permit
>         chap = cleartext "605992"
>         pap = cleartext "605992"
>         arap = cleartext "605992"
>         login = des chRQBOhi.agrM
> }
> 
> On the Network Client side.... 
> 
> /etc/pam.d/tacacs :
> 
> #%PAM-1.0
> auth    sufficient   /lib/security/pam_tacplus.so       debug \
> server=10.1.100.114     secret=cooler encrypt
> account    sufficient   /lib/security/pam_tacplus.so    debug \
> server=10.1.100.114     secret=cooler encrypt service=shell protocol=ssh
> session    sufficient   /lib/security/pam_tacplus.so    debug \
> server=10.1.100.114     secret=cooler encrypt service=shell protocol=ssh
> 
> /etc/pam.d/sshd :
> 
> #%PAM-1.0
> auth       sufficient   pam_stack.so service=tacacs
> #auth       required     pam_stack.so service=system-auth
> auth       required     pam_nologin.so
> account    sufficient   pam_stack.so service=tacacs
> account    required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth
> session    sufficient   pam_stack.so service=tacacs
> session    required     pam_stack.so service=system-auth
> session    required     pam_limits.so
> session    optional     pam_console.so
> 
> 
> Tacacs+ is not authenticating the credentials.... 
> 
> /var/log/messages on Tacacs+ Server shows :
> 
> Jun 26 11:48:15 netmgr tac_plus[28248]: Version F4.0.4.10 Initialized 1
> Jun 26 11:48:30 netmgr tac_plus[28258]: connect from 10.115.111.215 [10.115.111.215]
> Jun 26 11:48:30 netmgr tac_plus[28258]: pap-login query for 'chetan' ssh from 10.115.111.215 rejected
> 
> 
> Can you help me what could be the issue......

start with enabling authentication debugging on the tacacs daemon.  it
should tell you why the login failed.





-----------------------------------
This message contains information that may be confidential and 
proprietary. Unless you are the intended recipient (or authorized to 
receive this message for the intended recipient), you may not use, copy, 
disseminate or disclose to anyone the message or any information contained 
in the message. If you have received the message in error, please advise 
the sender by reply e-mail, and delete the message immediately. Thank you 
very much.
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
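
An added example, not part of the thread or of pam_tacplus: a triage script for the client-side /var/log/secure output quoted above. OpenSSH hands PAM a fixed stand-in ending in INCORRECT instead of the typed password when the login name is not a valid local account, which fits the "Failed password for invalid user" line; matching on that suffix is a heuristic, and the second session (PID 27090) is constructed to show the debug option writing a real password to the log.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the /var/log/secure lines quoted in the thread;
# PID 27090 and its password are invented for contrast.
SAMPLE = """\
Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: pass [H M?INCORRECT] obtained
Jun 27 13:18:53 cjain-test sshd[27081]: tac_authen_pap_read: authentication failed, server reply was 2 (Login incorrect)
Jun 27 13:18:53 cjain-test sshd[27081]: Failed password for invalid user chetan from 10.115.100.100 port 3610 ssh2
Jun 27 13:20:10 cjain-test sshd[27090]: pam_sm_authenticate: pass [s3cret-constructed] obtained
Jun 27 13:20:10 cjain-test sshd[27090]: Accepted password for alice from 10.115.100.100 port 3611 ssh2
"""

SSHD = re.compile(r"sshd\[(\d+)\]: (.*)$")
PW = re.compile(r"(password \[|pass \[)(.*?)\]")  # pam_tacplus debug echo
INVALID = re.compile(r"Failed password for invalid user (\S+)")

def triage(text):
    """Return ({pid: [finding, ...]}, redacted_lines) for sshd/pam_tacplus logs."""
    state = defaultdict(lambda: {"placeholder": False, "leak": False, "invalid": None})
    redacted = []
    for line in text.splitlines():
        m = SSHD.search(line)
        if m:
            s = state[m.group(1)]
            pw = PW.search(m.group(2))
            if pw and pw.group(2).endswith("INCORRECT"):
                # Heuristic (assumption): sshd's stand-in, control chars mangled by syslog.
                s["placeholder"] = True
            elif pw:
                s["leak"] = True
                line = PW.sub(r"\1<redacted>]", line)
            bad = INVALID.search(m.group(2))
            if bad:
                s["invalid"] = bad.group(1)
        redacted.append(line)
    findings = {}
    for pid, s in state.items():
        notes = []
        if s["placeholder"] and s["invalid"]:
            notes.append(f"typed password never reached TACACS+: no local account '{s['invalid']}'")
        if s["leak"]:
            notes.append("pam_tacplus debug wrote a real password to the log")
        findings[pid] = notes
    return findings, redacted

if __name__ == "__main__":
    for pid, notes in triage(SAMPLE)[0].items():
        print(pid, notes)
```

The second return value is the same log with real passwords replaced by `<redacted>`, suitable for pasting into a list post.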
