[tac_plus] Re: PAM authentication

john heasley heas at shrubbery.net
Wed Jun 27 16:01:48 UTC 2007


Please enable the debugging on the tacacs daemon.  tac_plus -d 16 -d 8

Wed, Jun 27, 2007 at 09:01:10PM +0530, Chetan_Jain at Monitor.com:
> I have tested it on the localhost where tacacs+ server is running.....
> 
> ./tacacsplustest -user chetan -pass 123456 -key cooler 
> sending Authentication request...
> Bad status in authentication response: 2, ''
> sending Authorization request...
> Received incorrect response type: 
> 
> I am not sure what's wrong with the Server config or compilation.... btw I 
> am running FC5 on both server and network client
> 
> 
> Thanks and Regards,
> Chetan Jain
> Network Team - IR,
> Monitor Group,
> 131 Free Press House,
> Nariman Point, Mumbai.
> India
> 
> Chetan_Jain at monitor.com 
> Sent by: tac_plus-bounces at shrubbery.net
> 06/27/2007 01:45 PM
> 
> To: tac_plus at shrubbery.net
> Subject: [tac_plus] Re: PAM authentication
> 
> Logs on the Tacacs+ Server :
> 
> Jun 27 03:40:43 netmgr tac_plus[22460]: Version F4.0.4.10 Initialized 1
> Jun 27 03:50:21 netmgr tac_plus[22462]: session.peerip is 10.115.111.215
> Jun 27 03:50:21 netmgr tac_plus[23406]: connect from 10.115.111.215 [10.115.111.215]
> Jun 27 03:50:22 netmgr tac_plus[23406]: pap-login query for 'chetan' ssh from 10.115.111.215 rejected
> 
> /var/log/secure on the Network Client :
> 
> Jun 27 13:18:53 cjain-test sshd[27081]: Deprecated pam_stack module called from service "sshd"
> Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: called (pam_tacplus v1.2.9)
> Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: user [chetan] obtained
> Jun 27 13:18:53 cjain-test sshd[27081]: tacacs_get_password: called
> Jun 27 13:18:53 cjain-test sshd[27081]: tacacs_get_password: obtained password [H M?INCORRECT]
> Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: pass [H M?INCORRECT] obtained
> Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: tty [ssh] obtained
> Jun 27 13:18:53 cjain-test sshd[27081]: pam_sm_authenticate: trying srv 0
> Jun 27 13:18:53 cjain-test sshd[27081]: tac_authen_pap_read: authentication failed, server reply was 2 (Login incorrect)
> Jun 27 13:18:53 cjain-test sshd[27081]: Failed password for invalid user chetan from 10.115.100.100 port 3610 ssh2
> 
> I am not sure why it's showing some password which was not typed.... I 
> think it's the issue with the pam_tacacs installed on the network client... 
> 
> Can somebody suggest me what could be the issue......
> 
> 
> Thanks and Regards,
> Chetan Jain
> Network Team - IR,
> Monitor Group,
> 131 Free Press House,
> Nariman Point, Mumbai.
> India
> 
> john heasley <heas at shrubbery.net> 
> 06/26/2007 10:42 PM
> 
> To: Chetan_Jain at Monitor.com
> cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus]  PAM authentication
> 
> Tue, Jun 26, 2007 at 09:28:16PM +0530, Chetan_Jain at Monitor.com:
> > Hi,
> > 
> > I am trying to authenticate sshd service on a linux system through 
> > tacacs+.... 
> > 
> > Tacacs+ server IP : 10.1.100.114
> > Network Client : 10.115.111.215
> > 
> > I am starting tacacs+ using tac_plus -d 8 -C /opt/WiKID/private/tacacs.conf
> > 
> > # This file is dynamically written by the WiKID server
> > # manual changes to this file will be overwritten almost immediately
> > 
> > key = "cooler"
> > accounting file = /opt/WiKID/log/tacacs.accounting.log
> > 
> > user = chetan { 
> >         default service = permit
> >         chap = cleartext "605992"
> >         pap = cleartext "605992"
> >         arap = cleartext "605992"
> >         login = des chRQBOhi.agrM
> > }
> > 
> > On the Network Client side.... 
> > 
> > /etc/pam.d/tacacs :
> > 
> > #%PAM-1.0
> > auth    sufficient   /lib/security/pam_tacplus.so       debug \
> > server=10.1.100.114     secret=cooler encrypt
> > account    sufficient   /lib/security/pam_tacplus.so    debug \
> > server=10.1.100.114     secret=cooler encrypt service=shell protocol=ssh
> > session    sufficient   /lib/security/pam_tacplus.so    debug \
> > server=10.1.100.114     secret=cooler encrypt service=shell protocol=ssh
> > 
> > /etc/pam.d/sshd :
> > 
> > #%PAM-1.0
> > auth       sufficient   pam_stack.so service=tacacs
> > #auth       required     pam_stack.so service=system-auth
> > auth       required     pam_nologin.so
> > account    sufficient   pam_stack.so service=tacacs
> > account    required     pam_stack.so service=system-auth
> > password   required     pam_stack.so service=system-auth
> > session    sufficient   pam_stack.so service=tacacs
> > session    required     pam_stack.so service=system-auth
> > session    required     pam_limits.so
> > session    optional     pam_console.so
> > 
> > 
> > Tacacs+ is not authenticating the credentials.... 
> > 
> > /var/log/messages on Tacacs+ Server shows :
> > 
> > Jun 26 11:48:15 netmgr tac_plus[28248]: Version F4.0.4.10 Initialized 1
> > Jun 26 11:48:30 netmgr tac_plus[28258]: connect from 10.115.111.215 [10.115.111.215]
> > Jun 26 11:48:30 netmgr tac_plus[28258]: pap-login query for 'chetan' ssh from 10.115.111.215 rejected
> > 
> > 
> > Can you help me what could be the issue......
> 
> start with enabling authentication debugging on the tacacs daemon.  it should
> tell you why the login failed.