[tac_plus] Re: Possible to get tac_plus to authenticate using pam_radius?

john heasley heas at shrubbery.net
Wed Nov 14 19:32:24 UTC 2007


Tue, Nov 13, 2007 at 05:36:49PM -0700, [SiN]:
> Looks like my problem was how pam.conf was set up.  I thought it would
> go to the "other", as in not defined but I actually needed to define
> tac_plus
> 
> ex
> tac_plus auth required /path/to/radius.so
> 
> seems fine now, though working out how to get either "default
> authentication" or the DEFAULT user to use PAM for authentication.
> I've made a few quick hacks at it, for the most part it's working just
> need to work out some issues.
> 
> come to think of it, I wonder why "default authentication" only
> supports a password file, would be nice to support at least PAM as a
> default.

never considered that; good point.  another for the to-do list, i think.

> On Nov 13, 2007 5:03 PM, john heasley <heas at shrubbery.net> wrote:
> > Mon, Nov 12, 2007 at 05:15:47PM -0700, [SiN]:
> > > I've seen that PAM can be used to authenticate users, but not sure where
> > > to start.  I tried to just set "login = PAM" to see if any errors
> > > would help determine where to get started (looking for missing config
> > > or something of that nature).  But, I get nothing.  Is it possible to
> > > use PAM to authenticate users to my current radius implementation?
> >
> > I have not tried it, but it should be.  PAM (the library, not tacacs)
> > often refers to defaults when there is no specific setup for "tac_plus";
> > so you are unlikely to see errors.
> >
> > > The only reason I even need authentication set up on tac_plus is due
> > > to some of our devices not supporting radius at all, for those I will
> > > need to authenticate using tac_plus - other then that everything is
> > > radius and id like to keep it that way if possible.
> > >
> > > Mon Nov 12 17:05:56 2007 [3912]: pam_verify testing
> > > Mon Nov 12 17:05:56 2007 [3912]: pam_tacacs received 1 pam_messages
> > > Mon Nov 12 17:05:56 2007 [3912]: Error 10.248.18.17 tty2: PAM_PROMPT_ECHO_OFF
> > > Mon Nov 12 17:05:58 2007 [3912]: Password is incorrect
> > >
> > > is all I see in the logs.  and nothing shows up in the radius logs so
> > > I know it's not being sent off to radius
> > >
> > > How can I get this set up to use the current PAM implementation on the
> > > system already?  Do I need to install something extra?
> >
> > I'm no PAM expert, but you will need a PAM module that will make the
> > radius query when tac_plus calls PAM to authenticate the user and
> > configure PAM to use it when called/used by tac_plus.
> >
> > > this is on solaris 10 using tac_plus version F4.0.4.14
> > > _______________________________________________
> > > tac_plus mailing list
> > > tac_plus at shrubbery.net
> > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> >
> 
> 
> 
> -- 
> ..::x0SiN0x::..
> G4m3R 4 L1F3
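
The silent fallback described in this thread (no "tac_plus" entry in pam.conf, so PAM uses the "other" stack and the RADIUS module is never called) can be checked before testing a login. The following is an added example, not code from the thread or from tac_plus: the sample pam.conf is constructed, the function names are hypothetical, and it assumes the "other" fallback is applied per module type.

```python
# Added example: resolve which PAM stack a service gets from a pam.conf-style file.
SAMPLE_PAM_CONF = """\
# constructed sample, not taken from a real system
login   auth    required  pam_unix_auth.so.1
other   auth    required  pam_unix_auth.so.1
other   account required  pam_unix_account.so.1
"""

def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module_path, options), ...]}."""
    stacks = {}
    logical = text.replace("\\\n", " ")  # join backslash-continued lines
    for raw in logical.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf entry: {raw!r}")
        service, mtype, flag, path = fields[:4]
        stacks.setdefault((service, mtype), []).append((flag, path, fields[4:]))
    return stacks

def effective_stack(stacks, service, module_type="auth"):
    """Return (source_service, entries); source is 'other' when the fallback applies."""
    if (service, module_type) in stacks:
        return service, stacks[(service, module_type)]
    # Assumption: no entry for this service and module type means "other" is used.
    return "other", stacks.get(("other", module_type), [])

def audit(text, service, expected_module):
    """Report whether `service` authenticates via a module path containing expected_module."""
    source, entries = effective_stack(parse_pam_conf(text), service)
    paths = [path for _, path, _ in entries]
    return {"source": source, "modules": paths,
            "uses_expected": any(expected_module in p for p in paths)}

if __name__ == "__main__":
    # Before: tac_plus is undefined, so the local password stack answers instead of RADIUS.
    print(audit(SAMPLE_PAM_CONF, "tac_plus", "radius"))
    # After: the entry quoted in the thread gives tac_plus its own auth stack.
    fixed = SAMPLE_PAM_CONF + "tac_plus auth required /path/to/radius.so\n"
    print(audit(fixed, "tac_plus", "radius"))
```

A result with `source` equal to `other` matches the symptom in the quoted logs: "Password is incorrect" from tac_plus with nothing arriving at the RADIUS server.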

