[tac_plus] Re: FreeBSD & PAM

john heasley heas at shrubbery.net
Tue Aug 19 02:09:25 UTC 2008


Mon, Aug 18, 2008 at 03:59:53PM -0600, Aaron Scarisbrick:
> Greetings,
> 
> I'm writing to ask that a blurb be placed in the tac_plus users_guide, faq
> or man page so that others may not suffer the same excruciating debug
> session to discover why PAM and tac_plus didn't work together the way I
> thought they should:
> 
> Be aware that when the tac_plus daemon runs as a non-root user (as is the
> default in FreeBSD /usr/ports), it will not be able to authenticate using
> the pam_unix.so module.  This is because the system function getpwnam()
> called by pam_unix.so requires root privileges to retrieve the password to
> validate from the /etc/master.passwd or /etc/shadow file. The symptom will
> be that for each authentication that is attempted, the password will appear
> to be wrong whether it was typed correctly or not.
> 
> The maddening bit was that by default, PAM debug messages are suppressed in
> tac_plus via the PAM_SILENT flag passed to pam_authenticate() in the pwlib.c
> source file. This was compounded by FreeBSD also hard coding that all libpam
> debug messages be disabled as well.  Once those hurdles were cleared, the
> culpable system function was identified.  After inserting some additional
> debug statements, it was obvious what the problem was.  Too obvious as it
> turned out.  I should have known better.

Should tacacs not set PAM_SILENT?  When I added PAM, IIRC, I thought that
PAM_SILENT prevented PAM from sending messages to tacacs; i.e., crap it doesn't
care about.  Perhaps you've tried it.

> Cheers,
> 
> Aaron M. Scarisbrick

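Added example (not part of the original thread, and not tac_plus code): a small C preflight check for the failure described above, reporting whether the current effective UID can read a usable password hash for a given user. The helper names and the default user "root" are hypothetical; the getspnam() branch assumes a Linux host with shadow passwords.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <shadow.h>
#endif

/* Added example: helper names are hypothetical, not from tac_plus.
 * A crypt(3) hash is never empty, never "x", and never starts with '*' or
 * '!'; those are placeholders for a hidden hash or a locked account. */
int hash_field_is_usable(const char *field)
{
    if (field == NULL || field[0] == '\0')
        return 0;
    if (field[0] == '*' || field[0] == '!' || strcmp(field, "x") == 0)
        return 0;
    return 1;
}

/* 1: this process can read a usable hash for user; 0: the hash is hidden
 * from this UID (or the account is locked); -1: no such user. */
int can_read_hash(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    if (hash_field_is_usable(pw->pw_passwd))
        return 1;
#ifdef __linux__
    /* Assumption: shadow(5) host; getspnam() fails without read access. */
    struct spwd *sp = getspnam(user);
    if (sp != NULL && hash_field_is_usable(sp->sp_pwdp))
        return 1;
#endif
    return 0;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    int r = can_read_hash(user);
    printf("euid=%ld user=%s: %s\n", (long)geteuid(), user,
           r == 1 ? "hash readable" :
           r == 0 ? "hash hidden from this UID or account locked" :
                    "no such user");
    return r == 1 ? 0 : 1;
}
```

Run it as the account the daemon runs under and again as root; a 0 for the daemon account with a 1 for root matches the symptom in the report.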
