[tac_plus] Re: tac_plus with PAM on FreeBSD
Joe Moore
joe.moore at holidaycompanies.com
Wed Mar 12 15:31:17 UTC 2008
John,
The hashes in /etc/master.passwd start with $1$ and then there are 30
characters after that.
I did try running tac_plus as root on the FreeBSD box last night with
"login = file /etc/passwd" and still no joy.
You are right about the pam_tacpus.so PAM module. It is used to
authenticate login requests against a tacacs+ server, not for
authenticating tacacs users. I believe it was looping to the local
tac_plus service. I think the only reason it worked was that the "auth"
line in /etc/pam.d/tac_plus was "sufficient" which doesn't actually
require the password to be correct as long as one of the remaining lines
(account or password) succeeded. Oddly enough though, one of those
remaining lines was letting me in but only if the password was correct.
I did get pam_unix.so to let me in too as long as auth wasn't "required"
in the pam file.
One other odd thing I've noticed with tac_plus on FreeBSD when using DES
passwords in the config file: Only the first 8 characters of the
password matter. If your password is longer than 8 characters, and you
type the first 8 correctly, you can just hit <enter> or type add a few
random characters before hitting <enter> and you get in just fine.
I installed Centos5 on a clean box last night and installed tac_plus4.
It worked fine against /etc/passwd.
With "login = PAM" in the config file tac_plus refused to load because
PAM was an unrecognized "token". If I can get my password synching
utility to run on Centos I'll be OK authenticating to /etc/passwd for
now, but ideally I'd like to use an OS where tac_plus doesn't run as
root (like it does on Centos) and supports PAM. Centos definitely
supports PAM. I don't know if the tac_plus configure didn't detect PAM
or if I'm supposed to do something to force the build to include it.
If you have any recommendations for a Linux/*nix distribution that'll do
this out of the box, please let me know. I'll be building a box just for
this in the next few days. I hope to run two instances of tac_plus on
the box, (each instance with it own config) either on different ports or
bound to different IP addresses.
TIA ...jgm
-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Tuesday, March 11, 2008 5:07 PM
To: Joe Moore
Subject: Re: [tac_plus] tac_plus with PAM on FreeBSD
Mon, Mar 10, 2008 at 04:36:20PM -0500, Joe Moore:
> John,
>
> Thanks for the response!
>
> My /etc/passwd file doesn't actually have any passwords in it. That's
> been standard on FreeBSD for a very long time. The actual (salted and
> hashed) passwords are in "/etc/master.passwd" which is readable ONLY
by
> root, so I suppose it's possible that it broke when tac_plus started
> running as the "tacacs" user instead of root.
right, but getpwent() should return the right bits from master.password,
and that should be used if the file is set to /etc/passwd.
> I don't know if the hashes are MD5 or not. They're whatever FBSD
md5 begins with $1$ in the hash.
> normally does. I did see in a debug last night what tac_plus thought
the
> password should encrypt to, and it wasn't anything like the hash in
> /etc/master.passwd.
>
> I'll try copying the PAM file from ssh and see if that works. Is your
> PAM file just that single line? My /etc/pam.d/sshd is more than that:
the point was that the module is like pam_unix.so, not pam_tacplus.so.
mine/NetBSDs is:
# $NetBSD: sshd,v 1.8 2005/09/22 01:02:12 tsarna Exp $
#
# PAM configuration for the "sshd" service
#
# auth
auth required pam_nologin.so no_warn
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth optional pam_afslog.so no_warn try_first_pass
# pam_ssh has potential security risks. See pam_ssh(8).
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
# pam_ssh has potential security risks. See pam_ssh(8).
#session optional pam_ssh.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
again, i THINK that is what I tested with.
More information about the tac_plus
mailing list