[tac_plus] Re: Installing tac_plus as a different user other than root??
Andy Saykao
asaykao at gmail.com
Tue Dec 1 22:53:27 UTC 2009
Hi Adam,
I've read your post on getting PAM working under RHEL but have a few more
questions about it.
http://www.shrubbery.net/pipermail/tac_plus/2009-May/000435.html
For those on Ubuntu I had to install libpam0g-dev first and ./configure
again so PAM was detected.
# apt-get install libpam0g-dev
1/ How does the tac_plus daemon know to look for the PAM authentication in
/etc/pam.d/tac_plus? I created the tac_plus file but I notice that when I
deleted it and restarted the tac_plus daemon, PAM auth still works with or
without it. Not sure if the PAM auth just defaults to using the common-*
files in /etc/pam.d/ if it doesn't find the tac_plus file in there.
2/ The tac_plus user guide says that PAM doesn't work if the tac_plus daemon
is started as a non-root user (which is how I am running the daemon). So
once again to get around this I had to configure the daemon to use the
shadow GID.
"Be aware that when the tac_plus daemon runs as a non-root user (as is the
default in FreeBSD /usr/ports), it will not be able to authenticate using
the pam_unix.so module. This is because the system function getpwnam()
called by pam_unix.so requires root privileges to retrieve the password to
validate from the /etc/master.passwd or /etc/shadow file. The symptom will
be that for each authentication that is attempted, the password will appear
to be wrong whether it was typed correctly or not."
Cheers.
Andy
On Mon, Nov 30, 2009 at 2:48 PM, adam <prozaconstilts at gmail.com> wrote:
> Andy Saykao wrote:
>
>> Hi Adam,
>>
>> I came across that post but it was for RHEL so I just skimmed through it
>> because I'm working on an Ubuntu box. I really just want to use the users in
>> /etc/passwd for now (maybe LDAP further down the track) - nevertheless thank
>> you for your suggestion.
>>
>> So my question is that if I just want to authenticate against /etc/passwd,
>> is it worth me reading up more about PAM and try to get this going or do I
>> just compile it using the GID of the shadow group as per this guide.
>>
>>
>> http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-cisco-howtos-documents-and-notes/cisco-and-tacacs
>>
>> Thanks.
>>
>> Andy
>>
>> For Number 2, these instructions use pam_ldap for tac_plus as an
>> example, but you can configure the pam stack for tac_plus to be
>> whatever suits you.
>>
>> Instructions for RHEL5:
>>
>> 1. install the pam-devel package from your repository
>>
>> 2. compile the source for tacacs+, making sure that -lpam was
>> discovered in the configure script
>>
>> 3. define users in the conf file as such:
>>
>> user = <username> {
>> login = PAM
>> }
>>
>> 4. Place a pam stack configuration in /etc/pam.d/tac_plus that has
>> whatever mechanisms you require for authentication (see below)
>>
>> 5. celebrate
>>
>> The pam stack I use looks like this:
>>
>> #cat /etc/pam.d/tac_plus:
>>
>> #%PAM-1.0
>> auth include system-auth
>> account required pam_nologin.so
>> account include system-auth
>> password include system-auth
>> session optional pam_keyinit.so force revoke
>> session include system-auth
>> session required pam_loginuid.so
>>
>> It's not very obvious in that file, but I include system-auth, which
>> looks like this:
>>
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required pam_env.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth sufficient pam_ldap.so use_first_pass
>> auth required pam_deny.so
>>
>> account required pam_unix.so broken_shadow
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 500 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>> account required pam_permit.so
>>
>> password requisite pam_cracklib.so try_first_pass retry=3
>> password sufficient pam_unix.so md5 shadow nullok try_first_pass
>> use_authtok
>> password sufficient pam_ldap.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session [success=1 default=ignore] pam_succeed_if.so service in
>> crond quiet use_uid
>> session required pam_unix.so
>> session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
>> session optional pam_ldap.so
>>
>> So, in this manner, tacacs+, talking to PAM, and using pam_ldap, can
>> authenticate a user with ldap-based credentials. Of course, you can
>> use whatever you like in terms of pam modules.
>>
>> Thanks,
>>
>> Adam
>>
>>
>>
> These instructions for RHEL should work 95% for ubuntu. Note that the
> pam_unix module in use in the system-auth file is /etc/passwd and
> /etc/shadow...so using pam_unix in your tac_plus pam conf should be
> sufficient. As I recall, while RHEL uses a single system-auth, debian and
> ubuntu use system auth broken out into common-auth common-password
> common-account, and common-session in the pam.d directory. You'll need to
> translate the pam conf files for ubuntu, but the compilation and
> configuration of tac_plus should remain the same.
>
> Adam
>
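An added example, not from this thread or the tac_plus project: a small Python script that resolves which /etc/pam.d file Linux-PAM consults for a service name, flattens include/substack (and the Debian/Ubuntu @include directive) into the effective stack, and models the Unix permission check behind the non-root /etc/shadow problem. The sample pam.d files are constructed from the stacks quoted above, with a stub `other` that @includes a deny-only `common-auth` the way Debian's does; the shadow group GID of 42 is an assumption. It shows two things the thread leaves open: Linux-PAM falls back to /etc/pam.d/other when /etc/pam.d/<service> is missing (on Debian and Ubuntu that file pulls in the common-* stack, so PAM auth keeps working without a tac_plus file), and a daemon whose effective or supplementary GID is the shadow group passes the 0640 root:shadow read check that a plain unprivileged UID fails.

```python
# Added example for this thread (not tac_plus code): resolve which pam.d file
# Linux-PAM consults for a service, flatten include/substack/@include, and
# show the Unix permission check behind the non-root /etc/shadow problem.
import os
import re
import tempfile

# Constructed sample /etc/pam.d files from the stacks quoted in the thread;
# `other` and `common-auth` are stubs (distributions ship their own defaults).
SAMPLE_PAMD = {
    "tac_plus": """#%PAM-1.0
auth     include  system-auth
account  required pam_nologin.so
session  optional pam_keyinit.so force revoke
session  include  system-auth
session  required pam_loginuid.so
""",
    "system-auth": """auth     required   pam_env.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     requisite  pam_succeed_if.so uid >= 500 quiet
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_deny.so
session  optional   pam_keyinit.so revoke
session  [success=1 default=ignore] pam_succeed_if.so service in \\
                    crond quiet use_uid
session  required   pam_unix.so
""",
    "other": "@include common-auth\n",
    "common-auth": "auth     required pam_deny.so\n",
}
# [-]type control module [args]; control is a keyword or a [bracketed] action list.
_LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def write_sample_pamd(files=SAMPLE_PAMD):
    """Write the constructed files into a fresh temp dir; return its path."""
    pamd = tempfile.mkdtemp(prefix="pam.d-")
    for name, body in files.items():
        with open(os.path.join(pamd, name), "w") as fh:
            fh.write(body)
    return pamd

def service_file(pamd, service):
    """Linux-PAM reads <pamd>/<service>; if it is absent it uses <pamd>/other,
    so deleting pam.d/tac_plus swaps the stack rather than disabling PAM."""
    path = os.path.join(pamd, service)
    return (path, service) if os.path.isfile(path) else (os.path.join(pamd, "other"), "other")

def _logical_lines(path):
    """Strip comments, join backslash continuations, collapse whitespace."""
    buf = ""
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].rstrip()
            if line.endswith("\\"):
                buf += line[:-1] + " "
                continue
            line, buf = " ".join((buf + line).split()), ""
            if line:
                yield line

def _parse_file(pamd, path, mtype, depth=0):
    if depth > 8:
        raise RecursionError("PAM include nesting too deep at %s" % path)
    stack = []
    for line in _logical_lines(path):
        if line.startswith("@include "):  # Debian/Ubuntu directive, all types
            stack.extend(_parse_file(pamd, os.path.join(pamd, line.split()[1]), mtype, depth + 1))
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line in %s: %r" % (path, line))
        ltype, control, module, args = m.groups()
        if ltype != mtype:
            continue
        if control in ("include", "substack"):
            # module names another pam.d file; a missing one raises, no `other` fallback
            stack.extend(_parse_file(pamd, os.path.join(pamd, module), mtype, depth + 1))
        else:
            stack.append((control, module, args))
    return stack

def effective_stack(pamd, service, mtype):
    """Flattened [(control, module, args)] for auth/account/password/session."""
    return _parse_file(pamd, service_file(pamd, service)[0], mtype)

def needs_shadow_access(auth_stack):
    """pam_unix.so in the auth stack means the daemon must read the hash from
    /etc/shadow; the quoted user guide says non-root tac_plus then fails."""
    return any(os.path.basename(m) == "pam_unix.so" for _, m, _ in auth_stack)

def can_read(st_mode, st_uid, st_gid, euid, egid, groups=()):
    """Unix DAC read check (root bypasses it); /etc/shadow is 0640 root:shadow."""
    if euid == 0:
        return True
    if euid == st_uid:
        return bool(st_mode & 0o400)
    if egid == st_gid or st_gid in groups:
        return bool(st_mode & 0o040)
    return bool(st_mode & 0o004)

if __name__ == "__main__":
    pamd = write_sample_pamd()
    for svc in ("tac_plus", "no_such_service"):
        auth = effective_stack(pamd, svc, "auth")
        print(svc, "->", service_file(pamd, svc)[1], auth, "needs shadow:", needs_shadow_access(auth))
    SHADOW_GID = 42  # Debian's shadow group; an assumption for this demo
    print(can_read(0o640, 0, SHADOW_GID, 1001, 1001), can_read(0o640, 0, SHADOW_GID, 1001, SHADOW_GID))
```

Running it prints the flattened auth stack for tac_plus (pam_env, pam_unix, pam_succeed_if, pam_ldap, pam_deny) and, for a service with no file, the stub `other` stack, then False/True for the shadow read check without and with the shadow GID. Point it at a real /etc/pam.d by passing that directory instead of the temp one.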