[tac_plus] Re: Installing tac_plus as a different user other than root??
Andy Saykao
asaykao at gmail.com
Wed Dec 2 00:45:46 UTC 2009
Hi Adam,
On Ubuntu, PAM auth looks for /etc/pam.d/tac_plus. To test this I used the
below code in the tac_plus file and was unable to log on, as per the pam_deny
modules.
-------------------------------------------------------------------------------------------------------
#%PAM-1.0
#(The above "magic" header is optional)
# The modules for defaulting services as defined
# in "/etc/pam.d/other" this configuration is
# accepted by Linux-PAM-0.56 and higher.
#
auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
session required pam_deny.so
password required pam_warn.so
password required pam_deny.so
# end of file.
-------------------------------------------------------------------------------------------------------
On the Cisco device, I'm not even prompted for the password:
User Access Verification
Username: user1
% Authentication failed
Logs showing me being denied access:
pam_verify user1
Password is incorrect
login query for 'user1' tty2 from 203.17.101.x rejected
login failure: user1 203.17.101.x (203.17.101.x) tty2
-------------------------------------------------------------------------------------------------------
I found out that there's a fallback for PAM auth which uses /etc/pam.d/other
- so without any /etc/pam.d/tac_plus present, it just defaults to using
/etc/pam.d/other.
-------------------------------------------------------------------------------------------------------
# /etc/pam.d/other - specify the PAM fallback behaviour
#
# Note that this file is used for any unspecified service; for example
#if /etc/pam.d/cron specifies no session modules but cron calls
#pam_open_session, the session module out of /etc/pam.d/other is
#used. If you really want nothing to happen then use pam_permit.so or
#pam_deny.so as appropriate.
# We fall back to the system default in /etc/pam.d/common-*
#
@include common-auth
@include common-account
@include common-password
@include common-session
-------------------------------------------------------------------------------------------------------
I'm not an expert on PAM so hope that helps some other people trying to get
PAM working with tac_plus.
A good read on PAM is here:
http://www.linuxjournal.com/article/2120
Cheers.
Andy
On Wed, Dec 2, 2009 at 11:22 AM, adam <prozaconstilts at gmail.com> wrote:
> Andy Saykao wrote:
>
>> Hi Adam,
>>
>> I've read your post on getting PAM working under RHEL but have a few more
>> questions about it.
>>
>> http://www.shrubbery.net/pipermail/tac_plus/2009-May/000435.html
>>
>> For those on Ubuntu I had to install libpam0g-dev first and ./configure
>> again so PAM was detected.
>>
>> # apt-get install libpam0g-dev
>>
>> 1/ How does the tac_plus daemon know to look for the PAM authentication in
>> /etc/pam.d/tac_plus. I created the tac_plus file but I notice that when I
>> deleted it and restarted the tac_plus daemon, PAM auth still works with or
>> without it. Not sure if the PAM auth just defaults to using the common-*
>> files in /etc/pam.d/ if it doesn't find the tac_plus file in there.
>>
>
> tac_plus just makes a C library call to pam_authenticate. For RHEL, this
> required a tac_plus file in pam.d. This may not be the case for Ubuntu.
>
>
>
>> 2/ The tac_plus user guide says that PAM doesn't work if the tac_plus
>> daemon is started as a non-root user (which is how I am running the daemon).
>> So once again to get around this I had to configure the daemon to use the
>> shadow GID.
>>
>
> poop. I should have read and known about that. You could make the jump and
> go straight to your LDAP solution. Sorry if that caused you to waste your
> time :(
>
>
> "Be aware that when the tac_plus daemon runs as a non-root user (as is the
>> default in FreeBSD /usr/ports), it will not be able to authenticate using
>> the pam_unix.so module. This is because the system function getpwnam()
>> called by pam_unix.so requires root privileges to retrieve the password to
>> validate from the /etc/master.passwd or /etc/shadow file. The symptom will
>> be that for each authentication that is attempted, the password will appear
>> to be wrong whether it was typed correctly or not."
>>
>
>
>
>> Cheers.
>>
>> Andy
>>
>
>
>
>
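The service-file fallback Andy describes (Linux-PAM reads /etc/pam.d/<service> when it exists and otherwise /etc/pam.d/other) is easy to get wrong silently, so here is a small diagnostic as an added example. It is not code from the post or from the tac_plus project; the function names are hypothetical, the PAM directory is a parameter so it can be run against a copy rather than the live /etc/pam.d, and the sample files it builds are constructed from the two configurations quoted in the post. It reports which file a service name resolves to and classifies that file's auth stack, so a stack that can never accept a password (the pam_deny.so test file above, where pam_warn.so only logs and cannot succeed) or an unintended fall back to "other" shows up before anyone tries to log in from a device. Control keywords are read only as far as required/requisite; bracketed [...] controls are recognised but not interpreted.

```shell
#!/bin/sh
# Added example; not code from the list post or from the tac_plus project.
# Models the Linux-PAM service lookup: PAM_DIR/<service> if present,
# otherwise PAM_DIR/other. Function names are hypothetical.

# pam_service_file PAM_DIR SERVICE
#   Print the file Linux-PAM would consult for SERVICE; return 1 if neither
#   PAM_DIR/SERVICE nor PAM_DIR/other exists.
pam_service_file() {
    if [ -f "$1/$2" ]; then
        printf '%s\n' "$1/$2"
    elif [ -f "$1/other" ]; then
        printf '%s\n' "$1/other"
    else
        return 1
    fi
}

# pam_auth_stack FILE
#   Print the auth stack of FILE in order, one entry per line:
#   "<control> <module>" for auth lines ("bracket" stands for a [...]
#   control) and "include:<name>" for @include lines.
#   Comments, including the optional "#%PAM-1.0" header, are skipped.
pam_auth_stack() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "@include" { print "include:" $2; next }
        $1 == "auth" {
            ctl = $2; i = 3
            if (ctl ~ /^\[/) {        # e.g. [success=1 default=ignore]
                while (i <= NF && ctl !~ /\]$/) { ctl = ctl " " $i; i++ }
                ctl = "bracket"
            }
            print ctl, $i
        }
    ' "$1"
}

# pam_auth_verdict FILE
#   never    - a required/requisite pam_deny.so, or nothing but pam_deny.so /
#              pam_warn.so entries: no password can ever be accepted
#   included - only @include lines; the real modules live in the included
#              files (common-auth on Debian/Ubuntu)
#   empty    - no auth lines at all
#   modules  - at least one module that can return success is listed
pam_auth_verdict() {
    pam_auth_stack "$1" | awk '
        { n++ }
        /^include:/ { inc++; next }
        $2 == "pam_deny.so" && ($1 == "required" || $1 == "requisite") { hard++; next }
        $2 == "pam_deny.so" || $2 == "pam_warn.so" { soft++; next }
        { pos++ }
        END {
            if (n == 0)        print "empty"
            else if (hard > 0) print "never"
            else if (pos > 0)  print "modules"
            else if (inc > 0)  print "included"
            else               print "never"
        }
    '
}

# pam_sample_dir
#   Create a scratch PAM directory holding copies of the two files quoted in
#   the post (constructed sample data) and print its path.
pam_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/tac_plus" <<'EOF'
#%PAM-1.0
auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
EOF
    cat > "$d/other" <<'EOF'
# /etc/pam.d/other - PAM fallback for any service without its own file
@include common-auth
@include common-account
EOF
    printf '%s\n' "$d"
}

# Demo: resolve the daemon's own service name, then a name with no file.
pam_demo() {
    d=$(pam_sample_dir)
    for svc in tac_plus sshd; do
        f=$(pam_service_file "$d" "$svc")
        printf '%s -> %s (%s)\n' "$svc" "$(basename "$f")" "$(pam_auth_verdict "$f")"
    done
    rm -rf "$d"
}
pam_demo
```

Run against the real directory with pam_service_file /etc/pam.d tac_plus followed by pam_auth_verdict on the result; "never" for the test file above matches the "% Authentication failed" with no password prompt that Andy saw, and "included" for other means the outcome depends on common-auth, which on a non-root daemon still runs into the /etc/shadow restriction quoted from the user guide.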