[tac_plus] Re: Installing tac_plus as a different user other than root??
adam
prozaconstilts at gmail.com
Sun Nov 29 21:57:32 UTC 2009
Andy Saykao wrote:
> Hi Alan,
>
> 1/ So in other words I should be able to run tac_plus using the ID/GID of
> the tac_plus user I created because /etc/passwd should be world-readable? I
> initially tried compiling with just the ID/GID of the tac_plus user but was
> unable to authenticate using /etc/passwd - hence why I compiled it a second
> time using the GID of the shadow group and was then able to authenticate
> using /etc/passwd (not sure if this is good or bad but I just followed
> somebody else's guide).
>
> Sorry if I'm a bit naive on the unix file permission stuff, but here's the
> permissions on the Ubuntu box I'm testing with.
>
> # ls -la /etc/passwd /etc/shadow
> -rw-r--r-- 1 root root 1130 2009-11-27 12:48 /etc/passwd
> -rw-r----- 1 root shadow 835 2009-11-27 12:48 /etc/shadow
>
> 2/ How do I get tac_plus to authenticate using PAM? I've googled around and
> re-checked the mailing list but not much to go on. I've got a few PAM
> modules installed and can see that there's a /etc/pam.conf file and
> /etc/pam.d/ folder.
>
> Cheers.
>
> Andy
For Number 2, these instructions use pam_ldap for tac_plus as an
example, but you can configure the pam stack for tac_plus to be whatever
suits you.
Instructions for RHEL5:
1. install the pam-devel package from your repository
2. compile the source for tacacs+, making sure that -lpam was discovered
in the configure script
3. define users in the conf file as such:
user = <username> {
login = PAM
}
4. Place a pam stack configuration in /etc/pam.d/tac_plus that has
whatever mechanisms you require for authentication (see below)
5. celebrate
The pam stack I use looks like this:
#cat /etc/pam.d/tac_plus:
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
It's not very obvious in that file, but I include system-auth, which
looks like this:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session optional pam_ldap.so
So, in this manner, tacacs+, talking to PAM, and using pam_ldap, can
authenticate a user with ldap-based credentials. Of course, you can use
whatever you like in terms of pam modules.
Thanks,
Adam
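As an added example, not part of Adam's mail or of the tac_plus project: a small Python checker for a PAM stack file of the kind shown in the mail. It parses each entry, reports a line that is not a valid entry (which is what a wrapped `use_authtok` becomes if it is pasted onto its own line), and checks that the auth stack ends in `pam_deny.so`, so that a chain of `sufficient` modules cannot fall through to success. The sample stack is constructed from the mail's lines, with one deliberately wrapped.

```python
import re

# Constructed sample: a subset of the system-auth stack from the mail, with
# the "use_authtok" argument wrapped onto its own line as a broken paste would.
SAMPLE_STACK = """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
password sufficient pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
"""

TYPES = {"auth", "account", "password", "session"}
SIMPLE_CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
BRACKET_CONTROL = re.compile(r"^\[[^\]]+\]$")
# type, then a control (simple word or [bracket form with spaces]), then module, then args
ENTRY = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return (entries, problems); entries are (type, control, module, args)."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m or m.group(1) not in TYPES:
            problems.append(f"line {lineno}: not a PAM entry (wrapped continuation?): {line!r}")
            continue
        typ, control, module, args = m.groups()
        if control not in SIMPLE_CONTROLS and not BRACKET_CONTROL.match(control):
            problems.append(f"line {lineno}: unknown control {control!r}")
        # "include"/"substack" name another stack file, not a module
        if control not in ("include", "substack") and not module.endswith(".so"):
            problems.append(f"line {lineno}: {module!r} does not look like a PAM module")
        entries.append((typ, control, module, args.split()))
    return entries, problems

def auth_fails_closed(entries):
    """True when the auth stack's last entry is a required/requisite pam_deny.so,
    so a run of 'sufficient' modules that all skip cannot end in success."""
    auth = [e for e in entries if e[0] == "auth"]
    return bool(auth) and auth[-1][2] == "pam_deny.so" and auth[-1][1] in ("required", "requisite")
```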