[tac_plus] Re: Installing tac_plus as a different user other than root??

Andy Saykao asaykao at gmail.com
Sun Nov 29 22:14:19 UTC 2009


Hi Adam,

I came across that post but it was for RHEL so I just skimmed through it because
I'm working on an Ubuntu box. I really just want to use the users in
/etc/passwd for now (maybe LDAP further down the track) - nevertheless thank
you for your suggestion.

So my question is that if I just want to authenticate against /etc/passwd,
is it worth me reading up more about PAM and trying to get this going, or do I
just compile it using the GID of the shadow group as per this guide?

http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-cisco-howtos-documents-and-notes/cisco-and-tacacs

Thanks.

Andy

> For Number 2, these instructions use pam_ldap for tac_plus as an example,
> but you can configure the pam stack for tac_plus to be whatever suits you.
>
> Instructions for RHEL5:
>
> 1. install the pam-devel package from your repository
>
> 2. compile the source for tacacs+, making sure that -lpam was discovered in
> the configure script
>
> 3. define users in the conf file as such:
>
> user = <username> {
>   login = PAM
> }
>
> 4. Place a pam stack configuration in /etc/pam.d/tac_plus that has whatever
> mechanisms you require for authentication (see below)
>
> 5. celebrate
>
> The pam stack I use looks like this:
>
> #cat /etc/pam.d/tac_plus:
>
>  #%PAM-1.0
>  auth       include      system-auth
>  account    required     pam_nologin.so
>  account    include      system-auth
>  password   include      system-auth
>  session    optional     pam_keyinit.so force revoke
>  session    include      system-auth
>  session    required     pam_loginuid.so
>
>  It's not very obvious in that file, but I include system-auth, which
>  looks like this:
>
>  #%PAM-1.0
>  # This file is auto-generated.
>  # User changes will be destroyed the next time authconfig is run.
>  auth        required      pam_env.so
>  auth        sufficient    pam_unix.so nullok try_first_pass
>  auth        requisite     pam_succeed_if.so uid >= 500 quiet
>  auth        sufficient    pam_ldap.so use_first_pass
>  auth        required      pam_deny.so
>
>  account     required      pam_unix.so broken_shadow
>  account     sufficient    pam_localuser.so
>  account     sufficient    pam_succeed_if.so uid < 500 quiet
>  account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>  account     required      pam_permit.so
>
>  password    requisite     pam_cracklib.so try_first_pass retry=3
>  password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
>  password    sufficient    pam_ldap.so use_authtok
>  password    required      pam_deny.so
>
>  session     optional      pam_keyinit.so revoke
>  session     required      pam_limits.so
>  session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>  session     required      pam_unix.so
>  session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
>  session     optional      pam_ldap.so
>
> So, in this manner, tacacs+, talking to PAM, and using pam_ldap, can
> authenticate a user with ldap-based credentials. Of course, you can use
> whatever you like in terms of pam modules.
>
> Thanks,
>
> Adam
>
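For the case Andy describes (local /etc/passwd users on Ubuntu, with the daemon not running as root), here is an added example of the two fragments involved; it is not from this thread, and it assumes tac_plus was built with PAM support as in Adam's step 2 and that the user name andy is a placeholder:

```text
# /etc/tac_plus.conf (fragment): hand authentication to PAM instead of
# reading /etc/shadow directly, so the daemon needs no shadow-group access.
user = andy {
    login = PAM
}

# /etc/pam.d/tac_plus: Debian/Ubuntu stacks are assembled with @include
# rather than RHEL's "include system-auth"; common-auth already carries
# pam_unix.so, which checks /etc/shadow through the privileged unix_chkpwd
# helper, so an unprivileged tac_plus process can still verify passwords.
auth     required   pam_nologin.so
@include common-auth
@include common-account
@include common-session
```

Because the helper, not tac_plus, reads /etc/shadow, a compromised daemon running as its own user cannot dump the hash file, which is the main reason to prefer this over compiling in the shadow GID.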