[tac_plus] Re: Installing tac_plus as a different user other than root??
adam
prozaconstilts at gmail.com
Mon Nov 30 03:48:40 UTC 2009
Andy Saykao wrote:
> Hi Adam,
>
> I came across that post but it was for RHEL so I just skimmed through it
> bc I'm working on a Ubuntu box. I really just want to use the users in
> /etc/passwd for now (maybe LDAP further down the track) - nevertheless
> thank you for your suggestion.
>
> So my question is that if I just want to authenticate against
> /etc/passwd, is it worth me reading up more about PAM and try to get
> this going or do I just compile it using the GID of the shadow group as
> per this guide.
>
> http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-cisco-howtos-documents-and-notes/cisco-and-tacacs
>
> Thanks.
>
> Andy
>
> For Number 2, these instructions use pam_ldap for tac_plus as an
> example, but you can configure the pam stack for tac_plus to be
> whatever suits you.
>
> Instructions for RHEL5:
>
> 1. install the pam-devel package from your repository
>
> 2. compile the source for tacacs+, making sure that -lpam was
> discovered in the configure script
>
> 3. define users in the conf file as such:
>
> user = <username> {
> login = PAM
> }
>
> 4. Place a pam stack configuration in /etc/pam.d/tac_plus that has
> whatever mechanisms you require for authentication (see below)
>
> 5. celebrate
>
> The pam stack I use looks like this:
>
> #cat /etc/pam.d/tac_plus:
>
> #%PAM-1.0
> auth include system-auth
> account required pam_nologin.so
> account include system-auth
> password include system-auth
> session optional pam_keyinit.so force revoke
> session include system-auth
> session required pam_loginuid.so
>
> It's not very obvious in that file, but I include system-auth, which
> looks like this:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
> session optional pam_ldap.so
>
> So, in this manner, tacacs+, talking to PAM, and using pam_ldap, can
> authenticate a user with ldap-based credentials. Of course, you can
> use whatever you like in terms of pam modules.
>
> Thanks,
>
> Adam
>
>
These instructions for RHEL should work 95% for ubuntu. Note that the
pam_unix module in use in the system-auth file is /etc/passwd and
/etc/shadow...so using pam_unix in your tac_plus pam conf should be
sufficient. As I recall, while RHEL uses a single system-auth, debian
and ubuntu use system-auth broken out into common-auth, common-password,
common-account, and common-session in the pam.d directory. You'll need
to translate the pam conf files for ubuntu, but the compilation and
configuration of tac_plus should remain the same.
Adam
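For reference, here is what that translation looks like on the Debian/Ubuntu side. This is an added example, not a file from this thread or from the tac_plus project; it assumes a stock Ubuntu /etc/pam.d layout where the common-* files carry pam_unix.so, and it deliberately leaves out the pam_keyinit/pam_loginuid lines from the RHEL stack, which serve interactive logins rather than a daemon verifying passwords.

```text
#%PAM-1.0
# /etc/pam.d/tac_plus on Debian/Ubuntu (example; adjust to local policy)
#
# RHEL's single "include system-auth" becomes one @include per stack.
# common-auth and common-account already reference pam_unix.so, which
# checks /etc/passwd and /etc/shadow, so local-account authentication
# needs nothing beyond these includes.
auth        required    pam_env.so
@include common-auth

# Keep the RHEL behaviour of refusing logins while /etc/nologin exists.
account     required    pam_nologin.so
@include common-account

@include common-password

@include common-session
```

Whatever stack you settle on, pam_unix still has to read /etc/shadow to compare hashes. That only works when the tac_plus process runs as root or in the shadow group; running it as an unprivileged account that is in neither will make every local-user authentication fail, which is the same constraint behind the "compile with the shadow group's GID" approach Andy mentioned. Check it with `pamtester tac_plus <user> authenticate` (from the pamtester package) as the account tac_plus will run under before putting it in front of network devices.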