[tac_plus] Re: Installing tac_plus as a different user other than root??
adam
prozaconstilts at gmail.com
Mon Nov 30 03:55:10 UTC 2009
Andy Saykao wrote:
> Hi Adam,
>
> I came across that post but it was for RHEL so I just skimmed through it
> because I'm working on an Ubuntu box. I really just want to use the users in
> /etc/passwd for now (maybe LDAP further down the track) - nevertheless
> thank you for your suggestion.
>
> So my question is that if I just want to authenticate against
> /etc/passwd, is it worth me reading up more about PAM and trying to get
> this going, or do I just compile it using the GID of the shadow group as
> per this guide?
>
> http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-cisco-howtos-documents-and-notes/cisco-and-tacacs
>
> Thanks.
>
> Andy
>
> For Number 2, these instructions use pam_ldap for tac_plus as an
> example, but you can configure the pam stack for tac_plus to be
> whatever suits you.
>
> Instructions for RHEL5:
>
> 1. install the pam-devel package from your repository
>
> 2. compile the source for tacacs+, making sure that -lpam was
> discovered in the configure script
>
> 3. define users in the conf file as such:
>
> user = <username> {
> login = PAM
> }
>
> 4. Place a pam stack configuration in /etc/pam.d/tac_plus that has
> whatever mechanisms you require for authentication (see below)
>
> 5. celebrate
>
> The pam stack I use looks like this:
>
> #cat /etc/pam.d/tac_plus:
>
> #%PAM-1.0
> auth include system-auth
> account required pam_nologin.so
> account include system-auth
> password include system-auth
> session optional pam_keyinit.so force revoke
> session include system-auth
> session required pam_loginuid.so
>
> It's not very obvious in that file, but I include system-auth, which
> looks like this:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
> session optional pam_ldap.so
>
> So, in this manner, tacacs+, talking to PAM, and using pam_ldap, can
> authenticate a user with ldap-based credentials. Of course, you can
> use whatever you like in terms of pam modules.
>
> Thanks,
>
> Adam
>
>
And after reading your post, I definitely advocate the understanding,
compilation, and use of PAM. It allows you to be extremely flexible with
your authentication, both now and when LDAP arrives. It's _the_ way your
Linux variants perform user authentication, meaning it's widely used,
widely understood, and widely supported. It also means it gets heavy
scrutiny in terms of code security. I'd take the time to learn how to
use it.
Thanks,
Adam
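The stack quoted above chains /etc/pam.d/tac_plus into system-auth through "include", and that merged stack is what actually decides a device login. As an added illustration (not code from this thread or from tac_plus), the following Python flattens a pam.d file the way Linux-PAM resolves "include" and flags the nullok option, which lets pam_unix accept an empty password. The SAMPLE dict is a constructed copy of the files posted above.

```python
import re

# Constructed sample mirroring the stack quoted above: tac_plus plus the system-auth it includes.
SAMPLE = {
    "tac_plus": """#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
""",
    "system-auth": """#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
""",
}

# type, control (a word or a [bracketed action list]), module, optional args
RULE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(name, files):
    """Flatten a pam.d file to (type, control, module, args); 'include' splices in same-type lines."""
    rules = []
    for line in map(str.strip, files[name].splitlines()):
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: " + line)
        typ, control, module, args = m.groups()
        if control == "include":
            rules += [r for r in parse_stack(module, files) if r[0] == typ]
        else:
            rules.append((typ, control, module, args.split()))
    return rules

def audit(rules):
    """Flag options worth a second look when this stack fronts network device logins."""
    findings = []
    for typ, _control, module, args in rules:
        if module == "pam_unix.so" and "nullok" in args:
            findings.append(f"{typ}: pam_unix nullok accepts empty passwords")
    if not any(t == "auth" and m == "pam_deny.so" for t, _c, m, _a in rules):
        findings.append("auth: no terminating pam_deny.so, a misordered stack could fall open")
    return findings
```

Run audit(parse_stack("tac_plus", SAMPLE)) to see the one nullok finding from the posted stack; on Debian/Ubuntu the included file is common-auth rather than system-auth, but the parser handles either name.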