[tac_plus] Re: PAM support via PAP??

Schmidt, Daniel dan.schmidt at uplinkdata.com
Fri Sep 25 16:29:50 UTC 2009


Yes, because it makes perfect sense to encrypt the password in your
config when you are using an insecure, clear text protocol like Pam
instead of Chap.  :-P

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Paul Vdovets
Sent: Wednesday, September 23, 2009 9:28 AM
To: john heasley
Cc: Jason Jeremias; tac_plus at shrubbery.net
Subject: [tac_plus] Re: PAM support via PAP??

It also does support pap = des so if you have to use pap you can at least
crypt the config hardcoded password

On Wed, Sep 23, 2009 at 11:04 AM, john heasley <heas at shrubbery.net> wrote:

> Tue, Sep 22, 2009 at 04:28:31PM -0800, Jason Jeremias:
> > Oh also I removed all the comments from the config file, that's why it's
> > referencing line 50.  It looks to me like it just doesn't like the pap
> > = PAM, if I switch to login = PAM it works fine.
>
> Bad memory; pap auth currently only supports cleartext.  glancing at the
> code, there is no reason it couldn't be added, just has to be coded.
>
> > -J
> >
> > Jason Jeremias wrote:
> >> When I run it I get.
> >> root@ns02:/usr/local/src/tac_plus_v9a# /usr/local/bin/tac_plus -C /etc/tacacs/tac_plus.cfg -d 16
> >> Error: expecting 'cleartext', or 'des' keyword after 'pap =' on line 50
> >>
> >> So to check that I have pam I did a:
> >> root@ns02:/usr/local/src/tac_plus_v9a# /usr/local/bin/tac_plus -v
> >> tac_plus version F4.0.4.19
> >> ACLS
> >> FIONBIO
> >> LIBWRAP
> >> LINUX
> >> LITTLE_ENDIAN
> >> LOG_DAEMON
> >> PAM
> >> NO_PWAGE
> >> REAPCHILD
> >> RETSIGTYPE RETSIGTYPE
> >> SHADOW_PASSWORDS
> >> SIGTSTP
> >> SIGTTIN
> >> SIGTTOU
> >> SO_REUSEADDR
> >> STRERROR
> >> TAC_PLUS_PORT
> >> UENABLE
> >> __STDC__
> >>
> >> This told me that I do indeed have PAM compiled in.
> >>
> >>
> >> Here's my config file.
> >> root@ns02:/usr/local/src/tac_plus_v9a# cat /etc/tacacs/tac_plus.cfg
> >>
> >> key = testing12345
> >>
> >> # Now tacacs+ also use default PAM authentication
> >> #default authentication = pap PAM
> >>
> >> # Accounting records log file
> >>
> >> accounting file = /var/log/tac_acc.log
> >>
> >> user = DEFAULT {
> >>     #service = ppp protocol = lcp { idletime = 15 }
> >>     #service = ppp protocol = ip {}
> >>     #pap = PAM
> >>     #maxsess = 2
> >>     member = DEFAULT
> >> }
> >>
> >> group = DEFAULT {
> >>     service = ppp protocol = ip {}
> >>     pap = PAM
> >>     #maxsess = 2
> >> }
> >>
> >>
> >> root@ns02:/usr/local/src/tac_plus_v9a#
> >>
> >>
> >>
> >> john heasley wrote:
> >>> Tue, Sep 22, 2009 at 03:26:34PM -0800, Jason Jeremias:
> >>>
> >>>> I downloaded the latest tac_plus software but I can't seem to get
> >>>> pap = PAM to work, is this possible?  I need to authenticate ppp
> >>>> users against pam.
> >>>>
> >>>
> >>> did you make any effort to use daemon debugging options to debug the
> >>> problem that you'd like to mention?
> >>>
> >>
> >
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>



-- 
Paul Vdovets