[tac_plus] PAM authentication and default user
Henry-Nicolas Tourneur
henry.nicolas at tourneur.be
Fri Feb 12 10:30:10 UTC 2010
Hello everybody,
In some cases, the PAM user won't be present in /etc/passwd (e.g. the pam LDAP
backend).
The current behaviour of Tacacs+ is to check for the username in its
configuration file.
If it doesn't exist but there is a DEFAULT user, the username is
replaced by DEFAULT, therefore it won't work with PAM.
What would be really nice:
Don't change the username to DEFAULT if you see that the login method is
PAM. That will allow the tacacs daemon to authenticate against a remote server
like LDAP (in such a case, the login information may not be present on the
server running tacacs). It might be easy to patch the do_author.c file at
line 86, but I guess it won't be enough, or maybe we will need to do something
in other parts of the daemon (like hash?).
The general picture would be:
1. Auth request with username = xxy
2. I have no user named xxy in my tacacs conf, but a DEFAULT user exists
3. The DEFAULT user authenticates against PAM, so I won't change the
username
4. Authenticate against PAM with username = xxy and return the result.
If any tacacs+ hacker wants to implement this, it would be fabulous :)
Please also note that I'm currently trying to get the Tacacs+ daemon
shipped with Debian.
It has been uploaded and is waiting for ftp-master approval:
http://ftp-master.debian.org/new/tacacs+_4.0.4.19-2.html
Regards,
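As an added illustration of the four-step picture above (not tac_plus source and not a patch from the poster), the following C model contrasts the username resolution the post describes with the requested change. The sample configuration table, the `find_user`, `resolve_current` and `resolve_proposed` functions and the `login_method` enum are assumptions made for this example; tac_plus's real data structures differ.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative model of the username-resolution step only; not tac_plus code. */

enum login_method { LOGIN_CLEARTEXT, LOGIN_FILE, LOGIN_PAM };

struct user_entry {
    const char *name;
    enum login_method method;
};

/* Constructed sample configuration (assumed, not from any real tac_plus.conf):
 * one explicitly configured user and a DEFAULT entry that logs in via PAM. */
static const struct user_entry sample_config[] = {
    { "alice",   LOGIN_CLEARTEXT },
    { "DEFAULT", LOGIN_PAM },
};

static const struct user_entry *find_user(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof sample_config / sizeof sample_config[0]; i++)
        if (strcmp(sample_config[i].name, name) == 0)
            return &sample_config[i];
    return NULL;
}

/* Behaviour described in the post: an unknown user falls back to DEFAULT and
 * the literal name "DEFAULT" is what later reaches the login backend.
 * Returns 1 and fills out/method on success, 0 if no entry applies. */
int resolve_current(const char *requested, char *out, size_t outlen,
                    enum login_method *method)
{
    const struct user_entry *e = find_user(requested);
    if (e == NULL)
        e = find_user("DEFAULT");
    if (e == NULL)
        return 0;
    snprintf(out, outlen, "%s", e->name);   /* becomes "DEFAULT" for unknown users */
    *method = e->method;
    return 1;
}

/* Requested behaviour: still take the settings from the DEFAULT entry, but when
 * its login method is PAM keep the requested username so PAM (and an LDAP
 * backend behind it) sees the real account name. Other methods keep the
 * existing substitution, since the post only asks for the PAM case. */
int resolve_proposed(const char *requested, char *out, size_t outlen,
                     enum login_method *method)
{
    const struct user_entry *e = find_user(requested);
    const char *name_for_backend = requested;
    if (e == NULL) {
        e = find_user("DEFAULT");
        if (e == NULL)
            return 0;
        if (e->method != LOGIN_PAM)
            name_for_backend = e->name;
    }
    snprintf(out, outlen, "%s", name_for_backend);
    *method = e->method;
    return 1;
}

int main(void)
{
    char name[64];
    enum login_method m;
    if (resolve_current("xxy", name, sizeof name, &m))
        printf("current : xxy -> %s (pam=%d)\n", name, m == LOGIN_PAM);
    if (resolve_proposed("xxy", name, sizeof name, &m))
        printf("proposed: xxy -> %s (pam=%d)\n", name, m == LOGIN_PAM);
    return 0;
}
```

The model only covers the name-resolution step; as the post itself notes, the actual daemon may need the same change wherever the substituted name is used later (the PAM call, logging, authorization lookups), not just at one line of do_author.c.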