[tac_plus] Re: Changing a user's password from tacacs prompt or other method...
john heasley
heas at shrubbery.net
Wed Jun 2 20:26:43 UTC 2010
Wed, Jun 02, 2010 at 05:12:40PM -0230, Roderick B. Greening:
> > > Just wondering how I would go about allowing the user to change their
> > > password without providing access to the tacacs+ server?
> > >
> > > For example, the user telnets to one of the tacacs+ enabled NAS and
> > > enters their username and then nothing for password. I'd like this to
> > > trigger a request for a password change.
> > >
> > > In my tacacs+ config, I am using the default Linux /etc/passwd with the
> > > file
> >
> > The TACACS+ protocol itself is suitable to do this.
> > The popular (and free) server programs aren't.
> > You have to develop it...
> >
>
> I take it this means that writing a before/after auth script is not possible
> to do this, and only possible with modifications to the tacacs server code base
> itself?
>
> Anyone interested in developing this?

I believe that it currently works if the device initiates the change.
But otherwise, gabor is right. However, you may be able to use PAM
to do that - in theory, but I haven't tried it. You'd need PAM modules
that would enforce the empty password bit and perform the change passwd
prompting.

Note that an empty password is a DoS and security hole.