[tac_plus] Tac_plus passwd expiration
john heasley
heas at shrubbery.net
Wed Feb 23 22:34:52 UTC 2011
Mon, Feb 21, 2011 at 03:52:07PM +0100, Francisco Fernandez:
> Hi there...
>
> First of all, sorry if this is not the appropriate method to ask you a
> question... If not, let me know.
>
> We are using tacacs+ on a linux server which provides authentication for many
> cisco routers with users defined in tacacs's linux operating system. Till
> now, validation was against /etc/passwd file. The problem we have is that
> when a user's password expires in the linux operating system, the same user can
> continue logging into the routers without any error.
>
> I've been trying to avoid this using:
>
> - /etc/shadow (but I always get "password has expired" even with an active
>   password's account)
> - PAM: we don't get any error and I can telnet to our routers with our
>   expired passwd.
>
> I've tried several tacacs versions and compiled several times with different
> options...
>
> Do you know how can I deny access to our routers to users with password
> expired?
There are two ways if using PAM:
1) expire in tac_plus.conf
2) PAM checks the expire field and returns failure, which probably depends on your
   PAM config

and two if using a file like /etc/passwd (should deal w/ /etc/shadow
automatically):
1) expire in tac_plus.conf
2) make the shell field empty or not begin with '/'; see expire.c
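The gap Francisco describes is that the operating system's password expiry (kept in /etc/shadow) and the checks tac_plus applies when it authenticates against a password file are two separate things, so an account can be expired for local login yet still pass tac_plus. The script below is an added audit example, not tac_plus code: it re-implements only the two file-method rules named in the reply (a per-user `expires` date in tac_plus.conf, and the passwd shell field being empty or not starting with '/'), compares them against the shadow(5) expiry arithmetic, and reports accounts the OS has expired but tac_plus would still accept. The passwd, shadow and tac_plus.conf contents are constructed sample data; the tac_plus.conf parsing is a minimal regex, not tac_plus's own parser, and treating the `expires` date itself as already expired is an assumption.

```python
"""Audit: which locally expired accounts would tac_plus's file method still let in?

Added example, not part of tac_plus. Rules re-implemented from the reply:
  1) expires = "MMM DD YYYY" in the user's tac_plus.conf block
  2) passwd shell field empty, or not beginning with '/', disables the account
OS-side expiry follows shadow(5): name:hash:lastchg:min:max:warn:inactive:expire:...
"""
import datetime as dt
import re

TODAY = dt.date(2011, 2, 23)          # fixed "today" so the sample is reproducible
EPOCH = dt.date(1970, 1, 1)

def days(d):
    """shadow(5) stores dates as days since 1970-01-01."""
    return (d - EPOCH).days

# Constructed sample /etc/passwd (no real accounts).
PASSWD = """\
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:
dave:x:1004:1004::/home/dave:/bin/bash
"""

# Constructed sample /etc/shadow; hashes are placeholders.
SHADOW = "\n".join([
    f"alice:$6$x:{days(TODAY - dt.timedelta(days=10))}:0:90:7:::",      # fresh password
    f"bob:$6$x:{days(TODAY - dt.timedelta(days=120))}:0:90:7:::",       # max age (90) passed
    f"carol:$6$x:{days(TODAY - dt.timedelta(days=120))}:0:90:7:::",     # expired, shell empty
    f"dave:$6$x:{days(TODAY - dt.timedelta(days=5))}:0:99999:7::"
    f"{days(TODAY - dt.timedelta(days=1))}:",                           # account expire date passed
]) + "\n"

# Constructed tac_plus.conf fragment using the "expires" directive.
TAC_PLUS_CONF = """\
user = alice {
    login = file /etc/passwd
}
user = bob {
    login = file /etc/passwd
    expires = "Jan 1 2011"
}
"""

def shadow_expired(shadow_text, user, today=TODAY):
    """True if shadow(5) says the account or its password has expired."""
    for line in shadow_text.splitlines():
        f = line.split(":")
        if f[0] != user:
            continue
        lastchg, maxage, expire = f[2], f[4], f[7]
        if expire and int(expire) <= days(today):          # account expiry date reached
            return True
        if lastchg and maxage and int(maxage) < 99999 \
                and int(lastchg) + int(maxage) < days(today):  # password older than max
            return True
        return False
    return False

def tac_shell_disabled(passwd_text, user):
    """Rule 2 of the file method: shell empty or not starting with '/'."""
    for line in passwd_text.splitlines():
        f = line.split(":")
        if f[0] == user:
            return not f[6].startswith("/")
    return True  # no passwd entry at all: nothing to authenticate against

_USER_BLOCK = re.compile(r'user\s*=\s*(\S+)\s*\{(.*?)\}', re.S)
_EXPIRES = re.compile(r'expires\s*=\s*"([A-Za-z]{3}\s+\d{1,2}\s+\d{4})"')

def tac_conf_expired(conf_text, user, today=TODAY):
    """Rule 1: the user's tac_plus.conf block carries an expires date that has been reached."""
    for m in _USER_BLOCK.finditer(conf_text):
        if m.group(1) != user:
            continue
        e = _EXPIRES.search(m.group(2))
        if not e:
            return False
        exp = dt.datetime.strptime(e.group(1), "%b %d %Y").date()
        return exp <= today   # assumption: expired on and after the stated date
    return False

def audit(passwd_text, shadow_text, conf_text, today=TODAY):
    """Map user -> 'ok' (not expired), 'blocked' (expired and tac_plus stops it),
    or 'GAP' (expired in shadow but neither tac_plus file-method rule applies)."""
    verdicts = {}
    for line in passwd_text.splitlines():
        user = line.split(":")[0]
        os_expired = shadow_expired(shadow_text, user, today)
        tac_blocks = (tac_shell_disabled(passwd_text, user)
                      or tac_conf_expired(conf_text, user, today))
        if os_expired and not tac_blocks:
            verdicts[user] = "GAP"
        elif os_expired:
            verdicts[user] = "blocked"
        else:
            verdicts[user] = "ok"
    return verdicts

if __name__ == "__main__":
    for user, verdict in audit(PASSWD, SHADOW, TAC_PLUS_CONF).items():
        print(f"{user:8s} {verdict}")
```

In the sample, `dave` is the case the original question is about: his account is expired in /etc/shadow, but he has a normal shell and no `expires` line, so under the file method tac_plus has nothing to stop him. `bob` is caught by the tac_plus.conf date and `carol` by the shell-field rule. Under the PAM method the equivalent check is the PAM account phase (for example pam_unix in the account stack, which reads the same shadow fields), which is why the reply says the outcome depends on the PAM configuration.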