[tac_plus] password expiration with PAM?
Morty
morty+tac_plus at frakir.org
Thu Jun 2 08:05:59 UTC 2011
On Fri, May 27, 2011 at 12:18:11PM -0500, Brandon Ewing wrote:
> On Thu, May 26, 2011 at 01:11:34AM -0400, Morty wrote:
> > I'm testing tacacs+-F4.0.4.19 under Solaris.
> >
> > I've got users with LOGIN=PAM. I set the password to be expired
> > (i.e. I faked out the age in /etc/shadow to be 1000 days, with a max
> > age of 60 days). Other subsystems using PAM, i.e. openssh and
> > radiusd, do not allow the user to login; openssh provides a useful
> > prompt, while radiusd just fails to allow the login for devices that
> > utilize radiusd. But when the user logs in to a device using the
> > tac_plus server, the login succeeds.
> >
> > This seems like a bug.
> >
> > - Morty
>
> What's in your PAM config for tac_plus? If your config doesn't have a
> "password" section, I don't believe it will respect password expiration.
Here is the pam.conf from my test box:
login auth required /usr/lib/security/pam_unix.so.1
login auth required /usr/lib/security/pam_dial_auth.so.1
#
rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
rlogin auth required /usr/lib/security/pam_unix.so.1
#
dtlogin auth required /usr/lib/security/pam_unix.so.1
#
rsh auth required /usr/lib/security/pam_rhosts_auth.so.1
other auth required /usr/lib/security/pam_unix.so.1
#
# Account management
#
login account required /usr/lib/security/pam_unix.so.1
dtlogin account required /usr/lib/security/pam_unix.so.1
#
other account required /usr/lib/security/pam_unix.so.1
#
# Session management
#
other session required /usr/lib/security/pam_unix.so.1
#
# Password management
#
other password required /usr/lib/security/pam_unix.so.1
tac_plus, openssh, and radiusd are all handled via "other". openssh
and radiusd are doing password expiration correctly. tac_plus isn't.
As you can see, "other" has password defined.
- Morty
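In PAM the password-aging decision is made in the account management phase, not the password stack: a client calls pam_authenticate() and then pam_acct_mgmt(), and it is the second call that returns PAM_NEW_AUTHTOK_REQD (password expired, must be changed) or PAM_ACCT_EXPIRED from the aging fields in /etc/shadow; the "password" stack only governs pam_chauthtok(), i.e. actually changing the password. So a client that stops after pam_authenticate() will let an expired password through even with "other password" present, which is the symptom described in this thread. The following Python example is added here and is not from the mail or from the tac_plus project; it re-implements that account-phase check over constructed shadow(4)-style lines so the effect of the "1000 days old, max age 60" scenario can be seen directly. The rules are modelled on the Linux-PAM pam_unix behaviour (an assumption; Solaris pam_unix_account follows the same shadow fields but its exact handling of inactivity and warning windows may differ), and the day counts and user names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed reference "today" (days since 1970-01-01) so the results are deterministic.
TODAY = 15127

# Constructed /etc/shadow lines, not from the original mail. Field order:
# name:hash:lastchg:min:max:warn:inact:expire:flag (day counts since the epoch).
SAMPLE_SHADOW = [
    f"alice:$6$fake$hash:{TODAY - 1000}:7:60:14:::",          # changed 1000 days ago, max 60: expired
    f"bob:$6$fake$hash:{TODAY - 10}:7:60:14:::",              # fresh password
    f"carol:$6$fake$hash:0:7:60:14:::",                       # lastchg 0: forced change at next login
    f"dave:$6$fake$hash:{TODAY - 50}:7:60:14:::",             # inside the 14-day warning window
    f"erin:$6$fake$hash:{TODAY - 500}:7:60:14:30::",          # past max + inact: locked out
    f"frank:$6$fake$hash:{TODAY - 5}:7:60:14::{TODAY - 1}:",  # account expiry date already passed
    f"grace:$6$fake$hash:{TODAY - 5000}::::::",               # no aging fields: never expires
]


@dataclass
class ShadowEntry:
    name: str
    lastchg: Optional[int]
    min_days: Optional[int]
    max_days: Optional[int]
    warn: Optional[int]
    inact: Optional[int]
    expire: Optional[int]


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow line into its aging fields; empty fields become None."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError(f"malformed shadow line: {line!r}")

    def num(s: str) -> Optional[int]:
        return int(s) if s else None

    return ShadowEntry(fields[0], num(fields[2]), num(fields[3]), num(fields[4]),
                       num(fields[5]), num(fields[6]), num(fields[7]))


def account_status(e: ShadowEntry, today: int) -> Tuple[str, str]:
    """What pam_acct_mgmt() would report for this entry (Linux-PAM pam_unix rules, assumed)."""
    # Whole-account expiry date (the 'expire' field) wins over everything else.
    if e.expire is not None and e.expire > 0 and today >= e.expire:
        return ("PAM_ACCT_EXPIRED", "account has expired")
    # lastchg == 0 is the administrator's "change at next login" flag.
    if e.lastchg == 0:
        return ("PAM_NEW_AUTHTOK_REQD", "password must be changed at next login")
    # No lastchg or no max age means password aging is disabled.
    if e.lastchg is None or e.max_days is None or e.max_days < 0:
        return ("PAM_SUCCESS", "no password aging configured")
    age = today - e.lastchg
    # Expired and the inactivity grace period has also run out: only an admin can reset it.
    if e.inact is not None and e.inact >= 0 and age > e.max_days + e.inact:
        return ("PAM_AUTHTOK_EXPIRED", "password expired and inactivity period passed")
    # Expired but still changeable by the user: this is the 1000-days / max-60 case.
    if age > e.max_days:
        return ("PAM_NEW_AUTHTOK_REQD", f"password expired {age - e.max_days} days ago")
    # Still valid but inside the warning window.
    if e.warn is not None and e.warn > 0 and age > e.max_days - e.warn:
        return ("PAM_SUCCESS", f"password will expire in {e.max_days - age} days")
    return ("PAM_SUCCESS", "")


def login_allowed(status: str) -> bool:
    """A client that cannot drive a password change must only admit PAM_SUCCESS."""
    return status == "PAM_SUCCESS"


def audit(lines, today: int) -> Dict[str, str]:
    """Run the account-phase check over a set of shadow lines; returns name -> PAM status."""
    return {e.name: account_status(e, today)[0] for e in map(parse_shadow_line, lines)}


if __name__ == "__main__":
    for line in SAMPLE_SHADOW:
        entry = parse_shadow_line(line)
        status, msg = account_status(entry, TODAY)
        print(f"{entry.name:6} {status:22} login={'yes' if login_allowed(status) else 'no':3} {msg}")
```

The useful check for a PAM client such as a TACACS+ daemon is therefore whether it calls pam_acct_mgmt() after a successful pam_authenticate() and refuses (or forces a change) on anything other than PAM_SUCCESS; confirming that in the daemon's PAM code path is the next diagnostic step when the "other" stack already carries account and password lines, as it does in the configuration above.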