[tac_plus] password expiration with PAM?
Brandon Ewing
nicotine at warningg.com
Fri May 27 17:18:11 UTC 2011
On Thu, May 26, 2011 at 01:11:34AM -0400, Morty wrote:
> I'm testing tacacs+-F4.0.4.19 under Solaris.
>
> I've got users with LOGIN=PAM. I set the password to be expired
> (i.e. I faked out the age in /etc/shadow to be 1000 days, with a max
> age of 60 days). Other subsystems using PAM, i.e. openssh and
> radiusd, do not allow the user to log in; openssh provides a useful
> prompt, while radiusd just fails to allow the login for devices that
> utilize radiusd. But when the user logs in to a device using the
> tac_plus server, the login succeeds.
>
> This seems like a bug.
>
> - Morty
What's in your PAM config for tac_plus? If your config doesn't have a
"password" section, I don't believe it will respect password expiration.
--
Brandon Ewing (nicotine at warningg.com)
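
Before comparing how different PAM consumers react, it helps to confirm that the shadow entry really is past its maximum age. The script below is an added example, not part of either message and not tac_plus code. It classifies shadow-style entries by password age using the test condition described above (1000 days old, max age 60). The account names, the `HASH` placeholder and the rule "expired when age > max" are assumptions.

```shell
#!/bin/sh
# Added example: classify shadow(4)-style entries by password age.
# Field layout: name:hash:lastchg:min:max:warn:inactive:expire:flag
# lastchg is in days since 1970-01-01; min/max/warn are in days.

# shadow_status TODAY_DAYS  (reads shadow lines on stdin)
# Prints one line per entry: "<name> <status> [age=N max=M]"
shadow_status() {
    awk -F: -v today="$1" '
    NF < 5 || /^#/ { next }                      # skip blank/short/comment lines
    {
        name = $1; lastchg = $3; max = $5
        if (lastchg == "")        { print name, "no-aging";      next }
        if (lastchg == 0)         { print name, "must-change";   next }
        if (max == "" || max < 0) { print name, "never-expires"; next }
        age = today - lastchg
        # Assumed rule: the password is expired once its age exceeds max.
        if (age > max) print name, "EXPIRED", "age=" age, "max=" max
        else           print name, "ok",      "age=" age, "max=" max
    }'
}

# Constructed sample entries (not real accounts).
# 15121 is 2011-05-27 expressed in days since the epoch.
SAMPLE='aged:HASH:14121:0:60:7:::
fresh:HASH:15100:0:60:7:::
forced:HASH:0:0:60:7:::
noaging:HASH:::::::'

printf '%s\n' "$SAMPLE" | shadow_status 15121
```

Against a live system, run it as root with the real file on stdin, for example `shadow_status "$(( $(date +%s) / 86400 ))" < /etc/shadow` where `date +%s` is available.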