[tac_plus] Problems getting tac_plus work with PAM auth on NetBSD

Fredrik Pettai pettai at nordu.net
Thu Nov 24 14:53:02 UTC 2011


Hi,

I don't get the PAM authentication going on NetBSD 5. It always rejects the PAM requests.
Ordinary auth from the tac_plus.conf works fine, and the pam conf works fine with, for example, ssh...
I don't see any compilation errors for tacacs-shrubbery either. (compiled from pkgsrc-wip)

Host:

NetBSD guineapig 5.1_RC3 NetBSD 5.1_RC3 (GENERIC) #1: Sun Jul  4 01:38:35 CEST 2010  root at guineapig:/usr/obj/sys/arch/amd64/compile/GENERIC amd64

---

tac_plus conf:

user = tug1 {
    login = PAM
    name = "Training account 1"
    member = staff
    expires = "Dec 17 2011"
}

---

Pam conf:

# $NetBSD: system,v 1.8 2008/03/26 11:31:17 lukem Exp $
#
# System-wide defaults
#

# auth
auth            required        pam_nologin.so  no_warn
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
account         required        pam_login_access.so
account         required        pam_unix.so

# session
session         required        pam_permit.so
#session                required        pam_lastlog.so          no_fail no_nested

# password
password        required        pam_unix.so             no_warn try_first_pass

---

The log (tac_plus running with -d4088):

Nov 24 09:35:15 guineapig tac_plus[22386]: Reading config
Nov 24 09:35:15 guineapig tac_plus[22386]: Version F4.0.4.19 Initialized 1

Nov 24 09:38:52 guineapig tac_plus[1351]: session.peerip is 193.10.255.73
Nov 24 09:38:52 guineapig tac_plus[7542]: connect from 193.10.255.73 [193.10.255.73]
Nov 24 09:38:52 guineapig tac_plus[7542]: Error 193.10.255.73 unknown-port: PAM_PROMPT_ECHO_OFF
Nov 24 09:38:52 guineapig tac_plus[7542]: login query for 'tug1' unknown-port from 193.10.255.73 rejected
Nov 24 09:38:52 guineapig tac_plus[7542]: login failure: tug1 193.10.255.73 (193.10.255.73) unknown-port

Any ideas what might be wrong?
Does the tac_plus server have insufficient credentials running as a non-root user to perform pam lookups?

Regards,
/P
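Added example (not part of the post above, and not tac_plus code): a minimal PAM client that performs the same kind of conversation a TACACS+ daemon does, so the PAM stack can be exercised from the same uid tac_plus runs under, independently of tac_plus. The conversation logic is a pure function, and an unexpected message style yields PAM_CONV_ERR, which is precisely the failure mode behind an "Error ...: PAM_PROMPT_ECHO_OFF" style log line. Assumptions: the ctypes glue targets the Linux-PAM structure layout and the Linux-PAM value of PAM_CONV_ERR (19; OpenPAM on NetBSD uses 6), the service name you pass is the one tac_plus actually registers with PAM (check its source or docs), and the program prints the effective uid so you can compare it with the one the daemon runs as. Caveat: pam_unix needs to read the password hash, which on NetBSD is normally readable only by root, so a non-root run of this tool failing where a root run succeeds points at privileges rather than at tac_plus.

```python
"""Minimal PAM client (illustrative, added example; not from the tac_plus post)."""
import ctypes
import ctypes.util
import getpass
import os
import sys

# Message styles have the same values in Linux-PAM and OpenPAM (NetBSD).
PAM_PROMPT_ECHO_OFF = 1   # password prompt, answered without echo
PAM_PROMPT_ECHO_ON = 2    # e.g. a username prompt
PAM_ERROR_MSG = 3         # informational, no reply expected
PAM_TEXT_INFO = 4         # informational, no reply expected
PAM_SUCCESS = 0
# Return codes differ: Linux-PAM uses 19 for PAM_CONV_ERR, OpenPAM uses 6.
PAM_CONV_ERR = 19         # Linux-PAM value assumed here


def answer_messages(messages, password, username=None):
    """Pure conversation logic, testable without libpam.

    messages: list of (style, prompt_text) pairs as libpam hands them over.
    Returns (retcode, replies); replies[i] is the string for message i or
    None where that style takes no reply.  Any style the client cannot
    answer yields PAM_CONV_ERR, which makes pam_authenticate() fail.
    """
    replies = []
    for style, _text in messages:
        if style == PAM_PROMPT_ECHO_OFF:
            replies.append(password)
        elif style == PAM_PROMPT_ECHO_ON:
            if username is None:
                return PAM_CONV_ERR, []
            replies.append(username)
        elif style in (PAM_ERROR_MSG, PAM_TEXT_INFO):
            replies.append(None)
        else:
            return PAM_CONV_ERR, []
    return PAM_SUCCESS, replies


# ctypes glue to the real libpam (Linux-PAM struct layout assumed)
class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]


class PamResponse(ctypes.Structure):
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]


CONV_FUNC = ctypes.CFUNCTYPE(
    ctypes.c_int, ctypes.c_int,
    ctypes.POINTER(ctypes.POINTER(PamMessage)),
    ctypes.POINTER(ctypes.POINTER(PamResponse)),
    ctypes.c_void_p)


class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]


def pam_authenticate_user(service, username, password):
    """Run pam_start/pam_authenticate/pam_end; return the numeric result."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"))
    libpam = ctypes.CDLL(ctypes.util.find_library("pam"))
    libc.calloc.restype = ctypes.c_void_p
    libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]
    libc.strdup.restype = ctypes.c_void_p
    libc.strdup.argtypes = [ctypes.c_char_p]
    libpam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                                 ctypes.POINTER(PamConv),
                                 ctypes.POINTER(ctypes.c_void_p)]
    libpam.pam_authenticate.argtypes = [ctypes.c_void_p, ctypes.c_int]
    libpam.pam_end.argtypes = [ctypes.c_void_p, ctypes.c_int]

    def conv(num_msg, msg, resp, _appdata):
        # libpam passes an array of pointers to messages; flatten it.
        messages = [(msg[i].contents.msg_style, msg[i].contents.msg)
                    for i in range(num_msg)]
        rc, replies = answer_messages(messages, password, username)
        if rc != PAM_SUCCESS:
            return rc
        # Replies must come from malloc(): libpam frees them itself.
        arr = ctypes.cast(libc.calloc(num_msg, ctypes.sizeof(PamResponse)),
                          ctypes.POINTER(PamResponse))
        for i, reply in enumerate(replies):
            arr[i].resp = libc.strdup(reply.encode()) if reply is not None else None
            arr[i].resp_retcode = 0
        resp[0] = arr
        return PAM_SUCCESS

    callback = CONV_FUNC(conv)          # keep a reference; libpam stores it
    pamconv = PamConv(callback, None)
    handle = ctypes.c_void_p()
    rc = libpam.pam_start(service.encode(), username.encode(),
                          ctypes.byref(pamconv), ctypes.byref(handle))
    if rc != PAM_SUCCESS:
        return rc
    rc = libpam.pam_authenticate(handle, 0)
    libpam.pam_end(handle, rc)
    return rc


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: pamcheck.py <pam-service> <username>")
    print("running as euid %d; compare with the uid tac_plus runs under" % os.geteuid())
    result = pam_authenticate_user(sys.argv[1], sys.argv[2], getpass.getpass("Password: "))
    print("pam_authenticate() returned %d (0 == PAM_SUCCESS)" % result)
```

Run it once as root and once as the daemon's unprivileged user against the same service and account; if only the root run succeeds, the PAM stack itself (pam_unix reading the hash) is the limiting factor, and if both fail, the PAM configuration or service name deserves a closer look before tac_plus does.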


