From liquidbreeze1 at gmail.com Mon Oct 1 17:09:50 2012
From: liquidbreeze1 at gmail.com (Ryan Johnson)
Date: Mon, 1 Oct 2012 13:09:50 -0400
Subject: [tac_plus] Ipv6 working config in F4.0.4.26
Message-ID:

Hi,

Great product. How do I get tac_plus to listen on IPv6 addresses? By default it does not. In older versions of the tac_plus.conf one could use the listen statement, but those seem to be deprecated? I have also tried to use the id = statement, but that does not work in this version.

Any advice?

Thanks,
Ryan

From antonio.ojea.garcia at gmail.com Mon Oct 1 19:04:07 2012
From: antonio.ojea.garcia at gmail.com (Antonio Ojea Garcia)
Date: Mon, 1 Oct 2012 21:04:07 +0200
Subject: [tac_plus] Tac_plus integration with LDAP (Suse issues)
In-Reply-To:
References:
Message-ID:

Have you compiled it with PAM support?
Do the /lib64/security/pam_ldap.so and /lib64/security/pam_unix2.so files exist?

Thanks

2012/9/14 Javier Sánchez Romero

> Hi there!
>
> I'm a newbie with PAM and I'm trying to integrate TACACS+ with an LDAP
> server. I've followed the great shrubbery tutorials for a Red Hat
> installation, but I need this integration in a Suse environment.
>
> When I check /var/log/messages I can see several issues about PAM, but
> these issues are related to libraries installed in the system. I don't
> know why the libraries are not found.
>
> /var/log/messages
> Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM unable to dlopen(/lib64/security/pam_ldap.so): /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /lib64/libnsl.so.1)
> Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM adding faulty module: /lib64/security/pam_ldap.so
> Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM unable to dlopen(/lib64/security/pam_unix2.so): /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /lib64/libnsl.so.1)
> Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM adding faulty module: /lib64/security/pam_unix2.so
> Sep 14 17:00:01 /usr/sbin/cron[30615]: Module is unknown
>
> This is my scenario:
>
> Suse 11 64 bits
> Modules installed: pam modules (devel, local, ldap, krb5 and 32 bits),
> nss_ldap, openldap, glibc and sasl. And the rest of the system packages
>
> /etc/pam.d/tac_plus
> ----------------------------
> auth required pam_env.so debug
> auth sufficient pam_unix.so nullok try_first_pass debug
> auth requisite pam_succeed_if.so uid >= 500 quiet debug
> auth sufficient pam_ldap.so use_first_pass debug
> auth required pam_deny.so debug
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>
> /etc/nsswitch.conf
> --------------------------
> passwd: files ldap
> group: files ldap
> shadow: files ldap
>
> hosts: files dns
> networks: files
>
> services: db files
> protocols: db files
> rpc: db files
> ethers: db files
> netmasks: files
> netgroup: nis
> publickey: files
>
> bootparams: files
> automount: files nis
> aliases: files
>
> /etc/ldap.conf
> --------------------
> host x.x.x.x
> base dc=x,dc=x,dc=x
> ldap_version 3
> binddn xxxx at x.x
> bindpw xxx
> port 389
>
> nss_base_passwd OU=xx,?sub
> nss_base_shadow OU=xx,?sub
>
> nss_map_objectclass posixAccount User
> nss_map_objectclass shadowAccount User
>
> nss_map_attribute uid sAMAccountName
> nss_map_attribute userPassword msSFUPassword
>
> nss_map_attribute homeDirectory msSFUHomeDirectory
> nss_map_objectclass posixGroup Group
> nss_map_attribute uniqueMember member
> nss_map_attribute cn sAMAccountName
> pam_login_attribute sAMAccountName
>
> pam_filter objectclass=user
> pam_password ad
>
> /lib/security
> -----------------
> pam_access.so pam_exec.so pam_krb5 pam_mail.so
> pam_permit.so pam_shells.so pam_tty_audit.so pam_userdb.so
> pam_ck_connector.so pam_faildelay.so pam_krb5.so pam_make.so
> pam_pwcheck.so pam_smbpass.so pam_umask.so pam_warn.so
> pam_cracklib.so pam_filter.so pam_krb5afs.so pam_mkhomedir.so
> pam_pwhistory.so pam_stress.so pam_unix.so pam_wheel.so
> pam_cryptpass.so pam_ftp.so pam_lastlog.so pam_motd.so
> pam_rhosts.so pam_succeed_if.so pam_unix2.so pam_xauth.so
> pam_debug.so pam_group.so pam_limits.so pam_mount.so
> pam_rootok.so pam_tally.so pam_unix_acct.so
> pam_deny.so pam_homecheck.so pam_listfile.so pam_namespace.so
> pam_securetty.so pam_tally2.so pam_unix_auth.so
> pam_echo.so pam_issue.so pam_localuser.so pam_nologin.so
> pam_selinux.so pam_time.so pam_unix_passwd.so
> pam_env.so pam_keyinit.so pam_loginuid.so pam_opie.so
> pam_sepermit.so pam_timestamp.so pam_unix_session.so
>
> /lib64/security
> --------------------
> pam_access.so pam_exec.so pam_keyinit.so pam_localuser.so
> pam_nologin.so pam_securetty.so pam_tally2.so pam_unix_auth.so
> pam_ck_connector.so pam_faildelay.so pam_krb5 pam_loginuid.so
> pam_opie.so pam_selinux.so pam_time.so pam_unix_passwd.so
> pam_cracklib.so pam_filter pam_krb5.so pam_mail.so
> pam_permit.so pam_sepermit.so pam_timestamp.so pam_unix_session.so
> pam_cryptpass.so pam_filter.so pam_krb5afs.so pam_make.so
> pam_pwcheck.so pam_shells.so pam_tty_audit.so pam_userdb.so
> pam_debug.so pam_ftp.so pam_lastlog.so pam_mkhomedir.so
> pam_pwhistory.so pam_smbpass.so pam_umask.so pam_warn.so
> pam_deny.so pam_group.so pam_ldap.so pam_motd.so
> pam_rhosts.so pam_stress.so pam_unix.so pam_wheel.so
> pam_echo.so pam_homecheck.so pam_limits.so pam_mount.so
> pam_rootok.so pam_succeed_if.so pam_unix2.so pam_xauth.so
> pam_env.so pam_issue.so pam_listfile.so pam_namespace.so
> pam_rpasswd.so pam_tally.so pam_unix_acct.so
>
> Anybody have a solution for this?
> Thanks a lot in advance
>
> Kind regards
> Javi
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From heas at shrubbery.net Tue Oct 2 14:00:06 2012
From: heas at shrubbery.net (heasley)
Date: Tue, 2 Oct 2012 14:00:06 +0000
Subject: [tac_plus] Ipv6 working config in F4.0.4.26
In-Reply-To:
References:
Message-ID: <20121002140006.GB86934@shrubbery.net>

Mon, Oct 01, 2012 at 01:09:50PM -0400, Ryan Johnson:
> Hi,
>
> Great product. How do I get tac_plus to listen on ipv6 addresses, by
> default it does not.

This remains to be coded.

> In older versions of the tac_plus.conf one could use the listen statement,
> but those seem to be deprecated?

There is a -B cmd-line option.

> I have also tried to use the id = statement, but that does not work in this
> version.
>
> Any advice?
>
> Thanks,
> Ryan

From philippe.joyez at renault.com Wed Oct 17 16:06:32 2012
From: philippe.joyez at renault.com (JOYEZ Philippe)
Date: Wed, 17 Oct 2012 18:06:32 +0200
Subject: [tac_plus] Tacacs+ and PAM
Message-ID:

Hello,

I'm trying to implement PAM authentication on a tacacs+ (F4.0.4.26) without success. Maybe I'm using the wrong approach, but I am trying to implement a solution to forward tacacs authentication requests to a backend radius server (we use radius OTP), and then I don't want to create users on my Unix server hosting the tacacs service.

My tacacs.conf file is:
--------------------------
user = DEFAULT {
    login = PAM
}

host = 10.228.69.201 {
    key="testing123"
}
--------------------------

And my /etc/pam.d/tac_plus is:
--------------------------
auth required pam_radius_auth.so
account required pam_permit.so

It seems that the "user = DEFAULT" is not valid for authentication, as when I declare my user the authentication is successful.

Is there any mistake in my configuration?

Kind regards, Best regards

Philippe JOYEZ
DSIR/DPAI/DSMI
API : FR EQV NOV 3 52
13 Avenue Paul Langevin
92359 Le Plessis Robinson CEDEX
Tel. : +33 (0) 1 76 84 59 41 - Mob. : +33 (0) 6 26 12 67 33
(www.renault.com)

From acassidy at telekenex.com Fri Oct 19 21:07:36 2012
From: acassidy at telekenex.com (Andrew Cassidy)
Date: Fri, 19 Oct 2012 14:07:36 -0700
Subject: [tac_plus] tac plus and ipv6 server support
Message-ID: <5081C118.8050906@telekenex.com>

Hello,

I have been happily using tac_plus for some time, but recently we have been running down our list of management access software that is IPv6 capable, and tac_plus does not seem to be one of them. Please let me know if I am incorrect, but googling around and poking through the source does not show v6 server support. Do you know if this is a planned feature?

Thanks,
-Andrew

From geeln at tdc.dk Wed Oct 31 14:24:35 2012
From: geeln at tdc.dk (Gert Elnegaard)
Date: Wed, 31 Oct 2012 15:24:35 +0100
Subject: [tac_plus] accounting to syslog. tac_plus F4.0.4.19
Message-ID: <92436F119105D340B00C0E74C0D5401B04D49ACA@VESTMB402A.tdk.dk>

Hi,

tac_plus version F4.0.4.19, so sending accounting to syslog should be supported.
Running on FreeBSD 8.3-RELEASE-p4, having the following config:

accounting syslog;
accounting file = /var/log/tac_plus.acct
logging = local6

and syslogd.conf:

local6.* /var/log/tac_plus.log

Accounting logs go OK to /var/log/tac_plus.acct. We have used that for many years.

And I see, for example, the following types of messages in /var/log/tac_plus.log:

Oct 31 14:15:02 login20 tac_plus[23136]: connect from 62.135.173.4 [62.135.173.4]

So basic syslogging from tac_plus to the syslog local6 facility works OK, but I do not get any accounting records in tac_plus.log.

I would like to see command accounting logs in tac_plus.log, similar to those we see in tac_plus.acct:

Wed Oct 31 14:18:55 2012 213.236.195.47 nothowan ttyp1 195.249.15.10 stop task_id=1 service=shell elapsed_time=3606 process*mgd[27460] cmd=logout

Do you have any idea what the problem is?

Regards
Gert Elnegaard
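The accounting record Gert quotes has a fixed layout: timestamp, the address of the device that sent the record, user, port, the address the user came from, a start/stop flag, and then TACACS+ attribute-value pairs, where attr=value is a mandatory pair and attr*value an optional one (hence process*mgd[27460]). Whether or not the records also reach syslog, the file on disk is what an operator reviews after the fact. The following is an added example, not part of the list thread and not tac_plus's own code: a parser for that record layout plus a small review pass over the parsed records (commands matching a watch list, and session start/stop pairing by task_id). The sample log lines, the WATCH_PATTERNS list, the user name and the 192.0.2.x / 198.51.100.x addresses are constructed for the example; the parser accepts both tab-separated fields (as tac_plus normally writes them) and the whitespace-flattened form seen in the quoted copy.

```python
"""Parse tac_plus accounting records and run a small review over them.
Added example, not tac_plus code."""
import re
from dataclasses import dataclass, field

# Constructed sample log (not taken from the post).  The first three lines are
# tab-separated as tac_plus writes them; the last is whitespace-flattened like
# the record quoted on the list, so both forms are exercised.
SAMPLE_ACCT = (
    "Wed Oct 31 14:17:55 2012\t192.0.2.10\talice\tttyp1\t198.51.100.7\tstart\t"
    "task_id=1\tservice=shell\n"
    "Wed Oct 31 14:18:02 2012\t192.0.2.10\talice\tttyp1\t198.51.100.7\tstop\t"
    "task_id=2\tservice=shell\tpriv-lvl=15\tcmd=show running-config\n"
    "Wed Oct 31 14:18:40 2012\t192.0.2.10\talice\tttyp1\t198.51.100.7\tstop\t"
    "task_id=3\tservice=shell\tpriv-lvl=15\tcmd=delete flash:config.bak\n"
    "Wed Oct 31 14:18:55 2012 192.0.2.10 alice ttyp1 198.51.100.7 stop "
    "task_id=1 service=shell elapsed_time=3606 process*mgd[27460] cmd=logout\n"
)

# attr=value is a mandatory TACACS+ AV pair, attr*value an optional one.
AV_PAIR = re.compile(r"^([A-Za-z0-9_\-]+)([=*])(.*)$", re.S)
# For whitespace-flattened lines: split only where the next token looks like
# a new AV pair, so values containing spaces ("show running-config") stay whole.
AV_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_\-]+[=*])")


@dataclass
class AcctRecord:
    timestamp: str
    nas: str      # address of the device that sent the record
    user: str
    port: str
    remote: str   # address the user connected from
    flag: str     # start / stop / update
    attrs: dict = field(default_factory=dict)
    optional: set = field(default_factory=set)  # keys sent as optional (attr*value)


def parse_record(line):
    """Parse one accounting line; raise ValueError on anything malformed."""
    line = line.rstrip("\n")
    if "\t" in line:
        fields = line.split("\t")
        head, avs = fields[:6], fields[6:]
    else:
        tokens = line.split(None, 10)  # the timestamp is five tokens
        if len(tokens) < 10:
            raise ValueError("short record: %r" % line)
        head = [" ".join(tokens[:5])] + tokens[5:10]
        avs = AV_SPLIT.split(tokens[10]) if len(tokens) > 10 else []
    if len(head) != 6:
        raise ValueError("short record: %r" % line)
    rec = AcctRecord(*head)
    for av in avs:
        m = AV_PAIR.match(av)
        if not m:
            raise ValueError("bad AV pair %r in %r" % (av, line))
        key, sep, value = m.groups()
        rec.attrs[key] = value
        if sep == "*":
            rec.optional.add(key)
    return rec


def parse_acct(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]


# Commands a reviewer wants surfaced; constructed list for the example.
WATCH_PATTERNS = [re.compile(p) for p in (r"^delete\b", r"^clear\b", r"^(no )?aaa\b")]


def flag_commands(records, patterns=WATCH_PATTERNS):
    """Return (timestamp, user, nas, cmd) for command-accounting stops that match."""
    hits = []
    for r in records:
        cmd = r.attrs.get("cmd")
        if r.flag == "stop" and cmd and any(p.search(cmd) for p in patterns):
            hits.append((r.timestamp, r.user, r.nas, cmd))
    return hits


def session_summary(records):
    """Pair session start/stop records by (nas, port, task_id) with elapsed seconds."""
    sessions = {}
    for r in records:
        if r.flag != "start" and "elapsed_time" not in r.attrs:
            continue  # per-command stop records carry no session timing
        key = (r.nas, r.port, r.attrs.get("task_id"))
        s = sessions.setdefault(key, {"user": r.user, "start": None, "elapsed": None})
        if r.flag == "start":
            s["start"] = r.timestamp
        else:
            s["elapsed"] = int(r.attrs["elapsed_time"])
    return sessions


if __name__ == "__main__":
    recs = parse_acct(SAMPLE_ACCT)
    for hit in flag_commands(recs):
        print("REVIEW", hit)
    for key, s in session_summary(recs).items():
        print("SESSION", key, s)
```

Run it as a script to see the watch-list hit and the paired session; to use it on a real file, feed the file's text to parse_acct. Anything that does not parse raises ValueError rather than being silently skipped, so truncated or tampered records show up instead of disappearing from the review.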