[tac_plus] tac_plus and PAM

Tucker Jones ttjones2013 at hotmail.com
Sun Dec 29 00:21:48 UTC 2013


So it sounds like I can just use pam_tally2 instead? When I used that I was able to authenticate, but each time a person logged in successfully via TACACS using pam_tally2, it was counting each of my logins as failed, and my user was being locked out after a period of time. Any thoughts on what I may have done wrong to have pam_tally2 track the login as failed though it was allowing the user to log in and work?

> Date: Sat, 28 Dec 2013 14:37:56 -0800
> From: krux at thcnet.net
> To: ttjones2013 at hotmail.com
> CC: heas at shrubbery.net; tac_plus at shrubbery.net
> Subject: Re: [tac_plus] tac_plus and PAM
> 
> > Please excuse my newbie questions. To utilize PAM do I need to use the
> > pam_tacplus module? I currently was only using pam_tally2 but after looking
> 
> No, I think that's a module to have PAM use TACACS+ for authentication.
> You'll have to create a tac_plus pam config file under /etc/pam.d.  A quick
> and easy way to do so is to "cp /etc/pam.d/ssh /etc/pam.d/tac_plus" which
> would copy the same method of authentication for SSH as for TACACS.  Of course
> you can tweak the authentication settings for PAM so it does something
> different for tac_plus.  For example, our system uses Kerberos for ssh, but
> for TACACS authentication, we want it to use RSA for two factor
> authentication.
> 
> perl -e 's==UBER?=+y[:-o]}(;->\n{q-yp-y+k}?print:??;-p#)'
> 
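
Added example, not part of the original messages: pam_tally2 increments its counter in the auth phase and clears it only when the application later calls pam_setcred or when pam_tally2 is also listed in the account stack, so a service file with only the auth line can lock out users who log in successfully. The check below inspects one PAM service file for that pattern; the function name, the sample file and its option values are constructed for illustration, and whether tac_plus calls the account phase is an assumption the thread does not confirm.

```shell
#!/bin/sh
# Added example (not from the thread): lint one PAM service file for a
# pam_tally2 "auth" line that has no matching "account" line.
# Returns 0 = no problem seen, 1 = counts but never resets here, 2 = unreadable.
check_tally_reset() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    # Strip comments and blank lines so disabled entries are ignored.
    active=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file")

    # grep -c exits non-zero on a zero count, hence the "|| true".
    auth_n=$(printf '%s\n' "$active" |
        grep -Ec '^[[:space:]]*-?auth[[:space:]].*pam_tally2\.so' || true)
    acct_n=$(printf '%s\n' "$active" |
        grep -Ec '^[[:space:]]*-?account[[:space:]].*pam_tally2\.so' || true)

    # Stacks pulled in from other files are not followed; flag them instead.
    if printf '%s\n' "$active" |
        grep -Eq '^[[:space:]]*@include|[[:space:]](include|substack)[[:space:]]'; then
        echo "note: $file includes other stacks; check those files too"
    fi

    if [ "$auth_n" -gt 0 ] && [ "$acct_n" -eq 0 ]; then
        echo "WARN: $file increments pam_tally2 in auth but has no account line"
        return 1
    fi
    echo "ok: $file"
    return 0
}

# Constructed sample: counts attempts in auth, no account-phase reset.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth     required  pam_tally2.so deny=5 unlock_time=900
auth     required  pam_unix.so
account  required  pam_unix.so
EOF
check_tally_reset "$sample" || echo "candidate fix: account required pam_tally2.so"
rm -f "$sample"
```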