[tac_plus] tac_plus and PAM
heasley
heas at shrubbery.net
Sun Dec 29 16:10:50 UTC 2013
Sat, Dec 28, 2013 at 07:21:48PM -0500, Tucker Jones:
> So it sounds like I can just use the pam_tally2 instead? When I used that I was able to authenticate, but each time a person logged in successfully via tacacs using pam_tally2, it was counting each of my logins as failed and my user was being locked out after a period of time. Any thoughts on what I may have done wrong to have pam_tally2 track the login as failed though it was allowing the user to log in and work?
no - have you read the manuals for pam and pam_tally2? pam_tally provides
a function - one piece of the authentication task, an optional piece that
is not needed. remove it and your tacacs auth through pam should work.
why pam_tally2 is failing for you, i do not know. possibly a bug, a missing
PAM prerequisite, missing file, permissions problem? pam offers debugging
options, enable them and figure out the cause.
> > Date: Sat, 28 Dec 2013 14:37:56 -0800
> > From: krux at thcnet.net
> > To: ttjones2013 at hotmail.com
> > CC: heas at shrubbery.net; tac_plus at shrubbery.net
> > Subject: Re: [tac_plus] tac_plus and PAM
> >
> > > Please excuse my newbie questions. To utilize PAM do I need to use the
> > > pam_tacplus module? I currently was only using pam_tally2 but after looking
> >
> > No, I think that's a module to have PAM use TACACS+ for authentication.
> > You'll have to create a tac_plus pam config file under /etc/pam.d. A quick
> > and easy way to do so is to "cp /etc/pam.d/ssh /etc/pam.d/tac_plus" which
> > would copy the same method of authentication for SSH as for TACACS. Of course
> > you can tweak the authentication settings for PAM so it does something
> > different for tac_plus. For example, our system uses Kerberos for ssh, but
> > for TACACS authentication, we want it to use RSA for two factor
> > authentication.
> >
> > perl -e 's==UBER?=+y[:-o]}(;->\n{q-yp-y+k}?print:??;-p#)'
> >
>
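
One documented cause of the symptom described in the thread, shown as an added example that is not from any poster or from tac_plus: per pam_tally2(8), the auth line increments the counter on every attempt and the reset happens in pam_setcred() or in an optional account line, so a service that never calls pam_setcred() needs the account line. The Python check below flags a /etc/pam.d service file that has the auth line but no account line; the sample stacks are constructed, and whether tac_plus calls pam_setcred() is an assumption, not something the thread states.

```python
import os

# Constructed sample of /etc/pam.d/tac_plus: tally in auth only, never reset.
BROKEN = """\
auth     required   pam_tally2.so deny=5 unlock_time=900
auth     required   pam_unix.so
account  required   pam_unix.so
"""
# Same stack plus the account-phase line that pam_tally2(8) describes for
# services that do not call pam_setcred().
FIXED = BROKEN + "account  required   pam_tally2.so\n"


def parse_pam(text):
    """Return [(type, control, module, args)] for a pam.d service file."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@"):  # blank, comment, Debian @include
            continue
        fields = line.lstrip("-").split()
        if len(fields) < 3:
            continue
        ptype, rest = fields[0].lower(), fields[1:]
        if rest[0].startswith("["):  # bracketed control: [success=1 default=ignore]
            end = next((i for i, f in enumerate(rest) if f.endswith("]")), 0)
            control, rest = " ".join(rest[: end + 1]), rest[end + 1:]
        else:
            control, rest = rest[0], rest[1:]
        if rest:
            rules.append((ptype, control, os.path.basename(rest[0]), rest[1:]))
    return rules


def tally2_findings(text):
    """Flag a stack where pam_tally2 counts attempts but has no account line."""
    phases = {t for t, _, mod, _ in parse_pam(text) if mod == "pam_tally2.so"}
    findings = []
    if "auth" in phases and "account" not in phases:
        findings.append("pam_tally2.so in auth without an account line: the count "
                        "is only reset if the service calls pam_setcred()")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, tally2_findings(cfg) or "ok")
```

The check does not follow `include` or `@include` lines, so run it against each file the service stack pulls in.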