[tac_plus] Problem with TAC_PLUS and S/Key

heasley heas at shrubbery.net
Wed Jan 16 21:10:30 UTC 2013


Wed, Jan 16, 2013 at 05:19:27PM +0100, Patrick Albert | GIP:
> Hello,
> 
> Like ninjabytes 
> (http://www.shrubbery.net/pipermail/tac_plus/2007-June/000097.html), I 
> have some trouble with "tac_plus with S/Key". Unfortunately, the 
> documentation about "tac_plus and S/Key" isn't really detailed.
> 
> The positive aspect:
> tac_plus 4.0.4.26 works correctly (login on a NAS with cleartext 
> password: Done) and the libskey seems to work as well ("configure [...] 
> --with-skey" and the following "make" without error and the config 
> snippet "login = skey" was accepted while starting tac_plus).
> 
> I use the following config
> 
> user = fred {
>    default service = permit
>    login = skey
>    enable = skey
> }
> 
> My question is now:
> When I try to login as "fred" on my NAS, I see the message "Cannot 
> generate skey prompt for fred" in the tac_plus log file. In my opinion, 
> it's no wonder that this doesn't work because there is no password 

this would be skeychallenge() failing.  iirc, that would include the
challenge number; it's been a while since i've tested this or used skey,
so memory is foggy.

> configured for the user "fred" - and a skey challenge is built on a 
> sequence_no, seed and the user's password, right? The user itself can 
> then calculate the response with the challenge string and its password.

seed?  the password is the OTP, which would be returned after skeychallenge()'s
return was sent to the device for the prompt.  the question is why
skeychallenge() fails.  i'd suspect that it can't open or find the OTP
database.

> So: Where can I enter the user's password for an skey authentication in 
> the tac_plus.conf?
> 
> Thanks in advance for your help,
> 
> Best regards,
> 
> Patrick Albert
> 
> -- 
> 
> Patrick Albert
> __________________
> *GIP Exyr GmbH*
> Hechtsheimer Str. 35-37 | 55131 Mainz
> 
> Tel: +49 (0) 6131 / 80124 - 27 | Fax: +49 (0) 6131 / 80124 - 24
> E-Mail: patrick.albert at gip.com <mailto:patrick.albert at gip.com> | Web: 
> www.gip.com <http://www.gip.com/>
> 
> Geschäftsführer: Dr. Bernd Reifenhäuser, Dr. Alexander Ebbes
> Handelsregister: HRB 6870 - Amtsgericht Mainz
> 