[tac_plus] Extend "default authentication" using "PAM"

krux at thcnet.net
Sun Nov 3 18:13:39 UTC 2013


I know under tac_plus you can set up per-user enable authentication "enable = ".
But setting it to PAM isn't an option.  You're stuck with DES, cleartext, or a
file.  Cisco ASAs are really only where this is a problem, since they
don't let you set the privilege level (by design) from TACACS.

Of course you have your value in is it really any more secure if you have to
enter your PAM password twice?  At that point you could just specify "enable =
nopassword", since you've already proven who you are once.

> Does enable even send a username?
>
>
> On Thu, Oct 31, 2013 at 7:02 PM, Kouhei Maeda <mkouhei at gmail.com> wrote:
>
> > 2013/11/1 Brandon Ewing <nicotine at warningg.com>:
> > > On Thu, Oct 31, 2013 at 02:10:52AM +0900, Kouhei Maeda wrote:
> > >> Hi,
> > >>
> > >> I customised the tacplus-related "default authentication" top-level
> > >> directive to enable the use of PAM.
> > >>
> > >
> > > Does this patch cover enable authentication as well?  Cisco ASA doesn't like
> > > privilege assignment from TACACS, IIRC.
> >
> > I understood your question to mean that "enable authentication" is the
> > authentication when changing to enable mode.
> > If so, the answer is no.
> > My patch covers only the authentication for logging in to network devices, etc.
> > It does not support changing to enable mode.
> >
> > Best regards,
> > --
> > Kouhei Maeda <mkouhei at gmail.com | palmtb.net>
> >  KeyID 4096R/7E37CE41
> >
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo/tac_plus
> >
>
>
> E-Mail to and from me, in connection with the transaction
> of public business, is subject to the Wyoming Public Records
> Act and may be disclosed to third parties.

perl -e 's==UBER?=+y[:-o]}(;->\n{q-yp-y+k}?print:??;-p#)'


