[tac_plus] Extend "default authentication" using "PAM"

Daniel Schmidt daniel.schmidt at wyo.gov
Mon Nov 4 23:28:11 UTC 2013


Ah, yes, I remember this.  I tried to fix it once and failed miserably
because I'm not any good at C.

Can you hard set the priv_lvl to 15 on an ASA line the way you can on a
router?  Seriously, why does an ASA even have a disable - it's useless.


On Sun, Nov 3, 2013 at 11:13 AM, <krux at thcnet.net> wrote:

> I know under tac_plus you can set up per user enable authentication "enable = "
> But setting it to PAM isn't an option.  You're stuck with DES, cleartext, or a
> file.  Cisco ASAs are really only where this is a problem, since they
> don't let you set the privilege level (by design) from TACACS.
>
> Of course you have your value in is it really any more secure if you have to
> enter your PAM password twice?  At that point you could just specify "enable =
> nopassword", since you've already proven who you are once.
>
> > Does enable even send a username?
> >
> >
> > On Thu, Oct 31, 2013 at 7:02 PM, Kouhei Maeda <mkouhei at gmail.com> wrote:
> >
> > > > 2013/11/1 Brandon Ewing <nicotine at warningg.com>:
> > > > On Thu, Oct 31, 2013 at 02:10:52AM +0900, Kouhei Maeda wrote:
> > > >> Hi,
> > > >>
> > > >> I customised tacplus related "default authentication" top level
> > > >> directive to enable to use PAM.
> > > >>
> > > >
> > > > > Does this patch cover enable authentication as well?  Cisco ASA doesn't
> > > > > like privilege assignment from TACACS, IIRC.
> > >
> > > > I have understood your question that the "enable authentication" is the
> > > > authentication when changing to enable mode.
> > > > If so, it is No.
> > > > My patch covers the authentication of login network devices, etc. only.
> > > > That does not support changing to enable mode.
> > > >
> > > > Best regards,
> > > --
> > > Kouhei Maeda <mkouhei at gmail.com | palmtb.net>
> > >  KeyID 4096R/7E37CE41
> > >
> > >
> > > _______________________________________________
> > > tac_plus mailing list
> > > tac_plus at shrubbery.net
> > > http://www.shrubbery.net/mailman/listinfo/tac_plus
> > >
> >
> >
> > E-Mail to and from me, in connection with the transaction
> > of public business, is subject to the Wyoming Public Records
> > Act and may be disclosed to third parties.
>
> perl -e 's==UBER?=+y[:-o]}(;->\n{q-yp-y+k}?print:??;-p#)'
>
>


E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.