[tac_plus] Need help to authenticate to SSH

Darren Share darren.share at chronos.co.uk
Mon Feb 1 08:40:55 UTC 2016


Hello,

I am currently trying to put myself through a crash course with tac_plus to assist a customer. We sell an NTP server which supports TACACS+ for authentication. The server has a web interface (port 80) and an SSH interface (port 22). A relatively default tac_plus installation on a Debian server is allowing us to log in to the web interface but the SSH login (with the same user) is getting rejected. According to the manufacturer the SSH login is not supported with TACACS+ but I'm convinced it should be able to work as I can see the NTP server is sending requests to the TACACS+ server when we attempt to log in.

This is the current tac_plus.conf that works with the web login (user "support" is an existing user on the Debian system):

accounting file = /var/log/tac_plus.acct
key = testing123

user = DEFAULT {
login = PAM
service = ppp protocol = ip {}
}

group = netadmin {
default service = permit
login = file /etc/passwd
service = exec {}
}

user = support {
member = netadmin
}

If I enable debugging on tac_plus (tac_plus -C /etc/tacacs+/tac_plus.conf  -g -d 256) this is what I get with a successful web login:

Reading config
Version F4.0.4.19 Initialized 1
tac_plus server F4.0.4.19 starting
uid=0 euid=0 gid=0 egid=0 s=4
session request from 172.31.100.88 sock=5
connect from 172.31.100.88 [172.31.100.88]
Waiting for packet
Read AUTHEN/START size=48
validation request from 172.31.100.88
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 1, flags 0x1
session_id 363537244 (0x15ab235c), Data length 36 (0x24)
End header
type=AUTHEN/START, priv_lvl = 0
action=login
authen_type=ascii
service=ppp
user_len=7 port_len=7 (0x7), rem_addr_len=7 (0x7)
data_len=7
User:
support
port:
unknown
rem_addr:
unknown
data:
Supp0rt
End packet
Authen Start request
choose_authen chose default_fn
Calling authentication function
Writing AUTHEN/GETPASS size=28
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 2, flags 0x1
session_id 363537244 (0x15ab235c), Data length 16 (0x10)
End header
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=10, data_len=0
msg:
Password:
data:
End packet
Waiting for packet
Read AUTHEN/CONT size=24
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 3, flags 0x1
session_id 363537244 (0x15ab235c), Data length 12 (0xc)
End header
type=AUTHEN/CONT
user_msg_len 7 (0x7), user_data_len 0 (0x0)
flags=0x0
User msg:
Supp0rt
User data:
End packet
login query for 'support' unknown from 172.31.100.88 accepted
Writing AUTHEN/SUCCEED size=18
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 4, flags 0x1
session_id 363537244 (0x15ab235c), Data length 6 (0x6)
End header
type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
msg_len=0, data_len=0
msg:
data:
End packet
172.31.100.88: disconnect

And this is what I get with a failed ssh login:

Reading config
Version F4.0.4.19 Initialized 1
tac_plus server F4.0.4.19 starting
uid=0 euid=0 gid=0 egid=0 s=4
session request from 172.31.100.88 sock=5
connect from 172.31.100.88 [172.31.100.88]
Waiting for packet
Read AUTHEN/START size=54
validation request from 172.31.100.88
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 1, flags 0x1
session_id 1969877126 (0x7569f086), Data length 42 (0x2a)
End header
type=AUTHEN/START, priv_lvl = 0
action=login
authen_type=ascii
service=ppp
user_len=7 port_len=3 (0x3), rem_addr_len=11 (0xb)
data_len=13
User:
support
port:
ssh
rem_addr:
172.31.2.22
data:
0x8  0xa
End packet
Authen Start request
choose_authen chose default_fn
Calling authentication function
Writing AUTHEN/GETPASS size=28
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 2, flags 0x1
session_id 1969877126 (0x7569f086), Data length 16 (0x10)
End header
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=10, data_len=0
msg:
Password:
data:
End packet
Waiting for packet
Read AUTHEN/CONT size=30
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 3, flags 0x1
session_id 1969877126 (0x7569f086), Data length 18 (0x12)
End header
type=AUTHEN/CONT
user_msg_len 13 (0xd), user_data_len 0 (0x0)
flags=0x0
User msg:
0x8  0xa
User data:
End packet
login query for 'support' ssh from 172.31.100.88 rejected
login failure: support 172.31.100.88 (172.31.100.88) ssh
Writing AUTHEN/FAIL size=18
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 4, flags 0x1
session_id 1969877126 (0x7569f086), Data length 6 (0x6)
End header
type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
msg_len=0, data_len=0
msg:
data:
End packet
172.31.100.88: disconnect

The main difference I can see is "port: unknown" versus "port: ssh". I feel like there should be something I can set in tac_plus.conf to enable this. I've tried this with no joy:

group = netadmin {
default service = permit
login = file /etc/passwd
service = exec {}
service = ppp protocol = ip {
port = 22
}
}

Can anyone offer any suggestions?

Many thanks.

PS: The TACACS+ config on the NTP server itself is very simple. It's just a field for the IP address of the TACACS+ server and one for the shared secret.


Regards,

Darren Share
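As an added illustration (not code from the post or from the tac_plus project), the Python below encodes and decodes the TACACS+ authentication START packet whose fields the two debug dumps above print: the 12-byte header (version, type, seq_no, flags, session_id, length) and the START body (action, priv_lvl, authen_type, service, four length bytes, then user, port, rem_addr, data), laid out as RFC 8907 describes, together with the MD5 pseudo-pad obfuscation that the shared key drives. The field values are copied from the successful web-login dump and the key is the testing123 from the posted tac_plus.conf; the constants for version 0xc0, type 1, login/ascii/ppp and the unencrypted flag are the RFC's. Nothing here touches the network.

```python
"""Encode and decode TACACS+ authentication START packets (RFC 8907 layout).

Added example, not code from the post or from the tac_plus project. The
field values used below are copied from the web-login dump in the post and
the shared key is the 'testing123' from its tac_plus.conf; nothing here
touches the network.
"""
import hashlib
import struct

HEADER_FMT = "!BBBBII"         # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)            # 12 bytes
START_FIXED_FMT = "!BBBBBBBB"  # action, priv_lvl, authen_type, service, 4 lengths
TAC_PLUS_AUTHEN = 1            # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01

KEY = b"testing123"            # shared secret from the post's tac_plus.conf
# Fields printed for the successful web login (session 0x15ab235c in the dump)
WEB_START = dict(session_id=0x15AB235C, user=b"support", port=b"unknown",
                 rem_addr=b"unknown", data=b"Supp0rt")


def start_body_length(user_len, port_len, rem_addr_len, data_len):
    """Body length the header's length field must carry for a START packet."""
    return struct.calcsize(START_FIXED_FMT) + user_len + port_len + rem_addr_len + data_len


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 keystream: MD5 over session_id, key, version and
    seq_no, each further block chained with the previous digest."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, user, port, rem_addr, data, key=None, seq_no=1,
                       version=0xC0, action=1, priv_lvl=0, authen_type=1, service=3):
    """Return header + body. With a key the body is obfuscated; without one it
    goes in clear and the unencrypted flag is set. Defaults mirror the dump:
    version 0xc0, action login (1), authen_type ascii (1), service ppp (3)."""
    body = struct.pack(START_FIXED_FMT, action, priv_lvl, authen_type, service,
                       len(user), len(port), len(rem_addr), len(data))
    body += user + port + rem_addr + data
    flags = 0
    if key is None:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
    else:
        body = obfuscate(body, session_id, key, version, seq_no)
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + body


def parse_authen_start(pkt, key=None):
    """Decode a START packet into a dict; reject inconsistent lengths."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, pkt[:HEADER_LEN])
    body = pkt[HEADER_LEN:]
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet: type %d" % ptype)
    if len(body) != length:
        raise ValueError("header length %d, body has %d bytes" % (length, len(body)))
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if key is None:
            raise ValueError("body is obfuscated but no key was supplied")
        body = obfuscate(body, session_id, key, version, seq_no)
    fixed = struct.unpack(START_FIXED_FMT, body[:8])
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = fixed
    if start_body_length(ulen, plen, rlen, dlen) != length:
        # A wrong key shows up here: the de-obfuscated length bytes are garbage.
        raise ValueError("string length fields do not add up to the body length")
    fields = {"version": version, "seq_no": seq_no, "session_id": session_id,
              "length": length, "action": action, "priv_lvl": priv_lvl,
              "authen_type": authen_type, "service": service}
    off = 8
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen), ("data", dlen)):
        fields[name] = body[off:off + n]
        off += n
    return fields


if __name__ == "__main__":
    wire = build_authen_start(key=KEY, **WEB_START)
    print("size=%d (header %d + body %d)" % (len(wire), HEADER_LEN, len(wire) - HEADER_LEN))
    for k, v in parse_authen_start(wire, key=KEY).items():
        print("%-12s %r" % (k, v))
    # The ssh dump reports user_len=7 port_len=3 rem_addr_len=11 data_len=13:
    print("ssh START body length:", start_body_length(7, 3, 11, 13))
```

Run as a script it reproduces the numbers in the web trace: 8 fixed bytes plus 7+7+7+7 give "Data length 36", and with the 12-byte header "size=48"; the same arithmetic on the ssh dump's lengths (7, 3, 11, 13) gives 42 and 54. Two things the dumps make worth keeping in mind: at -d 256 tac_plus writes the de-obfuscated body, password included (the Supp0rt in data and User msg), to the debug output, so those logs are secrets in their own right; and the RFC 8907 obfuscation is an MD5 keystream keyed by a static shared secret, not authenticated encryption, so the NTP-server-to-tac_plus path belongs on a trusted management network.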



