[tac_plus] Need help to authenticate to SSH
Darren Share
darren.share at chronos.co.uk
Mon Feb 1 18:18:54 UTC 2016
Hello,
I am currently trying to put myself through a crash course with tac_plus to
assist a customer. We sell an NTP server which supports TACACS+ for
authentication. The server has a web interface (port 80) and an SSH interface
(port 22). A relatively default tac_plus installation on a Debian server is
allowing us to log in to the web interface but the SSH login (with the same
user) is getting rejected. According to the manufacturer the SSH login is not
supported with TACACS+ but I'm convinced it should be able to work as I can see
the NTP server is sending requests to the TACACS+ server when we attempt to log
in.
I've attached the current tac_plus.conf that works with the web login (user
"support" is an existing user on the Debian system).
If I enable debugging on tac_plus (tac_plus -C /etc/tacacs+/tac_plus.conf -g
-d 256) with a successful web login I get the attached web.txt and with a
failed ssh login I get the attached ssh.txt.
The main difference I can see being the "port: unknown" and "port: ssh". I feel
like there should be something I can set in tac_plus.conf to enable this. I've
tried this with no joy:
group = netadmin {
    default service = permit
    login = file /etc/passwd
    service = exec {}
    service = ppp protocol = ip {
        port = 22
    }
}
Can anyone offer any suggestions?
Many thanks.
PS. the TACACS+ config on the NTP server itself is very simple. It's just a
field for the IP address of the TACACS+ server and one for the shared secret so
there's nothing I can change there.
Regards,
Darren Share
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ssh.txt
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20160201/d721e87c/attachment.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tac_plus.conf
Type: application/octet-stream
Size: 268 bytes
Desc: not available
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20160201/d721e87c/attachment.obj>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: web.txt
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20160201/d721e87c/attachment-0001.txt>