[tac_plus] Need help to authenticate to SSH
heasley
heas at shrubbery.net
Mon Feb 1 22:21:07 UTC 2016
Mon, Feb 01, 2016 at 06:18:54PM +0000, Darren Share:
> Hello,
>
> I am currently trying to put myself through a crash course with tac_plus to
> assist a customer. We sell an NTP server which supports TACACS+ for
> authentication. The server has a web interface (port 80) and an SSH interface
> (port 22). A relatively default tac_plus installation on a debian server is
> allowing us to log in to the web interface but the SSH login (with the same
> user) is getting rejected. According to the manufacturer the SSH login is not
> supported with TACACS+ but I'm convinced it should be able to work as I can see
> the NTP server is sending requests to the TACACS+ server when we attempt to log
> in.
>
> I've attached the current tac_plus.conf that works with the web login (user
> "support" is an existing user on the debian system).
>
> If I enable debugging on tac_plus (tac_plus -C /etc/tacacs+/tac_plus.conf -g
> -d 256) with a successful web login I get the attached web.txt and with a
> failed ssh login I get the attached ssh.txt.
>
> The main difference I can see being the "port: unknown" and "port: ssh". I feel
> like there should be something I can set in tac_plus.conf to enable this. I've
> tried this with no joy:
Still mangled :) but I'll try.
I presume the first is the web login. In the second, the daemon receives
"<BS><NL>" for the password. I presume this is not the password as it doesn't
match the first attachment. So, it appears that what your client is sending
is wrong.
As for the port; the port is the port on a NAS, not the TCP port. I'm not sure
that the port is used, except to differentiate sessions, though an external
authorization script might use it.
> group = netadmin {
>     default service = permit
>     login = file /etc/passwd
>     service = exec {}
>     service = ppp protocol = ip {
>         port = 22
>     }
> }
>
> Can anyone offer any suggestions?
>
> Many thanks.
>
> PS. the TACACS+ config on the NTP server itself is very simple. It's just a
> field for the IP address of the TACACS+ server and one for the shared secret so
> there's nothing I can change there.
>
>
> Regards,
>
> Darren Share
>
> Attachments (scrubbed by the list archive):
> ssh.txt: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20160201/d721e87c/attachment.txt>
> tac_plus.conf (268 bytes): <http://www.shrubbery.net/pipermail/tac_plus/attachments/20160201/d721e87c/attachment.obj>
> web.txt: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20160201/d721e87c/attachment-0001.txt>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
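Added example (not from the thread or from tac_plus itself): a small parser for the TACACS+ Authentication START body, as laid out in RFC 8907 section 5.1, which shows that the "port" field the daemon logs is a string naming the NAS's own line ("ssh", "tty0", "unknown"), not a TCP port, and flags control bytes such as BS and NL in the password data the way heasley describes. The sample packet and the build_authen_start helper are constructed for this example.

```python
import struct

# Fixed part of a TACACS+ Authentication START body (RFC 8907, section 5.1):
# action, priv_lvl, authen_type, authen_service, then the four field lengths.
# This is the body after the 12-byte header, already deobfuscated with the
# shared secret. "port" here is the NAS port/line name, not a TCP port number.
START_FIXED = struct.Struct("!BBBBBBBB")

def parse_authen_start(body: bytes) -> dict:
    """Split a deobfuscated Authentication START body into its named fields."""
    if len(body) < START_FIXED.size:
        raise ValueError("body shorter than the fixed START header")
    (action, priv_lvl, authen_type, service,
     user_len, port_len, rem_addr_len, data_len) = START_FIXED.unpack_from(body)
    expected = START_FIXED.size + user_len + port_len + rem_addr_len + data_len
    if len(body) != expected:
        raise ValueError(f"length mismatch: have {len(body)}, header says {expected}")
    pos = START_FIXED.size
    fields = {}
    for name, length in (("user", user_len), ("port", port_len),
                         ("rem_addr", rem_addr_len), ("data", data_len)):
        fields[name] = body[pos:pos + length]
        pos += length
    fields.update(action=action, priv_lvl=priv_lvl,
                  authen_type=authen_type, service=service)
    return fields

def control_chars(data: bytes) -> list:
    """Return the non-printable bytes in a password/data field (e.g. BS=8, NL=10)."""
    return [b for b in data if b < 0x20 or b == 0x7F]

def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes,
                       action=1, priv_lvl=1, authen_type=2, service=1) -> bytes:
    """Constructed helper that assembles a START body for testing the parser.
    Defaults: action=LOGIN, authen_type=PAP (password travels in 'data');
    for authen_type=ASCII the password arrives in a later CONTINUE packet."""
    return (START_FIXED.pack(action, priv_lvl, authen_type, service,
                             len(user), len(port), len(rem_addr), len(data))
            + user + port + rem_addr + data)

if __name__ == "__main__":
    # Constructed sample: an SSH login whose password field carries only a
    # backspace and a newline, the symptom described in the reply above.
    sample = build_authen_start(b"support", b"ssh", b"192.0.2.10", b"\x08\n")
    f = parse_authen_start(sample)
    print(f"user={f['user']!r} port={f['port']!r} rem_addr={f['rem_addr']!r}")
    print("control bytes in password data:", control_chars(f["data"]))
```

Feeding a real capture requires deobfuscating the body with the shared secret first (MD5 pseudo-pad per RFC 8907 section 4.5); this example works on the cleartext body only.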