[tac_plus] DEFAULT user and PAM

Michael Costello mcostello at netflix.com
Wed Sep 21 22:30:26 UTC 2016


Hi again,

I think I figured out the problem.  I debugged F4.0.4.28 on an
equivalent Ubuntu 14.04 instance with a working PAM/SSSD/LDAP setup.
F4.0.4.26 should behave identically.

The problem appears to be that config.c's cfg_get_value() returns if a
user is not found rather than attempting to look up the DEFAULT user.

I applied the following patch and was able to authenticate as a user
defined in LDAP but not explicitly defined in tac_plus.conf.

--- config.c.orig 2012-06-06 22:11:30.000000000 +0000
+++ config.c 2016-09-21 22:04:48.734463450 +0000
@@ -1902,7 +1902,11 @@
     if (!user) {
  if (debug & DEBUG_CONFIG_FLAG)
     report(LOG_DEBUG, "cfg_get_value: no user/group named %s", name);
- return(value);
+ if (isuser && cfg_user_exists(DEFAULT_USERNAME)) {
+    user = (USER *)hash_lookup(usertable, DEFAULT_USERNAME);
+    report(LOG_DEBUG, "cfg_get_value: using DEFAULT");
+ } else
+    return(value);
     }

     /* found the entry. Lookup value from attr=value */
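Review bot: the new `report(LOG_DEBUG, "cfg_get_value: using DEFAULT")` in the fallback branch is unconditional, while the "no user/group named" report two lines above it is guarded by `if (debug & DEBUG_CONFIG_FLAG)`; wrap the added report in the same guard so that every lookup of an unknown username does not emit a debug line in normal operation. The result of `hash_lookup(usertable, DEFAULT_USERNAME)` is also assigned to `user` without a NULL check before falling through to the attr=value lookup; `cfg_user_exists(DEFAULT_USERNAME)` was just tested, but a defensive `if (!user) return(value);` after the lookup costs nothing and protects the code below if the two functions ever disagree. Finally, the commit message should state that after this change any username not explicitly configured inherits every attribute of the DEFAULT stanza (in the reporter's example that includes `member = admin`), not only `login = PAM`, so operators should write their DEFAULT entry with the least privilege they are willing to grant to any account PAM will accept.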


Please let me know if this is an effective fix or if it has unintended
consequences.

mc

On Wed, Aug 24, 2016 at 1:07 AM, heasley <heas at shrubbery.net> wrote:
> Tue, Aug 23, 2016 at 03:20:45PM -0700, Michael Costello:
>> Hi tac_plus,
>>
>> I know this question has been asked before[0], but I have not been
>> able to find the answer.
>>
>> I have an Ubuntu 14.04 machine with tac_plus F4.0.4.26 installed
>> through apt.  The box is configured correctly for LDAP through SSSD (I
>> can ssh into it using LDAP credentials).  And I can authenticate to a
>> router against tacacs using LDAP credentials iff my username is
>> explicitly configured in tac_plus.conf.
>>
>> user = me {
>>     login = PAM
>>     member = admin
>> }
>>
>> User 'me' is not in /etc/passwd.  If however I remove the user and
>> attempt to use the default user
>>
>> user = DEFAULT {
>>     login = PAM
>>     member = admin
>> }
>>
>> I cannot authenticate:
>>
>> Tue Aug 23 21:47:53 2016 [10793]: Authenticating ACLs for user
>> 'DEFAULT' instead of 'me'
>> Tue Aug 23 21:47:53 2016 [10793]: login query for 'me' ssh from 1.2.3.4 rejected
>>
>> Is there any way to resolve this through configuration or using a
>> later version (the changelog from 4.0.4.26 to 4.0.4.28 does not
>> mention anything in regards to this)?  Or is what I'm after simply not
>> supported?
>
> I do not know of any reason that this should not work and i'd expect it
> to be needed, but I'll have to build a test environment to test and debug.
>
>> mc
>>
>> [0]
>> http://www.shrubbery.net/pipermail/tac_plus/2010-February/000667.html
>> http://www.shrubbery.net/pipermail/tac_plus/2010-January/000662.html
>>
