[tac_plus] tac_plus coring Under FreeBSD 10.3-AMD64 with pam

Alan McKinnon alan.mckinnon at gmail.com
Thu Jul 27 14:26:40 UTC 2017


On 27/07/2017 11:54, Dan Mahoney wrote:
> All,
> 
> This is a bit bewildering.  We have two systems running tac_plus, and after an upgrade to 10.3, tac_plus no longer wants to speak to PAM/Kerberos.
> 
> Weirdly, the error we get when it dies seems to come from Kerberos, since the string “sha1 checksum failed” is not in any of the tac_plus code.
> 
> I’ve managed to fix this by installing an alternate pam_krb5 instead of the base one, but it’s still an odd error.
> 
> How could I collect more info to help debug this?
> 
> /usr/local/sbin/tac_plus -g -d 16 -d 32 -d 8 -C /usr/local/etc/tac_plus.conf -t -U root
> Reading config
> Version F4.0.4.28 Initialized 1
> tac_plus server F4.0.4.28 starting
> socket FD 5 AF 28
> socket FD 7 AF 2
> uid=0 euid=0 gid=559 egid=559 s=33649520
> connect from 149.20.60.11 [149.20.60.11]
> pam_verify dmahoney
> pam_tacacs received 1 pam_messages
> 149.20.60.11 unknown-port: PAM_PROMPT_ECHO_OFF
> tac_plus: sha1 checksum failed
> Abort

Not at all weird.

The base version of pam_krb5 in FreeBSD-10.3 does not appear to support
SHA1, but the version in pkg and/or ports does.

So installing from pkg/ports to get functionality above what base gives,
as you did, was the correct thing to do.


-- 
Alan McKinnon
alan.mckinnon at gmail.com


