[tac_plus] tacacs+ for console logins

heasley heas at shrubbery.net
Fri Dec 14 21:01:24 UTC 2018


Fri, Dec 14, 2018 at 12:58:25PM +0530, Vyasraj (ವ್ಯಾಸರಾಜ):
> Hello there,
> 
> First of all thanks a lot for helping us in setting up tacacs access in our
> systems.
> 
> We have enabled tacacs access to our server with 3 tacacs server
> details
> 
> auth    [success=done default=bad authinfo_unavail=bad ignore=ignore] /lib/security/pam_tacplus.so server=1.1.1.1 secret=test1234 debug
> account [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so server=192.168.5.10 secret=test1234 service=test  protocol=ssh debug

these all look like the same lines.  i do not know, but expect that you
want 2 lines that have both primary and backup servers specified - if
that pam module is capable of that.

> auth    [success=done default=bad authinfo_unavail=bad ignore=ignore] /lib/security/pam_tacplus.so server=2.2.2.2 secret=test 111  debug
> account [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so server=2.2.2.2 secret=test 111 service=test protocol=ssh debug
> auth    [success=done default=bad authinfo_unavail=bad ignore=ignore] /lib/security/pam_tacplus.so server=3.3.3.3 secret=test 222  debug
> account [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so server=3.3.3.3 secret=test 222 service=test protocol=ssh debug
> auth    [success=done default=bad authinfo_unavail=bad ignore=ignore] /lib/security/pam_tacplus.so server=4.4.4.4 secret=test 333  debug
> account [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so server=4.4.4.4 secret=test 333 service=test protocol=ssh debug
> 
> For sshd, all the servers are tried one after the other and login falls
> back to local. When we log in through the serial console, it's observed that
> for each tacacs+ server, we need to enter the password. Hence for 4 servers
> in the file, we end up entering the password 4 times.
> 
> Is there a way we can overcome this and make the behaviour similar to that
> of sshd?
> 
> Thanks
> Vyasraj
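
Added example, not part of the original thread and not pam_tacplus project code: a Python script that counts the pam_tacplus entries per PAM type and merges them into the two lines the reply suggests. It assumes the installed pam_tacplus accepts repeated server=/secret= arguments on one line, which the reply leaves open; the addresses, secrets and function names are constructed for illustration.

```python
import re

# Constructed sample stack: documentation addresses, placeholder secrets.
SAMPLE = """\
auth    [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so server=192.0.2.1 secret=EXAMPLE-A debug
account [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so server=192.0.2.1 secret=EXAMPLE-A service=test protocol=ssh debug
auth    [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so server=192.0.2.2 secret=EXAMPLE-B debug
account [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so server=192.0.2.2 secret=EXAMPLE-B service=test protocol=ssh debug
"""

# Fields: type, control (bracketed list or single word), module path, arguments.
LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Yield (type, control, module_path, args) for each non-comment PAM line."""
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4).split()

def consolidate(text, module="pam_tacplus.so"):
    """Count pam_tacplus entries per type and merge each type into one line.

    ASSUMPTION: the module accepts several server=/secret= pairs on one line.
    """
    counts, merged = {}, {}
    for typ, control, path, args in parse(text):
        if not path.endswith(module):
            continue
        counts[typ] = counts.get(typ, 0) + 1
        _, _, pairs, rest = merged.setdefault(typ, (control, path, [], []))
        for arg in args:
            if arg.startswith(("server=", "secret=")):
                pairs.append(arg)      # keep each secret next to its server
            elif arg not in rest:
                rest.append(arg)       # shared options such as debug, once
    lines = [" ".join([typ, c, p] + pairs + rest)
             for typ, (c, p, pairs, rest) in merged.items()]
    return counts, lines

if __name__ == "__main__":
    counts, lines = consolidate(SAMPLE)
    for typ, n in counts.items():
        print(f"{typ}: {n} pam_tacplus entries, each one a separate module call")
    print("\n".join(lines))
```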


