From daniel.schmidt at wyo.gov Mon Jul 9 17:04:25 2018
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Mon, 9 Jul 2018 11:04:25 -0600
Subject: [tac_plus] Pam/PAP bug
Message-ID:

I've noticed an intermittent bug. User1 inherits pap = PAM from a group. User2 has simply pap = cleartext "some_password" explicitly set.

Randomly, User1 starts to be denied on Nexus with "failed to respond":

2018 Jul 9 10:37:10 Test-Rtr %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
2018 Jul 9 10:37:12 Test-Rtr %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.168.0.40 - sshd[26316]

User2, however, gets right in. Also, User1 works on authentications other than pap (login and enable). Restarting the tac_plus daemon causes the issue to go away for an undefined period of time. I am at a loss to debug or even find a way to recreate the recurring issue. tacacs+-F4.0.4.19 did not have this issue.

Note, I have applied this patch because I require pam for enable: https://gist.github.com/ragzilla/11297928

Admittedly, the next step should be to back out that patch, but I don't understand why it would cause an intermittent bug, especially when enable works just fine in the broken state.

Thanks for your time.

--
E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.
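Since the fault above cannot be reproduced on demand, a small check that flags its log signature (a Nexus "All servers failed to respond" message followed shortly by a pam_aaa failure on the same device) helps catch the next recurrence and record when it started. This is an added example, not code from the post or from tac_plus; the sample lines are constructed after the two log lines quoted above, and the 30-second correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the Nexus syslog lines quoted in the post.
# The third line has no preceding TACACS outage and must not be flagged.
SAMPLE_LOG = """\
2018 Jul 9 10:37:10 Test-Rtr %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
2018 Jul 9 10:37:12 Test-Rtr %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.168.0.40 - sshd[26316]
2018 Jul 9 11:02:05 Test-Rtr %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.168.0.41 - sshd[26400]
"""

# "<year> <Mon> <day> <HH:MM:SS> <hostname> %<facility>-<sev>-<mnemonic>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>%.*)$"
)
TACACS_DOWN = "%TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond"
PAM_FAIL_RE = re.compile(r"pam_aaa:Authentication failed from (?P<src>\S+)")


def parse(line):
    """Split one Nexus syslog line into (timestamp, hostname, message) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y %b %d %H:%M:%S")
    return ts, m.group("host"), m.group("msg")


def find_tacacs_induced_failures(text, window=timedelta(seconds=30)):
    """Return (host, client_ip, lag_seconds) for every pam_aaa failure that
    follows a TACACS 'All servers failed to respond' event on the same
    device within `window` (assumed 30 s here)."""
    last_outage = {}  # hostname -> time of most recent TACACS outage message
    hits = []
    for raw in text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        ts, host, msg = rec
        if msg == TACACS_DOWN:
            last_outage[host] = ts
            continue
        pm = PAM_FAIL_RE.search(msg)
        if pm and host in last_outage and ts - last_outage[host] <= window:
            lag = (ts - last_outage[host]).total_seconds()
            hits.append((host, pm.group("src"), lag))
    return hits


if __name__ == "__main__":
    for host, src, lag in find_tacacs_induced_failures(SAMPLE_LOG):
        print(f"{host}: PAM failure from {src} {lag:.0f}s after TACACS outage")
```

Feed it the device's syslog export (or a syslog collector's output for the Nexus hosts) to timestamp each recurrence against tac_plus restarts.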