[tac_plus] Pam/PAP bug
Daniel Schmidt
daniel.schmidt at wyo.gov
Mon Jul 9 17:04:25 UTC 2018
I've noticed an intermittent bug. User1 inherits pap = PAM from a group.
User2 simply has pap = cleartext "some_password" explicitly set.
Randomly, User1 starts to be denied on the Nexus with "failed to respond":
2018 Jul 9 10:37:10 Test-Rtr %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
2018 Jul 9 10:37:12 Test-Rtr %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.168.0.40 - sshd[26316]
User2, however, gets right in.
Also, User1 works on authentication types other than pap (login and enable).
Restarting the tac_plus daemon causes the issue to go away for an undefined
period of time. I am at a loss to debug or even find a way to recreate the
recurring issue. tacacs+-F4.0.4.19 did not have this issue.
Note, I have applied this patch because I require pam for enable:
https://gist.github.com/ragzilla/11297928
Admittedly, the next step should be to back out that patch, but I don't
understand why it would cause an intermittent bug, especially when enable
works just fine in the broken state.
Thanks for your time.
--
E-Mail to and from me, in connection with the transaction of public
business, is subject to the Wyoming Public Records Act and may be
disclosed to third parties.