Hi Andreas,<br><br>I´m usind the site <a href="http://www.wikidsystems.com/documentation/howtos/tacacs_twofactorauthentication/">http://www.wikidsystems.com/documentation/howtos/tacacs_twofactorauthentication/</a> to configure pam_tacplus in my Red Hat 4, but isn´t work. <br><br>My /etc/pam.d/tacacs:<br><br><br><pre>#%PAM-1.0<br>auth sufficient /lib/security/pam_tacplus.so debug server=(my_tacacs_IP) \<br>secret=MySecret encrypt<br>account sufficient /lib/security/pam_tacplus.so debug server=(my_tacacs_IP) \ <br>secret=MySecret encrypt service=shell protocol=ssh<br>session sufficient /lib/security/pam_tacplus.so debug server=(my_tacacs_IP) \<br>secret=MySecret encrypt service=shell protocol=ssh</pre><br>My /etc/pam.d/sshd: <br><br><pre>#%PAM-1.0<br>auth required pam_stack.so service=tacacs<br>#auth required pam_stack.so service=system-auth<br>auth required pam_nologin.so<br>account sufficient pam_stack.so service=tacacs <br>account required pam_stack.so service=system-auth<br>password required pam_stack.so service=system-auth<br>session sufficient pam_stack.so service=tacacs<br>session required pam_stack.so service=system-auth <br>session required pam_limits.so<br>session optional pam_console.so</pre><br>Im my tacacs server my secret keys pass, but my user do not pass. See my log on tacacs server:<br><br><br>Mon Apr 16 17:31:11 2007 [26137]: db_get_host: getting hkey from nas(IP) <br>Mon Apr 16 17:31:11 2007 [26137]: Error verify: failed - could not authenticate for user 'root' on NAS 'IP'<br>Mon Apr 16 17:31:11 2007 [26137]: default_fn: pap-login query for 'root' ssh from IP rejected <br><br><br>Thanks,<br><br>Dud.<br><br><br><br><div><span class="gmail_quote">On 4/14/07, <b class="gmail_sendername">Andreas Schindler</b> <<a href="mailto:schindler@az1.de">schindler@az1.de</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> <div bgcolor="#ffffff" text="#000000"> <a href="mailto:pam-list-request@redhat.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">pam-list-request@redhat.com</a> wrote: <blockquote cite="http://mid20070412203546.59975735C3@hormel.redhat.com" type="cite"><br> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tbody> <tr> <td> <div style="display: inline;">Subject: </div> Tacacs +PAM</td> </tr> <tr> <td> <div style="display: inline;">From: </div> "Roberto Dud" <a href="mailto:roberto.dud@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><roberto.dud@gmail.com></a></td> </tr> <tr> <td> <div style="display: inline;">Date: </div> Thu, 12 Apr 2007 16:56:22 -0300</td> </tr> <tr> <td> <div style="display: inline;">To: </div> <a href="mailto:pam-list@redhat.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">pam-list@redhat.com</a></td> </tr> </tbody> </table> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tbody> <tr> <td> <div style="display: inline;">To: </div> <a href="mailto:pam-list@redhat.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">pam-list@redhat.com</a></td> </tr> </tbody> </table> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tbody> <tr> <td> <div style="display: inline;">Precedence: </div> junk</td> </tr> <tr> <td> <div style="display: inline;">MIME-Version: </div> 1.0</td> </tr> <tr> <td> <div style="display: inline;">Reply-To: </div> Pluggable Authentication Modules <a href="mailto:pam-list@redhat.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><pam-list@redhat.com></a></td> </tr> <tr> <td> <div style="display: inline;">Message-ID: </div> <a href="mailto:93b73b230704121256h30d2ebd0t2a939e92edae5d3a@mail.gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><93b73b230704121256h30d2ebd0t2a939e92edae5d3a@mail.gmail.com></a></td> </tr> <tr> <td> <div style="display: inline;">Content-Type: </div> multipart/alternative; boundary="----=_Part_21615_5006272.1176407782942"</td> </tr> <tr> <td> <div style="display: inline;">Message: </div> 7</td> </tr> </tbody> </table> <br> Hi Mrs,<br> <br> I have a Tacacs server to centralize autentication in my routers, switchs, cmts ... And I think I will use this infraestructure to centralize my authentication on my Linux Servers.<br> <br> I found on my seachs on google a PAM module to tacacs. <br> <br> Anyone know about or use this module?<br> <br> Thanks,<br> <br> Dud.<br> <br> </blockquote> <font face="Helvetica, Arial, sans-serif">Dud,<br> <br> i suppose you're talking of the tacacs+ client package published by some Polish guy (don't remember the name<br> right now). The pam_tacacs module works quite fine. Soem quirks when using tacacs 'accounting' (not to be confused <br> with PAM accounting, which is the equivalent to tacacs 'authorize'). There is a drawback in that the module supports only<br> one tacacs server. The workaround i took, was to stack the module twice, each one with a different tacacs server.<br> Don't forget to switch on encryption. My configuration was:<br> <br> auth sufficient pam_tacplus.so encrypt secret=FarAway server=<a href="http://10.13.0.22" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">10.13.0.22</a><br> </font><font face="Helvetica, Arial, sans-serif"> auth sufficient pam_tacplus.so encrypt secret=FarAway server=<a href="http://10.14.1.69" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">10.14.1.69</a></font><br> <font face="Helvetica, Arial, sans-serif"><br> BTW the above package includes 'tacc', a small line-mode tacacs client. A fine tool when debugging the tacacs environment. <br> <br> Andreas<br> </font><br> <pre cols="90">-- <br>Dr.-Ing. Andreas Schindler<br> <br>Alpha Zero One Computersysteme GmbH<br>Frankfurter Str. 141<br>63303 Dreieich<br> <br>Telefon 06103-57187-21<br>Telefax 06103-373245<br> <br><a href="mailto:schindler@az1.de" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> schindler@az1.de</a><br><a href="http://www.az1.de" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">www.az1.de</a> </pre> </div> <br>_______________________________________________<br>Pam-list mailing list<br><a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:Pam-list@redhat.com">Pam-list@redhat.com</a><br><a onclick="return top.js.OpenExtLink(window,event,this)" href="https://www.redhat.com/mailman/listinfo/pam-list" target="_blank"> https://www.redhat.com/mailman/listinfo/pam-list</a><br></blockquote></div><br>