Pam-list Digest, Vol 38, Issue 6
Roberto Dud
roberto.dud at gmail.com
Mon Apr 16 20:34:37 UTC 2007
Hi Andreas,
I´m usind the site
http://www.wikidsystems.com/documentation/howtos/tacacs_twofactorauthentication/to
configure pam_tacplus in my Red Hat 4, but isn´t work.
My /etc/pam.d/tacacs:
#%PAM-1.0
auth sufficient /lib/security/pam_tacplus.so debug
server=(my_tacacs_IP) \
secret=MySecret encrypt
account sufficient /lib/security/pam_tacplus.so debug
server=(my_tacacs_IP) \
secret=MySecret encrypt service=shell protocol=ssh
session sufficient /lib/security/pam_tacplus.so debug
server=(my_tacacs_IP) \
secret=MySecret encrypt service=shell protocol=ssh
My /etc/pam.d/sshd:
#%PAM-1.0
auth required pam_stack.so service=tacacs
#auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_stack.so service=tacacs
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session sufficient pam_stack.so service=tacacs
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
Im my tacacs server my secret keys pass, but my user do not pass. See my log
on tacacs server:
Mon Apr 16 17:31:11 2007 [26137]: db_get_host: getting hkey from nas(IP)
Mon Apr 16 17:31:11 2007 [26137]: Error verify: failed - could not
authenticate for user 'root' on NAS 'IP'
Mon Apr 16 17:31:11 2007 [26137]: default_fn: pap-login query for 'root' ssh
from IP rejected
Thanks,
Dud.
On 4/14/07, Andreas Schindler <schindler at az1.de> wrote:
>
> pam-list-request at redhat.com wrote:
>
>
> Subject:
> Tacacs +PAM From:
> "Roberto Dud" <roberto.dud at gmail.com> <roberto.dud at gmail.com> Date:
> Thu, 12 Apr 2007 16:56:22 -0300 To:
> pam-list at redhat.com To:
> pam-list at redhat.com Precedence:
> junk MIME-Version:
> 1.0 Reply-To:
> Pluggable Authentication Modules <pam-list at redhat.com><pam-list at redhat.com> Message-ID:
>
> <93b73b230704121256h30d2ebd0t2a939e92edae5d3a at mail.gmail.com><93b73b230704121256h30d2ebd0t2a939e92edae5d3a at mail.gmail.com> Content-Type:
>
> multipart/alternative; boundary="----=_Part_21615_5006272.1176407782942" Message:
>
> 7
> Hi Mrs,
>
> I have a Tacacs server to centralize autentication in my routers, switchs,
> cmts ... And I think I will use this infraestructure to centralize my
> authentication on my Linux Servers.
>
> I found on my seachs on google a PAM module to tacacs.
>
> Anyone know about or use this module?
>
> Thanks,
>
> Dud.
>
> Dud,
>
> i suppose you're talking of the tacacs+ client package published by some
> Polish guy (don't remember the name
> right now). The pam_tacacs module works quite fine. Soem quirks when using
> tacacs 'accounting' (not to be confused
> with PAM accounting, which is the equivalent to tacacs 'authorize'). There
> is a drawback in that the module supports only
> one tacacs server. The workaround i took, was to stack the module twice,
> each one with a different tacacs server.
> Don't forget to switch on encryption. My configuration was:
>
> auth sufficient pam_tacplus.so encrypt secret=FarAway server=
> 10.13.0.22
> auth sufficient pam_tacplus.so encrypt secret=FarAway server=
> 10.14.1.69
>
> BTW the above package includes 'tacc', a small line-mode tacacs client. A
> fine tool when debugging the tacacs environment.
>
> Andreas
>
> --
> Dr.-Ing. Andreas Schindler
>
> Alpha Zero One Computersysteme GmbH
> Frankfurter Str. 141
> 63303 Dreieich
>
> Telefon 06103-57187-21
> Telefax 06103-373245
>
> schindler at az1.de
> www.az1.de
>
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pam-list/attachments/20070416/a2e545ac/attachment.htm>
More information about the Pam-list
mailing list