Pam-list Digest, Vol 38, Issue 6

Roberto Dud roberto.dud at gmail.com
Mon Apr 16 20:34:37 UTC 2007


Hi Andreas,

I'm using the site
http://www.wikidsystems.com/documentation/howtos/tacacs_twofactorauthentication/ to
configure pam_tacplus on my Red Hat 4, but it isn't working.

My /etc/pam.d/tacacs:


#%PAM-1.0
auth       sufficient   /lib/security/pam_tacplus.so debug
server=(my_tacacs_IP) \
secret=MySecret encrypt
account    sufficient   /lib/security/pam_tacplus.so debug
server=(my_tacacs_IP) \
secret=MySecret encrypt service=shell protocol=ssh
session    sufficient   /lib/security/pam_tacplus.so debug
server=(my_tacacs_IP) \
secret=MySecret encrypt service=shell protocol=ssh


My /etc/pam.d/sshd:

#%PAM-1.0
auth       required   pam_stack.so service=tacacs
#auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_stack.so service=tacacs
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    sufficient   pam_stack.so service=tacacs
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so


On my tacacs server my secret key passes, but my user does not pass. See my log
on the tacacs server:


Mon Apr 16 17:31:11 2007 [26137]: db_get_host: getting hkey from nas(IP)
Mon Apr 16 17:31:11 2007 [26137]: Error verify: failed - could not
authenticate for user 'root' on NAS 'IP'
Mon Apr 16 17:31:11 2007 [26137]: default_fn: pap-login query for 'root' ssh
from IP rejected


Thanks,

Dud.



On 4/14/07, Andreas Schindler <schindler at az1.de> wrote:
>
>  pam-list-request at redhat.com wrote:
>
> Subject: Tacacs +PAM
> From: "Roberto Dud" <roberto.dud at gmail.com>
> Date: Thu, 12 Apr 2007 16:56:22 -0300
> To: pam-list at redhat.com
>
> Hi Mrs,
>
> I have a Tacacs server to centralize authentication in my routers, switches,
> CMTS ... And I think I will use this infrastructure to centralize my
> authentication on my Linux servers.
>
> I found in my searches on Google a PAM module for tacacs.
>
> Does anyone know about or use this module?
>
> Thanks,
>
> Dud.
>
>  Dud,
>
> I suppose you're talking of the tacacs+ client package published by some
> Polish guy (don't remember the name right now). The pam_tacacs module works
> quite fine. Some quirks when using tacacs 'accounting' (not to be confused
> with PAM accounting, which is the equivalent to tacacs 'authorize'). There
> is a drawback in that the module supports only one tacacs server. The
> workaround I took was to stack the module twice, each one with a different
> tacacs server. Don't forget to switch on encryption. My configuration was:
>
>     auth        sufficient   pam_tacplus.so encrypt secret=FarAway server=10.13.0.22
>     auth        sufficient   pam_tacplus.so encrypt secret=FarAway server=10.14.1.69
>
> BTW the above package includes 'tacc', a small line-mode tacacs client. A
> fine tool when debugging the tacacs environment.
>
> Andreas
>
> --
> Dr.-Ing. Andreas Schindler
>
> Alpha Zero One Computersysteme GmbH
> Frankfurter Str. 141
> 63303 Dreieich
>
> Telefon 06103-57187-21
> Telefax 06103-373245
>
> schindler at az1.de
> www.az1.de
>
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
>
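What the "encrypt" option in the pam_tacplus lines above actually changes on the wire, as an added example that is not code from the original posts or from pam_tacplus itself: a minimal builder and parser for the TACACS+ PAP authentication START packet (the "pap-login query" the server log complains about), with and without the body obfuscation from the TACACS+ spec (the draft at the time of this thread, now RFC 8907). The session id, the password "hunter2" and the client address 192.0.2.10 are constructed values for the demo; "root" and port "ssh" are taken from the log lines in the mail. The shared secret is never sent; both sides derive a chained-MD5 pad from session id, secret, version and sequence number and XOR the body with it.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# TACACS+ constants from the protocol spec (draft at the time of the thread,
# now RFC 8907). Minor version 1 is the one used for PAP logins.
TAC_PLUS_VERSION_PAP = 0xC1
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body is sent in the clear
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

# 12-byte header: version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id: int, secret: bytes, version: int, seq_no: int,
               length: int) -> bytes:
    """Keystream from the spec: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), concatenated, truncated."""
    prefix = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, secret: bytes, version: int,
              seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, secret, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, password: str, port: str, rem_addr: str,
                       session_id: int, secret: Optional[bytes],
                       seq_no: int = 1) -> bytes:
    """Client-side PAP authentication START. secret=None models a client run
    without 'encrypt': the body goes out in cleartext and the unencrypted flag
    tells the server not to de-obfuscate it."""
    u, p, r, d = (s.encode("ascii") for s in (user, port, rem_addr, password))
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 0,
                       TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(u), len(p), len(r), len(d)) + u + p + r + d
    flags = 0
    if secret is None:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
    else:
        body = obfuscate(body, session_id, secret, TAC_PLUS_VERSION_PAP, seq_no)
    header = HEADER.pack(TAC_PLUS_VERSION_PAP, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + body


@dataclass
class AuthenStart:
    user: str
    port: str
    rem_addr: str
    password: str


def parse_authen_start(packet: bytes, secret: Optional[bytes]) -> Optional[AuthenStart]:
    """Server-side decode. Returns None when the packet is malformed or, for an
    obfuscated body, when the shared secret does not match: the de-obfuscated
    bytes then fail the structural checks instead of yielding a credential."""
    if len(packet) < HEADER.size:
        return None
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length or length < 8:
        return None
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if secret is None:
            return None
        body = obfuscate(body, session_id, secret, version, seq_no)
    action, _priv, atype, _svc, ulen, plen, rlen, dlen = struct.unpack("!BBBBBBBB", body[:8])
    if action != TAC_PLUS_AUTHEN_LOGIN or atype != TAC_PLUS_AUTHEN_TYPE_PAP:
        return None
    if 8 + ulen + plen + rlen + dlen != len(body):
        return None
    fields, off = [], 8
    for n in (ulen, plen, rlen, dlen):
        chunk = body[off:off + n]
        if not chunk.isascii():
            return None
        fields.append(chunk.decode("ascii"))
        off += n
    return AuthenStart(*fields)


if __name__ == "__main__":
    # Constructed sample values; a real client picks a random session_id.
    SECRET = b"MySecret"
    clear = build_authen_start("root", "hunter2", "ssh", "192.0.2.10", 0x1234ABCD, None)
    obf = build_authen_start("root", "hunter2", "ssh", "192.0.2.10", 0x1234ABCD, SECRET)
    print("password visible without encrypt:", b"hunter2" in clear)
    print("password visible with encrypt:   ", b"hunter2" in obf)
    print("server with right secret:", parse_authen_start(obf, SECRET))
    print("server with wrong secret:", parse_authen_start(obf, b"WrongSecret"))
```

Two things worth noticing when you run it: without "encrypt" the username and the PAP password are literally in the TCP payload, and the spec's obfuscation is a keyed XOR, not authenticated encryption, so a server-side failure with a wrong secret shows up as a malformed packet rather than a clean "bad key" error. That is also why a mismatched secret between pam_tacplus and the server tends to appear in server logs as a garbage request rather than as a rejected user.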