Pam-list Digest, Vol 38, Issue 6

Roberto Dud roberto.dud at gmail.com
Mon Apr 16 20:41:21 UTC 2007


I forgot my log on NAS:

/var/log/messages:

Apr 16 18:37:14 201-75-201-82-am PAM-tacplus[24385]: auth failed: Login incorrect

I have an account on the Tacacs server and I connect to my Cisco routers
normally...

Thanks,

Dud.



On 4/16/07, Roberto Dud <roberto.dud at gmail.com > wrote:
>
> Hi Andreas,
>
> I'm using the site
> http://www.wikidsystems.com/documentation/howtos/tacacs_twofactorauthentication/
> to configure pam_tacplus on my Red Hat 4, but it isn't working.
>
> My /etc/pam.d/tacacs:
>
>
> #%PAM-1.0
> auth       sufficient   /lib/security/pam_tacplus.so debug server=(my_tacacs_IP) \
> secret=MySecret encrypt
> account    sufficient   /lib/security/pam_tacplus.so debug server=(my_tacacs_IP) \
> secret=MySecret encrypt service=shell protocol=ssh
> session    sufficient   /lib/security/pam_tacplus.so debug server=(my_tacacs_IP) \
> secret=MySecret encrypt service=shell protocol=ssh
>
>
> My /etc/pam.d/sshd:
>
> #%PAM-1.0
> auth       required   pam_stack.so service=tacacs
> #auth       required     pam_stack.so service=system-auth
> auth       required     pam_nologin.so
> account    sufficient   pam_stack.so service=tacacs
> account    required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth
> session    sufficient   pam_stack.so service=tacacs
> session    required     pam_stack.so service=system-auth
> session    required     pam_limits.so
> session    optional     pam_console.so
>
>
> In my tacacs server my secret key passes, but my user does not pass. See my
> log on the tacacs server:
>
>
> Mon Apr 16 17:31:11 2007 [26137]: db_get_host: getting hkey from nas(IP)
> Mon Apr 16 17:31:11 2007 [26137]: Error verify: failed - could not authenticate for user 'root' on NAS 'IP'
> Mon Apr 16 17:31:11 2007 [26137]: default_fn: pap-login query for 'root' ssh from IP rejected
>
>
> Thanks,
>
> Dud.
>
>
>
> On 4/14/07, Andreas Schindler < schindler at az1.de> wrote:
>
> >  pam-list-request at redhat.com wrote:
> >
> >
> >   Subject: Tacacs +PAM
> >   From: "Roberto Dud" <roberto.dud at gmail.com>
> >   Date: Thu, 12 Apr 2007 16:56:22 -0300
> >   To: pam-list at redhat.com
> >   Precedence: junk
> >   MIME-Version: 1.0
> >   Reply-To: Pluggable Authentication Modules <pam-list at redhat.com>
> >   Message-ID: <93b73b230704121256h30d2ebd0t2a939e92edae5d3a at mail.gmail.com>
> >   Content-Type: multipart/alternative; boundary="----=_Part_21615_5006272.1176407782942"
> >   Message: 7
> >
> > Hi Mrs,
> >
> > I have a Tacacs server to centralize authentication in my routers,
> > switches, cmts ... And I think I will use this infrastructure to centralize
> > my authentication on my Linux Servers.
> >
> > I found in my searches on Google a PAM module for tacacs.
> >
> > Does anyone know about or use this module?
> >
> > Thanks,
> >
> > Dud.
> >
> >  Dud,
> >
> > I suppose you're talking of the tacacs+ client package published by some
> > Polish guy (don't remember the name right now). The pam_tacacs module
> > works quite fine. Some quirks when using tacacs 'accounting' (not to be
> > confused with PAM accounting, which is the equivalent to tacacs 'authorize').
> > There is a drawback in that the module supports only one tacacs server.
> > The workaround I took was to stack the module twice, each one with a
> > different tacacs server. Don't forget to switch on encryption. My
> > configuration was:
> >
> >     auth        sufficient   pam_tacplus.so encrypt secret=FarAway server=10.13.0.22
> >     auth        sufficient   pam_tacplus.so encrypt secret=FarAway server=10.14.1.69
> >
> > BTW the above package includes 'tacc', a small line-mode tacacs client.
> > A fine tool when debugging the tacacs environment.
> >
> > Andreas
> >
> > --
> > Dr.-Ing. Andreas Schindler
> >
> > Alpha Zero One Computersysteme GmbH
> > Frankfurter Str. 141
> > 63303 Dreieich
> >
> > Telefon 06103-57187-21
> > Telefax 06103-373245
> >
> >
> > schindler at az1.de
> > www.az1.de
> >
> >
>
>
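Added example, not part of the original thread or of the pam_tacplus package: a small Python check for the kind of service file quoted above. It joins backslash-continued lines, then reports pam_tacplus rules that lack server=, secret= or encrypt and lists the servers stacked per type; the option names are the ones used in the thread, while the sample file, addresses and secret are constructed placeholders.

```python
# Added example: lint pam_tacplus rules in a PAM service file (sample is constructed).
TYPES = {"auth", "account", "password", "session"}
SAMPLE = """#%PAM-1.0
auth       sufficient   pam_tacplus.so encrypt secret=PLACEHOLDER server=192.0.2.10
auth       sufficient   pam_tacplus.so encrypt secret=PLACEHOLDER server=192.0.2.11
account    sufficient   /lib/security/pam_tacplus.so debug server=192.0.2.10 \\

secret=PLACEHOLDER encrypt service=shell protocol=ssh
session    sufficient   /lib/security/pam_tacplus.so server=192.0.2.10 \\
secret=PLACEHOLDER service=shell protocol=ssh
"""

def parse_pam(text):
    """Join backslash-continued lines; assumes one-word controls as in the thread."""
    rules, findings, pending, start = [], [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = n                      # first physical line of this rule
        if raw.rstrip().endswith("\\"):    # escaped newline: keep joining
            pending += raw.rstrip()[:-1] + " "
            continue
        line, pending = (pending + raw).split("#", 1)[0].strip(), ""
        if not line:
            continue
        tok = line.split()
        if tok[0] not in TYPES or len(tok) < 3:
            findings.append((start, "not a rule, orphaned continuation?: " + line))
            continue
        rules.append((start, tok[0], tok[2], tok[3:]))
    return rules, findings

def check_tacplus(text):
    """Return (sorted findings, {type: [servers in stack order]})."""
    rules, findings = parse_pam(text)
    servers = {}
    for lineno, typ, module, args in rules:
        if not module.endswith("pam_tacplus.so"):
            continue
        opts = dict(a.partition("=")[::2] for a in args)   # "encrypt" -> ""
        for needed in ("server", "secret"):
            if not opts.get(needed):
                findings.append((lineno, f"{typ}: pam_tacplus without {needed}="))
        if "encrypt" not in opts:
            findings.append((lineno, f"{typ}: pam_tacplus without encrypt"))
        if opts.get("server"):
            servers.setdefault(typ, []).append(opts["server"])
    return sorted(findings), servers

if __name__ == "__main__":
    print(*check_tacplus(SAMPLE)[0], sep="\n")
```

On the sample, the blank line after the "account" continuation ends that rule early, so the rule is reported without secret= and encrypt and the leftover options line is reported as not being a rule.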