pam + tacacs configuration
Nick Owen
nowen at wikidsystems.com
Wed Oct 1 21:52:39 UTC 2008
Greetings:
I am trying to get pam_tacplus 1.2.9 working with pam-0.99.6.2-3.22.fc6.
I had this working back in the pam_stack days, but can't seem to get it
quite right using include.
here is my /etc/pam.d/tacacs file:
#%PAM-1.0
auth sufficient /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=super_secret encrypt
account sufficient /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=super_secret encrypt service=shell protocol=ssh
session sufficient /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=super_secret encrypt service=shell protocol=ssh
Here's my /etc/pam.d/sshd:
#%PAM-1.0
auth include tacacs
#auth required pam_nologin.so
account include tacacs
#account required system-auth
password required tacacs
session include tacacs
#session required system-auth
#session required pam_limits.so
#session optional pam_console.so
And here's the output from /var/log/secure:
Oct 1 17:21:40 vpn sshd[22767]: PAM unable to dlopen(/lib/security/tacacs)
Oct 1 17:21:40 vpn sshd[22767]: PAM [error: /lib/security/tacacs: cannot open shared object file: No such file or directory]
Oct 1 17:21:40 vpn sshd[22767]: PAM adding faulty module: /lib/security/tacacs
Oct 1 17:21:42 vpn sshd[22767]: pam_sm_authenticate: called (pam_tacplus v1.2.9)
Oct 1 17:21:42 vpn sshd[22767]: pam_sm_authenticate: user [nowen] obtained
Oct 1 17:21:42 vpn sshd[22767]: tacacs_get_password: called
Oct 1 17:21:42 vpn sshd[22767]: tacacs_get_password: obtained password [933032]
Oct 1 17:21:42 vpn sshd[22767]: pam_sm_authenticate: pass [933032] obtained
Oct 1 17:21:42 vpn sshd[22767]: pam_sm_authenticate: tty [ssh] obtained
Oct 1 17:21:42 vpn sshd[22767]: pam_sm_authenticate: trying srv 0
Oct 1 17:21:42 vpn sshd[22767]: pam_sm_authenticate: exit
Oct 1 17:21:42 vpn sshd[22767]: pam_sm_acct_mgmt: called (pam_tacplus v1.2.9)
Oct 1 17:21:42 vpn sshd[22767]: pam_sm_acct_mgmt: active server is [10.100.0.102]
Oct 1 17:21:42 vpn sshd[22767]: pam_sm_acct_mgmt: username obtained [nowen]
Oct 1 17:21:42 vpn sshd[22767]: pam_sm_acct_mgmt: tty obtained [ssh]
Oct 1 17:21:42 vpn sshd[22767]: pam_sm_acct_mgmt: sent authorization request
Oct 1 17:21:42 vpn sshd[22767]: tac_author_read: inconsistent author reply body, incorrect key?
Oct 1 17:21:42 vpn sshd[22767]: Failed password for nowen from 10.100.0.102 port 58121 ssh2
Oct 1 17:21:42 vpn sshd[22770]: fatal: Access denied for user nowen by PAM account configuration
I can't seem to google up any info on configuring with modules using
include. The logs seem to point to tacacs being in the wrong place. I
also wonder if the source for tacplus needs to be updated.
TIA,
Nick
--
Nick Owen
WiKID Systems, Inc.
404-962-8983 (desk)
http://www.wikidsystems.com
Two-factor authentication, without the hassle factor.
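The following is an added example, not part of Nick's post and not pam_tacplus or Linux-PAM code. It reads copies of the two pam.d files and the /var/log/secure excerpt from the post (constructed here as string literals, on the assumption that the mail client wrapped what were single lines) and does two things a reviewer of this thread would do by hand: walk the sshd stack following include lines and flag any non-include line whose third field is not a module, which is exactly how "password required tacacs" turns into a dlopen of /lib/security/tacacs, and triage the log for the faulty-module, shared-secret-mismatch and account-denial messages, plus the one-time password that the debug flag wrote to syslog. The module directory and the signature wording are assumptions of this example.

```python
import re

# Constructed copies of the two /etc/pam.d files from the post (assumption:
# the wrapped lines in the mail were single lines in the real files).
PAM_FILES = {
    "sshd": """\
#%PAM-1.0
auth     include  tacacs
account  include  tacacs
password required tacacs
session  include  tacacs
""",
    "tacacs": """\
#%PAM-1.0
auth    sufficient /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=super_secret encrypt
account sufficient /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=super_secret encrypt service=shell protocol=ssh
session sufficient /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=super_secret encrypt service=shell protocol=ssh
""",
}

MODULE_DIR = "/lib/security"  # assumed: where this PAM build dlopen()s bare module names


def parse_pam(text):
    """Split a pam.d file into (type, control, module, args) tuples, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        entries.append((fields[0].lower(), fields[1].lower(), fields[2], fields[3:]))
    return entries


def lint_service(files, service, seen=None):
    """Walk one service's stack, following include/substack, and report the pitfalls
    visible in the post. Each file is linted once; findings are de-duplicated."""
    seen = set() if seen is None else seen
    if service in seen:
        return []
    seen.add(service)
    findings = []
    for mtype, control, module, args in parse_pam(files[service]):
        if control in ("include", "substack"):
            if module not in files:
                findings.append(f"{service}: {mtype} {control} {module}: included file not found")
            else:
                findings.extend(lint_service(files, module, seen))
            continue
        # Any other control word means the third field is a module, so PAM will dlopen() it.
        if not module.endswith(".so"):
            findings.append(f"{service}: '{mtype} {control} {module}' is not an include, "
                            f"PAM will try to dlopen {MODULE_DIR}/{module} and mark it faulty")
        if "debug" in args and "pam_tacplus" in module:
            findings.append(f"{service}: {mtype} pam_tacplus has debug on; "
                            "it logs the submitted password to syslog")
    return list(dict.fromkeys(findings))


# Constructed /var/log/secure excerpt modelled on the post (host, pids, user and
# the one-time password value are the post's; this is not a real capture).
SECURE_LOG = """\
Oct 1 17:21:40 vpn sshd[22767]: PAM unable to dlopen(/lib/security/tacacs)
Oct 1 17:21:40 vpn sshd[22767]: PAM adding faulty module: /lib/security/tacacs
Oct 1 17:21:42 vpn sshd[22767]: tacacs_get_password: obtained password [933032]
Oct 1 17:21:42 vpn sshd[22767]: pam_sm_authenticate: pass [933032] obtained
Oct 1 17:21:42 vpn sshd[22767]: pam_sm_acct_mgmt: sent authorization request
Oct 1 17:21:42 vpn sshd[22767]: tac_author_read: inconsistent author reply body, incorrect key?
Oct 1 17:21:42 vpn sshd[22767]: Failed password for nowen from 10.100.0.102 port 58121 ssh2
Oct 1 17:21:42 vpn sshd[22770]: fatal: Access denied for user nowen by PAM account configuration
"""

LOG_LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) (?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# (name, pattern, what a defender should conclude from it)
SIGNATURES = [
    ("faulty_module", re.compile(r"PAM adding faulty module: (\S+)"),
     "pam.d names a file that is not a module (e.g. 'required' where 'include' was meant)"),
    ("shared_secret_mismatch", re.compile(r"inconsistent author reply body, incorrect key\?"),
     "TACACS+ reply did not decode: the secret= in pam.d does not match the server's key"),
    ("credential_in_log", re.compile(r"(?:obtained password|pass) \[([^\]]*)\]"),
     "debug logging wrote a submitted password to syslog; treat it as exposed and drop 'debug'"),
    ("account_denied", re.compile(r"Access denied for user (\S+) by PAM account configuration"),
     "account stage failed; here the only account module (pam_tacplus) returned failure"),
]


def triage_secure_log(text):
    """Return {signature_name: [(pid, captured_detail), ...]} for the known failure messages."""
    hits = {name: [] for name, _, _ in SIGNATURES}
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue
        for name, pattern, _ in SIGNATURES:
            found = pattern.search(m["msg"])
            if found:
                hits[name].append((int(m["pid"]), found.group(1) if found.groups() else ""))
    return hits


def explain(hits):
    """One summary line per signature that fired, with the sshd pids involved."""
    return [f"{name}: {advice} (pids {sorted({pid for pid, _ in hits[name]})})"
            for name, _, advice in SIGNATURES if hits[name]]


if __name__ == "__main__":
    for finding in lint_service(PAM_FILES, "sshd"):
        print("config:", finding)
    for line in explain(triage_secure_log(SECURE_LOG)):
        print("log:", line)
```

Run stand-alone it prints four config findings (the bare "tacacs" on the password line and the three debug flags) and four log findings; point `PAM_FILES` at real files read from /etc/pam.d and `SECURE_LOG` at a real log to use it on a live host. The include walk deliberately treats only `include` and `substack` as references to other files, since every other control word makes PAM load the third field as a shared object.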