pam + tacacs configuration

Nick Owen nowen at wikidsystems.com
Wed Oct 1 21:52:39 UTC 2008 

Greetings:

I am trying to get pam_tacplus 1.2.9 working with pam-0.99.6.2-3.22.fc6.
 I had this working back in the pam_stack days, but can't seem to get it
quite right using include.

here is my /etc/pam.d/tacacs file:

#%PAM-1.0
auth       sufficient   /lib/security/pam_tacplus.so debug
server=10.100.0.102 secret=super_secret encrypt
account    sufficient   /lib/security/pam_tacplus.so debug
server=10.100.0.102 secret=super_secret encrypt service=shell protocol=ssh
session    sufficient   /lib/security/pam_tacplus.so debug
server=10.100.0.102 secret=super_secret encrypt service=shell protocol=ssh

Here's my /etc/pam.d/sshd:

#%PAM-1.0
auth       include      tacacs
#auth       required     pam_nologin.so
account    include      tacacs
#account    required     system-auth
password   required     tacacs
session    include      tacacs
#session    required     system-auth
#session    required     pam_limits.so
#session    optional     pam_console.so

And here's the output from /var/log/secure:

Oct  1 17:21:40 vpn sshd[22767]: PAM unable to dlopen(/lib/security/tacacs)
Oct  1 17:21:40 vpn sshd[22767]: PAM [error: /lib/security/tacacs:
cannot open shared object file: No such file or directory]
Oct  1 17:21:40 vpn sshd[22767]: PAM adding faulty module:
/lib/security/tacacs
Oct  1 17:21:42 vpn sshd[22767]: pam_sm_authenticate: called
(pam_tacplus v1.2.9)
Oct  1 17:21:42 vpn sshd[22767]: pam_sm_authenticate: user [nowen] obtained
Oct  1 17:21:42 vpn sshd[22767]: tacacs_get_password: called
Oct  1 17:21:42 vpn sshd[22767]: tacacs_get_password: obtained password
[933032]
Oct  1 17:21:42 vpn sshd[22767]: pam_sm_authenticate: pass [933032] obtained
Oct  1 17:21:42 vpn sshd[22767]: pam_sm_authenticate: tty [ssh] obtained
Oct  1 17:21:42 vpn sshd[22767]: pam_sm_authenticate: trying srv 0
Oct  1 17:21:42 vpn sshd[22767]: pam_sm_authenticate: exit
Oct  1 17:21:42 vpn sshd[22767]: pam_sm_acct_mgmt: called (pam_tacplus
v1.2.9)
Oct  1 17:21:42 vpn sshd[22767]: pam_sm_acct_mgmt: active server is
[10.100.0.102]
Oct  1 17:21:42 vpn sshd[22767]: pam_sm_acct_mgmt: username obtained [nowen]
Oct  1 17:21:42 vpn sshd[22767]: pam_sm_acct_mgmt: tty obtained [ssh]
Oct  1 17:21:42 vpn sshd[22767]: pam_sm_acct_mgmt: sent authorization
request
Oct  1 17:21:42 vpn sshd[22767]: tac_author_read: inconsistent author
reply body, incorrect key?
Oct  1 17:21:42 vpn sshd[22767]: Failed password for nowen from
10.100.0.102 port 58121 ssh2
Oct  1 17:21:42 vpn sshd[22770]: fatal: Access denied for user nowen by
PAM account configuration


I can't seem to google up any info on configuring with modules using
include. The logs seem to point to tacacs being in the wrong place. I
also wonder if the source for tacplus needs to be updated.

TIA,

Nick

-- 
Nick Owen
WiKID Systems, Inc.
404-962-8983 (desk)
http://www.wikidsystems.com
Two-factor authentication, without the hassle factor.

More information about the Pam-list mailing list