pam + tacacs configuration

Nick Owen nowen at wikidsystems.com
Thu Oct 2 12:37:39 UTC 2008


Dan Yefimov wrote:
> On 02.10.2008 1:52, Nick Owen wrote:
>> Greetings:
>>
>> I am trying to get pam_tacplus 1.2.9 working with pam-0.99.6.2-3.22.fc6.
>>   I had this working back in the pam_stack days, but can't seem to get it
>> quite right using include.
>>
>> here is my /etc/pam.d/tacacs file:
>>
>> #%PAM-1.0
>> auth       sufficient   /lib/security/pam_tacplus.so debug
>> server=10.100.0.102 secret=super_secret encrypt
>> account    sufficient   /lib/security/pam_tacplus.so debug
>> server=10.100.0.102 secret=super_secret encrypt service=shell
>> protocol=ssh
>> session    sufficient   /lib/security/pam_tacplus.so debug
>> server=10.100.0.102 secret=super_secret encrypt service=shell
>> protocol=ssh
>>
>> Here's my /etc/pam.d/sshd:
>>
>> #%PAM-1.0
>> auth       include      tacacs
>> #auth       required     pam_nologin.so
>> account    include      tacacs
>> #account    required     system-auth
>> password   required     tacacs
>              ^^^^^^^^
> Here is the root of your problem :-)

I had high hopes that this simple change would prove that I had
wasted a great deal of time yesterday, but alas, I have made the change
and the result is the same:

Oct  2 08:37:23 support sshd[25193]: pam_sm_authenticate: called
(pam_tacplus v1.2.9)
Oct  2 08:37:23 support sshd[25193]: pam_sm_authenticate: user [nowen]
obtained
Oct  2 08:37:23 support sshd[25193]: tacacs_get_password: called
Oct  2 08:37:23 support sshd[25193]: tacacs_get_password: obtained
password [779720]
Oct  2 08:37:23 support sshd[25193]: pam_sm_authenticate: pass [779720]
obtained
Oct  2 08:37:23 support sshd[25193]: pam_sm_authenticate: tty [ssh] obtained
Oct  2 08:37:23 support sshd[25193]: pam_sm_authenticate: trying srv 0
Oct  2 08:37:23 support sshd[25193]: pam_sm_authenticate: exit
Oct  2 08:37:23 support sshd[25193]: pam_sm_acct_mgmt: called
(pam_tacplus v1.2.9)
Oct  2 08:37:23 support sshd[25193]: pam_sm_acct_mgmt: active server is
[10.100.0.102]
Oct  2 08:37:23 support sshd[25193]: pam_sm_acct_mgmt: username obtained
[nowen]
Oct  2 08:37:23 support sshd[25193]: pam_sm_acct_mgmt: tty obtained [ssh]
Oct  2 08:37:23 support sshd[25193]: pam_sm_acct_mgmt: sent
authorization request
Oct  2 08:37:24 support sshd[25193]: tac_author_read: inconsistent
author reply body, incorrect key?
Oct  2 08:37:24 support sshd[25194]: fatal: Access denied for user nowen
by PAM account configuration
Oct  2 08:37:24 support sshd[25193]: Failed password for nowen from
10.100.0.102 port 35385 ssh2



> 
>> session    include      tacacs
>> #session    required     system-auth
>> #session    required     pam_limits.so
>> #session    optional     pam_console.so
>>
>> And here's the output from /var/log/secure:
>>
>> Oct  1 17:21:40 vpn sshd[22767]: PAM unable to
>> dlopen(/lib/security/tacacs)
>> Oct  1 17:21:40 vpn sshd[22767]: PAM [error: /lib/security/tacacs:
>> cannot open shared object file: No such file or directory]
>> Oct  1 17:21:40 vpn sshd[22767]: PAM adding faulty module:
>> /lib/security/tacacs
>>
> [skip]
> 
>> I can't seem to google up any info on configuring with modules using
>> include. The logs seem to point to tacacs being in the wrong place. I
>> also wonder if the source for tacplus needs to be updated.
>>
> You just forgot to replace 'required' with 'include' and didn't notice
> that :-)

-- 
Nick Owen
WiKID Systems, Inc.
404-962-8983 (desk)
http://www.wikidsystems.com
Two-factor authentication, without the hassle factor.
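A small lint for the slip Dan points out, written here as an added example (not code from pam_tacplus or from the list): it parses a pam.d stack and flags a stack name such as tacacs used with required/sufficient instead of include, which is exactly why PAM tried to dlopen(/lib/security/tacacs). The embedded sshd stack is constructed from the one posted above; the set of known stacks passed to the linter is an assumption.

```python
"""Lint pam.d stacks for the slip in this thread: a stack name ("tacacs") in the
module column with a control other than include/substack, which makes PAM try
to dlopen(/lib/security/tacacs). Added example, not pam_tacplus or list code."""
import re
# type, control (a word or a [bracketed] action list), module, optional args
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
STACK_CONTROLS = {"include", "substack"}

def parse_pam(text):
    """Return (lineno, type, control, module, args) per rule, honouring '#'
    comments and backslash continuation lines as pam.conf(5) describes."""
    rules, buf, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        start = start if buf else n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        m = RULE.match(buf + line)
        buf = ""
        rules.append((start,) + (m.groups() if m else (None, None, None, "")))
    return rules

def lint_pam(text, known_stacks):
    """Return (lineno, message) findings for one pam.d file."""
    findings = []
    for start, typ, control, module, _args in parse_pam(text):
        if typ is None:
            findings.append((start, "malformed rule"))
        elif control in STACK_CONTROLS:
            if module not in known_stacks:
                findings.append((start, f"{control} target {module!r} is not in pam.d"))
        elif "/" not in module and not module.endswith(".so"):
            hint = "; did you mean 'include'?" if module in known_stacks else ""
            findings.append((start, f"{typ} {control} {module}: PAM would "
                                    f"dlopen(/lib/security/{module}){hint}"))
    return findings

# Constructed from the sshd stack posted in the thread; line 6 is the slip.
SSHD_BROKEN = """#%PAM-1.0
auth       include      tacacs
#auth       required     pam_nologin.so
account    include      tacacs
#account    required     system-auth
password   required     tacacs
session    include      tacacs
"""
SSHD_FIXED = SSHD_BROKEN.replace("password   required ", "password   include  ")
```

Run `lint_pam(SSHD_BROKEN, {"tacacs", "system-auth"})` to see the single finding on line 6; the corrected stack produces none.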
