[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

pam_tacplus managing priviledges/access control



Hello All,

I am using pam_tacplus.so for tacacs+ authentication for Linux client (CentOS) on a small PC based system.

I am wondering how could I get Linux groups working. As far as I know, tacplus inherently does not support Linux group at all as it is more designed for CISCO devices.

If we can't support the Linux groups from tacacs+, is there any way that I could pass on some information from tacplus server to the Linux pam_tacplus module either during authorization or authentication phase which could be used by the pam_tacplus do change user info on the fly. I know it won't be the best way to do so, but it may work. I have done similar changes for other pam_radius module and it works pretty well.

it could also be possible that my server configurations are not good.

I am sending authorization request from client, but the server does not seems to understand the "service=shell". It says "No identifiable service/protocol in authorization request".

=============================================

My server config

group = test {
        default service = deny
        login = file /etc/passwd
        enable = file /etc/passwd
        service = shell {
                priv-lvl= 15
        }
}
user = joe {
        member = test
}


Please find below the server side log.

===============================================
Fri Feb 20 11:03:09 2015 [7437]: 0x73 0x73 0x68
Fri Feb 20 11:03:09 2015 [7437]: type=AUTHOR, priv_lvl=0, authen=2
Fri Feb 20 11:03:09 2015 [7437]: method=tacacs+
Fri Feb 20 11:03:09 2015 [7437]: svc=3 user_len=3 port_len=3 rem_addr_len=12
Fri Feb 20 11:03:09 2015 [7437]: arg_cnt=2
Fri Feb 20 11:03:09 2015 [7437]: User:
Fri Feb 20 11:03:09 2015 [7437]: joe
Fri Feb 20 11:03:09 2015 [7437]: port:
Fri Feb 20 11:03:09 2015 [7437]: ssh
Fri Feb 20 11:03:09 2015 [7437]: rem_addr:
Fri Feb 20 11:03:09 2015 [7437]: 192.168.2.30
Fri Feb 20 11:03:09 2015 [7437]: arg[0]: size=13
Fri Feb 20 11:03:09 2015 [7437]: service=shell
Fri Feb 20 11:03:09 2015 [7437]: arg[1]: size=12
Fri Feb 20 11:03:09 2015 [7437]: protocol=ssh
Fri Feb 20 11:03:09 2015 [7437]: End packet
Fri Feb 20 11:03:09 2015 [7437]: Writing AUTHOR/ERROR size=75
Fri Feb 20 11:03:09 2015 [7437]: PACKET: key=<NULL>
Fri Feb 20 11:03:09 2015 [7437]: version 192 (0xc0), type 2, seq no 2, flags 0x1
Fri Feb 20 11:03:09 2015 [7437]: session_id 0 (0x0), Data length 63 (0x3f)
Fri Feb 20 11:03:09 2015 [7437]: End header
Fri Feb 20 11:03:09 2015 [7437]: Packet body hex dump:
Fri Feb 20 11:03:09 2015 [7437]: 0x11 0x0 0x0 0x0 0x39 0x0 0x4e 0x6f 0x20 0x69 0x64 0x65 0x6e 0x74 0x69 0x66
Fri Feb 20 11:03:09 2015 [7437]: 0x69 0x61 0x62 0x6c 0x65 0x20 0x73 0x65 0x72 0x76 0x69 0x63 0x65 0x2f 0x70 0x72
Fri Feb 20 11:03:09 2015 [7437]: 0x6f 0x74 0x6f 0x63 0x6f 0x6c 0x20 0x69 0x6e 0x20 0x61 0x75 0x74 0x68 0x6f 0x72
Fri Feb 20 11:03:09 2015 [7437]: 0x69 0x7a 0x61 0x74 0x69 0x6f 0x6e 0x20 0x72 0x65 0x71 0x75 0x65 0x73 0x74
Fri Feb 20 11:03:09 2015 [7437]: type=AUTHOR/REPLY status=17 (AUTHOR/ERROR)
Fri Feb 20 11:03:09 2015 [7437]: msg_len=0, data_len=57 arg_cnt=0
Fri Feb 20 11:03:09 2015 [7437]: msg:
Fri Feb 20 11:03:09 2015 [7437]: data:
Fri Feb 20 11:03:09 2015 [7437]: No identifiable service/protocol in authorization request
Fri Feb 20 11:03:09 2015 [7437]: End packet
Fri Feb 20 11:03:09 2015 [7437]: authorization query for 'joe' ssh from 192.168.2.201 rejected




Thanks in advance for any help.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]