pam_tacplus managing privileges/access control

Chandan Kumar chandank.kumar at gmail.com
Fri Feb 20 16:49:39 UTC 2015


Hello All,

I am using pam_tacplus.so for tacacs+ authentication for Linux client
(CentOS) on a small PC based system.

I am wondering how I could get Linux groups working. As far as I know,
tacplus inherently does not support Linux groups at all, as it is more
designed for CISCO devices.

If we can't support the Linux groups from tacacs+, is there any way that I
could pass on some information from the tacplus server to the Linux pam_tacplus
module, either during the authorization or the authentication phase, which could be
used by pam_tacplus to change user info on the fly? I know it won't be
the best way to do so, but it may work. I have done similar changes for
the pam_radius module and it works pretty well.

It could also be possible that my server configuration is not good.

I am sending an authorization request from the client, but the server does not
seem to understand the "service=shell". It says "No identifiable
service/protocol in authorization request".

=============================================

My server config

group = test {
        default service = deny
        login = file /etc/passwd
        enable = file /etc/passwd
        service = shell {
                priv-lvl= 15
        }
}
user = joe {
        member = test
}


Please find below the server side log.

===============================================
Fri Feb 20 11:03:09 2015 [7437]: 0x73 0x73 0x68
Fri Feb 20 11:03:09 2015 [7437]: type=AUTHOR, priv_lvl=0, authen=2
Fri Feb 20 11:03:09 2015 [7437]: method=tacacs+
Fri Feb 20 11:03:09 2015 [7437]: svc=3 user_len=3 port_len=3 rem_addr_len=12
Fri Feb 20 11:03:09 2015 [7437]: arg_cnt=2
Fri Feb 20 11:03:09 2015 [7437]: User:
Fri Feb 20 11:03:09 2015 [7437]: joe
Fri Feb 20 11:03:09 2015 [7437]: port:
Fri Feb 20 11:03:09 2015 [7437]: ssh
Fri Feb 20 11:03:09 2015 [7437]: rem_addr:
Fri Feb 20 11:03:09 2015 [7437]: 192.168.2.30
Fri Feb 20 11:03:09 2015 [7437]: arg[0]: size=13
Fri Feb 20 11:03:09 2015 [7437]: service=shell
Fri Feb 20 11:03:09 2015 [7437]: arg[1]: size=12
Fri Feb 20 11:03:09 2015 [7437]: protocol=ssh
Fri Feb 20 11:03:09 2015 [7437]: End packet
Fri Feb 20 11:03:09 2015 [7437]: Writing AUTHOR/ERROR size=75
Fri Feb 20 11:03:09 2015 [7437]: PACKET: key=<NULL>
Fri Feb 20 11:03:09 2015 [7437]: version 192 (0xc0), type 2, seq no 2,
flags 0x1
Fri Feb 20 11:03:09 2015 [7437]: session_id 0 (0x0), Data length 63 (0x3f)
Fri Feb 20 11:03:09 2015 [7437]: End header
Fri Feb 20 11:03:09 2015 [7437]: Packet body hex dump:
Fri Feb 20 11:03:09 2015 [7437]: 0x11 0x0 0x0 0x0 0x39 0x0 0x4e 0x6f 0x20
0x69 0x64 0x65 0x6e 0x74 0x69 0x66
Fri Feb 20 11:03:09 2015 [7437]: 0x69 0x61 0x62 0x6c 0x65 0x20 0x73 0x65
0x72 0x76 0x69 0x63 0x65 0x2f 0x70 0x72
Fri Feb 20 11:03:09 2015 [7437]: 0x6f 0x74 0x6f 0x63 0x6f 0x6c 0x20 0x69
0x6e 0x20 0x61 0x75 0x74 0x68 0x6f 0x72
Fri Feb 20 11:03:09 2015 [7437]: 0x69 0x7a 0x61 0x74 0x69 0x6f 0x6e 0x20
0x72 0x65 0x71 0x75 0x65 0x73 0x74
Fri Feb 20 11:03:09 2015 [7437]: type=AUTHOR/REPLY status=17 (AUTHOR/ERROR)
Fri Feb 20 11:03:09 2015 [7437]: msg_len=0, data_len=57 arg_cnt=0
Fri Feb 20 11:03:09 2015 [7437]: msg:
Fri Feb 20 11:03:09 2015 [7437]: data:
Fri Feb 20 11:03:09 2015 [7437]: No identifiable service/protocol in
authorization request
Fri Feb 20 11:03:09 2015 [7437]: End packet
Fri Feb 20 11:03:09 2015 [7437]: authorization query for 'joe' ssh from
192.168.2.201 rejected




Thanks in advance for any help.


--
http://about.me/chandank
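The log above ends with an AUTHOR/ERROR reply (status 17, data length 63) carrying the text "No identifiable service/protocol in authorization request", and the request it answers carries two arguments, service=shell and protocol=ssh. The following is an added example, not code from the post or from the pam_tacplus or tac_plus projects: it decodes a TACACS+ authorization REPLY body and lints the request's attribute-value pairs according to RFC 8907 (which post-dates the thread but documents the same wire format). The function names, the AuthorReply class and the sample bytes are assumptions of this example; the sample reply body is re-encoded from the log's values in network byte order rather than copied from the hex dump, and the request arguments are the two from the log. Whether a given tac_plus build rejects a shell request for lacking a cmd attribute is not something the log alone settles; the check only reports what the RFC says a shell (EXEC) request should carry.

```python
# Added example, not code from the original post or from pam_tacplus/tac_plus:
# decode a TACACS+ authorization REPLY body and lint the request attributes,
# following RFC 8907 (sections 6.1, 6.2 and 8.1).
import struct
from dataclasses import dataclass, field

# Authorization REPLY status values (RFC 8907 section 6.2).
AUTHOR_STATUS = {
    0x01: "AUTHOR/PASS_ADD",
    0x02: "AUTHOR/PASS_REPL",
    0x10: "AUTHOR/FAIL",
    0x11: "AUTHOR/ERROR",
    0x21: "AUTHOR/FOLLOW",
}

# Server reply text quoted in the thread's log (its status 17 is 0x11).
ERROR_TEXT = "No identifiable service/protocol in authorization request"


@dataclass
class AuthorReply:
    status: int
    server_msg: str
    data: str
    args: list = field(default_factory=list)

    @property
    def status_name(self) -> str:
        return AUTHOR_STATUS.get(self.status, "UNKNOWN(0x%02x)" % self.status)


def parse_author_reply(body: bytes) -> AuthorReply:
    """Parse a REPLY body: status(1) arg_cnt(1) server_msg_len(2) data_len(2),
    then one length byte per argument, then server_msg, data and the arguments.
    Length fields are in network byte order; their sum must match the body."""
    if len(body) < 6:
        raise ValueError("body shorter than the fixed REPLY header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated argument length table")
    off += arg_cnt
    expected = off + msg_len + data_len + sum(arg_lens)
    if expected != len(body):
        raise ValueError("length fields imply %d bytes, body has %d" % (expected, len(body)))
    server_msg = body[off:off + msg_len].decode("utf-8", "replace")
    off += msg_len
    data = body[off:off + data_len].decode("utf-8", "replace")
    off += data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode("utf-8", "replace"))
        off += n
    return AuthorReply(status, server_msg, data, args)


def build_author_reply(status: int, server_msg: str = "", data: str = "", args=()) -> bytes:
    """Encode a REPLY body; used here only to construct sample input."""
    msg_b, data_b = server_msg.encode(), data.encode()
    arg_b = [a.encode() for a in args]
    hdr = struct.pack("!BBHH", status, len(arg_b), len(msg_b), len(data_b))
    return hdr + bytes(len(a) for a in arg_b) + msg_b + data_b + b"".join(arg_b)


def parse_avpair(arg: str):
    """Split 'attr=value' / 'attr*value' (RFC 8907 section 6.1): '=' marks a
    mandatory attribute, '*' an optional one. Returns (name, mandatory, value)."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], ch == "=", arg[i + 1:]
    raise ValueError("argument %r has no '=' or '*' separator" % arg)


def check_shell_request(args) -> list:
    """Lint request arguments against RFC 8907 section 8.1, which requires a
    'cmd' attribute whenever service=shell (an empty cmd= denotes EXEC start)."""
    attrs = {}
    for a in args:
        name, _mandatory, value = parse_avpair(a)
        attrs[name] = value
    issues = []
    if "service" not in attrs:
        issues.append("no service attribute")
    elif attrs["service"] == "shell" and "cmd" not in attrs:
        issues.append("service=shell without a cmd attribute")
    return issues


# Constructed sample input: the AUTHOR/ERROR reply and the request arguments
# from the log, re-encoded in RFC byte order rather than copied from the dump.
SAMPLE_REPLY = build_author_reply(0x11, data=ERROR_TEXT)
SAMPLE_REQUEST_ARGS = ["service=shell", "protocol=ssh"]

if __name__ == "__main__":
    reply = parse_author_reply(SAMPLE_REPLY)
    print("%d-byte body: %s data=%r" % (len(SAMPLE_REPLY), reply.status_name, reply.data))
    for issue in check_shell_request(SAMPLE_REQUEST_ARGS):
        print("request:", issue)
```

Run stand-alone it reports the 63-byte AUTHOR/ERROR body, matching the "Data length 63" line in the log, and flags that the request as logged has no cmd attribute. The parser refuses bodies whose length fields disagree with the bytes actually present, which is the check a server-side decoder needs before trusting any of the string fields.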