[tac_plus] Fwd: Error Cannot generate skey prompt for USER

ninjabytes ninjabytes at gmail.com
Tue Jun 5 12:14:27 UTC 2007


Hello,

I have been reporting a few problems to John Heasley from shrubbery.net, who
turned out to be a pretty friendly guy. I don't even know if you are him, but
here is a copy of my e-mail so you might be able to help me out with my
problem. To make a long story short, OpenBSD tacacs does not work with
SKEY.

Thanks in advance

---------- Forwarded message ----------
From: ninjabytes <ninjabytes at gmail.com>
Date: 04-jun-2007 17:53
Subject: Re: [tac_plus] Error Cannot generate skey prompt for USER
To: john heasley <heas at shrubbery.net>


John:

Take a quick look at the following debugging line:

# tac_plus -C /etc/tac_plus.conf -d 16 -g
Reading config
Version F4.0.4.alpha Initialized 1
tac_plus server F4.0.4.alpha starting
uid=511 euid=511 gid=511 egid=511 s=4
login query for 'angel:skey' tty1 from 10.254.80.8 rejected
10.254.80.8 tty1: Login aborted by request -- msg: CTRL-C pressed
login query for 'angel:skey' tty1 from 10.254.80.8 rejected

When I telnet into one of my routers 1) I don't get an S/Key prompt 2) the tac_plus
debug message only reports the following message "login query for
'angel:skey' tty1 from 10.254.80.8 rejected". Any leads/tips will be truly
appreciated.

Below is a copy of my config file:

# more /etc/tac_plus.conf
user = angel {
login = skey
}

2007/6/4, john heasley <heas at shrubbery.net>:
>
> Mon, Jun 04, 2007 at 01:23:15PM -0300, ninjabytes:
> > John:
> >
> > I forgot to ask:
> >
> > 1) does my OpenBSD have to have telnet enabled in order to have tacacs
> > generate the KEY prompt for skey?
>
> your host should not need anything enabled.  I don't recall testing skey
> with ssh (on the router), but I don't see why it wouldn't work.
>
> > 2) do you know how to get tacacs to work with S/Key on OpenBSD?
>
> It should just work.
>
> > 3) I tried to compile tacacs manually on my OpenBSD box and also on my
> > FreeBSD box with the --with-skey configure parameter but it fails; when I
> > run "make" it gives me a couple of libskeyaccess errors.
>
> what is the error?
>
> > 4) Please, let me know the best OS to get tacacs to work with S/Key
>
> I tested with NetBSD, but the skey libraries should be no different for
> any O/S.
>
> > 5) is it possible to integrate tacacs with OPIE and use OPIE instead of
> > S/Key?
>
> Sorry, I'm not familiar with opie.
>
> > Thanks in advance
> >
> >
> > 2007/6/2, john heasley <heas at shrubbery.net>:
> > >
> > >Fri, Jun 01, 2007 at 06:53:46PM -0300, ninjabytes:
> > >> Hi folks,
> > >>
> > >> I have installed tac_plus version F4.0.4.alpha on my OpenBSD
> > >> 4.1-STABLE box.
> > >>
> > >> Below is my /etc/tac_plus.conf config file:
> > >>
> > >> user = john {
> > >> login = skey
> > >> }
> > >>
> > >> When I run tac_plus in debug mode and I telnet into my router which uses that
> > >> tacacs server I get the following error message:
> > >
> > >does that mean it works when not in debug mode?
> > >
> > >> Jun  1 14:49:51 angor tac_plus[12374]: Error Cannot generate skey prompt for angel
> > >> On the router side I don't get the SKEY challenge but a regular Login and
> > >> Password. I think that's why tacacs complains and gives me that error.
> > >>
> > >> is there any "specific" config that needs to be done on the router side to
> > >> tell it to use "skey" with tacacs? What could be causing this?
> > >
> > >does skey work outside of tacacs?  ie: skeyinfo  skey itself does require
> > >some config/initialization.
> > >
>