[tac_plus] Re: PAM authentication

john heasley heas at shrubbery.net
Tue Jun 26 17:12:41 UTC 2007


Tue, Jun 26, 2007 at 09:28:16PM +0530, Chetan_Jain at Monitor.com:
> Hi,
> 
> I am trying to authenticate sshd service on a linux system through 
> tacacs+.... 
> 
> Tacacs+ server IP : 10.1.100.114
> Network Client : 10.115.111.215
> 
> I am starting tacacs+ using tac_plus -d 8 -C /opt/WiKID/private/tacacs.conf
> 
> # This file is dynamically written by the WiKID server
> # manual changes to this file will be overwritten almost immediately
> 
> key = "cooler"
> accounting file = /opt/WiKID/log/tacacs.accounting.log
> 
> user = chetan { 
>         default service = permit
>         chap = cleartext "605992"
>         pap = cleartext "605992"
>         arap = cleartext "605992"
>         login = des chRQBOhi.agrM
> }
> 
> On the Network Client side.... 
> 
> /etc/pam.d/tacacs :
> 
> #%PAM-1.0
> auth    sufficient   /lib/security/pam_tacplus.so       debug \ 
> server=10.1.100.114     secret=cooler encrypt
> account    sufficient   /lib/security/pam_tacplus.so    debug \
> server=10.1.100.114     secret=cooler encrypt service=shell protocol=ssh
> session    sufficient   /lib/security/pam_tacplus.so    debug \
> server=10.1.100.114     secret=cooler encrypt service=shell protocol=ssh
> 
> /etc/pam.d/sshd :
> 
> #%PAM-1.0
> auth       sufficient   pam_stack.so service=tacacs
> #auth       required     pam_stack.so service=system-auth
> auth       required     pam_nologin.so
> account    sufficient   pam_stack.so service=tacacs
> account    required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth
> session    sufficient   pam_stack.so service=tacacs
> session    required     pam_stack.so service=system-auth
> session    required     pam_limits.so
> session    optional     pam_console.so
> 
> 
> Tacacs+ is not authenticating the credentials.... 
> 
> /var/log/messages on Tacacs+ Server shows :
> 
> Jun 26 11:48:15 netmgr tac_plus[28248]: Version F4.0.4.10 Initialized 1
> Jun 26 11:48:30 netmgr tac_plus[28258]: connect from 10.115.111.215 [10.115.111.215]
> Jun 26 11:48:30 netmgr tac_plus[28258]: pap-login query for 'chetan' ssh from 10.115.111.215 rejected
> 
> 
> Can you help me what could be the issue......

start with enabling authentication debugging on the tacacs daemon.  it should
tell you why the login failed.
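
Added example, not part of the original thread or of tac_plus itself: a small Python triage script for the syslog lines quoted above. It rejoins records that were wrapped in transit and pulls the query type, user, port and client out of each "rejected" line, so repeated rejections can be counted per client and user. The function names are hypothetical, and the last sample line is constructed in the same format as the quoted ones.

```python
import re
from collections import Counter

# Line shape taken from the log quoted in the thread:
#   tac_plus[PID]: <type> query for '<user>' <port> from <client> rejected
QUERY_RE = re.compile(
    r"tac_plus\[(?P<pid>\d+)\]: (?P<kind>\S+) query for '(?P<user>[^']*)' "
    r"(?P<port>\S+) from (?P<client>\S+) (?P<result>\w+)\s*$"
)
# A new syslog record starts with a "Mon DD HH:MM:SS " timestamp.
STAMP_RE = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

# First five lines are the thread's log (wrapped as mailed); the last is constructed.
SAMPLE = """\
Jun 26 11:48:15 netmgr tac_plus[28248]: Version F4.0.4.10 Initialized 1
Jun 26 11:48:30 netmgr tac_plus[28258]: connect from 10.115.111.215
[10.115.111.215]
Jun 26 11:48:30 netmgr tac_plus[28258]: pap-login query for 'chetan' ssh
from 10.115.111.215 rejected
Jun 26 11:49:02 netmgr tac_plus[28301]: pap-login query for 'chetan' ssh from 10.115.111.215 rejected
""".splitlines()

def unwrap(lines):
    """Rejoin records that a mail client or pager split across lines."""
    records = []
    for line in lines:
        line = line.rstrip()
        if not line:
            continue
        if STAMP_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()  # continuation of previous record
    return records

def rejected_queries(lines):
    """Return one dict per rejected query (pid, kind, user, port, client, result)."""
    hits = []
    for record in unwrap(lines):
        m = QUERY_RE.search(record)
        if m and m["result"] == "rejected":
            hits.append(m.groupdict())
    return hits

def rejects_by_client_user(lines):
    """Count rejections per (client, user, query type)."""
    return Counter((q["client"], q["user"], q["kind"]) for q in rejected_queries(lines))

if __name__ == "__main__":
    for key, count in rejects_by_client_user(SAMPLE).items():
        print(count, *key)
```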

