[tac_plus] tac_plus with PAM on FreeBSD

Joe Moore joe.moore at holidaycompanies.com
Mon Mar 10 21:01:46 UTC 2008


I've been running ports of tac_plus4 in production for a few years on
FreeBSD 4.x, 5.x, 6.x and now 7.0. Somewhere during a 6.x "build world"
update, authenticating to "file /etc/passwd" stopped working. I didn't
have time to troubleshoot so I went with DES passwords which are now too
cumbersome to use with our newer, stricter corporate password policies.

I had no luck fixing the "files /etc/passwd" authentication so I tried
using PAM on a new FBSD 7.0 box. All was well with this tac_plus.conf :

# /usr/local/etc/tac_plus.conf

key = "zoomzoomzoom"
accounting file = "/var/log/tac.log"

user = daman {
    member = admin
    login = PAM
}

user = billy {
    member = grunts
    login = PAM
}

group = grunts {
    default service = permit
    service = exec {
        priv-lvl = 0
    }
}

group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

And this /etc/pam.d/tac_plus :

# auth
auth            sufficient      pam_tacplus.so

# account
account         sufficient      pam_tacplus.so

# session
session         sufficient      pam_tacplus.so

But when I put it on a production box (that I am always ssh'd into), I
got in to routers with just a valid username. I was never even prompted
for a password. I have had no luck finding any docs about configuring
PAM for this. The "pam_tacplus.so" on my test box links to
pam_tac_plus.so4, my production box links it to pam_tac_plus.so3.

Here is the output of /usr/local/bin/tac_plus -v on my prod box.

tac_plus version F4.0.4.14
ACLS
FIONBIO
FREEBSD
LIBWRAP
LITTLE_ENDIAN
LOG_DAEMON
PAM
NO_PWAGE
RETSIGTYPE RETSIGTYPE
SIGTSTP
SIGTTIN
SIGTTOU
SO_REUSEADDR
STRERROR
TACPLUS_GROUPID
TAC_PLUS_PORT
TACPLUS_USERID
UENABLE
__STDC__

I updated ports and installed this version today. The prod box is
"6.2-STABLE #0".

Any clues would be much appreciated.

                                                ...jgm
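
An added example, not part of the original post and not tac_plus code: every entry in the /etc/pam.d/tac_plus above is marked `sufficient`, and PAM ignores the failure of a `sufficient` module, so none of those chains contains a mandatory module. The check below lists such facilities; the second sample file is constructed for comparison, and the post does not establish whether this is the cause of the behaviour reported.

```python
# Added example: flag PAM facilities whose chain has no mandatory module.
FACILITIES = {"auth", "account", "session", "password"}
MANDATORY = {"required", "requisite", "binding"}  # a failure here fails the chain

# Constructed from the /etc/pam.d/tac_plus shown in the post.
SAMPLE_FROM_POST = """\
# auth
auth            sufficient      pam_tacplus.so
# account
account         sufficient      pam_tacplus.so
# session
session         sufficient      pam_tacplus.so
"""

# Constructed comparison file (assumption, not from the post).
SAMPLE_WITH_REQUIRED = """\
auth            sufficient      pam_tacplus.so
auth            required        pam_unix.so
account         required        pam_unix.so
"""

def parse_pam(text):
    """Return {facility: [(control_flag, module), ...]} for a pam.d service file."""
    chains = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] not in FACILITIES:
            raise ValueError(f"unparsable PAM line: {raw!r}")
        chains.setdefault(fields[0], []).append((fields[1], fields[2]))
    return chains

def facilities_without_mandatory(text):
    """List facilities that have no required/requisite/binding entry."""
    weak = []
    for facility, chain in parse_pam(text).items():
        flags = {flag for flag, _ in chain}
        # Chains that use 'include' are skipped: the included policy decides.
        if "include" not in flags and not flags & MANDATORY:
            weak.append(facility)
    return sorted(weak)

if __name__ == "__main__":
    for name in facilities_without_mandatory(SAMPLE_FROM_POST):
        print(f"{name}: no required, requisite or binding module in chain")
```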

 

 

 
