[tac_plus] Re: tac_plus with PAM on FreeBSD

Joe Moore joe.moore at holidaycompanies.com
Wed Mar 12 15:31:17 UTC 2008 

John,

The hashes in /etc/master.passwd start with $1$ and then there are 30
characters after that.

I did try running tac_plus as root on the FreeBSD box last night with
"login = file /etc/passwd" and still no joy.

You are right about the pam_tacpus.so PAM module. It is used to
authenticate login requests against a tacacs+ server, not for
authenticating tacacs users. I believe it was looping to the local
tac_plus service. I think the only reason it worked was that the "auth"
line in /etc/pam.d/tac_plus was "sufficient" which doesn't actually
require the password to be correct as long as one of the remaining lines
(account or password) succeeded. Oddly enough though, one of those
remaining lines was letting me in but only if the password was correct.
I did get pam_unix.so to let me in too as long as auth wasn't "required"
in the pam file.

One other odd thing I've noticed with tac_plus on FreeBSD when using DES
passwords in the config file: Only the first 8 characters of the
password matter. If your password is longer than 8 characters, and you
type the first 8 correctly, you can just hit <enter> or type add a few
random characters before hitting <enter> and you get in just fine.

I installed Centos5 on a clean box last night and installed tac_plus4.
It worked fine against /etc/passwd.

With "login = PAM" in the config file tac_plus refused to load because
PAM was an unrecognized "token". If I can get my password synching
utility to run on Centos I'll be OK authenticating to /etc/passwd for
now, but ideally I'd like to use an OS where tac_plus doesn't run as
root (like it does on Centos) and supports PAM. Centos definitely
supports PAM. I don't know if the tac_plus configure didn't detect PAM
or if I'm supposed to do something to force the build to include it.

If you have any recommendations for a Linux/*nix distribution that'll do
this out of the box, please let me know. I'll be building a box just for
this in the next few days. I hope to run two instances of tac_plus on
the box, (each instance with it own config) either on different ports or
bound to different IP addresses.

			TIA   ...jgm






-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net] 
Sent: Tuesday, March 11, 2008 5:07 PM
To: Joe Moore
Subject: Re: [tac_plus] tac_plus with PAM on FreeBSD

Mon, Mar 10, 2008 at 04:36:20PM -0500, Joe Moore:
> John,
> 
> Thanks for the response!
> 
> My /etc/passwd file doesn't actually have any passwords in it. That's
> been standard on FreeBSD for a very long time. The actual (salted and
> hashed) passwords are in "/etc/master.passwd" which is readable ONLY
by
> root, so I suppose it's possible that it broke when tac_plus started
> running as the "tacacs" user instead of root.

right, but getpwent() should return the right bits from master.password,
and that should be used if the file is set to /etc/passwd.

> I don't know if the hashes are MD5 or not. They're whatever FBSD

md5 begins with $1$ in the hash.

> normally does. I did see in a debug last night what tac_plus thought
the
> password should encrypt to, and it wasn't anything like the hash in
> /etc/master.passwd.
> 
> I'll try copying the PAM file from ssh and see if that works. Is your
> PAM file just that single line? My /etc/pam.d/sshd is more than that:

the point was that the module is like pam_unix.so, not pam_tacplus.so.
mine/NetBSDs is:

# $NetBSD: sshd,v 1.8 2005/09/22 01:02:12 tsarna Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth            required        pam_nologin.so  no_warn
#auth           sufficient      pam_krb5.so     no_warn try_first_pass
#auth           optional        pam_afslog.so   no_warn try_first_pass
# pam_ssh has potential security risks.  See pam_ssh(8).
#auth           sufficient      pam_ssh.so      no_warn try_first_pass
auth            required        pam_unix.so     no_warn try_first_pass

# account
#account                required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
# pam_ssh has potential security risks.  See pam_ssh(8).
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so     no_warn try_first_pass
password        required        pam_unix.so     no_warn try_first_pass

again, i THINK that is what I tested with.

More information about the tac_plus mailing list