[tac_plus] Re: PAM authentication

Christian Karlsson ck at teknikmejeriet.se
Fri Jan 23 10:11:55 UTC 2009


john heasley wrote:
> Thu, Jan 22, 2009 at 01:44:05PM -0500, Adam Allred:
>   
>> Hello,
>>
>> I am attempting to get tac_plus to use my pam stack for user authentication.
>> As it stands, my pam stack already authenticates my users successfully for
>> ssh login (I'm on a RHEL5 box). I have confirmed that the configure script
>> did locate the pam development libraries, but w/ debugging on, I don't see
>> tac_plus trying to talk to the pam stack:
>>
>> [root at server tacacs]# /usr/local/bin/tac_plus -C
>> /usr/local/etc/tac_plus.conf -d 8 -d 16 -d 32 -d 64 -g
>> Reading config
>> Version F4.0.4.15 Initialized 1
>> tac_plus server F4.0.4.15 starting
>> uid=0 euid=0 gid=0 egid=0 s=4
>> session.peerip is <ip address>
>> connect from <ip address>
>> tac_passwd_lookup: open /usr/local/etc/tacacs_passwd 6
>> tac_passwd_lookup: close /usr/local/etc/tacacs_passwd 6
>> login query for '<user>' tty1 from <ip address> rejected
>> login failure: <user> <ip address> tty1
>>
>> I kinda feel like I'm missing a step to make this work...and I couldn't find
>> any documentation beyond the FAQ posting. Any ideas?
>>     
>
> as implemented, the user must still be listed in the config, and maybe in
> a group, and pam as their auth source.
>   
I'm quite new to sending to mailing lists (google is god) so I hope this
is right.

I don't know how many problems there are in implementing the possibility
to not need username in tacacs config.
I should think that it should be a great thing to be able to direct the
query of usernames to PAM also.
I'm after a kind of single instance user thing.

I like the tac_plus program and find it very useful.
Thanks for supplying it to us :-)

/Christian

