[tac_plus] Re: PAM support via PAP??

Schmidt, Daniel dan.schmidt at uplinkdata.com
Fri Sep 25 16:30:41 UTC 2009


Whoops!  pap instead of chap, I mean.  

-----Original Message-----
From: Schmidt, Daniel 
Sent: Friday, September 25, 2009 10:30 AM
To: 'Paul Vdovets'; john heasley
Cc: Jason Jeremias; tac_plus at shrubbery.net
Subject: RE: [tac_plus] Re: PAM support via PAP??

Yes, because it makes perfect sense to encrypt the password in your
config when you are using an insecure, clear text protocol like Pam
instead of Chap.  :-P

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Paul Vdovets
Sent: Wednesday, September 23, 2009 9:28 AM
To: john heasley
Cc: Jason Jeremias; tac_plus at shrubbery.net
Subject: [tac_plus] Re: PAM support via PAP??

It also does support pap = des, so if you have to use pap you can at
least crypt the config hardcoded password

On Wed, Sep 23, 2009 at 11:04 AM, john heasley <heas at shrubbery.net> wrote:

> Tue, Sep 22, 2009 at 04:28:31PM -0800, Jason Jeremias:
> > Oh also I removed all the comments from the config file, that's why
> > it's referencing line 50.   It looks to me like it just doesn't like
> > the pap = PAM, if I switch to login = PAM it works fine.
>
> Bad memory; pap auth currently only supports cleartext.  Glancing at
> the code, there is no reason it couldn't be added, just has to be coded.
>
> > -J
> >
> > Jason Jeremias wrote:
> >> When I run it I get.
> >> root at ns02:/usr/local/src/tac_plus_v9a# /usr/local/bin/tac_plus -C /etc/tacacs/tac_plus.cfg -d 16
> >> Error: expecting 'cleartext', or 'des' keyword after 'pap =' on line 50
> >>
> >> So to check that I have pam I did a:
> >> root at ns02:/usr/local/src/tac_plus_v9a# /usr/local/bin/tac_plus -v
> >> tac_plus version F4.0.4.19
> >> ACLS
> >> FIONBIO
> >> LIBWRAP
> >> LINUX
> >> LITTLE_ENDIAN
> >> LOG_DAEMON
> >> PAM
> >> NO_PWAGE
> >> REAPCHILD
> >> RETSIGTYPE RETSIGTYPE
> >> SHADOW_PASSWORDS
> >> SIGTSTP
> >> SIGTTIN
> >> SIGTTOU
> >> SO_REUSEADDR
> >> STRERROR
> >> TAC_PLUS_PORT
> >> UENABLE
> >> __STDC__
> >>
> >> This told me that I do indeed have PAM compiled in.
> >>
> >>
> >> Here's my config file.
> >> root at ns02:/usr/local/src/tac_plus_v9a# cat /etc/tacacs/tac_plus.cfg
> >>
> >> key = testing12345
> >>
> >> # Now tacacs+ also use default PAM authentication
> >> #default authentication = pap PAM
> >>
> >> # Accounting records log file
> >>
> >> accounting file = /var/log/tac_acc.log
> >>
> >> user = DEFAULT {
> >>     #service = ppp protocol = lcp { idletime = 15 }
> >>     #service = ppp protocol = ip {}
> >>     #pap = PAM
> >>     #maxsess = 2
> >>     member = DEFAULT
> >> }
> >>
> >> group = DEFAULT {
> >>     service = ppp protocol = ip {}
> >>     pap = PAM
> >>     #maxsess = 2
> >> }
> >>
> >>
> >> root at ns02:/usr/local/src/tac_plus_v9a#
> >>
> >>
> >>
> >> john heasley wrote:
> >>> Tue, Sep 22, 2009 at 03:26:34PM -0800, Jason Jeremias:
> >>>
> >>>> I downloaded the latest tac_plus software but I can't seem to get
> >>>> pap = PAM to work. Is this possible?  I need to authenticate ppp
> >>>> users against pam.
> >>>>
> >>>
> >>> did you make any effort to use daemon debugging options to debug
> >>> the problem that you'd like to mention?
> >>>
> >>
> >
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>



-- 
Paul Vdovets
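
An added example, not part of the original thread or of tac_plus itself: a small Python check that reports every active `pap =` line in a tac_plus config, using the two keywords named in the daemon's error message above. The function name, verdict labels and sample config are constructed for illustration, and treating `#` as a comment to end of line is an assumption.

```python
import re

# Keywords accepted after 'pap =' by the daemon in this thread, taken from
# its error message: "expecting 'cleartext', or 'des' keyword after 'pap ='".
PAP_KEYWORDS = {"cleartext", "des"}

BLOCK_RE = re.compile(r"^\s*(user|group)\s*=\s*(\S+)\s*\{")
PAP_RE = re.compile(r"^\s*pap\s*=\s*(\S+)")

# Constructed sample config, modelled on the layout posted in the thread.
SAMPLE = """\
user = alice {
    pap = cleartext "constructed-password"
}
user = bob {
    pap = des CONSTRUCTEDHASH
}
group = DEFAULT {
    service = ppp protocol = ip {}
    pap = PAM
    #pap = cleartext ignored
}
"""


def lint_pap(config_text):
    """Return (line_no, block, keyword, verdict) for each active 'pap =' line."""
    findings, block, depth = [], None, 0
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # assumption: '#' starts a comment
        opened = BLOCK_RE.match(line)
        if opened and depth == 0:
            block = f"{opened.group(1)} {opened.group(2)}"
        pap = PAP_RE.match(line)
        if pap:
            keyword = pap.group(1)
            if keyword not in PAP_KEYWORDS:
                verdict = "rejected"              # e.g. 'pap = PAM' in this thread
            elif keyword == "cleartext":
                verdict = "plaintext-in-config"   # password readable in the file
            else:
                verdict = "crypted"               # 'pap = des', as Paul suggests
            findings.append((line_no, block if depth else None, keyword, verdict))
        depth += line.count("{") - line.count("}")  # nested 'service ... {}' nets to 0
        if depth == 0:
            block = None
    return findings


if __name__ == "__main__":
    for finding in lint_pap(SAMPLE):
        print(finding)
```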