Hi Adam,<br><br>I came across that post but it was for RHEL so I just skimmed through it bc I'm working on a Ubuntu box. I really just want to use the users in /etc/passwd for now (maybe LDAP further down the track) - nevertheless thank you for your suggestion.<br>
<br>So my question is that if I just want to authenticate against /etc/passwd, is it worth me reading up more about PAM and try to get this going or do I just compile is using the GID of the shadow group as per this guide.<br>
<br><a href="http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-cisco-howtos-documents-and-notes/cisco-and-tacacs">http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-cisco-howtos-documents-and-notes/cisco-and-tacacs</a><br>
<br>Thanks.<br><br>Andy<br><br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">For Number 2, these instructions use pam_ldap for tac_plus as an example, but you can configure the pam stack for tac_plus to be whatever suits you.<br>
<br>
Instructions for RHEL5:<br>
<br>
1. install the pam-devel package from your repository<br>
<br>
2. compile the source for tacacs+, making sure that -lpam was discovered in the configure script<br>
<br>
3. define users in the conf file as such:<br>
<br>
user = <username> {<br>
login = PAM<br>
}<br>
<br>
4. Place a pam stack configuration in /etc/pam.d/tac_plus that has whatever mechanisms you require for authentication (see below)<br>
<br>
5. celebrate<br>
<br>
The pam stack I use looks like this:<br>
<br>
#cat /etc/pam.d/tac_plus:<br>
<br>
#%PAM-1.0<br>
auth include system-auth<br>
account required pam_nologin.so<br>
account include system-auth<br>
password include system-auth<br>
session optional pam_keyinit.so force revoke<br>
session include system-auth<br>
session required pam_loginuid.so<br>
<br>
It's not very obvious in that file, but I include system-auth, which<br>
looks like this:<br>
<br>
#%PAM-1.0<br>
# This file is auto-generated.<br>
# User changes will be destroyed the next time authconfig is run.<br>
auth required pam_env.so<br>
auth sufficient pam_unix.so nullok try_first_pass<br>
auth requisite pam_succeed_if.so uid >= 500 quiet<br>
auth sufficient pam_ldap.so use_first_pass<br>
auth required pam_deny.so<br>
<br>
account required pam_unix.so broken_shadow<br>
account sufficient pam_localuser.so<br>
account sufficient pam_succeed_if.so uid < 500 quiet<br>
account [default=bad success=ok user_unknown=ignore] pam_ldap.so<br>
account required pam_permit.so<br>
<br>
password requisite pam_cracklib.so try_first_pass retry=3<br>
password sufficient pam_unix.so md5 shadow nullok try_first_pass<br>
use_authtok<br>
password sufficient pam_ldap.so use_authtok<br>
password required pam_deny.so<br>
<br>
session optional pam_keyinit.so revoke<br>
session required pam_limits.so<br>
session [success=1 default=ignore] pam_succeed_if.so service in<br>
crond quiet use_uid<br>
session required pam_unix.so<br>
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077<br>
session optional pam_ldap.so<br>
<br>
So, in this manner, tacacs+, talking to PAM, and using pam_ldap, can authenticate a user with ldap-based credentials. Of course, you can use whatever you like in terms of pam modules.<br>
<br>
Thanks,<br><font color="#888888">
<br>
Adam<br>
</font></blockquote></div><br>