Hi Adam,<br><br>On Ubuntu, PAM auth looks for /etc/pam.d/tac_plus. To test this I used the below code in the tac_plus file and was unable to logon as per the pam_deny modules.<br><br>-------------------------------------------------------------------------------------------------------<br>
<pre class="programlisting">#%PAM-1.0<br>#(The above "magic" header is optional)<br># The modules for defaulting services as defined<br># in "/etc/pam.d/other" this configuration is<br># accepted by Linux-PAM-0.56 and higher.<br>
#<br>auth required pam_deny.so<br>auth required pam_warn.so<br>account required pam_deny.so<br>session required pam_deny.so<br>password required pam_warn.so<br>password required pam_deny.so<br>
# end of file.<br></pre>-------------------------------------------------------------------------------------------------------<br><br>On the cisco device, I'm not even prompted for the password:<br><br>User Access Verification<br>
Username: user1<br>% Authentication failed<br><br>Logs showing me being denied access:<br><br>pam_verify user1<br>Password is incorrect<br>login query for 'user1' tty2 from 203.17.101.x rejected<br>login failure: user1 203.17.101.x (203.17.101.x) tty2<br>
<br>-------------------------------------------------------------------------------------------------------<br><br>I found out that there's a fallback for PAM auth which uses /etc/pam.d/other - so without any /etc/pam.d/tac_plus present, it just defaults to using /etc/pam.d/other.<br>
<br>-------------------------------------------------------------------------------------------------------<br><pre class="programlisting"># /etc/pam.d/other - specify the PAM fallback behaviour<br>#<br># Note that this file is used for any unspecified service; for example<br>
# if /etc/pam.d/cron specifies no session modules but cron calls<br># pam_open_session, the session module out of /etc/pam.d/other is<br># used. If you really want nothing to happen then use pam_permit.so or<br># pam_deny.so as appropriate.<br>
<br># We fall back to the system default in /etc/pam.d/common-*<br>#<br><br>@include common-auth<br>@include common-account<br>@include common-password<br>@include common-session<br></pre>-------------------------------------------------------------------------------------------------------<br>
<br>I'm not an expert on PAM, so I hope that helps some other people trying to get PAM working with tac_plus.<br><br>A good read on PAM is here:<br><br><a href="http://www.linuxjournal.com/article/2120">http://www.linuxjournal.com/article/2120</a><br>
<br>Cheers.<br><br>Andy<br><br><div class="gmail_quote">On Wed, Dec 2, 2009 at 11:22 AM, adam <span dir="ltr"><<a href="mailto:prozaconstilts@gmail.com">prozaconstilts@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Andy Saykao wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi Adam,<br>
<br><div class="im">
I've read your post on getting PAM working under RHEL but have a few more questions about it.<br>
<br>
<a href="http://www.shrubbery.net/pipermail/tac_plus/2009-May/000435.html" target="_blank">http://www.shrubbery.net/pipermail/tac_plus/2009-May/000435.html</a><br>
<br>
For those on Ubuntu I had to install libpam0g-dev first and ./configure again so PAM was detected.<br>
<br>
# apt-get install libpam0g-dev<br>
<br>
1/ How does the tac_plus daemon know to look for the PAM authentication in /etc/pam.d/tac_plus. I created the tac_plus file but I notice that when I deleted it and restarted the tac_plus daemon, PAM auth still works with or without it. Not sure if the PAM auth just defaults to using the common-* files in /etc/pam.d/ if it doesn't find the tac_plus file in there.<br>
</div></blockquote>
<br>
tac_plus just makes a C library call to pam_authenticate. For RHEL, this required a tac_plus file in pam.d. This may not be the case for Ubuntu.<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
2/ The tac_plus user guide says that PAM doesn't work if the tac_plus daemon is started as a non-root user (which is how I am running the daemon). So once again to get around this I had to configure the daemon to use the shadow GID.<br>
</blockquote>
<br></div>
poop. I should have read and known about that. You could make the jump and go straight to your LDAP solution. Sorry if that caused you to waste your time :(<div><div></div><div class="h5"><br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
"Be aware that when the tac_plus daemon runs as a non-root user (as is the<br>
default in FreeBSD /usr/ports), it will not be able to authenticate using<br>
the pam_unix.so module. This is because the system function getpwnam()<br>
called by pam_unix.so requires root privileges to retrieve the password to<br>
validate from the /etc/master.passwd or /etc/shadow file. The symptom will<br>
be that for each authentication that is attempted, the password will appear<br>
to be wrong whether it was typed correctly or not."<br>
</blockquote>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
Cheers.<br>
<br>
Andy<br>
</blockquote>
<br>
<br>
<br>
</div></div></blockquote></div><br>
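<br>The thread turns on two things: which /etc/pam.d file Linux-PAM actually reads for the service name tac_plus hands to pam_start (the file named after the service, else /etc/pam.d/other), and what auth modules that file ends up with once its @include lines are followed. The script below is an added example, not code from the list thread or the tac_plus project; it assumes the Debian/Ubuntu layout shown above, and the helper build_sample_pamd and the files it writes are constructed for the example.<br>

```shell
#!/bin/sh
# Added example (not from the tac_plus thread): resolve the /etc/pam.d file
# Linux-PAM will read for a service name and list its auth stack. Assumes
# the Debian/Ubuntu layout: /etc/pam.d/<service>, fallback /etc/pam.d/other,
# and @include lines pulling in the common-* files.

# pam_config_for SERVICE PAMDIR -> path PAM will actually read
pam_config_for() {
    if [ -f "$2/$1" ]; then printf '%s\n' "$2/$1"; else printf '%s\n' "$2/other"; fi
}

# pam_auth_modules FILE PAMDIR -> "control module" for each auth line in
# FILE, expanding @include one level (enough for common-auth); comments
# are stripped first so the header block in the thread's file is ignored
pam_auth_modules() {
    sed 's/#.*//' "$1" | while read -r type ctl mod rest; do
        case $type in
            auth)     printf '%s %s\n' "$ctl" "$mod" ;;
            @include) if [ -f "$2/$ctl" ]; then
                          sed 's/#.*//' "$2/$ctl" | awk '$1=="auth"{print $2, $3}'
                      fi ;;
        esac
    done
}

# pam_auth_denied SERVICE PAMDIR -> 0 when a required pam_deny.so sits in
# the effective auth stack (the "% Authentication failed" case above)
pam_auth_denied() {
    pam_auth_modules "$(pam_config_for "$1" "$2")" "$2" | grep -q '^required pam_deny.so$'
}

# build_sample_pamd DIR -> constructed copy of the thread's layout: a
# tac_plus file that denies, an other file that includes common-auth,
# and a minimal common-auth that uses pam_unix.so (sample content only)
build_sample_pamd() {
    mkdir -p "$1"
    printf '#%%PAM-1.0\nauth required pam_deny.so\nauth required pam_warn.so\n' > "$1/tac_plus"
    printf '@include common-auth\n@include common-account\n' > "$1/other"
    printf 'auth required pam_unix.so nullok_secure\n' > "$1/common-auth"
}

# Usage: sh pamcheck.sh SERVICE [PAMDIR]   (defaults to /etc/pam.d)
if [ -n "${1:-}" ]; then
    dir=${2:-/etc/pam.d}
    echo "service $1 -> $(pam_config_for "$1" "$dir")"
    pam_auth_modules "$(pam_config_for "$1" "$dir")" "$dir"
fi
```

Deleting the tac_plus file and re-running the script against the real /etc/pam.d shows the fallback to other and the common-auth stack that Andy described.<br>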