Open mmehra opened 6 years ago
On Tue, Feb 27, 2018 at 20:31 Manish Mehra notifications@github.com wrote:
When the TACACS+ server is not reachable, it might be desirable to fall back to local authentication. In order to achieve this, pam_tacplus needs to return the PAM_IGNORE return code instead of PAM_ERROR. The following diff provides this support:
I've had feedback that some people would like this, and others who feel quite strongly that falling back to local auth is a major issue.
Sounds like we need to make this a clear and obvious configuration choice, not hardcoded in the source.
[~: pam_tacplus]# git diff
diff --git a/pam_tacplus.c b/pam_tacplus.c index f29f45e..b62093e 100644 --- a/pam_tacplus.c +++ b/pam_tacplus.c @@ -291,6 +291,7 @@ int pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, if (tac_fd < 0) { _pam_log(LOG_ERR, "connection failed srv %d: %m", srv_i); active_server.addr = NULL;
- status = PAM_IGNORE; continue; } if (tac_authen_send(tac_fd, user, pass, tty, r_addr, @@ -587,7 +588,7 @@ int pam_sm_acct_mgmt(pam_handle_t pamh, int flags, int argc, than TACACS+ / if (active_server.addr == NULL) { _pam_log(LOG_ERR, "user not authenticated by TACACS+");
- return PAM_AUTH_ERR;
- return PAM_IGNORE; } if (ctrl & PAM_TAC_DEBUG) syslog(LOG_DEBUG, "%s: active server is [%s]", FUNCTION,
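Review bot: in the pam_sm_authenticate hunk (@@ -291,6 +291,7 @@), `status = PAM_IGNORE;` is assigned unconditionally in the `tac_fd < 0` branch before `continue`, so whatever the loop leaves in `status` depends on which server happened to be tried last. Confirm that nothing earlier in the same loop can already have set `status` to a definitive PAM_AUTH_ERR for this login attempt; if a server that rejected the user can be followed by one that is unreachable, this assignment would turn a reject into a fall-through to local auth. Given the discussion in this thread, the assignment should also be gated on an explicit module option rather than hardcoded, and only produce PAM_IGNORE when no server could be reached at all.

Review bot: in the pam_sm_acct_mgmt hunk (@@ -587,7 +588,7 @@), returning PAM_IGNORE when `active_server.addr == NULL` turns the "user not authenticated by TACACS+" path into a non-error, yet the `_pam_log(LOG_ERR, ...)` call immediately above it still reports it as an error. That condition is also reached when pam_sm_authenticate was never called for this module, for example an sshd public-key login, which runs the account stack but not the auth stack; with `account sufficient` or `[success=done default=bad ignore=ignore]` the TACACS+ account check is then silently skipped for those sessions instead of failing closed as before. Keep PAM_AUTH_ERR as the default, return PAM_IGNORE only when the fallback option is set, and downgrade or qualify the log line for the ignored case.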
We can then configure the following in /etc/pam.d/tacacs so that SSHD falls back to local authentication when the TACACS+ server is not reachable. When the server is reachable, SSHD always honours the TACACS+ auth response:
auth [success=done default=bad authinfo_unavail=bad ignore=ignore] /lib/security/pam_tacplus.so ...
account [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so ...
-- Dave Olson olson@cumulusnetworks.com
Config knob might not be needed after all. Here is what can be done with PAM constructs
When fallback to local auth is desired:
[root@gotham: ~]# head /etc/pam.d/sshd
auth include tacacs
account include tacacs
[root@gotham: ~]# head /etc/pam.d/tacacs
auth [success=done default=bad authinfo_unavail=bad ignore=ignore] /lib/security/pam_tacplus.so ...
account [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so ...
When fallback to local auth is not desired:
[root@gotham: ~]# head /etc/pam.d/sshd
auth include tacacs
auth requisite pam_deny.so
account include tacacs
[root@gotham: ~]# head /etc/pam.d/tacacs
auth sufficient /lib/security/pam_tacplus.so ...
account sufficient /lib/security/pam_tacplus.so ...
Manish Mehra notifications@github.com wrote:
Config knob might not be needed after all. Here is what can be done with PAM constructs
When fallback to local auth is desired:
Yes, that's possible, but it's not very system admin friendly.
In my version of the libpam-tacplus code, I've moved to using pam-auth-update, and the admin no longer needs to edit the pam.d files.
I really think we want this to be an option to pam_tacplus.so, not a change to pam.d files (in my version, I support setting options to pam_tacplus from a config file, not just the options on the various lines in /etc/pam.d/ files.). For the mainline, it could still just be an option on the pam_tacplus.so lines, and not require changes to add deny, etc., which get even more problematic when you have multiple authentication methods (tacacs, radius, ldap) present. Doable, but I really think an explicit option is better.
[root@gotham: ~]# head /etc/pam.d/sshd
auth include tacacs
account include tacacs
[root@gotham: ~]# head /etc/pam.d/tacacs
auth [success=done default=bad authinfo_unavail=bad ignore=ignore] /lib/security/pam_tacplus.so ...
account [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so ...
When fallback to local auth is not desired:
[root@gotham: ~]# head /etc/pam.d/sshd
auth include tacacs
auth requisite pam_deny.so
account include tacacs
[root@gotham: ~]# head /etc/pam.d/tacacs
auth sufficient /lib/security/pam_tacplus.so ...
account sufficient /lib/security/pam_tacplus.so ...
Dave Olson olson@cumulusnetworks.com
Sure, we can even go with an explicit option and, depending on the config option, return PAM_IGNORE or PAM_FAILURE.
Unfortunately, for me it didn't work with authinfo_unavail=bad.
In the logs I found that I kept receiving "pam_sm_authenticate: exit with pam status: 9". After I changed it to
auth [default=bad success=done ignore=ignore authinfo_unavail=ignore] /usr/local/lib/pam_tacplus.so
it is working.
Tests were made with the tacacs server running (where the user has password1 set), and for the fallback scenario I stopped the tac_plus service on the server and used the locally defined password2.
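The control-flag semantics that the two stacks from the earlier comment rely on, and the `authinfo_unavail=ignore` variant from the comment just above, can be checked without a TACACS+ server by modelling the dispatch rules from pam.conf(5) (ok/done only count while no module has failed yet, bad/die record the first failure, ignore never contributes). The script below is an added example, not code from the pam_tacplus project or from anyone in this thread. It assumes that a `required pam_unix.so` line follows the tacacs include as the "local authentication" (the `head` output on the page stops before it), that `pam_deny.so` returns PAM_AUTH_ERR, and that the unpatched module returns PAM_AUTHINFO_UNAVAIL (9) when no server is reachable, which is the status the log line above reports. The `NAIVE` stack is not from the page; it is included to show why `sufficient` alone is the "major issue" mentioned in the first reply.

```python
"""Model of Linux-PAM control-value dispatch for the auth stacks in this thread.

Example code written for this thread, not part of pam_tacplus. The stacks,
return codes and the pam_unix line after the include are stated assumptions.
"""

PAM_SUCCESS = 0
PAM_PERM_DENIED = 6        # PAM_MUST_FAIL_CODE: what an all-ignored stack yields
PAM_AUTH_ERR = 7
PAM_AUTHINFO_UNAVAIL = 9   # the "pam status: 9" seen in the logs above
PAM_IGNORE = 25

# Left-hand names accepted in a [value=action] control field.
VALUE_NAMES = {
    PAM_SUCCESS: "success",
    PAM_PERM_DENIED: "perm_denied",
    PAM_AUTH_ERR: "auth_err",
    PAM_AUTHINFO_UNAVAIL: "authinfo_unavail",
    PAM_IGNORE: "ignore",
}

# Keyword controls expanded as pam.conf(5) defines them.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """Turn 'required' or '[success=done default=bad ...]' into {value: action}."""
    control = KEYWORDS.get(control, control)
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unsupported control: %s" % control)
    table = {}
    for token in control[1:-1].split():
        value, action = token.split("=", 1)
        table[value] = action
    return table


def run_stack(stack, returns):
    """stack: [(control, module), ...] in pam.d order; returns: {module: code}.

    Returns the code the application (sshd) sees. Mirrors pam_dispatch.c:
    ok/done set the status only while no module has failed, bad/die record
    the first failure, ignore never touches the status, done/die stop early.
    """
    impression = None          # _PAM_UNDEF: nothing has contributed yet
    status = PAM_PERM_DENIED   # result if every module is ignored
    for control, module in stack:
        retval = returns[module]
        table = parse_control(control)
        # Unlisted values fall under default=; every stack on this page sets it.
        action = table.get(VALUE_NAMES[retval], table.get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == PAM_SUCCESS):
                if retval != PAM_IGNORE:
                    impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break              # done terminates only if no earlier failure
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval   # first failure wins
            if action == "die":
                break
        elif action != "ignore":
            raise ValueError("jump/reset actions are not modelled: %s" % action)
    return status


# Fallback wanted (first config on the page); pam_unix after the include is assumed.
FALLBACK = [
    ("[success=done default=bad authinfo_unavail=bad ignore=ignore]", "pam_tacplus"),
    ("required", "pam_unix"),
]
# The last commenter's variant: an unreachable server is ignorable.
FALLBACK_UNAVAIL_IGNORED = [
    ("[default=bad success=done ignore=ignore authinfo_unavail=ignore]", "pam_tacplus"),
    ("required", "pam_unix"),
]
# No fallback wanted: sufficient, then requisite pam_deny.so (second config).
NO_FALLBACK = [
    ("sufficient", "pam_tacplus"),
    ("requisite", "pam_deny"),
    ("required", "pam_unix"),
]
# Not on the page: sufficient with local auth behind it and no pam_deny.
NAIVE = [
    ("sufficient", "pam_tacplus"),
    ("required", "pam_unix"),
]


def sshd_outcome(stack, tacplus_retval, unix_retval=PAM_SUCCESS):
    """Status sshd gets for one login; pam_deny is assumed to return PAM_AUTH_ERR."""
    return run_stack(stack, {"pam_tacplus": tacplus_retval,
                             "pam_unix": unix_retval,
                             "pam_deny": PAM_AUTH_ERR})


if __name__ == "__main__":
    cases = [("server accepts", PAM_SUCCESS), ("server rejects", PAM_AUTH_ERR),
             ("unreachable, patched module returns PAM_IGNORE", PAM_IGNORE),
             ("unreachable, module returns PAM_AUTHINFO_UNAVAIL", PAM_AUTHINFO_UNAVAIL)]
    for name, stack in [("FALLBACK", FALLBACK), ("FALLBACK_UNAVAIL_IGNORED", FALLBACK_UNAVAIL_IGNORED),
                        ("NO_FALLBACK", NO_FALLBACK), ("NAIVE", NAIVE)]:
        for label, rv in cases:
            print("%-26s %-50s -> %d" % (name, label, sshd_outcome(stack, rv)))
```

With a correct local password, `FALLBACK` returns the TACACS+ answer whenever the server responds (a reject stays PAM_AUTH_ERR because pam_unix's later success cannot override a recorded failure) and only consults pam_unix when the module returns PAM_IGNORE; if the module instead returns PAM_AUTHINFO_UNAVAIL, the `authinfo_unavail=bad` entry records that as the first failure and sshd sees status 9, exactly what the last comment observed, which `authinfo_unavail=ignore` fixes. `NO_FALLBACK` denies on every non-success value because `requisite pam_deny.so` dies before local auth. `NAIVE` shows the failure mode behind the objection in the first reply: a `sufficient` line with local auth behind it lets the local password override an explicit TACACS+ reject.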