kravietz / pam_tacplus

TACACS+ protocol client library and PAM module in C. This PAM module supports authentication, authorization (account management) and accounting (session management) performed using the TACACS+ protocol designed by Cisco.
GNU Lesser General Public License v3.0
132 stars 101 forks

Unencrypted password sent to TACACS server #128

Closed lmcbmai closed 3 years ago

lmcbmai commented 5 years ago

I am trying to configure Ubuntu 18.04.2 LTS to "talk" to Cisco ISE. I followed the instructions from https://github.com/jeroennijhof/pam_tacplus and was able to successfully compile and install the files. tacc works fine:

root@ubuntu:~# tacc -s 10.xx.xx.xx -u testuser -ptest_password -TRA -r 192.168.1.10 -k secret -S ppp -P ip -L pap 
Authentication OK
Authorization OK: (Service granted)
Accounting: START OK
Accounting: STOP OK

However, all my attempts to SSH to the Ubuntu server fail. After looking into the traces I can see that during login Ubuntu does not encrypt user credentials and sends them to ISE as open text. The ISE server does not expect that and returns a "possibly mismatched Shared Secrets" error.

Unfortunately, the installation instructions do not specify which file should contain the example configuration. I added it to /etc/pam.d/tacacs, but what about /etc/pam.d/login? Should I update this file as well?

Thanks

eriktuantran commented 4 years ago

I assume that the configuration in your PAM lib is not correct. Please make sure that it contains both a "server" and a "secret" entry, i.e.: auth requisite /usr/lib/security/pam_tacplus.so server=... secret=...
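
The wire-level reason a missing `secret=` shows up as cleartext credentials, as an added example that is not part of this issue thread or of pam_tacplus itself. TACACS+ (RFC 8907 section 4.5) does not encrypt the packet body; it XORs it with an MD5 keystream derived from the session id, the shared secret, the version byte and the sequence number, and a client with no key sends the body unchanged with the TAC_PLUS_UNENCRYPTED_FLAG set in the header. The script below builds a PAP authentication START packet (the case `tacc -L pap` exercises) once without a key and once with one, then decodes it as a server would. The session id, key, username, password, port and remote address are constructed sample values, not taken from the report.

```python
"""Added example: TACACS+ body obfuscation (RFC 8907 section 4.5) and what a
missing shared secret changes on the wire. Not pam_tacplus code; the packet
builder and all sample values are constructed here for illustration."""
import hashlib
import struct

HEADER_LEN = 12
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_ONE = 0x1          # v12.1 is used for PAP START packets
TAC_PLUS_AUTHEN = 0x01                # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # header flag: body is not obfuscated

TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_PPP = 0x03


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), truncated to length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(session_id: int, key: bytes, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR the body with the pseudo pad; XOR is self-inverse, so decoding is the
    same call. With an empty key the body travels unchanged (the issue's symptom)."""
    if not key:
        return bytes(body)
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pap_start_body(user: str, password: str, port: str, rem_addr: str) -> bytes:
    """Authentication START body for PAP (RFC 8907 section 5.1); the password
    is carried in the data field, so it is readable whenever the body is."""
    u, p, r, d = (s.encode() for s in (user, port, rem_addr, password))
    return struct.pack("!BBBBBBBB",
                       TAC_PLUS_AUTHEN_LOGIN, 0,                 # action, priv_lvl
                       TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_PPP,
                       len(u), len(p), len(r), len(d)) + u + p + r + d


def build_packet(session_id: int, key: bytes, seq_no: int, body: bytes) -> bytes:
    """12-byte header followed by the body, obfuscated only when a key is set."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_ONE
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + obfuscate(session_id, key, version, seq_no, body)


def parse_packet(raw: bytes, key: bytes) -> dict:
    """Decode a packet the way a server would, given its own configured key.
    A wrong key yields garbage, which is what a secret mismatch looks like."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", raw[:HEADER_LEN])
    wire_body = raw[HEADER_LEN:HEADER_LEN + length]
    in_clear = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)
    body = wire_body if in_clear else obfuscate(session_id, key, version, seq_no, wire_body)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id,
            "in_clear": in_clear, "body": body}


def password_visible(raw: bytes, password: str) -> bool:
    """The check the reporter did on the trace: is the password in the capture verbatim?"""
    return password.encode() in raw


# Constructed sample values (not from the issue): session id, key, credentials.
SESSION_ID = 0x1A2B3C4D
KEY = b"secret"
BODY = pap_start_body("testuser", "test_password", "ssh", "192.168.1.10")

NO_KEY_PKT = build_packet(SESSION_ID, b"", 1, BODY)    # secret= missing
KEYED_PKT = build_packet(SESSION_ID, KEY, 1, BODY)     # secret= configured

if __name__ == "__main__":
    print("no key -> password on the wire:", password_visible(NO_KEY_PKT, "test_password"))
    print("keyed  -> password on the wire:", password_visible(KEYED_PKT, "test_password"))
    print("server with the right key recovers the body:",
          parse_packet(KEYED_PKT, KEY)["body"] == BODY)
    print("server with a wrong key recovers the body:",
          parse_packet(KEYED_PKT, b"other")["body"] == BODY)
```

Two things follow for the configuration the reply asks for: the `secret=` value on the `pam_tacplus.so` line is the only thing standing between the PAP password and anyone on the path to the server, and because the obfuscation is a keyed XOR rather than authenticated encryption, a TACACS+ server should only be reachable over a network segment you trust or through a tunnel.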

kravietz commented 3 years ago

Configuration issue