kravietz / pam_tacplus

TACACS+ protocol client library and PAM module in C. This PAM module supports authentication, authorization (account management) and accounting (session management) performed using the TACACS+ protocol designed by Cisco.
GNU Lesser General Public License v3.0

Server logs say that it is auth but can't log in #140

Open PawelConnectio opened 4 years ago

PawelConnectio commented 4 years ago

Hi ,

on the server (tacacs+) side I have in the log that the user is authenticated (when the password is correct; if not, I have "failed to auth" in the log). I can't log in to the server; logs on the client side:

    Mar 23 14:14:54 server01 PAM-tacplus[13515]: 1 servers defined
    Mar 23 14:14:54 server01 PAM-tacplus[13515]: server[0] { addr=X.X.X.X:49, key='mLpEMwtAmsJc9Tv' }
    Mar 23 14:14:54 server01 PAM-tacplus[13515]: tac_service=''
    Mar 23 14:14:54 server01 PAM-tacplus[13515]: tac_protocol=''
    Mar 23 14:14:54 server01 PAM-tacplus[13515]: tac_prompt=''
    Mar 23 14:14:54 server01 PAM-tacplus[13515]: tac_login=''
    Mar 23 14:14:54 server01 sshd[13515]: pam_sm_authenticate: called (pam_tacplus v1.3.8)
    Mar 23 14:14:54 server01 sshd[13515]: pam_sm_authenticate: user [admin] obtained
    Mar 23 14:14:54 server01 sshd[13515]: tacacs_get_password: called
    Mar 23 14:14:54 server01 sshd[13515]: tacacs_get_password: obtained password
    Mar 23 14:14:54 server01 sshd[13515]: pam_sm_authenticate: password obtained
    Mar 23 14:14:54 server01 sshd[13515]: pam_sm_authenticate: tty [ssh] obtained
    Mar 23 14:14:54 server01 sshd[13515]: pam_sm_authenticate: rhost [X.X.X.X] obtained
    Mar 23 14:14:54 server01 sshd[13515]: pam_sm_authenticate: trying srv 0
    Mar 23 14:14:54 server01 sshd[13515]: pam_sm_authenticate: active srv 0
    Mar 23 14:14:54 server01 sshd[13515]: pam_sm_authenticate: exit with pam status: 0
    Mar 23 14:14:54 server01 sshd[13515]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.X.X user=admin
    Mar 23 14:14:56 server01 sshd[13515]: Failed password for admin from X.X.X.X port 50925 ssh2
    Mar 23 14:15:01 server01 PAM-tacplus[13621]: user not authenticated by TACACS+
    Mar 23 14:15:01 server01 PAM-tacplus[13622]: user not authenticated by TACACS+
    Mar 23 14:15:01 server01 PAM-tacplus[13622]: TACACS+ service type not configured

Can anybody help?

kravietz commented 4 years ago

@PawelConnectio Please check the Quick start section in the README, especially as it comes to configuring the service and protocol parameters for the PAM module. From the log above it seems like they were left empty, and this is most likely the reason for the mismatch.

PawelConnectio commented 4 years ago

@kravietz Do you know what should be set up with TACACS+ CISCO?

Edit: even if I set something like service=ppp protocol=ip, then in the log:

    PAM-tacplus[2042]: TACACS+ service type not configured

kravietz commented 2 years ago

@PawelConnectio This message is generated on our side, pam_tacplus.c#197, and it is produced when the module didn't get any service from the configuration. This is confirmed by the previous log lines:

    Mar 23 14:14:54 server01 PAM-tacplus[13515]: tac_service=''

Make sure that the file in /etc/pam.d looks like this:

    #%PAM-1.0
    auth       required     /usr/local/lib/security/pam_tacplus.so debug server=SERVER secret=testkey123
    account    required     /usr/local/lib/security/pam_tacplus.so debug server=SERVER secret=testkey123 service=ppp protocol=ip
    password   required     /usr/local/lib/security/pam_tacplus.so debug server=SERVER secret=testkey123
    session    required     /usr/local/lib/security/pam_tacplus.so debug server=SERVER secret=testkey123 service=ppp protocol=ip

ddspell commented 2 years ago

> @PawelConnectio Please check the Quick start section in README especially as it comes to configuring service and protocol parameters for the PAM module. From the log above it seems like they were left empty and this is most likely reason for mismatch.

I'm having the same message...

    Aug 02 21:17:01 vagrant PAM-tacplus[1358]: user not authenticated by TACACS+
    Aug 02 21:17:01 vagrant PAM-tacplus[1358]: TACACS+ service type not configured

I know I must be doing something wrong but I can't figure it out. That tacacs service is running in a container and the service/protocol are configured as ssh/tcp.

The tacacs PAM config also has service and protocol set to ssh/tcp.

I've been reading about service and type, both in your README and the RFC, but I guess I'm missing what it is saying. The VM that's set up with libpam-tacacs.so does not have a tacacs_plus.cfg file. That's on the container that's providing the TACACS+ service. It is configured for ssh service and tcp protocol. What am I not understanding? Does something else need to be configured on the VM for libpam-tacplus to be configured?

As it is, I thought if I had /etc/pam.d/tacacs set up as in your example, but with ssh instead of ppp and tcp instead of ip, then all would be set. For that matter, I tried it as is and set up my tac_plus config to have ppp and ip, but it made no difference.

I've used pamtester and there doesn't appear to be an issue. Where are service types configured? The services file has a couple of lines for tacacs 49/tcp and 49/udp.

ddspell commented 2 years ago

    group = admin {
        service = ssh {
            protocol = tcp
        }
        default service = permit
        service = shell {
            default command = permit
            set priv-lvl = 15
        }
    }

    user = vagrant {
        password = clear "goldfish"
        member = admin
    }

    user = admin {
        password = clear "swordfish"
        member = admin
    }

ddspell commented 2 years ago

I do see one difference that is shown in this thread compared to the README.

You added this line...

    password   required     /usr/local/lib/security/pam_tacplus.so debug server=SERVER secret=testkey123

ddspell commented 2 years ago

OK, here is what I've determined. When I used pamtester, I specified that pam config found in /etc/pam.d, which I had named tacplus. This explains why pamtester worked. I told it what config to use.

What I discovered is that pam was using the entries made by the apt package installer into the common-account, common-auth, common-password, common-session, and common-session-noninteractive. I guess I don't understand how pam needs to be setup.

The documentation in this project said to create a config, which I did, but in my use case it doesn't work. Can you guide me in how it should be implemented? Do I leave the entries in the common configs and add the server, secret, service, and protocol parameters, or can I use an independent config in /etc/pam.d? If so, how do I enable it?

I tried doing pam-auth-update --enable tacplus, but that didn't work.
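Added example, not code from the pam_tacplus project: a POSIX shell lint that scans a whole pam.d directory for pam_tacplus.so lines and flags account/session lines missing service= or protocol=, the condition kravietz traces to "TACACS+ service type not configured" above, while also covering ddspell's discovery that the apt-installed common-* stacks were the files actually in use. The function names tacplus_pam_findings and check_tacplus_pam are mine, and the sample config is constructed with placeholder server and secret values.

```shell
# Added example, not part of pam_tacplus: lint a pam.d directory for pam_tacplus.so
# lines. Account/session lines that omit service= or protocol= are the ones that
# lead to "TACACS+ service type not configured" in the thread above. Scanning the
# whole directory also catches the common-* stacks that a package installer adds.
tacplus_pam_findings() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # keep only uncommented lines that load the module, with their line numbers
        grep -n 'pam_tacplus\.so' "$f" | grep -v '^[0-9]*:[[:space:]]*#' |
        while IFS= read -r hit; do
            lineno=${hit%%:*}
            line=${hit#*:}
            line=${line#"${line%%[![:space:]]*}"}   # drop leading whitespace
            type=${line%%[[:space:]]*}
            type=${type#-}                          # "-account" is also a valid type
            case "$type" in
            account|session)
                for p in service protocol; do
                    case " $line " in
                    *" $p="*) ;;
                    *) echo "$f:$lineno: $type line has no $p= parameter" ;;
                    esac
                done
                ;;
            esac
        done
    done
}

# Wrapper with a usable exit status: 1 if anything was flagged, 0 otherwise.
check_tacplus_pam() {
    findings=$(tacplus_pam_findings "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
}

# Constructed sample mirroring this thread; 192.0.2.10 and EXAMPLE_KEY are placeholders.
demo_dir=$(mktemp -d)
cat > "$demo_dir/tacplus-broken" <<'EOF'
#%PAM-1.0
auth     required  pam_tacplus.so debug server=192.0.2.10 secret=EXAMPLE_KEY
account  required  pam_tacplus.so debug server=192.0.2.10 secret=EXAMPLE_KEY
session  required  pam_tacplus.so debug server=192.0.2.10 secret=EXAMPLE_KEY service=ppp protocol=ip
EOF
check_tacplus_pam "$demo_dir" || true      # reports the account line twice (service=, protocol=)
```

Point it at /etc/pam.d on the client to see every stack that loads the module, not only the file you wrote by hand.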