kravietz / pam_tacplus

TACACS+ protocol client library and PAM module in C. This PAM module supports authentication, authorization (account management) and accounting (session management) performed using the TACACS+ protocol designed by Cisco.
GNU Lesser General Public License v3.0

Authorization not working #168

Closed aridhaa closed 2 years ago

aridhaa commented 3 years ago

Hi team, I'm trying to implement PAM with CentOS 8.3. Everything is working fine as expected (installation and configuration), but I have an issue with authorization: whatever service is configured on the TACACS+ side, the authorization passes and the user is logged in. Even for users that have no service configured at all, the user is authorized to log in. Here are my config files:

sshd file

%PAM-1.0
auth include tacacs
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include tacacs
account include password-auth
password include password-auth
session required pam_selinux.so close
session required pam_loginuid.so
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include tacacs
session include password-auth

tacacs file

%PAM-1.0
auth sufficient /usr/local/lib/security/pam_tacplus.so debug server=192.168.169.140 secret=p1atf0rm
account sufficient /usr/local/lib/security/pam_tacplus.so debug server=192.168.169.140 secret=XXXXXXX Service=ppp protocol=ssh
session sufficient /usr/local/lib/security/pam_tacplus.so debug server=192.168.169.140 secret=XXXXXXX Service=ppp protocol=ssh

any idea please and if someone make this works with authorization ?
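An added illustration (mine, not part of this thread and not pam_tacplus code): a small Python model of Linux-PAM's simple control flags run over the account stack posted above. It assumes the password-auth include reduces to a pam_unix line that succeeds for a local account, and that pam_tacplus returns a failure for a user the server has no service for; under those assumptions it shows that a failing `sufficient` line never denies the login on its own.

```python
# Added example, not pam_tacplus project code: a minimal model of Linux-PAM's
# simple control flags, applied to the account stack posted above, showing why
# a failing "sufficient" line does not by itself deny the login.
PAM_SUCCESS, PAM_IGNORE, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_IGNORE", "PAM_AUTH_ERR"

def evaluate_stack(stack, results):
    """Walk (control, module) pairs; `results` maps module -> return code.
    required  : failure is remembered, stack keeps going
    requisite : failure ends the stack at once
    sufficient: success ends the stack unless a required line already failed;
                failure is simply ignored
    optional  : ignored here (it only counts when no other module decides)
    Returns (final_code, trace)."""
    first_failure, trace = None, []
    for control, module in stack:
        rc = results.get(module, PAM_IGNORE)
        trace.append((control, module, rc))
        ok = rc in (PAM_SUCCESS, PAM_IGNORE)
        if control == "required" and not ok and first_failure is None:
            first_failure = rc
        elif control == "requisite" and not ok:
            return rc, trace
        elif control == "sufficient" and rc == PAM_SUCCESS and first_failure is None:
            return PAM_SUCCESS, trace
    return (first_failure or PAM_SUCCESS), trace

def login_allowed(stack, results):
    return evaluate_stack(stack, results)[0] == PAM_SUCCESS

# The posted sshd account section with "include tacacs" spliced in; the
# password-auth part is reduced to its pam_unix line (assumed for CentOS 8).
POSTED_ACCOUNT_STACK = [
    ("required", "pam_nologin.so"),
    ("sufficient", "pam_tacplus.so"),   # from the tacacs file
    ("required", "pam_unix.so"),        # from password-auth (assumed)
]
# Hardened variant: pam_tacplus becomes required, so a TACACS+ denial sticks.
# Caveat: this also locks out accounts the TACACS+ server does not know.
REQUIRED_ACCOUNT_STACK = [(("required" if m == "pam_tacplus.so" else c), m)
                          for c, m in POSTED_ACCOUNT_STACK]

# Constructed scenario: the server has no service for this user, so
# pam_tacplus fails, while the user exists locally, so pam_unix succeeds.
NO_SERVICE_USER = {"pam_nologin.so": PAM_SUCCESS,
                   "pam_tacplus.so": PAM_AUTH_ERR,
                   "pam_unix.so": PAM_SUCCESS}
```

Separately worth checking: pam_tacplus option names are lower case (service=, protocol=), and the posted tacacs file writes Service=.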

kravietz commented 2 years ago

@aridhaa The authorisation decision is made on the TACACS+ server and pam_tacplus just proxies the responses, so I don't think this can be diagnosed without server config. Please reopen this issue if you think this can be diagnosed any further.