kravietz / pam_tacplus

TACACS+ protocol client library and PAM module in C. This PAM module supports authentication, authorization (account management) and accounting (session management) performed using the TACACS+ protocol designed by Cisco.
GNU Lesser General Public License v3.0

Passwd changing with pam_tacplus? #35

Open joakim-tjernlund opened 9 years ago

joakim-tjernlund commented 9 years ago

From what I can tell TACACS+ supports changing passwd on the server. Is there any support for this? If not, could it be added?

daveolson53 commented 9 years ago

joakim-tjernlund notifications@github.com wrote:

From what I can tell TACACS+ supports changing passwd on the server. Is there any support for this? If not, could it be added?

It shouldn't be too hard to add, the infrastructure is all there, if the server supports it. As best as I can tell, the Linux tac_plus server does not, however.

Dave Olson olson@cumulusnetworks.com

gthouret commented 9 years ago

I implemented it on my fork. It diverged a bit from this repo but has full support for password change, changing from prompt when password expired. All tested against Cisco ACS backend and OpenSSH on client. https://github.com/WEMS/pam_tacplus

joakim-tjernlund commented 9 years ago

On Thu, 2015-10-01 at 08:46 -0700, Guy Thouret wrote:

I implemented it on my fork. It diverged a bit from this repo but has full support for password change, changing from prompt when password expired. All tested against Cisco ACS backend and OpenSSH on client. https://github.com/WEMS/pam_tacplus

This is really great! Also it should be pushed upstream, any plans to do that?

Jocke

gthouret commented 9 years ago

I diverged a bit from upstream during development so it's not going to merge easily. I intended to clean things up and rebase the feature from upstream but never found the time to do it.

Looking through my commits most changes are separated fairly well so shouldn't be too much work. I don't have a test environment set up any more to test this though.

benschumacher commented 9 years ago

I had done this too. You could also make it occur at first auth, which policies with Cisco ACS often require.

One of the biggest changes from what I recall was how the interaction with PAM/OpenSSH worked. You have to support challenge/response in OpenSSH for the exchange with the backend to work as expected.

joakim-tjernlund commented 9 years ago

benschumacher, do you have source online somewhere? Is "NSS integration for TACACS+ #28" included therein too?

benschumacher commented 9 years ago

Let me upload what I've got in some form.

I've been intending to put together PRs, but haven't quite found the time, and have changed focus in my day job, so not so much support there from my new team.

joakim-tjernlund commented 8 years ago

benschumacher, did you commit your source somewhere? I'm starting to get close to impl. and want to look at all possibilities. We have our own embedded device which needs this.

benschumacher commented 8 years ago

This can be closed with the merge of #45 and #47.