kravietz / pam_tacplus

TACACS+ protocol client library and PAM module in C. This PAM module supports authentication, authorization (account management) and accounting (session management) performed using the TACACS+ protocol designed by Cisco.
GNU Lesser General Public License v3.0
132 stars 101 forks

ssh allowing login when tacacs exits with status 7, [PAM_PERM_DENIED] #90

Open stevetavve opened 7 years ago

stevetavve commented 7 years ago

I've tried many configurations of /etc/pam.d/sshd but can't quite get it to work properly. The current configuration is:

#%PAM-1.0
auth       include      tacacs
#auth       include      radius
auth       required     pam_sepermit.so
auth       include     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
#-auth      optional     pam_reauthorize.so prepare
account    include      tacacs
#account    include      radius
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
#session    include      tacacs
#session    include      radius
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

However, this is allowing any tacacs user to login as long as they provide the correct password. Here is the debug trace. The required level is level 10, so an admin can log in. However, in this example, the tacacsOperator is only level 5; this is correctly returned by the Tacacs server, but ssh does not seem to respect the return code from pam_sm_acct_mgmt: exiting with status 7 and allows the login.

Mar 21 17:28:02 zr6 PAM-tacplus[12021]: 1 servers defined
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: server[0] { addr=10.254.1.117:49, key='andy' }
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_service=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_protocol=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_prompt=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_login=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_command=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_priv_level='15'
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_authenticate: called (pam_tacplus v1.3.8)
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_authenticate: user [tacacsOperator] obtained
Mar 21 17:28:02 zr6 sshd[12021]: tacacs_get_password: called
Mar 21 17:28:02 zr6 sshd[12021]: tacacs_get_password; in final else
Mar 21 17:28:02 zr6 sshd[12021]: tacacs_get_password; msg.msg: Password:
Mar 21 17:28:02 zr6 sshd[12021]: tacacs_get_password; resp not equal null
Mar 21 17:28:02 zr6 sshd[12021]: tacacs_get_password: obtained password pass5
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_authenticate: password obtained
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_authenticate: tty [ssh] obtained
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_authenticate: rhost [tron.tavve.com] obtained
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_authenticate: trying srv 0
Mar 21 17:28:02 zr6 sshd[12021]: tacacs status: TAC_PLUS_AUTHEN_STATUS_PASS
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_authenticate: active srv 0
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_authenticate: exit with pam status: 0
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: 1 servers defined
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: server[0] { addr=10.254.1.117:49, key='andy' }
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_service='zoneranger'
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_protocol=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_prompt=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_login=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_command=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_priv_level='10'
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: called (pam_tacplus v1.3.8)
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: username obtained [tacacsOperator]
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: tty obtained [ssh]
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: rhost obtained [tron.tavve.com]
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: active server is [10.254.1.117:49]
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: SM: TACACS+ protocol type not configured (IGNORED)
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: SM: TACACS+ command type not configured (IGNORED)
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: sent authorization request
Mar 21 17:28:02 zr6 sshd[12021]: Args cnt 1
Mar 21 17:28:02 zr6 sshd[12021]: Adding buf/value pair (priv-lvl,5)
**Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: user [tacacsOperator] successfully authorized
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: attribute priv-lvl value =5
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: priv-level was 5 but needs to be at least 10
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: returned attribute `PRIV_LVL=5' from server
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: exiting with status 7**
Mar 21 17:28:02 zr6 sshd[12021]: Accepted password for tacacsOperator from 10.254.1.180 port 41730 ssh2
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: 1 servers defined
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: server[0] { addr=10.254.1.117:49, key='andy' }
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_service=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_protocol=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_prompt=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_login=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_command=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_priv_level='15'
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_setcred: called (pam_tacplus v1.3.8)
Mar 21 17:28:02 zr6 systemd: Created slice user-511.slice.
Mar 21 17:28:02 zr6 systemd: Starting user-511.slice.
Mar 21 17:28:02 zr6 systemd-logind: New session 28 of user tv_config.
Mar 21 17:28:02 zr6 systemd: Started Session 28 of user tv_config.
Mar 21 17:28:02 zr6 systemd: Starting Session 28 of user tv_config.
Mar 21 17:28:02 zr6 sshd[12021]: pam_unix(sshd:session): session opened for user tacacsOperator by (uid=0)
Mar 21 17:28:02 zr6 PAM-tacplus[12023]: 1 servers defined
Mar 21 17:28:02 zr6 PAM-tacplus[12023]: server[0] { addr=10.254.1.117:49, key='andy' }
Mar 21 17:28:02 zr6 PAM-tacplus[12023]: tac_service=''
Mar 21 17:28:02 zr6 PAM-tacplus[12023]: tac_protocol=''
Mar 21 17:28:02 zr6 PAM-tacplus[12023]: tac_prompt=''
Mar 21 17:28:02 zr6 PAM-tacplus[12023]: tac_login=''
Mar 21 17:28:02 zr6 PAM-tacplus[12023]: tac_command=''
Mar 21 17:28:02 zr6 PAM-tacplus[12023]: tac_priv_level='15'
Mar 21 17:28:02 zr6 sshd[12023]: pam_sm_setcred: called (pam_tacplus v1.3.8)

Any pointers with this issue are greatly appreciated.

Thank you.
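The behaviour in the trace above is what a PAM stack does when the module that denies is not in a position to veto the stack: Linux-PAM combines the results of all modules in a management group according to their control keywords, and a failure from a `sufficient` module is ignored while the remaining modules (here pam_nologin and the local account checks from password-auth) go on to succeed. The following is an added example, not code from pam_tacplus or from the issue author; it models the four classic control keywords and assumes, since the file is not shown in the report, that the included `/etc/pam.d/tacacs` declares pam_tacplus with `sufficient` and that the `password-auth` include resolves to a local `pam_unix.so` account check. The stacks, the module names after flattening and the per-module return codes are constructed for the example.

```python
"""Simplified model of how Linux-PAM combines per-module results within one
management group (auth, account, session or password).  Added example, not
the libpam dispatcher itself; only the four classic control keywords
(required, requisite, sufficient, optional) are modelled."""

PAM_SUCCESS = 0
# Any non-zero code counts as failure; 7 is the status pam_tacplus reported
# in the trace, reused here for the constructed results below.
TACPLUS_DENIED = 7


def parse_stack(text, group):
    """Return [(control, module)] for one group from pam.d-style text.
    Assumes any 'include' lines have already been flattened into the text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        # A leading '-' only silences "module not found" logging; ignore it.
        mtype, control, module = parts[0].lstrip("-"), parts[1], parts[2]
        if mtype == group:
            entries.append((control, module))
    return entries


def run_stack(entries, results):
    """Walk the stack, feeding each module the return code found in `results`.
    Returns (final_code, trace); trace lists the modules actually consulted."""
    first_failure = None
    trace = []
    for control, module in entries:
        code = results.get(module, PAM_SUCCESS)   # modules not listed succeed
        trace.append((module, code))
        if control == "required":
            # Failure is remembered, but the stack keeps running so the
            # caller cannot tell which module failed.
            if code != PAM_SUCCESS and first_failure is None:
                first_failure = code
        elif control == "requisite":
            # Failure ends the stack immediately with this code.
            if code != PAM_SUCCESS:
                return code, trace
        elif control == "sufficient":
            # Success ends the stack early unless an earlier required module
            # already failed; a FAILURE is simply ignored and evaluation continues.
            if code == PAM_SUCCESS and first_failure is None:
                return PAM_SUCCESS, trace
        elif control == "optional":
            pass  # ignored (unless it is the only module, not modelled here)
        else:
            raise ValueError(f"unsupported control keyword: {control}")
    return (PAM_SUCCESS if first_failure is None else first_failure), trace


# Constructed: the reporter's account group with `account include tacacs`
# and `account include password-auth` flattened, ASSUMING the tacacs file
# uses `sufficient` and password-auth contributes a local pam_unix check.
ACCOUNT_SUFFICIENT = """
account    sufficient   pam_tacplus.so
account    required     pam_nologin.so
account    required     pam_unix.so
"""
# The same stack with the TACACS+ authorization result made binding.
ACCOUNT_REQUIRED = ACCOUNT_SUFFICIENT.replace("sufficient", "required")
ACCOUNT_REQUISITE = ACCOUNT_SUFFICIENT.replace("sufficient", "requisite")

# Constructed outcomes matching the trace: pam_tacplus denies (priv-lvl 5 is
# below the required 10); the local modules succeed because the account exists.
RESULTS = {"pam_tacplus.so": TACPLUS_DENIED}


def evaluate(text):
    """Run the account group of a flattened pam.d text against RESULTS."""
    return run_stack(parse_stack(text, "account"), RESULTS)


if __name__ == "__main__":
    for name, text in [("sufficient", ACCOUNT_SUFFICIENT),
                       ("required", ACCOUNT_REQUIRED),
                       ("requisite", ACCOUNT_REQUISITE)]:
        code, trace = evaluate(text)
        consulted = [m for m, _ in trace]
        print(f"pam_tacplus as {name:10s}: final status {code}, consulted {consulted}")
```

With `sufficient`, the final status is 0 even though pam_tacplus returned 7, which is the pattern in the trace; with `required` the stack still consults every module but ends with 7, and with `requisite` it stops at pam_tacplus. Which keyword is appropriate depends on whether local accounts must keep working when the TACACS+ server is unreachable, so the check to run on the real system is to read the flattened stack (`/etc/pam.d/tacacs` and `password-auth`) and confirm where the denial can be overridden.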

eriktuantran commented 4 years ago

What do you have in /etc/pam.d/tacacs?

ayoubkefi commented 2 years ago

Did you fix this?