I am wondering if I am missing something in the sshd_config
configuration. Or is the interaction between the pam and sshd
incorrect?
Gary
Asif Iqbal wrote:
> On 8/1/06, Gary Schlachter <[EMAIL PROTECTED]> wrote:
> >> Thank you for your reply. The PAM is getting called which in turn
> >> contacts the TACACS server. However, my problem is that OpenSSH is
> >> authenticating the user against /etc/passwd instead of letting the user
> >> be authenticated by the TACACS server. I am looking for a way to
> >> configure SSH to stop the /etc/passwd authentication. When the user is
> >> in /etc/passwd but does not have a local password and is defined on
> >> the TACACS server, TACACS authenticates the user correctly. I am
> >> looking for a way to not have to configure the same user id on both the
> >> TACACS server and the local system.
>
> I am using PAM with Radius Server Auth. So we should have a similar setup.
>
> This is all I have in /etc/pam.conf (Solaris) for sshd to use only one
> pam_radius module and no other pam libraries.
>
> sshd auth required pam_radius_auth.so debug
>
> You may be using other pam libraries--especially the library that talks
> to /etc/passwd.
>
>> BTW, I am the PAM developer.
>>
>> Thanks,
>> Gary
>>
>> Asif Iqbal wrote:
>> > On 7/27/06, Gary Schlachter <[EMAIL PROTECTED]> wrote:
>> >> I know this question has been asked several times over the years
>> >> but I have not seen a definitive answer/solution if one exists. If one
>> >> does not exist or I need to develop one, then I can stop looking! I am
>> >> attempting to integrate a Tacacs+ PAM with OpenSSH. I would like to
>> >> have the PAM authenticate the User ID as well as the password. Thus the
>> >> users do not exist in /etc/passwd. I am not using NIS or any other
>> >> system for user ids. The Tacacs server is the only place the user ids
>> >> exist. Ultimately when the user authenticates via Tacacs, I will switch
>> >> the user to a known user in /etc/passwd and provide the logging in user
>> >> with a specific TTY interface via the shell. When attempting this on
>> >> linux with OpenSSH 4.3p2 compiled with with_pam and seemingly the
>> >> correct sshd_config options, I received the infamous
>> >
>> > This is how I test
>> >
>> > Make sure ldd on sshd shows the pam library in the list
>> >
>> > Modify the sshd_config file with the following two parameters
>> >
>> > SyslogFacility auth
>> > LogLevel Debug
>> >
>> > restart OpenSSH
>> >
>> > touch a file /var/log/sshd.log.
>> >
>> > modify the syslog.conf with auth.debug pointing to /var/log/sshd.log and
>> > restart syslog.
>> >
>> > Now ssh with your tacacs account and see if your tacacs server is
>> > receiving any connection logs from you as well as your
>> > /var/log/sshd.log file.
>> >
>> > If all fails I would ask the tacacs pam module developer about the issue.
>> >
>> >
>> >>
>> >> Thanks in advance,
>> >> Gary
>> >>
>> >>
>> >
>> >
>>
>>
>
>
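As an added example, not part of the thread and not Gary's module or Asif's configuration, here is the shape of the setup Asif describes (a PAM auth stack for sshd with no pam_unix line, and an sshd_config that routes password and keyboard-interactive authentication through PAM at DEBUG logging), together with the check that explains Gary's symptom: sshd resolves the login name with getpwnam() and treats a name the name service does not know as an invalid user, so the authentication fails no matter what the PAM module returns. A user that exists only on the TACACS+ server therefore still has to be resolvable through NSS (passwd, NIS, LDAP or an NSS module). The module name and options (pam_tacplus.so with server= and secret=), the server address, the shared secret and the output directory are assumptions; the script writes to a scratch directory so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal PAM stack and sshd_config
# fragment that send sshd authentication to an external TACACS+ module only,
# plus the name-service check sshd performs independently of PAM.
#
# Assumptions (not on the page): module is pam_tacplus.so with server=/secret=
# options; 192.0.2.10 and CHANGEME are placeholders; OUT defaults to a
# scratch directory so the script never writes into /etc by accident.

OUT="${OUT:-$(mktemp -d)}"

# PAM file for sshd: the auth stack has no pam_unix.so (and no include of
# common-auth / system-auth), so the password is never checked against
# /etc/passwd or /etc/shadow. account/session still use pam_unix because
# sshd needs a uid, home directory and shell for the session.
write_pam_sshd() {
    cat >"$OUT/pam.d-sshd" <<'EOF'
# PAM auth stack for sshd: external authenticator only (assumed pam_tacplus syntax)
auth      required   pam_tacplus.so server=192.0.2.10 secret=CHANGEME debug
account   required   pam_unix.so
session   required   pam_unix.so
EOF
}

# sshd_config fragment (OpenSSH 4.3p2-era keywords): password and
# keyboard-interactive authentication go through PAM, and sshd logs at
# DEBUG to the AUTH facility as suggested in the thread.
write_sshd_config() {
    cat >"$OUT/sshd_config" <<'EOF'
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication no
SyslogFacility AUTH
LogLevel DEBUG
EOF
}

# The part no PAM stack can change: sshd looks the login name up with
# getpwnam(). If the name service does not know the name, sshd marks the
# user invalid and the login fails regardless of the PAM result. So a
# TACACS-only user must still be resolvable via NSS (passwd, NIS, LDAP,
# or an NSS module). Returns 0 if the name resolves, 1 otherwise.
sshd_can_resolve_user() {
    getent passwd "$1" >/dev/null 2>&1
}

# Returns 0 if the PAM file written above has no pam_unix line in the auth
# stack, i.e. the local password database is out of the authentication path.
pam_auth_avoids_local_passwd() {
    ! grep -Eq '^auth[[:space:]].*pam_unix\.so' "$OUT/pam.d-sshd"
}

write_pam_sshd
write_sshd_config
echo "Wrote $OUT/pam.d-sshd and $OUT/sshd_config"
# "tacacs-only-user" is a constructed name that exists on no local system.
for u in root tacacs-only-user; do
    if sshd_can_resolve_user "$u"; then
        echo "$u: resolvable by NSS, sshd will go on to PAM"
    else
        echo "$u: unknown to NSS, sshd treats it as an invalid user before PAM matters"
    fi
done
```

Compare the generated files with the live /etc/pam.d/sshd and /etc/ssh/sshd_config: an `include` line that pulls in pam_unix.so for `auth` is the usual reason a "PAM-only" setup still ends up checking /etc/passwd, and a name that `getent passwd` cannot resolve will never log in through sshd however the PAM stack is arranged.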