On 8/2/06, Gary Schlachter wrote:
> Since I am told OpenSSH works with radius, it should work with TACACS as
> well. I believe I have the /etc/pam.d/sshd setup correctly as below:
>
> #%PAM-1.0
> auth required pam_stack.so service=tacacs
> auth required pam_nologin.so
> account sufficient pam_stack.so service=tacacs
> password required pam_stack.so service=tacacs
> session sufficient pam_stack.so service=tacacs
> session required pam_limits.so
> session optional pam_console.so
>
> So my TACACS pam is getting called with the incoming user. OpenSSH
> complains that the incoming user is not found but continues processing.
> My pam authenticates the incoming user and sends back the response to
> OpenSSH to prompt for the password. I enter the password. Now the
> incoming request to my pam does not have the password that was entered
> but the hardcoded value in OpenSSH of "****INCORRECT" which indicates
> that sshpam_authctxt->valid is 0. Obviously this fails from the TACACS
> server.


You want to make sure UsePAM is set to `yes' and you are using
keyboard interactive for protocol 2 and challenge response for
protocol 1.

There are a couple of log files that you can send me (if they exceed the
attachment size restriction of this mailing list) to take a look at.

Change the loglevel to debug in the sshd_config file. Then restart sshd.
Now try to ssh in from a remote client. Collect all the logs related
to `auth.*' (assuming your syslog facility in sshd_config is set to
auth) and post them here. You may also post the ssh_config of the remote
client and the sshd_config of the sshd server. I can use those to test on my
side.

Also make sure you do have a local user account and it is not locked.
You need a local account even though the authentication is done
thru the tacacs server.

>
> I am wondering if I am missing something in the sshd_config
> configuration. Or is the interaction between the pam and sshd incorrect?
>
> Gary
>
> Asif Iqbal wrote:
> > On 8/1/06, Gary Schlachter wrote:
> >> Thank you for your reply. The PAM is getting called which in turn
> >> contacts the TACACS server. However, my problem is that OpenSSH is
> >> authenticating the user against /etc/passwd instead of letting the user
> >> be authenticated by the TACACS server. I am looking for a way to
> >> configure SSH to stop the /etc/passwd authentication. When the user is
> >> in /etc/passwd but does not have a local password and is defined on
> >> the TACACS server, TACACS authenticates the user correctly. I am
> >> looking for a way to not have to configure the same user id on both the
> >> TACACS server and the local system.

> >
> > I am using PAM with Radius Server Auth. So we should have similar setup.
> >
> > This is all I have in /etc/pam.conf (Solaris) for sshd to use only one
> > pam_radius module and no other pam libraries.
> >
> > sshd auth required pam_radius_auth.so debug
> >
> > You may be using other pam libraries--specially the library that talks
> > to /etc/passwd.
> >
> >> BTW, I am the PAM developer.
> >>
> >> Thanks,
> >> Gary
> >>
> >> Asif Iqbal wrote:
> >> > On 7/27/06, Gary Schlachter wrote:
> >> >> I know this question has been asked several times over the years
> >> >> but I have not seen a definitive answer/solution if one exists. If one
> >> >> does not exist or I need to develop one, then I can stop looking! I am
> >> >> attempting to integrate a Tacacs+ PAM with OpenSSH. I would like to
> >> >> have the PAM authenticate the User ID as well as the password. Thus the
> >> >> users do not exist in /etc/passwd. I am not using NIS or any other
> >> >> system for user ids. The Tacacs server is the only place the user ids
> >> >> exist. Ultimately when the user authenticates via Tacacs, I will switch
> >> >> the user to a known user in /etc/passwd and provide the logging in user
> >> >> with a specific TTY interface via the shell. When attempting this on
> >> >> linux with OpenSSH 4.3p2 compiled with with_pam and seemingly the
> >> >> correct sshd_config options, I received the infamous
> >> >
> >> > This is how I test
> >> >
> >> > Make sure ldd on sshd shows the pam library in the list
> >> >
> >> > Modify the sshd_config file with the following two parameters
> >> >
> >> > Syslog Facility auth
> >> > Loglevel Debug
> >> >
> >> > restart OpenSSH
> >> >
> >> > touch a file /var/log/sshd.log.
> >> >
> >> > modify the syslog.conf with auth.debug pointing to /var/log/sshd.log and
> >> > restart syslog.
> >> >
> >> > Now ssh with your tacacs account and see if your tacacs server is
> >> > receiving any connection logs from you, as well as your
> >> > /var/log/sshd.log file.
> >> >
> >> > If all fails I would ask the tacacs pam module developer about the issue.
> >> >
> >> >
> >> >>
> >> >> Thanks in advance,
> >> >> Gary
> >> >>
> >> >>
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
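The checks discussed in this thread (UsePAM set to yes, challenge-response/keyboard-interactive enabled, and an existing, unlocked local account, since sshd hands PAM the "****INCORRECT" placeholder rather than the real password when the user is not valid locally) as an added diagnostic script. This is example code, not from the thread or from OpenSSH; it reads an sshd_config and a shadow-style file whose paths are passed in, ignores Match blocks, and uses constructed sample data.

```shell
#!/bin/sh
# Effective value of one sshd_config keyword: sshd keeps the first
# occurrence and matches the keyword case-insensitively. Match blocks are
# not handled (assumption for this example).
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Print one line per setting that does not match what PAM-backed
# keyboard-interactive authentication needs; silent when the file is fine.
check_pam_sshd() {
    [ "$(sshd_opt "$1" UsePAM | tr 'A-Z' 'a-z')" = yes ] \
        || echo "UsePAM must be yes"
    [ "$(sshd_opt "$1" ChallengeResponseAuthentication | tr 'A-Z' 'a-z')" = yes ] \
        || echo "ChallengeResponseAuthentication must be yes"
}

# Classify a user in a shadow-style file (user:hash:...): "missing" if
# there is no entry, "locked" if the hash field starts with ! or *, else "ok".
account_state() {
    awk -F: -v u="$2" '
        $1 == u { print ($2 ~ /^[!*]/) ? "locked" : "ok"; found = 1; exit }
        END { if (!found) print "missing" }
    ' "$1"
}

# Constructed sample files (not from the thread) run through both checks.
demo() {
    d=$(mktemp -d)
    cat > "$d/sshd_config" <<'EOF'
# constructed sshd_config: UsePAM is wrong, challenge-response is right
UsePAM no
ChallengeResponseAuthentication yes
LogLevel DEBUG
EOF
    cat > "$d/shadow" <<'EOF'
gary:$6$constructedhash:13000:0:99999:7:::
tacuser:!:13000:0:99999:7:::
EOF
    check_pam_sshd "$d/sshd_config"
    for u in gary tacuser nobodyhere; do
        echo "$u: $(account_state "$d/shadow" "$u")"
    done
    rm -r "$d"
}
demo
```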