tac_plus with pam


mateuspok

Jul 27, 2010, 2:33:42 PM
to Event-Driven Servers
Hi,

Sorry for my English, I'm Brazilian...

I'm trying to run tac_plus with PAM integration, because PAM has
password lock policies (after 4 wrong passwords, lock the account
using pam_tally.so), but every try with a correct user/pass
increases the wrong-password count in pam_tally. Below is my config for
tac_plus and pam.d:

id = spawnd {
listen = {
port = 49
}
spawn = {
instances min = 1
instances max = 10
}
background = no
}

id = tac_plus {
access log = /var/log/tacacs/%Y/%m/%d/access.log
accounting log = /var/log/tacacs/%Y/%m/%d/acct.log

debug = ACL AUTHEN MAVIS NET

mavis module = external {
script out = {
if ($TYPE == TACPLUS) {
if ($TACTYPE == AUTH && $PASSWORD == $DBPASSWORD) {
set $RESULT = ACK
}
}
}
exec = /usr/local/sbin/pammavis pammavis -s mavis
script in = { if ($TYPE == TACPLUS && $TACTYPE == INFO) return }
}
user backend = mavis
login backend = mavis
pap backend = mavis


host = world {
address = ::/0
prompt = "Welcome\n"
key = cisco
}

group = admin {
default service = permit
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
}
}

user = myuser { password = mavis member = admin }

}

================== /etc/pam.d/mavis ======================

auth required pam_unix.so nodelay
auth required pam_tally.so audit deny=4 per_user unlock_time=1800
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so




Thanks in advance...

Marc Huber

Jul 28, 2010, 12:44:01 PM
to Event-Driven Servers
Does

printf "4 youruser\n8 yourpassword\n=\n" | /usr/local/sbin/pammavis
pammavis -s mavis

work?

Cheers,

Marc

Marc Huber

Jul 28, 2010, 12:47:39 PM
to Event-Driven Servers
Copy-paste error. The test should read

printf "4 youruser\n8 yourpassword\n=\n" | /usr/local/sbin/pammavis -s mavis

Cheers,

Marc

Mateus Pokreviescki

Jul 28, 2010, 1:05:50 PM
to event-driv...@googlegroups.com
Hi there, here's the result for a wrong pass:


balancer:/home/gsigmet# printf "4 gsigmet\n8 WRONGpass\n=\n" | /usr/local/sbin/pammavis -s mavis
4 gsigmet
8 WRONGpass
=0

And here for a right pass:

balancer:/home/gsigmet# printf "4 gsigmet\n8 MYass\n=\n" | /usr/local/sbin/pammavis -s mavis
4 gsigmet
8 MYpass
9 1000
10 1000
24 1000
19 /home/gsigmet
53 /bin/bash
36 MYpass
=0


But in both cases, it increases the wrong-try count on the pam_tally counter...

pam_tally --user gsigmet
User gsigmet    (1000)  has 4

Appreciate your help

Cheers, Mateus


Marc Huber

Jul 28, 2010, 3:03:52 PM
to Event-Driven Servers
Hi Mateus,

I tend to believe that

auth required pam_tally.so audit deny=4 per_user unlock_time=1800
auth required pam_unix.so nodelay
auth required pam_deny.so
account required pam_tally.so
account required pam_unix.so
account required pam_permit.so
password required pam_unix.so
password required pam_deny.so
session required pam_unix.so

would work. I didn't try this myself; it's based on a couple of googled
results.

Cheers,

Marc

Mateus Pokreviescki

Jul 28, 2010, 3:49:25 PM
to event-driv...@googlegroups.com
Hello there,

Your help was fundamental, but I happened to fix it with another approach... check it out:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
# The below line is used to lock an account if user failed to authenticate 5 times and will be locked for 60 secs.
auth        required      pam_tally.so onerr=fail deny=4 per_user unlock_time=1800
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
# The below line is required for account lockout due to failed login attempt
account     required      pam_tally.so reset
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so


And it worked.


Thanks a lot for your help.

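A toy model of the counter behaviour discussed in this thread, added here as an example; it is not pammavis, libpam, or any code posted above. It assumes pam_tally's documented behaviour (the auth phase counts every attempt, the account phase resets the counter after success), that pammavis runs the auth and account stacks but never pam_setcred, and uses constructed sample credentials for the user name from the thread.

```python
DENY = 4                                  # deny=4, as in the thread's pam config
USERS = {"gsigmet": "MYpass"}             # constructed sample credentials
tally = {}                                # pam_tally's per-user attempt counter

def pam_tally_auth(user, _pw):
    # Auth phase: refuse once at the limit, else count the attempt (pam_tally
    # cannot know yet whether the password will turn out to be right).
    if tally.get(user, 0) >= DENY:
        return False
    tally[user] = tally.get(user, 0) + 1
    return True

def pam_tally_account(user, _pw):
    tally[user] = 0                       # account phase: reset after success
    return True

def pam_unix(user, pw):
    return USERS.get(user) == pw

def pam_permit(_u, _p): return True
def pam_deny(_u, _p): return False

def run_stack(stack, user, pw):
    # Minimal Linux-PAM control-flag semantics: required, requisite, sufficient.
    failed = False
    for flag, module in stack:
        ok = module(user, pw)
        if flag == "sufficient" and ok and not failed:
            return True                   # short-circuit success
        if flag == "requisite" and not ok:
            return False                  # immediate failure
        if flag == "required" and not ok:
            failed = True                 # keep running, fail at the end
    return not failed

# Stack from the first post: pam_tally is consulted in the auth phase only.
BROKEN = {"auth": [("required", pam_unix), ("required", pam_tally_auth)],
          "account": [("required", pam_permit)]}
# Stack from the fix that worked: pam_tally runs in the account phase as well.
FIXED = {"auth": [("required", pam_tally_auth), ("sufficient", pam_unix),
                  ("required", pam_deny)],
         "account": [("required", pam_permit), ("required", pam_tally_account)]}

def simulate(config, passwords, user="gsigmet"):
    """Try each password in turn; return (login succeeded, counter afterwards)."""
    tally.clear()
    results = []
    for pw in passwords:
        ok = run_stack(config["auth"], user, pw) and run_stack(config["account"], user, pw)
        results.append((ok, tally.get(user, 0)))
    return results
```

With the original stack, four correct logins leave the counter at 4 and the fifth is refused; with the fixed stack a correct login resets it to 0, while wrong passwords still accumulate until the account locks.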
