ssh denied by ACL despite ACL config is correct


Kusay Mohammed

May 23, 2025, 8:27:14 AM
to Event-Driven Servers
Hello Marc,

I have configured tac_plus on Ubuntu with multiple groups per user, and each group has its own ACL.
The example below has already been tested.
group = ebh-nonprod_admin {
        acl = EBH_nonprod
        default service = permit
        service = shell {
                default cmd = permit
                default attribute = permit
                set priv-lvl = 15
                set idletime = 120
                set timeout = 120
                }
        }

acl = EBH_nonprod {
        nas = 172.31.116.236
        nas = 172.31.116.237
        nas = 172.31.116.238
        nas = 172.31.116.239
        nas = 172.31.116.232
        nas = 172.31.116.234
        nas = 172.31.116.228
        nas = 172.31.116.230
}

Connecting to 172.31.116.236 is always failing:
May 23 12:51:03 Bretagne tac_plus[7994]: - Error kmohamme:1: Group membership for network ::/0 is already defined
May 23 12:51:03 Bretagne tac_plus[7994]: 172.31.116.236 ascii login for 'kmohamme' from 172.31.128.57 on ssh denied by ACL


If I keep only one group, it works with "skip missing groups = yes".
I have checked all ACLs and there is no overlap.
What could be going wrong?

thanks,
Kusay

Marc Huber

May 23, 2025, 11:43:19 AM
to event-driv...@googlegroups.com

Hi Kusay,

tac_plus doesn't support overlapping (same-scope) group memberships. The "acl = EBH_nonprod" limits access to the group only. To limit the scope from within the group use "nas default restriction".

Please keep in mind that tac_plus is no longer under active development. The generic suggestion is to move to tac_plus-ng.

Cheers,

Marc

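To show why Kusay's overlap check passed while tac_plus still refused the login, here is a small added example (not code from the thread or from tac_plus itself): it parses a config in the thread's style and runs both checks side by side. The "user = ... { member = ... }" block and the exact config grammar the parser accepts are assumptions, not taken from the thread.

```python
import re
from itertools import combinations
# Constructed sample in the thread's tac_plus style: two groups with
# non-overlapping ACLs plus an assumed "user" block (not shown in the thread).
SAMPLE_CONFIG = """group = ebh-nonprod_admin {
        acl = EBH_nonprod
        service = shell { set priv-lvl = 15 }
}
group = ebh-prod_admin {
        acl = EBH_prod
}
acl = EBH_nonprod {
        nas = 172.31.116.236
        nas = 172.31.116.237
}
acl = EBH_prod {
        nas = 172.31.117.10
}
user = kmohamme {
        member = ebh-nonprod_admin
        member = ebh-prod_admin
}
"""
BLOCK_RE = re.compile(r"(\w+)\s*=\s*(\S+)\s*\{")
def parse_blocks(text):
    """{(kind, name): body} for top-level blocks; nested braces are skipped."""
    blocks, pos = {}, 0
    while (m := BLOCK_RE.search(text, pos)):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        blocks[(m.group(1), m.group(2))] = text[m.end():i - 1]
        pos = i
    return blocks

def acl_nas_overlap(text):
    """Kusay's check: NAS addresses listed in more than one ACL."""
    nas = {n: set(re.findall(r"^\s*nas\s*=\s*(\S+)", b, re.M))
           for (k, n), b in parse_blocks(text).items() if k == "acl"}
    return {(a, b): nas[a] & nas[b]
            for a, b in combinations(sorted(nas), 2) if nas[a] & nas[b]}
def membership_conflicts(text):
    """tac_plus's check: 'acl =' only gates access, so every 'member =' is for ::/0."""
    found = {}
    for (kind, name), body in parse_blocks(text).items():
        groups = re.findall(r"^\s*member\s*=\s*(\S+)", body, re.M)
        if kind == "user" and len(groups) > 1:
            found[name] = {"::/0": groups}  # second ::/0 membership collides
    return found
```

`acl_nas_overlap` finds nothing, exactly as Kusay reported, while `membership_conflicts` flags the user, mirroring the "Group membership for network ::/0 is already defined" error.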

Kusay Mohammed

May 26, 2025, 7:04:31 AM
to Event-Driven Servers
Thanks Marc for your answer :)
Indeed we are planning to replace it with ng, but for the short term I wanted to adapt our old tac_plus to do the job fast.
Thanks again for your support.
Best regards,
Kusay
