PAM-tacplus[xxxx]: TACACS+ service type not configured


Dan D.
Aug 1, 2022, 10:47:11 AM
to Event-Driven Servers
Has anyone successfully used libpam-tacplus with this tacacs+ service?

Package: libpam-tacplus
Version: 1.3.8-2+deb8u1build0.18.04.1
Priority: extra
Section: universe/admin
Origin: Ubuntu

pamtester is successful but an actual login fails with:
PAM-tacplus[6641]: TACACS+ service type not configured

However, the service is configured. At least, I think it is.
How do I confirm the service is?

Here's the tacacs PAM file in /etc/pam.d.
#%PAM-1.0
auth     required /lib/security/pam_tacplus.so server=192.168.1.179 secret=testkey123
account  required /lib/security/pam_tacplus.so server=192.168.1.179 secret=testkey123 service=ssh protocol=tcp
session  required /lib/security/pam_tacplus.so server=192.168.1.179 secret=testkey123 service=ssh protocol=tcp

I've tried it with the service and protocol settings and without. I've tried it with different values such as ppp for the service and ip for the protocol. Results don't change. Very frustrated. Any guidance is appreciated.

Thanks,
Danny

Marc Huber
Aug 1, 2022, 1:54:58 PM
to event-driv...@googlegroups.com
Hi Dan,

please post your configuration plus a tac_plus(-ng) debug log.

Thanks,

Marc

Dan D.
Aug 1, 2022, 5:55:43 PM
to Event-Driven Servers
Thanks, I'm not so sure it's an issue with your service but rather with PAM-tacplus.

I did two tests. One with the correct password and the other with the wrong password.
debug-20220801.log
/var/log/tac_plus # cat debug-20220801.log
2022-08-01 21:40:59 +0000|172.21.0.1|admin|pts/1|unknown|pap login succeeded
2022-08-01 21:41:04 +0000|172.21.0.1|admin|pts/1|unknown|pap login failed

On the VM, the system log showed this for the failed password attempt.
Jul 30 16:29:40 vagrant PAM-tacplus[7712]: auth failed: 2

All this is good.

However, when I ssh to the host, there's no entry on the tacacs service and the host's system log shows:
Jul 30 16:36:24 vagrant PAM-tacplus[7714]: user not authenticated by TACACS+
Jul 30 16:36:24 vagrant sshd[7714]: Accepted password for vagrant from 192.168.56.1 port 62451 ssh2
Jul 30 16:36:24 vagrant systemd[1]: Started Session 93 of user vagrant.
Jul 30 16:36:24 vagrant PAM-tacplus[7714]: TACACS+ service type not configured
Jul 30 16:36:24 vagrant systemd-logind[2982]: New session 93 of user vagrant.
Jul 30 16:36:24 vagrant sshd[7714]: pam_unix(sshd:session): session opened for user vagrant by (uid=0)

The PAM config for tacacs is:
root@vagrant:/etc/pam.d# cat tacplus

#%PAM-1.0
auth     required /lib/security/pam_tacplus.so server=192.168.1.179 secret=testkey123
account  required /lib/security/pam_tacplus.so server=192.168.1.179 secret=testkey123 service=ssh protocol=tcp
session  required /lib/security/pam_tacplus.so server=192.168.1.179 secret=testkey123 service=ssh protocol=tcp

The tacacs service config is:
> cat app/tac_plus.cfg
id = spawnd {
    listen = { port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = no
}

id = tac_plus {
    debug = PACKET AUTHEN AUTHOR

    log = stdout {
    syslog level = DEBUG
        destination = /var/log/tac_plus/debug-%Y%m%d.log
    }

    authorization log group = yes
    authentication log = stdout
    authorization log = stdout
    accounting log = /var/log/tac_plus/%Y/%m/%d.log

#    mavis module = external {
#        exec = /tacacs/lib/mavis/mavis_tacplus_passwd.pl
#    }
#    login backend = mavis

    host = 0.0.0.0/0 {
        welcome banner = "\nTACACS+ Test!!!\n\n"
        key = testkey123
    }

    group = admin {
        default service = permit
        service = ssh {
        protocol = tcp
        }
        enable = permit
    }

    user = vagrant {
        password = clear "goldfish"
        member = admin
    }

    user = admin {
        password = clear "swordfish"
        member = admin
    }
}


The banner never appears. I think this is an issue with the libpam-tacacs module.
I think the module is not fully functional.

Regardless, the part I don't understand is:
PAM-tacplus[7714]: TACACS+ service type not configured

This error message coupled with no entries in the debug log makes me think it never touches the tacacs service.
I believe the issue is with the host. I'm just not sure what to do about configuring service type.


Thanks for taking a minute to respond.

Marc Huber
Aug 2, 2022, 1:06:03 PM
to event-driv...@googlegroups.com
Hi Dan,

I'd suggest to run "tac_plus -f -d -1 <config-file>" to check whether
the pam module communicates with the daemon.

Cheers,

Marc

Dan D.
Aug 5, 2022, 4:56:49 PM
to Event-Driven Servers
Good news, everyone! -- Professor Farnsworth

I figured out the issue.
The parameters for libpam-tacplus have to be specified in the common-xxx PAM configs.
common-account
common-auth
common-password
common-session
common-session-noninteractive

Once the parameters were set, then no more errors were recorded in the log.
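A small audit script for the situation the thread ends on: it parses Debian-style PAM stack files, flags every pam_tacplus.so line that lacks the service= or protocol= parameters, and reports stack files with no pam_tacplus.so entry at all. This is an added example, not code from the thread or from libpam-tacplus; the file contents in SAMPLE_FILES are constructed, and the assumption that each common-* stack should carry a pam_tacplus.so line with both parameters follows the final post above.

```python
import re
from typing import Dict, List

REQUIRED = ("service", "protocol")
# PAM line: type, control (keyword or [bracketed] form), module path, args
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed Debian-style stack files (not copied from a real host): the
# auth line lacks service/protocol, the account line has them, the session
# stack has no TACACS+ entry at all.
SAMPLE_FILES = {
    "common-auth": "auth required pam_tacplus.so server=192.168.1.179 secret=testkey123\n"
                   "auth required pam_unix.so nullok_secure\n",
    "common-account": "account required pam_tacplus.so server=192.168.1.179 "
                      "secret=testkey123 service=ssh protocol=tcp\n"
                      "account required pam_unix.so\n",
    "common-session": "session required pam_unix.so\n",
}

def parse_pam_lines(text: str):
    """Yield (type, control, module basename, {arg: value}) per PAM entry."""
    for raw in text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())  # drop #%PAM-1.0 etc.
        if not m:
            continue  # blank, @include, or malformed line
        mtype, control, module, rest = m.groups()
        args = {k: v for k, _, v in (a.partition("=") for a in rest.split())}
        yield mtype, control, module.rsplit("/", 1)[-1], args

def audit(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {file: [problems]}; files whose pam_tacplus lines are complete are omitted."""
    report: Dict[str, List[str]] = {}
    for name, text in files.items():
        problems, seen = [], False
        for mtype, _ctl, module, args in parse_pam_lines(text):
            if module != "pam_tacplus.so":
                continue
            seen = True
            missing = [k for k in REQUIRED if k not in args]
            if missing:
                problems.append(f"{mtype} line missing {', '.join(missing)}")
        if not seen:
            problems.append("no pam_tacplus.so entry")
        if problems:
            report[name] = problems
    return report
```

Point `audit` at the real contents of /etc/pam.d/common-* (read with open()) to get the same per-file report for a live host.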