pammavis sshd authentication using SecurID RSA Tokens


Johnny Massengill

Jan 22, 2014, 10:19:53 AM1/22/14
to event-driv...@googlegroups.com
Marc,
I have installed the PAM module for SecurID on my TACACS server. My tac_plus.cfg looks like this:

id = spawnd {
    listen = {
        port = 49
    }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = yes
}

id = tac_plus {
    access log = /var/log/tac_plus/access/%Y%m%d.log
    accounting log = /var/log/tac_plus/acct/%Y%m%d.log
    debug = AUTHOR AUTHEN ACCT CONFIG CMD AV MAVIS

    mavis module = external {
        exec = /usr/local/sbin/pammavis pammavis -s sshd
    }
    user backend = mavis
    login backend = mavis

    host = special {
        address = 192.168.1.148 key = test
        motd banner = "\nHitherto shalt thou come, but no further. (Job 38.11)\n\n"
        failed authentication banner = "Authentication FAILED"
        enable 15 = clear testenable
        prompt = "Welcome\n"
    }

    group = admin {
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }

    user = jmassengill {
        login = mavis
        password = mavis
        member = admin
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }
}
**********************

When I tried to log into the box using sshd from PuTTY, it prompted me for a SecurID passcode and I could authenticate against the server. The logs for that successful logon are as follows:
Jan 22 09:21:48 localhost sshd[26124]: iReadPAMConfigFile: Returning success.
Jan 22 09:21:48 localhost sshd[26124]: var_ace directory is /var/ace
Jan 22 09:21:48 localhost sshd[26124]: Service name is :: sshd
Jan 22 09:21:48 localhost sshd[26124]: Users Support for PAM enabled
Jan 22 09:21:48 localhost sshd[26124]: Checking user <root>
Jan 22 09:21:48 localhost sshd[26124]: Checking user <admin>
Jan 22 09:21:48 localhost sshd[26124]: User is NOT in SecurID Exclude User. We will ask for their passcode.
Jan 22 09:21:48 localhost sshd[26124]: Entered PAM:InitSecurID 
Jan 22 09:21:48 localhost sshd[26124]: Leaving init
Jan 22 09:21:48 localhost sshd[26124]: Entered SecurIDAuth Function.
Jan 22 09:22:04 localhost sshd[26124]: Next tokencode required
Jan 22 09:23:05 localhost sshd[26124]: Leaving pam_sm_authenticate::auth succeeded
Jan 22 09:23:05 localhost sshd[26123]: Accepted keyboard-interactive for jmassengill from 192.168.1.162 port 19044 ssh2
Jan 22 09:23:05 localhost sshd[26123]: pam_unix(sshd:session): session opened for user jmassengill by (uid=0)
Jan 22 09:23:54 localhost sshd[26123]: pam_unix(sshd:session): session closed for user jmassengill

However, if I try to test my login for TACACS, this is what I get:
printf "4 jmassengill\n8 GOODPASS\n=\n4 jmassengill\n8 BADPASS\n=\n" | pammavis -s sshd
4 jmassengill
8 GOODPASS
[thin]  9:42:05.244 File:acinit.c Line:105 # AceInitializeEx: RSA ACE/Thin API Version 7.1.0.1 [016] 05_06_13_02_04_01
[thin]  9:42:05.250 File:acinit.c Line:369 # Using hostname localhost.localdomain
[thin]  9:42:05.250 File:acutil.c Line:222 # AllocateNewUser(): User allocated at: fe0b7140.
[thin]  9:42:05.250 File:acnetsub.c Line:668 # CreateSocket(): success. socket 4, port 2476, addr 192.168.1.101
[thin]  9:42:05.250 File:udpmsg.c Line:741 # message type = 103
[thin]  9:42:05.250 File:loadbal.c Line:196 # Entering get_server_idx  
[thin]  9:42:05.250 File:loadbal.c Line:349 # Entering EvaluateServers()
[thin]  9:42:05.250 File:loadbal.c Line:388 # Entering set_run_priorities
[thin]  9:42:05.250 File:loadbal.c Line:498 # set_run_priorities_by_proximity() entry
[thin]  9:42:05.250 File:loadbal.c Line:566 # set_run_priorites_by_proximity() useable best_turnaround 1
[thin]  9:42:05.250 File:loadbal.c Line:599 # set_run_priorites_by_proximity() total_best_servers 1
[thin]  9:42:05.250 File:loadbal.c Line:475 # set_run_priorities() exiting
[thin]  9:42:05.250 File:loadbal.c Line:358 # EvaluateServers() selected = 1, emergency = 0
[thin]  9:42:05.250 File:loadbal.c Line:327 # get_server_idx() returning server index 0  192.168.1.100  
[thin]  9:42:05.251 File:udpmsg.c Line:109 # message type = 91
[thin]  9:42:05.252 File:udpmsg.c Line:109 # message type = 101
4 jmassengill
8 BADpass
[thin]  9:42:07.260 File:acinit.c Line:105 # AceInitializeEx: RSA ACE/Thin API Version 7.1.0.1 [016] 05_06_13_02_04_01
[thin]  9:42:07.266 File:acinit.c Line:369 # Using hostname localhost.localdomain
[thin]  9:42:07.266 File:acutil.c Line:222 # AllocateNewUser(): User allocated at: fe0b7140.
[thin]  9:42:07.266 File:acnetsub.c Line:668 # CreateSocket(): success. socket 4, port 51178, addr 192.168.101
[thin]  9:42:07.266 File:udpmsg.c Line:741 # message type = 103
[thin]  9:42:07.266 File:loadbal.c Line:196 # Entering get_server_idx  
[thin]  9:42:07.266 File:loadbal.c Line:349 # Entering EvaluateServers()
[thin]  9:42:07.266 File:loadbal.c Line:388 # Entering set_run_priorities
[thin]  9:42:07.266 File:loadbal.c Line:498 # set_run_priorities_by_proximity() entry
[thin]  9:42:07.266 File:loadbal.c Line:566 # set_run_priorites_by_proximity() useable best_turnaround 1
[thin]  9:42:07.266 File:loadbal.c Line:599 # set_run_priorites_by_proximity() total_best_servers 1
[thin]  9:42:07.266 File:loadbal.c Line:475 # set_run_priorities() exiting
[thin]  9:42:07.266 File:loadbal.c Line:358 # EvaluateServers() selected = 1, emergency = 0
[thin]  9:42:07.266 File:loadbal.c Line:327 # get_server_idx() returning server index 0  192.168.1.101  
[thin]  9:42:07.267 File:udpmsg.c Line:109 # message type = 91
[thin]  9:42:07.268 File:udpmsg.c Line:109 # message type = 101
******************************
I am wondering what the udpmsg.c message types 91, 103, and 101 are, as I feel they are the key to fixing this problem.


I'm hitting the right PAM module and I'm close to getting SecurID tokens working with TACACS, but I'm missing that one needed part for it to work. SecurID is a requirement for the company, so using TACACS without it is out of the question.


Thank you in advance for your help. 
Johnny





Marc Huber

Jan 22, 2014, 1:29:48 PM1/22/14
to event-driv...@googlegroups.com
Hi Johnny,

On 22.01.14 16:19, Johnny Massengill wrote:
> I have installed the PAM module for SecureID on my TACACS server. my
> tac_plus.cfg looks like this:
I'm not using SecurID myself, so I won't be able to help you with that.

First, remember that PAM is actually an *interactive* authentication
system. A PAM module may ask you to enter username, password, or
anything else.

However, the algorithm I'm using can only cope with username and
password, and, as neither the username nor the password prompt is even
standardized anywhere, the algorithm falls back to evaluating the ECHO
flag: If a PAM module expects a username, then the ECHO flag is
(usually) set, while it isn't for passwords (have a look at the
pam_conv() function in mavis/pammavis.c for details).

If a PAM module conforms to standard behavior (asks for username,
username will be echoed, asks for password, password will not be echoed)
then everything's fine and works as expected. Your RSA pam module,
however, might simply not fall into that category.

A possible work-around could be to use RADIUS to interface to the RSA
server.

Cheers,

Marc
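
The ECHO-flag heuristic Marc describes, as an added example (not pammavis's own pam_conv() code): a non-interactive conversation callback holding exactly one username and one password answers each PAM prompt purely from its message style, and is then run against a few constructed module behaviours. The SecurID prompt sequence is reconstructed from the "Next tokencode required" line in the sshd log above and is an assumption, as is the ACK/NAK verdict mapping; the module scripts, prompt strings and credentials are all constructed for illustration.

```python
"""Model of the ECHO-flag heuristic used by a non-interactive pam_conv().

Added example, not code from pammavis or tac_plus. Module behaviours,
prompts and credentials below are constructed; the SecurID sequence is
an assumption based on the "Next tokencode required" log line.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Linux-PAM message styles (values from <security/_pam_types.h>).
PAM_PROMPT_ECHO_OFF = 1   # hidden input, normally a password
PAM_PROMPT_ECHO_ON = 2    # echoed input, normally a username
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_CONV_ERR = "PAM_CONV_ERR"   # conversation could not supply an answer


@dataclass
class EchoFlagResponder:
    """Stand-in for pam_conv: one username, one password, no interaction."""
    user: str
    password: str
    password_sent: bool = False
    transcript: List[Tuple[str, Optional[str]]] = field(default_factory=list)

    def answer(self, style: int, prompt: str) -> Optional[str]:
        """Reply to one PAM message; None means no answer is available."""
        if style == PAM_PROMPT_ECHO_ON:
            # Echoed prompt: assume the module wants the username.
            self.transcript.append((prompt, self.user))
            return self.user
        if style == PAM_PROMPT_ECHO_OFF:
            if self.password_sent:
                # A second hidden prompt (e.g. next tokencode): nothing left to send.
                self.transcript.append((prompt, None))
                return None
            self.password_sent = True
            self.transcript.append((prompt, "<hidden>"))
            return self.password
        # PAM_TEXT_INFO / PAM_ERROR_MSG need no reply.
        self.transcript.append((prompt, ""))
        return ""


# A scripted module step: (style, prompt, value the module expects back, or None).
Step = Tuple[int, str, Optional[str]]

def run_module(script: List[Step], responder: EchoFlagResponder) -> str:
    """Drive the responder through a scripted module; return the PAM status."""
    for style, prompt, expected in script:
        reply = responder.answer(style, prompt)
        if reply is None:
            return PAM_CONV_ERR
        if expected is not None and reply != expected:
            return PAM_AUTH_ERR
    return PAM_SUCCESS

def authenticate(script: List[Step], user: str, password: str) -> str:
    return run_module(script, EchoFlagResponder(user, password))

def mavis_verdict(status: str) -> str:
    """Assumed mapping of the PAM outcome to the ACK/NAK result tac_plus acts on."""
    return "ACK" if status == PAM_SUCCESS else "NAK"


# Constructed module behaviours (not real module code).
PASSWORD_ONLY: List[Step] = [
    (PAM_PROMPT_ECHO_OFF, "Password: ", "s3cret"),
]
USERNAME_THEN_PASSCODE: List[Step] = [
    (PAM_PROMPT_ECHO_ON, "login: ", "jmassengill"),
    (PAM_PROMPT_ECHO_OFF, "Enter PASSCODE: ", "12345678"),
]
# Assumed from the sshd log: first passcode accepted, then the module
# insists on a second hidden prompt before it will report success.
SECURID_NEXT_TOKENCODE: List[Step] = [
    (PAM_PROMPT_ECHO_OFF, "Enter PASSCODE: ", "12345678"),
    (PAM_TEXT_INFO, "Next tokencode required", None),
    (PAM_PROMPT_ECHO_OFF, "Enter next tokencode: ", "87654321"),
]
# A module that asks for the passcode with echo on: the heuristic
# misreads it as a username prompt and sends the wrong value.
ECHOED_PASSCODE: List[Step] = [
    (PAM_PROMPT_ECHO_ON, "Enter PASSCODE: ", "12345678"),
]

if __name__ == "__main__":
    cases = [
        ("password only", PASSWORD_ONLY, "s3cret"),
        ("username then passcode", USERNAME_THEN_PASSCODE, "12345678"),
        ("securid next tokencode", SECURID_NEXT_TOKENCODE, "12345678"),
        ("echoed passcode", ECHOED_PASSCODE, "12345678"),
    ]
    for name, script, pw in cases:
        status = authenticate(script, "jmassengill", pw)
        print(f"{name:24s} {status:13s} -> {mavis_verdict(status)}")
```

The two failing cases are the ones Marc's explanation predicts: a module that needs a second hidden answer runs the responder dry (PAM_CONV_ERR), and a module that echoes its passcode prompt gets the username instead of the passcode (PAM_AUTH_ERR). Either way the MAVIS backend can only report a failure to tac_plus, which is why an interactive sshd login can succeed while the piped pammavis test does not.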


Johnny Massengill

Jan 22, 2014, 3:04:14 PM1/22/14
to event-driv...@googlegroups.com
Marc,
I have RADIUS installed JUST in case I had to go in that direction.
I'll go have a look in the documentation to see the RADIUS examples.

Johnny Massengill

Jan 22, 2014, 3:09:42 PM1/22/14
to event-driv...@googlegroups.com


On Wednesday, January 22, 2014 10:19:53 AM UTC-5, Johnny Massengill wrote:
Marc,
You might find this interesting. I logged back into the switch and I used my SecurID token code at the password prompt, and it worked to let me into the switch. It could just be a change in verbiage in a file.
If it seems like it is going to work, I'll post further information as I find it out.

Johnny