Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Tacacs and OpenSSH

from [Asif Iqbal] Network Security [Permanent Link]
Subject: Re: Tacacs and OpenSSH
Date: Tue, 1 Aug 2006 08:37:31 -0400
On 8/1/06, Gary Schlachter <Gary.Schlachter@tavve.com> wrote: 
Thank you for your reply.  The PAM is getting called which in turn
contacts the TACACS server.  However, my problem is that OpenSSH is
authenticating the user against /etc/passwd instead of letting the user
be authenticated by the TACACS server.  I am looking for a way to
configure SSH to stop the /etc/passwd authentication.  When the user is
in /etc/passwd a but does not have a local password and is defined on
the TACACS server, TACACS authenticates the user correctly.   I am
looking for a way to not have to configure the same user id on both the
TACACS server and the local system.


I am using PAM with Radius Server Auth. So we should have similar setup.

This is all I have in /etc/pam.conf (Solaris) for sshd to use only one
pam_radius module and no other pam libraries.

sshd auth required      pam_radius_auth.so debug

You may be using other pam libraries--specially the library that talks
to /etc/passwd.

BTW, I am the PAM developer.

Thanks,
Gary

Asif Iqbal wrote:
> On 7/27/06, Gary Schlachter <Gary.Schlachter@tavve.com> wrote:
>>        I know this question has been asked several times over the years
>> but I have not seen a definitive answer/solution if one exists.  If one
>> does not exist or I need to develop one, then I can stop looking!  I am
>> attempting to integrate a Tacacs+ PAM with OpenSSH.  I would like to
>> have the PAM authenticate the User ID as well as the password.  Thus the
>> users do not exist in /etc/passwd.  I am not using NIS or any other
>> system for user ids.  The Tacacs server is the only place the user ids
>> exist. Ultimately when the user authenticates via Tacacs, I will switch
>> the user to a known user in /etc/passwd and provide the logging in user
>> with a specific TTY interface via the shell.  When attempting this on
>> linux with OpenSSH 4.3p2 compiled with with_pam and seemingly the
>> correct sshd_config options, I received the infamous
>
> This is how I test
>
> Make sure ldd to sshd shows pam library in the list
>
> Modify the sshd_config file with the following two parameters
>
> Syslog Fascility auth
> Loglevel Debug
>
> restart OpenSSH
>
> touch a file /var/log/sshd.log.
>
> modify the syslog.conf with auth.debug point to /var/log/sshd.log and
> restart syslog.
>
> Now ssh with your tacacs account and see if your tacacs server
> receiving any connection logs from you as well as your
> /var/log/sshd.log file.
>
> If all fails I would ask the tacacs pam module developer about the issue.
>
>
>>
>> Thanks in advance,
>> Gary
>>
>>
>
>




--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: How do I silence the banner?, Chris de Vidal
Next by Date:  RE: Incremental delay in ssh, Patrick Morris
Previous by Thread:  Re: Tacacs and OpenSSH, Gary Schlachter
Next by Thread:  Re: Tacacs and OpenSSH, Gary Schlachter
Indexes:  [Date] [Thread] [Top] [All Lists]