Re: Tacacs and OpenSSH
On Thu, Jul 27, 2006 at 09:25:58AM -0400, Gary Schlachter wrote:
> I know this question has been asked several times over the years but I have not seen a definitive answer/solution if one exists. If one does not exist or I need to develop one, then I can stop looking!
>
> I am attempting to integrate a Tacacs+ PAM with OpenSSH. I would like to have the PAM authenticate the User ID as well as the password. Thus the users do not exist in /etc/passwd. I am not using NIS or any other system for user ids. The Tacacs server is the only place the user ids exist. Ultimately when the user authenticates via Tacacs, I will switch the user to a known user in /etc/passwd and provide the logging-in user with a specific TTY interface via the shell.
>
> When attempting this on linux with OpenSSH 4.3p2 compiled with with_pam and seemingly the correct sshd_config options, I received the infamous "Invalid user" debug messages.
>
> Is this possible with the current OpenSSH and/or some patch for it?

I'm taking a look at what's involved in making this work (although I'm not convinced it's worth the risk). There's a patch that may help at http://bugzilla.mindrot.org/show_bug.cgi?id=1215

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: Tacacs and OpenSSH
OpenSSH uses calls like getpwnam to identify if the user exists. You cannot easily bypass these checks, other than creating your own NIS library (e.g. nis_tacacs) with dummy functions (e.g. point always to the same user, group, etc), which shouldn't be too hard to do.

Markus

Gary Schlachter [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> I know this question has been asked several times over the years but I have not seen a definitive answer/solution if one exists. If one does not exist or I need to develop one, then I can stop looking!
>
> I am attempting to integrate a Tacacs+ PAM with OpenSSH. I would like to have the PAM authenticate the User ID as well as the password. Thus the users do not exist in /etc/passwd. I am not using NIS or any other system for user ids. The Tacacs server is the only place the user ids exist. Ultimately when the user authenticates via Tacacs, I will switch the user to a known user in /etc/passwd and provide the logging-in user with a specific TTY interface via the shell.
>
> When attempting this on linux with OpenSSH 4.3p2 compiled with with_pam and seemingly the correct sshd_config options, I received the infamous "Invalid user" debug messages.
>
> Is this possible with the current OpenSSH and/or some patch for it?
>
> Thanks in advance,
> Gary
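As an added example, not code from the thread or from OpenSSH, here is a minimal glibc NSS passwd backend of the kind Markus describes (what he calls a NIS library is, in glibc terms, a Name Service Switch module): it maps only well-formed names that no earlier source resolved onto one shared local account, so sshd's getpwnam() succeeds and the TACACS+ PAM module makes the authentication decision. The module name "tacacs", the uid/gid 60001, the home directory and the shell are constructed placeholders; the shell is a hypothetical restricted TTY program like the one Gary wants to hand users.

```c
/* Minimal glibc NSS passwd backend of the kind Markus suggests: a user name the
 * "files" source could not resolve is mapped onto one fixed local account, so
 * sshd's getpwnam() succeeds and authentication is left to the TACACS+ PAM module.
 * Build as libnss_tacacs.so.2 and set "passwd: files tacacs" in /etc/nsswitch.conf.
 * Module name, uid/gid, home directory and shell below are constructed values. */
#include <ctype.h>
#include <errno.h>
#include <nss.h>
#include <pwd.h>
#include <string.h>

static const uid_t MAP_UID = 60001;                 /* shared account (constructed) */
static const gid_t MAP_GID = 60001;
static const char *MAP_HOME = "/home/tacacs";
static const char *MAP_SHELL = "/usr/local/bin/tacacs-shell"; /* hypothetical TTY shell */
/* Only plain POSIX-style names get mapped, so nothing odd reaches logs or the shell. */
static int valid_name(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 32) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!islower(c) && !isdigit(c) && c != '_' && c != '-' && c != '.') return 0;
    }
    return 1;
}

/* Copy s into the caller's buffer; NULL means the buffer is too small. */
static char *put(char **buf, size_t *left, const char *s)
{
    size_t n = strlen(s) + 1;
    if (n > *left) return NULL;
    char *dst = memcpy(*buf, s, n);
    *buf += n; *left -= n;
    return dst;
}

/* glibc calls this for getpwnam(3) after "files" has returned NOTFOUND. */
enum nss_status _nss_tacacs_getpwnam_r(const char *name, struct passwd *pw,
                                       char *buf, size_t buflen, int *errnop)
{
    if (!valid_name(name)) { *errnop = ENOENT; return NSS_STATUS_NOTFOUND; }
    pw->pw_name   = put(&buf, &buflen, name);       /* keep the TACACS+ name for logging */
    pw->pw_passwd = put(&buf, &buflen, "x");        /* no local credential: PAM decides */
    pw->pw_gecos  = put(&buf, &buflen, "TACACS+ user");
    pw->pw_dir    = put(&buf, &buflen, MAP_HOME);
    pw->pw_shell  = put(&buf, &buflen, MAP_SHELL);
    if (!pw->pw_name || !pw->pw_passwd || !pw->pw_gecos || !pw->pw_dir || !pw->pw_shell) {
        *errnop = ERANGE;                           /* glibc retries with a larger buffer */
        return NSS_STATUS_TRYAGAIN;
    }
    pw->pw_uid = MAP_UID; pw->pw_gid = MAP_GID;
    return NSS_STATUS_SUCCESS;
}
```

All TACACS+-only users share one uid, so host-side logs and file ownership can no longer tell them apart after login, which is the risk Darren alludes to. Define that uid in /etc/passwd as well, with a locked password, so getpwuid() lookups after login still resolve.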
Re: Tacacs and OpenSSH
Asif,

Thank you for your offer. However, I fear you just answered my question. Your comment:

> Also make sure you do have a local user account and it is not locked. You need a local account even though the authentication is done through the tacacs server.

is exactly what I was trying to avoid. I was wanting to NOT have a local account on the server. I am trying to have sshd use the local account as defined on the TACACS server. I was hoping there was a way to configure OpenSSH to not look for a local account. I am able to authenticate perfectly if the local account is created on the server.

Gary

Asif Iqbal wrote:
> On 8/2/06, Gary Schlachter [EMAIL PROTECTED] wrote:
>> Since I am told OpenSSH works with radius, it should work with TACACS as well. I believe I have the /etc/pam.d/sshd setup correctly as below:
>>
>>   #%PAM-1.0
>>   auth       required     pam_stack.so service=tacacs
>>   auth       required     pam_nologin.so
>>   account    sufficient   pam_stack.so service=tacacs
>>   password   required     pam_stack.so service=tacacs
>>   session    sufficient   pam_stack.so service=tacacs
>>   session    required     pam_limits.so
>>   session    optional     pam_console.so
>>
>> So my TACACS pam is getting called with the incoming user. OpenSSH complains that the incoming user is not found but continues processing. My pam authenticates the incoming user and sends back the response to OpenSSH to prompt for the password. I enter the password. Now the incoming request to my pam does not have the password that was entered but the hardcoded value in OpenSSH of INCORRECT, which indicates that sshpam_authctxt->valid is 0. Obviously this fails from the TACACS server.
>
> You want to make sure UsePAM is set to `yes' and you are using keyboard interactive for protocol 2 and challenge response for protocol 1.
>
> There are a couple of log files that you can send me, if it exceeds the attachment size restriction of this mailing list, to take a look at. Change the loglevel to debug in the sshd_config file. Then restart sshd. Now try to ssh in from a remote client. Collect all the logs related to `auth.*' (assuming your syslog facility in sshd_config is set to auth) and post it here. You may also post the ssh_config of the remote client and sshd_config of the sshd server. I can use those to test on my side.
>
> Also make sure you do have a local user account and it is not locked. You need a local account even though the authentication is done through the tacacs server.
>
>> I am wondering if I am missing something in the sshd_config configuration. Or is the interaction between the pam and sshd incorrect?
>>
>> Gary
>>
>> Asif Iqbal wrote:
>>> On 8/1/06, Gary Schlachter [EMAIL PROTECTED] wrote:
>>>> Thank you for your reply. The PAM is getting called which in turn contacts the TACACS server. However, my problem is that OpenSSH is authenticating the user against /etc/passwd instead of letting the user be authenticated by the TACACS server. I am looking for a way to configure SSH to stop the /etc/passwd authentication. When the user is in /etc/passwd but does not have a local password and is defined on the TACACS server, TACACS authenticates the user correctly. I am looking for a way to not have to configure the same user id on both the TACACS server and the local system.
>>>
>>> I am using PAM with Radius Server Auth. So we should have a similar setup. This is all I have in /etc/pam.conf (Solaris) for sshd to use only one pam_radius module and no other pam libraries.
>>>
>>>   sshd auth required pam_radius_auth.so debug
>>>
>>> You may be using other pam libraries--especially the library that talks to /etc/passwd.
>>>
>>>> BTW, I am the PAM developer.
>>>>
>>>> Thanks,
>>>> Gary
>>>>
>>>> Asif Iqbal wrote:
>>>>> On 7/27/06, Gary Schlachter [EMAIL PROTECTED] wrote:
>>>>>> I know this question has been asked several times over the years but I have not seen a definitive answer/solution if one exists. If one does not exist or I need to develop one, then I can stop looking!
>>>>>>
>>>>>> I am attempting to integrate a Tacacs+ PAM with OpenSSH. I would like to have the PAM authenticate the User ID as well as the password. Thus the users do not exist in /etc/passwd. I am not using NIS or any other system for user ids. The Tacacs server is the only place the user ids exist. Ultimately when the user authenticates via Tacacs, I will switch the user to a known user in /etc/passwd and provide the logging-in user with a specific TTY interface via the shell.
>>>>>>
>>>>>> When attempting this on linux with OpenSSH 4.3p2 compiled with with_pam and seemingly the correct sshd_config options, I received the infamous
>>>>>
>>>>> This is how I test:
>>>>>
>>>>> Make sure ldd on sshd shows the pam library in the list.
>>>>>
>>>>> Modify the sshd_config file with the following two parameters:
>>>>>
>>>>>   SyslogFacility auth
>>>>>   LogLevel Debug
>>>>>
>>>>> Restart OpenSSH.
>>>>>
>>>>> Touch a file /var/log/sshd.log, modify the syslog.conf with auth.debug pointing to /var/log/sshd.log, and restart syslog.
>>>>>
>>>>> Now ssh
Re: Tacacs and OpenSSH
On 8/2/06, Gary Schlachter [EMAIL PROTECTED] wrote:
> Since I am told OpenSSH works with radius, it should work with TACACS as well. I believe I have the /etc/pam.d/sshd setup correctly as below:
>
>   #%PAM-1.0
>   auth       required     pam_stack.so service=tacacs
>   auth       required     pam_nologin.so
>   account    sufficient   pam_stack.so service=tacacs
>   password   required     pam_stack.so service=tacacs
>   session    sufficient   pam_stack.so service=tacacs
>   session    required     pam_limits.so
>   session    optional     pam_console.so
>
> So my TACACS pam is getting called with the incoming user. OpenSSH complains that the incoming user is not found but continues processing. My pam authenticates the incoming user and sends back the response to OpenSSH to prompt for the password. I enter the password. Now the incoming request to my pam does not have the password that was entered but the hardcoded value in OpenSSH of INCORRECT, which indicates that sshpam_authctxt->valid is 0. Obviously this fails from the TACACS server.

You want to make sure UsePAM is set to `yes' and you are using keyboard interactive for protocol 2 and challenge response for protocol 1.

There are a couple of log files that you can send me, if it exceeds the attachment size restriction of this mailing list, to take a look at. Change the loglevel to debug in the sshd_config file. Then restart sshd. Now try to ssh in from a remote client. Collect all the logs related to `auth.*' (assuming your syslog facility in sshd_config is set to auth) and post it here. You may also post the ssh_config of the remote client and sshd_config of the sshd server. I can use those to test on my side.

Also make sure you do have a local user account and it is not locked. You need a local account even though the authentication is done through the tacacs server.

> I am wondering if I am missing something in the sshd_config configuration. Or is the interaction between the pam and sshd incorrect?
>
> Gary
>
> Asif Iqbal wrote:
>> On 8/1/06, Gary Schlachter [EMAIL PROTECTED] wrote:
>>> Thank you for your reply. The PAM is getting called which in turn contacts the TACACS server. However, my problem is that OpenSSH is authenticating the user against /etc/passwd instead of letting the user be authenticated by the TACACS server. I am looking for a way to configure SSH to stop the /etc/passwd authentication. When the user is in /etc/passwd but does not have a local password and is defined on the TACACS server, TACACS authenticates the user correctly. I am looking for a way to not have to configure the same user id on both the TACACS server and the local system.
>>
>> I am using PAM with Radius Server Auth. So we should have a similar setup. This is all I have in /etc/pam.conf (Solaris) for sshd to use only one pam_radius module and no other pam libraries.
>>
>>   sshd auth required pam_radius_auth.so debug
>>
>> You may be using other pam libraries--especially the library that talks to /etc/passwd.
>>
>>> BTW, I am the PAM developer.
>>>
>>> Thanks,
>>> Gary
>>>
>>> Asif Iqbal wrote:
>>>> On 7/27/06, Gary Schlachter [EMAIL PROTECTED] wrote:
>>>>> I know this question has been asked several times over the years but I have not seen a definitive answer/solution if one exists. If one does not exist or I need to develop one, then I can stop looking!
>>>>>
>>>>> I am attempting to integrate a Tacacs+ PAM with OpenSSH. I would like to have the PAM authenticate the User ID as well as the password. Thus the users do not exist in /etc/passwd. I am not using NIS or any other system for user ids. The Tacacs server is the only place the user ids exist. Ultimately when the user authenticates via Tacacs, I will switch the user to a known user in /etc/passwd and provide the logging-in user with a specific TTY interface via the shell.
>>>>>
>>>>> When attempting this on linux with OpenSSH 4.3p2 compiled with with_pam and seemingly the correct sshd_config options, I received the infamous
>>>>
>>>> This is how I test:
>>>>
>>>> Make sure ldd on sshd shows the pam library in the list.
>>>>
>>>> Modify the sshd_config file with the following two parameters:
>>>>
>>>>   SyslogFacility auth
>>>>   LogLevel Debug
>>>>
>>>> Restart OpenSSH.
>>>>
>>>> Touch a file /var/log/sshd.log, modify the syslog.conf with auth.debug pointing to /var/log/sshd.log, and restart syslog.
>>>>
>>>> Now ssh with your tacacs account and see if your tacacs server is receiving any connection logs from you, as well as checking your /var/log/sshd.log file. If all fails I would ask the tacacs pam module developer about the issue.
>>>>
>>>>> Thanks in advance,
>>>>> Gary

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
Re: Tacacs and OpenSSH
On 8/1/06, Gary Schlachter [EMAIL PROTECTED] wrote:
> Thank you for your reply. The PAM is getting called which in turn contacts the TACACS server. However, my problem is that OpenSSH is authenticating the user against /etc/passwd instead of letting the user be authenticated by the TACACS server. I am looking for a way to configure SSH to stop the /etc/passwd authentication. When the user is in /etc/passwd but does not have a local password and is defined on the TACACS server, TACACS authenticates the user correctly. I am looking for a way to not have to configure the same user id on both the TACACS server and the local system.
>
> BTW, I am the PAM developer.

hey,

You will see in /etc/pam.d/sshd (on redhat) the following lines:

  auth       required     pam_stack.so service=system-auth
  auth       required     pam_nologin.so
  account    required     pam_stack.so service=system-auth
  password   required     pam_stack.so service=system-auth
  session    required     pam_stack.so service=system-auth

and in /etc/pam.d/login you will see these lines:

  auth       required     pam_securetty.so
  auth       required     pam_stack.so service=system-auth
  auth       required     pam_nologin.so
  account    required     pam_stack.so service=system-auth
  password   required     pam_stack.so service=system-auth
  # pam_selinux.so close should be the first session rule
  session    required     pam_selinux.so close
  session    required     pam_stack.so service=system-auth
  session    optional     pam_console.so
  # pam_selinux.so open should be the last session rule
  session    required     pam_selinux.so multiple open

/etc/pam.d/login is used when you want to login into the system, and it also depends what type of authentication is there on your system (by default /etc/passwd with shadow), so you have to change the settings in /etc/pam.d/sshd to make it work with the TACACS server.

Regards
Ankush Grover
Re: Tacacs and OpenSSH
On 8/1/06, Gary Schlachter [EMAIL PROTECTED] wrote:
> Thank you for your reply. The PAM is getting called which in turn contacts the TACACS server. However, my problem is that OpenSSH is authenticating the user against /etc/passwd instead of letting the user be authenticated by the TACACS server. I am looking for a way to configure SSH to stop the /etc/passwd authentication. When the user is in /etc/passwd but does not have a local password and is defined on the TACACS server, TACACS authenticates the user correctly. I am looking for a way to not have to configure the same user id on both the TACACS server and the local system.

I am using PAM with Radius Server Auth. So we should have a similar setup. This is all I have in /etc/pam.conf (Solaris) for sshd to use only one pam_radius module and no other pam libraries.

  sshd auth required pam_radius_auth.so debug

You may be using other pam libraries--especially the library that talks to /etc/passwd.

> BTW, I am the PAM developer.
>
> Thanks,
> Gary
>
> Asif Iqbal wrote:
>> On 7/27/06, Gary Schlachter [EMAIL PROTECTED] wrote:
>>> I know this question has been asked several times over the years but I have not seen a definitive answer/solution if one exists. If one does not exist or I need to develop one, then I can stop looking!
>>>
>>> I am attempting to integrate a Tacacs+ PAM with OpenSSH. I would like to have the PAM authenticate the User ID as well as the password. Thus the users do not exist in /etc/passwd. I am not using NIS or any other system for user ids. The Tacacs server is the only place the user ids exist. Ultimately when the user authenticates via Tacacs, I will switch the user to a known user in /etc/passwd and provide the logging-in user with a specific TTY interface via the shell.
>>>
>>> When attempting this on linux with OpenSSH 4.3p2 compiled with with_pam and seemingly the correct sshd_config options, I received the infamous
>>
>> This is how I test:
>>
>> Make sure ldd on sshd shows the pam library in the list.
>>
>> Modify the sshd_config file with the following two parameters:
>>
>>   SyslogFacility auth
>>   LogLevel Debug
>>
>> Restart OpenSSH.
>>
>> Touch a file /var/log/sshd.log, modify the syslog.conf with auth.debug pointing to /var/log/sshd.log, and restart syslog.
>>
>> Now ssh with your tacacs account and see if your tacacs server is receiving any connection logs from you, as well as checking your /var/log/sshd.log file. If all fails I would ask the tacacs pam module developer about the issue.
>>
>>> Thanks in advance,
>>> Gary

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
Re: Tacacs and OpenSSH
On 7/27/06, Gary Schlachter [EMAIL PROTECTED] wrote:
> I know this question has been asked several times over the years but I have not seen a definitive answer/solution if one exists. If one does not exist or I need to develop one, then I can stop looking!
>
> I am attempting to integrate a Tacacs+ PAM with OpenSSH. I would like to have the PAM authenticate the User ID as well as the password. Thus the users do not exist in /etc/passwd. I am not using NIS or any other system for user ids. The Tacacs server is the only place the user ids exist. Ultimately when the user authenticates via Tacacs, I will switch the user to a known user in /etc/passwd and provide the logging-in user with a specific TTY interface via the shell.
>
> When attempting this on linux with OpenSSH 4.3p2 compiled with with_pam and seemingly the correct sshd_config options, I received the infamous

This is how I test:

Make sure ldd on sshd shows the pam library in the list.

Modify the sshd_config file with the following two parameters:

  SyslogFacility auth
  LogLevel Debug

Restart OpenSSH.

Touch a file /var/log/sshd.log, modify the syslog.conf with auth.debug pointing to /var/log/sshd.log, and restart syslog.

Now ssh with your tacacs account and see if your tacacs server is receiving any connection logs from you, as well as checking your /var/log/sshd.log file. If all fails I would ask the tacacs pam module developer about the issue.

> Thanks in advance,
> Gary

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
Tacacs and OpenSSH
I know this question has been asked several times over the years but I have not seen a definitive answer/solution if one exists. If one does not exist or I need to develop one, then I can stop looking!

I am attempting to integrate a Tacacs+ PAM with OpenSSH. I would like to have the PAM authenticate the User ID as well as the password. Thus the users do not exist in /etc/passwd. I am not using NIS or any other system for user ids. The Tacacs server is the only place the user ids exist. Ultimately when the user authenticates via Tacacs, I will switch the user to a known user in /etc/passwd and provide the logging-in user with a specific TTY interface via the shell.

When attempting this on linux with OpenSSH 4.3p2 compiled with with_pam and seemingly the correct sshd_config options, I received the infamous "Invalid user" debug messages.

Is this possible with the current OpenSSH and/or some patch for it?

Thanks in advance,
Gary