pam + tacacs configuration

Dan Yefimov dan at nf15.lightwave.net.ru
Wed Oct 1 23:19:41 UTC 2008


On 02.10.2008 1:52, Nick Owen wrote:
> Greetings:
>
> I am trying to get pam_tacplus 1.2.9 working with pam-0.99.6.2-3.22.fc6.
> I had this working back in the pam_stack days, but can't seem to get it
> quite right using include.
>
> Here is my /etc/pam.d/tacacs file:
>
> #%PAM-1.0
> auth       sufficient   /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=super_secret encrypt
> account    sufficient   /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=super_secret encrypt service=shell protocol=ssh
> session    sufficient   /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=super_secret encrypt service=shell protocol=ssh
>
> Here's my /etc/pam.d/sshd:
>
> #%PAM-1.0
> auth       include      tacacs
> #auth       required     pam_nologin.so
> account    include      tacacs
> #account    required     system-auth
> password   required     tacacs
              ^^^^^^^^
Here is the root of your problem :-)

> session    include      tacacs
> #session    required     system-auth
> #session    required     pam_limits.so
> #session    optional     pam_console.so
>
> And here's the output from /var/log/secure:
>
> Oct  1 17:21:40 vpn sshd[22767]: PAM unable to dlopen(/lib/security/tacacs)
> Oct  1 17:21:40 vpn sshd[22767]: PAM [error: /lib/security/tacacs: cannot open shared object file: No such file or directory]
> Oct  1 17:21:40 vpn sshd[22767]: PAM adding faulty module: /lib/security/tacacs
>
[skip]

> I can't seem to google up any info on configuring with modules using
> include. The logs seem to point to tacacs being in the wrong place. I
> also wonder if the source for tacplus needs to be updated.
>
You just forgot to replace 'required' with 'include' and didn't notice that :-)
-- 

Sincerely Your, Dan.
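
Added example, not part of the original thread: a small Python check for the mistake identified above, where a control such as `required` is followed by the name of an /etc/pam.d file, so PAM tries to dlopen it as a module. The function names and the `known_services` parameter are assumptions of this sketch; the sample input is a constructed copy of the sshd file quoted in the post.

```python
import re

# Controls whose third field names another file in /etc/pam.d, not a module.
FILE_CONTROLS = {"include", "substack"}

# Constructed sample: the active lines of the /etc/pam.d/sshd quoted above.
SAMPLE_SSHD = """#%PAM-1.0
auth       include      tacacs
account    include      tacacs
password   required     tacacs
session    include      tacacs
"""

def logical_lines(text):
    """Yield (line_no, line) with backslash continuations joined, comments dropped."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        line = (buf + raw).split("#", 1)[0].strip()
        buf = ""
        if line:
            yield start, line

def lint_service(text, known_services):
    """Return [(line_no, message)] where the control and third field disagree.

    known_services: names of the files in /etc/pam.d (assumed to be supplied
    by the caller, e.g. from os.listdir on a real system).
    """
    findings = []
    for no, line in logical_lines(text):
        # type, control (plain word or [value=action ...]), module path or file
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m:
            continue  # incomplete line or a directive this sketch does not check
        _type, control, target = m.groups()
        is_module = target.endswith(".so")
        if control in FILE_CONTROLS and is_module:
            findings.append((no, f"'{control}' expects a config file, got {target}"))
        elif control not in FILE_CONTROLS and not is_module and target in known_services:
            findings.append((no, f"'{control} {target}': {target} is a config "
                                 "file and would be dlopen'ed; use 'include'"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_service(SAMPLE_SSHD, {"tacacs", "sshd"}):
        print(f"sshd:{no}: {msg}")
```
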



