
Authenticating Solaris 10 ssh with TACACS+ - Query

  • 10-07-2009 10:11am
    #1
    Registered Users Posts: 755 ✭✭✭


    Hi everyone,
    I have a Solaris 10 server that I'm trying to authenticate with a TACACS+ server. I have installed and compiled the pam module for TACACS.

    I've managed to get it working but was wondering about the following:
    If I lose connectivity to my TACACS+ server all ssh logins are unavailable. What do I need to add to my pam.conf file to allow the server to check locally prior to checking TACACS+?

    Basically I have created users and their home directories but no passwords. They are contained on TACACS. I would like to have a non-root user/password defined on the server so I can log in in the event of a TACACS+ problem. At the moment the ssh section of my pam.conf file is as follows:

    sshd-kbdint auth required pam_tacplus.so debug server=XXX.XXX.XXX.XXX secret=test encrypt first_hit
    sshd-kbdint account required pam_tacplus.so debug server=XXX.XXX.XXX.XXX secret=test encrypt service=ssh protocol=tcp first_hit
    sshd-kbdint session required pam_tacplus.so debug server=XXX.XXX.XXX.XXX secret=test encrypt service=ssh protocol=tcp first_hit

    I would have thought that some statement before these with "auth sufficient" would do.

    Please bear in mind that I'm not too familiar with pam in Solaris. So I googled and used the above. They seem to work fine.
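
An added example, not part of the original post: a simplified Python model of PAM control flags, applied to the posted stack (options abridged) and to a constructed candidate that puts local Solaris modules first. The candidate lines, the placeholder server and secret, and the per-module results are assumptions, and nothing here has been checked against a live Solaris host.

```python
# Simplified model of PAM control flags; it never calls PAM or contacts a server.
def parse_stack(conf_text, service, module_type):
    """Return [(control_flag, module)] for one service and module type."""
    stack = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[:2] == [service, module_type]:
            stack.append((fields[2], fields[3]))
    return stack

def evaluate(stack, outcomes):
    """outcomes maps module name -> True (success) / False (failure)."""
    required_failed = any_success = False
    for flag, module in stack:
        ok = outcomes[module]
        if flag == "requisite" and not ok:
            return False                  # stop at once
        if flag in ("required", "binding") and not ok:
            required_failed = True        # rest of the stack still runs
        if flag in ("sufficient", "binding") and ok and not required_failed:
            return True                   # later modules are skipped
        any_success = any_success or ok
    return any_success and not required_failed

TAC = "pam_tacplus.so server=TACACS_SERVER secret=PLACEHOLDER encrypt first_hit"
# The stack from the post (address and secret are placeholders, options abridged).
POSTED = f"""
sshd-kbdint auth required {TAC}
sshd-kbdint account required {TAC} service=ssh protocol=tcp
"""
# Constructed candidate: standard Solaris local modules placed first.
CANDIDATE = f"""
sshd-kbdint auth requisite pam_authtok_get.so.1
sshd-kbdint auth sufficient pam_unix_auth.so.1
sshd-kbdint auth required {TAC}
sshd-kbdint account required {TAC} service=ssh protocol=tcp
"""
# Assumed results: TACACS+ unreachable, local emergency user gives the right password.
TACACS_DOWN = {"pam_authtok_get.so.1": True, "pam_unix_auth.so.1": True, "pam_tacplus.so": False}
# Assumed results: TACACS+ reachable, user has no local password.
TACACS_UP = {"pam_authtok_get.so.1": True, "pam_unix_auth.so.1": False, "pam_tacplus.so": True}

def result(conf, module_type, outcomes):
    return evaluate(parse_stack(conf, "sshd-kbdint", module_type), outcomes)

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("candidate", CANDIDATE)):
        for mtype in ("auth", "account"):
            print(name, mtype, "TACACS+ down:", result(conf, mtype, TACACS_DOWN))
```

In this model the candidate's auth stack passes with the server down but its account stack still fails, so a local "sufficient" line in auth alone does not restore logins; the account and session lines need their own fallback.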

