This repository has been archived by the owner on Feb 28, 2024. It is now read-only.

Serwer logs says that is auth but can't login #140

Open
PawelConnectio opened this issue Mar 23, 2020 · 7 comments

Comments

PawelConnectio commented Mar 23, 2020

Hi,

On the TACACS+ server side I have in the log that the user is authenticated (when the password is correct; if not, I have "failed to auth" in the log). I can't log in to the server; logs on the client side:

Mar 23 14:14:54 server01 PAM-tacplus[13515]: 1 servers defined
Mar 23 14:14:54 server01 PAM-tacplus[13515]: server[0] { addr=X.X.X.X:49, key='mLpEMwtAmsJc9Tv' }
Mar 23 14:14:54 server01 PAM-tacplus[13515]: tac_service=''
Mar 23 14:14:54 server01 PAM-tacplus[13515]: tac_protocol=''
Mar 23 14:14:54 server01 PAM-tacplus[13515]: tac_prompt=''
Mar 23 14:14:54 server01 PAM-tacplus[13515]: tac_login=''
Mar 23 14:14:54 server01 sshd[13515]: pam_sm_authenticate: called (pam_tacplus v1.3.8)
Mar 23 14:14:54 server01 sshd[13515]: pam_sm_authenticate: user [admin] obtained
Mar 23 14:14:54 server01 sshd[13515]: tacacs_get_password: called
Mar 23 14:14:54 server01 sshd[13515]: tacacs_get_password: obtained password
Mar 23 14:14:54 server01 sshd[13515]: pam_sm_authenticate: password obtained
Mar 23 14:14:54 server01 sshd[13515]: pam_sm_authenticate: tty [ssh] obtained
Mar 23 14:14:54 server01 sshd[13515]: pam_sm_authenticate: rhost [X.X.X.X] obtained
Mar 23 14:14:54 server01 sshd[13515]: pam_sm_authenticate: trying srv 0
Mar 23 14:14:54 server01 sshd[13515]: pam_sm_authenticate: active srv 0
Mar 23 14:14:54 server01 sshd[13515]: pam_sm_authenticate: exit with pam status: 0
Mar 23 14:14:54 server01 sshd[13515]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.X.X user=admin
Mar 23 14:14:56 server01 sshd[13515]: Failed password for admin from X.X.X.X port 50925 ssh2
Mar 23 14:15:01 server01 PAM-tacplus[13621]: user not authenticated by TACACS+
Mar 23 14:15:01 server01 PAM-tacplus[13622]: user not authenticated by TACACS+
Mar 23 14:15:01 server01 PAM-tacplus[13622]: TACACS+ service type not configured

Can anybody help?

kravietz (Owner) commented

@PawelConnectio Please check the Quick start section in the README, especially as it comes to configuring the service and protocol parameters for the PAM module. From the log above it seems like they were left empty, and this is the most likely reason for the mismatch.

PawelConnectio commented Mar 23, 2020

@kravietz Do you know what should be set up with TACACS+ on Cisco?

Edit: even if I set something like service=ppp protocol=ip, then in the log:

PAM-tacplus[2042]: TACACS+ service type not configured


kravietz commented Nov 2, 2021

@PawelConnectio This message is generated on our side (pam_tacplus.c#197) and it is produced when the module didn't get any service from the configuration. This is confirmed by the previous log lines:

Mar 23 14:14:54 server01 PAM-tacplus[13515]: tac_service=''

Make sure that the file in /etc/pam.d looks like this:

#%PAM-1.0
auth       required     /usr/local/lib/security/pam_tacplus.so debug server=SERVER secret=testkey123
account    required     /usr/local/lib/security/pam_tacplus.so debug server=SERVER secret=testkey123 service=ppp protocol=ip
password   required     /usr/local/lib/security/pam_tacplus.so debug server=SERVER secret=testkey123
session    required     /usr/local/lib/security/pam_tacplus.so debug server=SERVER secret=testkey123 service=ppp protocol=ip

ddspell commented Aug 2, 2022

> @PawelConnectio Please check the Quick start section in README especially as it comes to configuring service and protocol parameters for the PAM module. From the log above it seems like they were left empty and this is most likely reason for mismatch.

I'm having the same message...
Aug 02 21:17:01 vagrant PAM-tacplus[1358]: user not authenticated by TACACS+
Aug 02 21:17:01 vagrant PAM-tacplus[1358]: TACACS+ service type not configured

I know I must be doing something wrong but I can't figure it out.
That tacacs service is running in a container and the service/protocol are configured as ssh/tcp.

The tacacs PAM config also has service and protocol set to ssh/tcp.

I've been reading about service and type, both in your README and the RFC but I guess I'm missing what it is saying.
The VM that's setup with libpam-tacacs.so does not have a tacacs_plus.cfg file. That's on the container that's providing the TACACS+ service. It is configured for ssh service and tcp protocol. What am I not understanding? Does something else need to be configured on the VM for libpam-tacplus to be configured?

As it is, I thought if I had /etc/pam.d/tacacs setup as in your example, but with ssh instead of ppp and tcp instead of ip, then all would be set. For that matter, I tried it as is and setup my tac_plus config to have ppp and ip, but it made no difference.

I've used pamtester and there doesn't appear to be an issue.
Where are service types configured?
The services file has a couple of lines for tacacs 49/tcp and 49/udp.

ddspell commented Aug 2, 2022

group = admin {
    service = ssh {
        protocol = tcp
    }
    default service = permit
    service = shell {
        default command = permit
        set priv-lvl = 15
    }
}

user = vagrant {
    password = clear "goldfish"
    member = admin
}

user = admin {
    password = clear "swordfish"
    member = admin
}

ddspell commented Aug 2, 2022

I do see one difference that is shown in this thread compared to the README.

You added this line...
password   required     /usr/local/lib/security/pam_tacplus.so debug server=SERVER secret=testkey123

ddspell commented Aug 5, 2022

OK, here is what I've determined.
When I used pamtester, I specified that pam config found in /etc/pam.d, which I had named tacplus.
This explains why pamtester worked. I told it what config to use.

What I discovered is that pam was using the entries made by the apt package installer into the common-account, common-auth, common-password, common-session, and common-session-noninteractive. I guess I don't understand how pam needs to be setup.

The documentation in this project said to create a config, which I did, but in my use case it doesn't work. Can you guide me in how it should be implemented? Do I leave the entries in the common configs and add the server, secret, service, and protocol parameters, or can I use an independent config in /etc/pam.d? If so, how do I enable it?

I tried doing pam-auth-update --enable tacplus, but that didn't work.
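A small checker, added here and not part of pam_tacplus or the thread, that ties together the two problems above: it parses a /etc/pam.d file, flags account/session pam_tacplus.so lines that lack service= and protocol= (the cause of "TACACS+ service type not configured" in this thread, going by the owner's example config), reports @include directives so the common-* files the package installer edited get checked as well, and notes debug, since the log at the top of the thread shows the module printing the shared key. The sample configs, host name and secret below are constructed placeholders.

```python
import re

# Added example, not part of pam_tacplus: lint a /etc/pam.d file for the problems
# seen in this thread. Sample configs below are constructed with placeholder values.
PAM_LINE = re.compile(r"^(?P<type>auth|account|password|session)\s+"
                      r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")

def parse_args(argstr):
    """'debug server=X secret=Y' -> {'debug': True, 'server': 'X', 'secret': 'Y'}."""
    out = {}
    for tok in argstr.split():
        key, sep, val = tok.partition("=")
        out[key] = val if sep else True
    return out

def check_pam_tacplus(text, name="<config>"):
    """Return findings (strings) for the contents of one PAM config file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@include"):
            # The stack continues in another file (Debian's common-*), which may
            # carry pam_tacplus entries added by the package installer.
            findings.append(f"{name}:{lineno}: includes {line.split()[1]}; check it too")
            continue
        m = PAM_LINE.match(line)
        if not m or "pam_tacplus.so" not in m["module"]:
            continue
        args = parse_args(m["args"])
        # The owner's example puts service=/protocol= on account and session lines;
        # without service= the module logs "TACACS+ service type not configured".
        if m["type"] in ("account", "session"):
            for key in ("service", "protocol"):
                if key not in args:
                    findings.append(f"{name}:{lineno}: {m['type']} line lacks {key}=")
        if "debug" in args:  # debug prints server[0] {... key='...'}, i.e. the shared secret
            findings.append(f"{name}:{lineno}: debug is on; the shared secret goes to syslog")
    return findings

BROKEN = """#%PAM-1.0
@include common-auth
auth     required  /usr/local/lib/security/pam_tacplus.so debug server=TACACS_HOST secret=PLACEHOLDER
account  required  /usr/local/lib/security/pam_tacplus.so debug server=TACACS_HOST secret=PLACEHOLDER
"""
FIXED = """#%PAM-1.0
auth     required  /usr/local/lib/security/pam_tacplus.so server=TACACS_HOST secret=PLACEHOLDER
account  required  /usr/local/lib/security/pam_tacplus.so server=TACACS_HOST secret=PLACEHOLDER service=ppp protocol=ip
"""
```

Run check_pam_tacplus over the contents of /etc/pam.d/tacplus and of each common-* file it reports, then drop debug once the stack works.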
