pam_tacacs won't behave the way I want

From: <DocValde(at)GMX.de>
Date: Mon, 3 Mar 2003 11:00:29 +0100 (MET)

Hi,

so the documentation for pam, pam.conf and pam_tacacs is actually
quite clear, and yet login via SSH does not work.
The dummy user "tacacs" exists, of course, and directly at the
console I can also log in successfully with my TACACS user,
everything is great. It just doesn't work via ssh. Who has advice?

Thanks & regards,

Malte von dem Hagen

<-----<sshd_config>----->
Protocol 2
PAMAuthenticationViaKbdInt yes

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
<-----</sshd_config>----->

<-----<pam.conf>----->
# If the user can authenticate with S/Key, that's sufficient; allow clear
# password. Try kerberos, then try plain unix password.
login auth sufficient pam_tacplus.so template_user=tacacs
login auth sufficient pam_skey.so
login auth sufficient pam_opie.so no_fake_prompts
login auth requisite pam_cleartext_pass_ok.so
login auth required pam_unix.so try_first_pass
login account required pam_unix.so
login password required pam_permit.so
login session required pam_permit.so

# Same requirement for ftpd as login
ftpd auth sufficient pam_skey.so
ftpd auth sufficient pam_opie.so no_fake_prompts
#ftpd auth required pam_opieaccess.so
ftpd auth requisite pam_cleartext_pass_ok.so
#ftpd auth sufficient pam_kerberosIV.so try_first_pass
#ftpd auth sufficient pam_krb5.so try_first_pass
ftpd auth required pam_unix.so try_first_pass

# OpenSSH with PAM support requires similar modules. The session one is
# a bit strange, though...
sshd auth sufficient pam_tacplus.so template_user=tacacs
sshd auth sufficient pam_skey.so
sshd auth sufficient pam_opie.so no_fake_prompts
sshd auth required pam_unix.so try_first_pass
sshd account required pam_unix.so
sshd password required pam_permit.so
sshd session required pam_permit.so

# "telnetd" is for SRA authenticated telnet only. Non-SRA uses 'login'
telnetd auth required pam_unix.so try_first_pass

# Don't break startx
xserver auth required pam_permit.so

# XDM is difficult; it fails or moans unless there are modules for each
# of the four management groups; auth, account, session and password.
xdm auth required pam_unix.so
#xdm auth sufficient pam_kerberosIV.so try_first_pass
#xdm auth sufficient pam_krb5.so try_first_pass
xdm account required pam_unix.so try_first_pass
xdm session required pam_deny.so
xdm password required pam_deny.so

# GDM (GNOME Display Manager)
gdm auth required pam_unix.so
#gdm auth sufficient pam_kerberosIV.so try_first_pass
#gdm auth sufficient pam_krb5.so try_first_pass
gdm account required pam_unix.so try_first_pass
gdm session required pam_permit.so
gdm password required pam_deny.so

# Mail services
imap auth required pam_unix.so try_first_pass
pop3 auth required pam_unix.so try_first_pass

# If we don't match anything else, default to using getpwnam().
other auth sufficient pam_tacplus.so template_user=tacacs
other auth sufficient pam_skey.so
other auth required pam_unix.so try_first_pass
other account required pam_unix.so try_first_pass
<-----</pam.conf>----->

<-----<Error message on console>----->
pam_tacplus: pam_sm_authenticate: TACACS+ Authetication failed
login: PAM option: template_user=tacacs invalid
sshd: PAM option: template_user=tacacs invalid
<-----</Error message on console>----->

Received on Mon 03 Mar 2003 - 11:01:05 CET
