Authenticating Solaris 10 ssh with TACACS+ - Query

  • 10-07-2009 10:11AM
    #1
    Registered Users, Registered Users 2 Posts: 755 ✭✭✭


    Hi everyone,
    I have a Solaris 10 server that I'm trying to authenticate with a TACACS+ server. I have installed and compiled the pam module for TACACS.

    I've managed to get it working but was wondering about the following:
    If I lose connectivity to my TACACS+ server all ssh logins are unavailable. What do I need to add to my pam.conf file to allow the server to check locally prior to checking TACACS+?

    Basically I have created users and their home directories but no passwords. They are contained on TACACS. I would like to have a non-root user/password defined on the server so I can log in in the event of a TACACS+ problem. At the moment the ssh section of my pam.conf file is as follows:

    sshd-kbdint auth required pam_tacplus.so debug server=XXX.XXX.XXX.XXX secret=test encrypt first_hit
    sshd-kbdint account required pam_tacplus.so debug server=XXX.XXX.XXX.XXX secret=test encrypt service=ssh protocol=tcp first_hit
    sshd-kbdint session required pam_tacplus.so debug server=XXX.XXX.XXX.XXX secret=test encrypt service=ssh protocol=tcp first_hit

    I would have thought that some statement before these with "auth sufficient" would do.

    Please bear in mind that I'm not too familiar with PAM in Solaris. So I googled and used the above. They seem to work fine.
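
Added example (not part of the original post): a simplified Python model of how PAM control flags decide the outcome of the posted `sshd-kbdint` stack when TACACS+ is unreachable, and of a constructed variant with a local module marked `sufficient` ahead of it. The choice of `pam_unix_auth.so.1` as the local module, the `WITH_LOCAL` stack and the function names are assumptions for illustration, not a tested Solaris configuration.

```python
# Added example: simplified model of PAM control-flag evaluation.
# Module results are supplied by the caller; no real PAM module is called.

POSTED = """\
sshd-kbdint auth required pam_tacplus.so debug server=XXX.XXX.XXX.XXX secret=test encrypt first_hit
sshd-kbdint account required pam_tacplus.so debug server=XXX.XXX.XXX.XXX secret=test encrypt service=ssh protocol=tcp first_hit
"""
# Constructed variant (assumption): a local module marked "sufficient" goes first.
WITH_LOCAL = "sshd-kbdint auth sufficient pam_unix_auth.so.1\n" + POSTED

def parse_stack(conf_text, service, module_type):
    """Return [(control_flag, module)] for one service and type, in file order."""
    stack = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == service and fields[1] == module_type:
            stack.append((fields[2], fields[3]))
    return stack

def evaluate(stack, outcomes):
    """outcomes maps module name -> True (success) or False (failure)."""
    required_failed = False
    any_success = False
    for flag, module in stack:
        ok = outcomes[module]
        if ok:
            any_success = True
            if flag in ("sufficient", "binding") and not required_failed:
                return True         # stop here; later modules are not consulted
        elif flag == "requisite":
            return False            # fail immediately
        elif flag in ("required", "binding"):
            required_failed = True  # remember the failure, keep walking the stack
    return any_success and not required_failed

def login_allowed(conf_text, module_type, outcomes):
    return evaluate(parse_stack(conf_text, "sshd-kbdint", module_type), outcomes)

if __name__ == "__main__":
    down = {"pam_tacplus.so": False}
    local_ok = {"pam_unix_auth.so.1": True, "pam_tacplus.so": False}
    print("posted auth, TACACS+ down:       ", login_allowed(POSTED, "auth", down))
    print("local user, TACACS+ down:        ", login_allowed(WITH_LOCAL, "auth", local_ok))
    print("posted account line, TACACS+ down:", login_allowed(WITH_LOCAL, "account", down))
```

In this model the posted account line still fails whenever `pam_tacplus.so` fails, so the account and session stacks need the same review as the auth stack.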

