NSS+Pam+Tacacs+ firs session fails

Question

I have device that i want to autorize to using TACACS+ server.
I have TACACS version: tac_plus version F4.0.4.26
I have tacacs server with next configuration

accounting file = /var/log/tac_plus.acct
key = testing123
default authentication = file /etc/passwd

user = sf {
default service = permit
login = cleartext 1234
}

user = DEFAULT {
#       login = PAM
        service = ppp protocol = ip {}
}

on device i have NSS with config:

/etc/nsswitch.conf

passwd:     files  rf
group:      files
shadow:     files
hosts:      files   dns
networks:   files   dns
protocols:  files
services:   files
ethers:     files
rpc:        files

and pam.d with sshd file in it

# SERVER 1
auth    required                                                                        /lib/security/pam_rf.so
auth    [success=done auth_err=die default=ignore]      /lib/security/pam_tacplus.so            server=172.18.177.162:49 secret=testing123 timeout=5
account sufficient                                      /lib/security/pam_tacplus.so            server=172.18.177.162:49 service=ppp protocol=ip timeout=5
session required                                    /lib/security/pam_rf.so
session sufficient                                      /lib/security/pam_tacplus.so            server=172.18.177.162:49 service=ppp protocol=ip timeout=5
password required                                                                       /lib/security/pam_rf.so

# PAM configuration for the Secure Shell service

# Standard Un*x authentication.
auth include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Standard Un*x authorization.
account include common-account

# Set the loginuid process attribute.
session    required     pam_loginuid.so

# Standard Un*x session setup and teardown.
session include common-session

# Standard Un*x password updating.
password   include common-password

and the problem, while i connect to device first time vie TeraTerm, i see that inputed user name was added in session start to /etc/passwd and /etc/shadow but logging not succeed and in tacacs server i see in logs

Mon Dec 17 19:00:05 2018 [25418]: session.peerip is 172.17.236.2
Mon Dec 17 19:00:05 2018 [25418]: forked 5385
Mon Dec 17 19:00:05 2018 [5385]: connect from 172.17.236.2 [172.17.236.2]
Mon Dec 17 19:00:05 2018 [5385]: Found entry for alex in shadow file
Mon Dec 17 19:00:05 2018 [5385]: verify
IN $6$DUikjB1i$4.cM87/pWRZg2lW3gr3TZorAReVL7JlKGA/2.BRi7AAyHQHz6bBenUxGXsrpzXkVvpwp0CrtNYAGdQDYT2gaZ/
Mon Dec 17 19:00:05 2018 [5385]:
IN encrypts to $6$DUikjB1i$AM/ZEXg6UAoKGrFQOzHC6/BpkK0Rw4JSmgqAc.xJ9S/Q7n8.bT/Ks73SgLdtMUAGbLAiD9wnlYlb84YGujaPS/
Mon Dec 17 19:00:05 2018 [5385]: Password is incorrect
Mon Dec 17 19:00:05 2018 [5385]: Authenticating ACLs for user 'DEFAULT' instead of 'alex'
Mon Dec 17 19:00:05 2018 [5385]: pap-login query for 'alex' ssh from 172.17.236.2 rejected
Mon Dec 17 19:00:05 2018 [5385]: login failure: alex 172.17.236.2 (172.17.236.2) ssh

after that if i close TeraTerm and opening it again and trying to connect, connection established successfully, after that if i close TeraTerm and open again, the same problem appears each seccond try.

what may be a problem with it, i am driving crazy already

score 0 · Answer 1 · answered Jan 07 '19 at 08:23

after deeply discovering problem, i fount out that iit was my fault, i compiled my name service using g++ instead of gcc.

Because of name service using

#include <pwd.h>

that defines interface for functions like nss_service_getpwnam_r and others, that was written in C, therefore i was must to:

 extern "C" {
   #include <pwd.h>
}

or to compile my program using GCC, hope in once someone will face same problem it will help him / her. good luck

NSS+Pam+Tacacs+ firs session fails

/etc/nsswitch.conf

1 Answers1