Diffstat (limited to 'README')
-rw-r--r--README81
1 files changed, 32 insertions, 49 deletions
diff --git a/README b/README
index 886dd95..b66ec9f 100644
--- a/README
+++ b/README
@@ -1,6 +1,4 @@
-
-pam_tacplus v1.3.8
-Jul 1 2013
+# pam_tacplus
This PAM module support the following functions:
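Review bot: dropping the `pam_tacplus v1.3.8` / `Jul 1 2013` lines removes the only version and release-date statement in the README without adding it anywhere else; keep the version in the new heading (for example `# pam_tacplus v1.3.8`) or point to wherever the release history now lives, otherwise a user reading the README has no way to tell which release it documents. The context line "This PAM module support the following functions" also has a subject-verb mismatch ("supports") that could be fixed while this hunk is being touched.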
@@ -17,45 +15,44 @@ encrypted. This module is an attempt to provide most useful part of
TACACS+ functionality to applications using the PAM interface on Linux.
-Recognized options:
-~~~~~~~~~~~~~~~~~~~
+## Recognized options:
-Option Management group Description
---------------- ----------------------- ----------------------------------
-debug ALL output debugging information via
- syslog(3); note, that the debugging
- is heavy, including passwords!
+| Option | Management group | Description |
+|------------------- | ---------------- | ----------- |
+| debug | ALL | output debugging information via
+ syslog(3); note, that the debugging
+ is heavy, including passwords! |
-secret=STRING ALL can be specified more than once;
+| secret=STRING | ALL | can be specified more than once;
secret key used to encrypt/decrypt
- packets sent/received from the server
+ packets sent/received from the server |
-server=HOSTNAME auth, session can be specified more than once;
-server=IP_ADDR adds a TACACS+ server to the servers
-server=HOSTNAME:PORT list
-server=IP_ADDR:PORT
+| server=HOSTNAME | auth, session | can be specified more than once;
+ server=IP_ADDR adds a TACACS+ server to the servers
+ server=HOSTNAME:PORT list |
+ server=IP_ADDR:PORT
-timeout=INT ALL connection timeout in seconds
- default is 5 seconds
+| timeout=INT | ALL | connection timeout in seconds
+ default is 5 seconds |
-login=STRING auth TACACS+ authentication service,
+| login=STRING | auth | TACACS+ authentication service,
this can be "pap", "chap" or "login"
- at the moment. Default is pap.
+ at the moment. Default is pap. |
-prompt=STRING auth Custom password prompt. If you want
+| prompt=STRING | auth | Custom password prompt. If you want
to use a space use '_' character
- instead.
+ instead. |
-acct_all session if multiple servers are supplied,
+| acct_all | session | if multiple servers are supplied,
pam_tacplus will send accounting
start/stop packets to all servers
- on the list
+ on the list |
-service account, session TACACS+ service for authorization
- and accounting
+| service | account, session | TACACS+ service for authorization
+ and accounting |
-protocol account, session TACACS+ protocol for authorization
- and accounting
+| protocol | account, session | TACACS+ protocol for authorization
+ and accounting |
The last two items are widely described in TACACS+ draft [1]. They are
required by the server, but it will work if they don't match the real
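Review bot: the converted table will not render as a Markdown table, because most rows span several lines, and a GFM table row must sit on one line. For example the `debug` row is split across three lines ("| debug | ALL | output debugging information via", "syslog(3); note, that the debugging", "is heavy, including passwords! |"), so only the first fragment is parsed as a row and the rest falls out as stray prose. The `server=` row is worse: the alternative forms `server=IP_ADDR`, `server=HOSTNAME:PORT` and `server=IP_ADDR:PORT` were list entries in the old text but now sit outside the cell delimiters, with `server=IP_ADDR:PORT` after the closing `|` entirely. Each row should be joined onto a single line, using `<br>` inside a cell where a line break is wanted. Since the `debug` description is the one place that warns that debugging output to syslog includes passwords, it is worth making sure that sentence survives the reflow intact rather than being split off from its option.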
@@ -63,9 +60,9 @@ service authorized :)
During PAM account the AV pairs returned by the TACACS+ servers are made available to the
PAM environment, so you can use i.e. pam_exec.so to do something with these AV pairs.
-Example configuration:
-~~~~~~~~~~~~~~~~~~~~~~
+## Example configuration:
+```
#%PAM-1.0
auth required /lib/security/pam_tacplus.so debug server=1.1.1.1 secret=SECRET-1
account required /lib/security/pam_tacplus.so debug secret=SECRET-1 service=ppp protocol=lcp
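Review bot: the opening fence is added without a language tag; a plain ``` is fine for a PAM config, but consider a consistent choice across the file. More importantly, now that the example is a copy-pasteable block, it still carries `debug` on every `pam_tacplus.so` line even though the options table says debug output is heavy and includes passwords in syslog; either drop `debug` from the example or add a one-line comment above the block saying it is there for illustration and should not be left on in production.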
@@ -73,10 +70,9 @@ account sufficient /lib/security/pam_exec.so /usr/local/bin/showenv.sh
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow use_authtok
session required /lib/security/pam_tacplus.so debug server=1.1.1.1 server=2.2.2.2 secret=SECRET-1 secret=SECRET-2 service=ppp protocol=lcp
+```
-
-More on server lists:
-~~~~~~~~~~~~~~~~~~~~~
+## More on server lists:
1. Having more that one TACACS+ server defined for given management group
has following effects on authentication:
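Review bot: the closing fence correctly balances the one opened in the previous hunk, but the new heading keeps the trailing colon from the underlined style ("## More on server lists:"), which reads oddly as a Markdown heading; the same applies to every other converted heading in this patch. The context line "Having more that one TACACS+ server" has a typo ("more than one") that could be fixed in passing.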
@@ -116,8 +112,7 @@ authorization.
on all of them at the same time
-Short introduction to PAM via TACACS+:
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+## Short introduction to PAM via TACACS+:
This diagram should show general idea of how the whole process looks:
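Review bot: the section introduced by "This diagram should show general idea" contains an ASCII diagram, and once the file is treated as Markdown that diagram will be reflowed into paragraphs unless it is wrapped in a fenced block; this hunk only converts the heading, so please add ``` fences around the diagram in the same change rather than leaving it to render garbled.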
@@ -155,8 +150,7 @@ Consider `login' application:
7. When user logs out, pam_sm_close_session() sends STOP packet to the
server. The whole session is closed.
-Limitations:
-~~~~~~~~~~~~
+## Limitations:
Many of them for now :)
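Review bot: the hunk header context "Consider `login' application:" shows the README uses the old `quote' convention, which in Markdown opens an inline code span at the single backtick and swallows text until the next backtick; those occurrences should be changed to paired backticks (`login`) as part of the conversion, or the rendered sections around them will be mangled.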
@@ -165,18 +159,7 @@ Many of them for now :)
* utilize PAM_SERVICE item obtained from PAM for TACACS+ services
* clean options and configuration code
-References:
-~~~~~~~~~~~
-
-TACACS+
-1. ftp://ftpeng.cisco.com/pub/tacplus/tac_plus.rfc.1.76.txt
-2. ftp://ftpeng.cisco.com/pub/tacplus/tac_plus.3.0.12.alpha.tar.Z
-
-PAM
-3. http://parc.power.net/morgan/Linux-PAM/index.html
-
-Authors:
-~~~~~~~
+## Authors:
Pawel Krawczyk <pawel.krawczyk@hush.com>
http://ipsec.pl
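Review bot: deleting the whole References section leaves a dangling citation, since the options section still says "The last two items are widely described in TACACS+ draft [1]" and the "[1]" now points at nothing. Either keep the references (the TACACS+ draft link is the only pointer a reader has for the service/protocol values) or rewrite that sentence to link the draft inline. The `ftp://` and `parc.power.net` URLs may well be dead, but that is a reason to update them, not to remove the section while the body still cites it.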