[j-nsp] tacacs+

andy andy at shady.org
Wed Aug 10 04:38:38 EDT 2005


Hi,

I'm trying to set up tacacs+ for user auth on a j4300 with tac_plus.

I have a basic setup for tac_plus:

group = tier1
{
  service = junos-exec
  {
    local-user-name = tier1
    allow-commands = "configure interface network routing snmp system trace view firewall"
    allow-configuration = ""
    deny-commands = ""
    deny-configuration = ""
  }
}

user = testuser
{
  member = tier1
}

Following the docs at
http://www.juniper.net/techpubs/software/junos/junos73/swconfig73-system-basics/html/sys-mgmt-authentication3.html

I create a local user called tier1 on the juniper.
All works well. 

Next I add a second group, tier2 with a few more privs and add that to the tac_plus.conf file.

group = tier2
{
  service = junos-exec
  {
    local-user-name = tier2
    allow-commands = "admin clear configure interface interface-control
                        network reset routing routing-control
                        snmp snmp-control system system-control trace
                        trace-control view maintenance firewall
                        firewall-control secret rollback"
    allow-configuration = ""
    deny-commands = ""
    deny-configuration = ""
  }
}

I change the testuser to the new group. I can now login, but I remain with the perms of the first user.
This is all tied in with /var/etc/pam.conf and a "template_user=tier1" directive. I read up some more and the docs say
that if the template_user is omitted then auth will fail.

"If this option is omitted, and there is no username in the system databases equal to the supplied one (as determined by 
call to getpwnam(3)), the authentication will fail."

The juniper documentation says that the local-user-name is the "template_user" that is passed.

"local-user-name	Indicates the name of the user template used by this user when logging in to a device."

When I remove the "template_user" directive from pam.conf auth fails.
I'm not sure that the local-user-name is actually being passed correctly as the "template_user".

The output of tac_plus running in debug during the auth request looks similar whether the template user is there or not.

login query for 'testuser' unknown-port from x.x.x.x accepted
connect from x.x.x.x [x.x.x.x]
Start authorization request
user testuser No identifiable service/protocol in authorization request
authorization query for 'testuser' unknown from testuser rejected
connect from x.x.x.x [x.x.x.x]

So, a. is there a way to bypass pam for tacacs+ with ssh auth, and will this work, or break ssh fully if pam is disabled?
And b. is there a way to test that the local-user-name is being passed correctly?


Thanks

-- 
andy    andy at shady.org
-----------------------------------------------
Never argue with an idiot. They drag you down 
to their level, then beat you with experience.
----------------------------------------------- 
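As an added example (not from the post, tac_plus or Juniper), a small Python script that parses tac_plus debug lines of the shape quoted above and resolves which local-user-name a user's group is configured to send, so the configured template user can be compared against what the authorization log actually reports. The sample log and config fragment are constructed to mirror the post.

```python
import re

# Constructed sample: tac_plus debug lines in the shape quoted in the post (addresses masked).
SAMPLE_LOG = """\
login query for 'testuser' unknown-port from x.x.x.x accepted
connect from x.x.x.x [x.x.x.x]
Start authorization request
user testuser No identifiable service/protocol in authorization request
authorization query for 'testuser' unknown from testuser rejected
"""

# Constructed sample tac_plus.conf fragment in the same shape as the post's.
SAMPLE_CONF = """\
group = tier2
{
  service = junos-exec
  {
    local-user-name = tier2
    allow-commands = "admin clear configure"
  }
}
user = testuser
{
  member = tier2
}
"""

LOGIN_RE = re.compile(r"^login query for '(?P<user>[^']+)' .* (?P<result>accepted|rejected)$")
AUTHZ_RE = re.compile(r"^authorization query for '(?P<user>[^']+)' .* (?P<result>accepted|rejected)$")
REASON_RE = re.compile(r"^user (?P<user>\S+) (?P<reason>No identifiable service/protocol.*)$")

def summarize_log(text):
    """Return {user: {'login': result, 'authz': result, 'reason': text}} from debug output."""
    users = {}
    for line in text.splitlines():
        for key, rx in (("login", LOGIN_RE), ("authz", AUTHZ_RE)):
            m = rx.match(line)
            if m:
                users.setdefault(m["user"], {})[key] = m["result"]
        m = REASON_RE.match(line)
        if m:  # the server's stated reason for rejecting the authorization request
            users.setdefault(m["user"], {})["reason"] = m["reason"]
    return users

def template_user_for(conf, user):
    """Resolve user -> member group -> junos-exec local-user-name in a tac_plus.conf fragment."""
    groups, members, kind, name = {}, {}, None, None
    for raw in conf.splitlines():
        line = raw.strip()
        m = re.match(r"^(group|user) = (\S+)$", line)
        if m:
            kind, name = m.groups()  # track which block we are inside
        elif kind == "group" and (m := re.match(r"^local-user-name = (\S+)$", line)):
            groups[name] = m.group(1)
        elif kind == "user" and (m := re.match(r"^member = (\S+)$", line)):
            members[name] = m.group(1)
    return groups.get(members.get(user))  # None if the user or its group is not found
```

Running `summarize_log` over a real debug capture shows whether the authorization step (not the login step) is what fails, which is where the template user is decided.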

