[j-nsp] tacacs+
Hannes Gredler
hannes at juniper.net
Sat Aug 13 17:05:20 EDT 2005
Try to set local-user-name to remote for both groups (tier1, tier2). - /hannes
On Wed, Aug 10, 2005 at 09:38:38AM +0100, andy wrote:
| Hi,
|
| I'm trying to set up tacacs+ for user auth on a j4300 with tac_plus.
|
| I have a basic setup for tac_plus:
|
| group = tier1
| {
|     service = junos-exec
|     {
|         local-user-name = tier1
|         allow-commands = "configure interface network routing snmp system trace view firewall"
|         allow-configuration = ""
|         deny-commands = ""
|         deny-configuration = ""
|     }
| }
|
| user = testuser
| {
|     member = tier1
| }
|
| Following the docs at
| http://www.juniper.net/techpubs/software/junos/junos73/swconfig73-system-basics/html/sys-mgmt-authentication3.html
|
| I create a local user called tier1 on the juniper.
| All works well.
|
| Next I add a second group, tier2 with a few more privs and add that to the tac_plus.conf file.
|
| group = tier2
| {
|     service = junos-exec
|     {
|         local-user-name = tier2
|         allow-commands = "admin clear configure interface interface-control
|                           network reset routing routing-control
|                           snmp snmp-control system system-control trace
|                           trace-control view maintenance firewall
|                           firewall-control secret rollback"
|         allow-configuration = ""
|         deny-commands = ""
|         deny-configuration = ""
|     }
| }
|
| I change the testuser to the new group. I can now log in, but I remain with the perms of the first user.
| This is all tied in with /var/etc/pam.conf and a "template_user=tier1" directive. I read up some more and the docs say
| that if the template_user is omitted then auth will fail.
|
| "If this option is omitted, and there is no username in the system databases equal to the supplied one (as determined by
| call to getpwnam(3)), the authentication will fail."
|
| The juniper documentation says that the local-user-name is the "template_user" that is passed.
|
| "local-user-name Indicates the name of the user template used by this user when logging in to a device."
|
| When I remove the "template_user" directive from pam.conf auth fails.
| I'm not sure that the local-user-name is actually being passed correctly as the "template_user".
|
| The output of tac_plus running in debug during the auth request looks similar whether the template user is there or not.
|
| login query for 'testuser' unknown-port from x.x.x.x accepted
| connect from x.x.x.x [x.x.x.x]
| Start authorization request
| user testuser No identifiable service/protocol in authorization request
| authorization query for 'testuser' unknown from testuser rejected
| connect from x.x.x.x [x.x.x.x]
|
| So, (a) is there a way to bypass pam for tacacs+ with ssh auth, and will this work, or break ssh fully if pam is disabled?
| And (b) is there a way to test that the local-user-name is being passed correctly?
|
|
| Thanks
|
| --
| andy andy at shady.org
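As an added illustration of the suggestion above (this is an example written for this page, not a configuration from the thread or from Juniper): a tac_plus.conf in which both groups hand back local-user-name = remote, so the router needs only one local template user, and the two tiers differ only in the allow-commands / deny-commands / allow-configuration / deny-configuration regexes the server returns. The command regexes, the shared-secret placeholder and the class name mentioned below are assumptions chosen for the example; the attribute names themselves are the ones already used in the thread.

```text
# tac_plus.conf (added example, not from the thread).
# Both tiers map onto the single Junos template user "remote";
# what separates the tiers is carried in the authorization
# attributes, not in separate local users on the router.
key = "REPLACE-WITH-SHARED-SECRET"   # placeholder; must match the router

group = tier1
{
    service = junos-exec
    {
        local-user-name = remote
        # read-only operational access (assumed regexes)
        allow-commands = "^(show|ping|traceroute|monitor) .*"
        deny-commands  = "^(configure|request|restart|clear)"
        # no configuration mode at all for tier1
        allow-configuration = ""
        deny-configuration  = ".*"
    }
}

group = tier2
{
    service = junos-exec
    {
        local-user-name = remote
        # operators: everything except a few destructive requests
        allow-commands = ".*"
        deny-commands  = "^request system (halt|power-off|zeroize)"
        # full configuration except the authentication stanzas
        allow-configuration = ".*"
        deny-configuration  = "^system (root-authentication|login)"
    }
}

user = testuser
{
    member = tier2
}
```

On the router side this needs exactly one template account, for instance `set system login user remote class read-only` (the class is an assumption; pick whichever base class should apply before the server's regexes are layered on top), and `tacplus` in the authentication order. Two things are then easy to check: `show cli authorization` after logging in as testuser shows which class and which allow/deny regexes were actually applied, and the tac_plus debug line quoted above, "No identifiable service/protocol in authorization request", indicates that the server did not match any service stanza for the request and so returned no attributes at all; while that line is still present no local-user-name value reaches the router, whichever template name the groups carry, so it is worth resolving before changing the template mapping.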