This repository has been archived by the owner on Feb 28, 2024. It is now read-only.
Fallback to local authentication #112
On Tue, Feb 27, 2018 at 20:31 Manish Mehra ***@***.***> wrote:
When TACACS+ server is not reachable, it might be desirable to fall back
to local authentication. In order to achieve it, pam_tacplus needs to
return the PAM_IGNORE return code instead of PAM_ERROR. The following diff provides
this support:
I’ve had feedback that some people would like this, and others that feel
quite strongly that falling back to local auth is a major issue.
Sounds like we need to make this a clear and obvious configuration choice,
not hardcoded in the source.
[~: pam_tacplus]# git diff
diff --git a/pam_tacplus.c b/pam_tacplus.c
index f29f45e..b62093e 100644
--- a/pam_tacplus.c
+++ b/pam_tacplus.c
@@ -291,6 +291,7 @@ int pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc,
if (tac_fd < 0) {
_pam_log(LOG_ERR, "connection failed srv %d: %m", srv_i);
active_server.addr = NULL;
+ status = PAM_IGNORE;
continue;
}
if (tac_authen_send(tac_fd, user, pass, tty, r_addr,
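Review bot: `status = PAM_IGNORE` in the `tac_fd < 0` branch is assigned unconditionally before `continue`, so if an earlier iteration of this server loop had already stored a verdict from a server that was reachable, a later unreachable server overwrites it with PAM_IGNORE, and under the proposed `ignore=ignore` stack line that becomes a silent fall-through to local authentication. Set PAM_IGNORE only once the loop has finished with no server having answered, and consider returning PAM_AUTHINFO_UNAVAIL for "unreachable" (the proposed pam.d line already maps `authinfo_unavail=bad`) unless an explicit module option asks for the fallback behaviour, so the policy is visible in the configuration rather than fixed in the source.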
@@ -587,7 +588,7 @@ int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc,
than TACACS+ */
if (active_server.addr == NULL) {
_pam_log(LOG_ERR, "user not authenticated by TACACS+");
- return PAM_AUTH_ERR;
+ return PAM_IGNORE;
}
if (ctrl & PAM_TAC_DEBUG)
syslog(LOG_DEBUG, "%s: active server is [%s]", __FUNCTION__,
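Review bot: the `active_server.addr == NULL` test covers every case in which TACACS+ did not authenticate the user, including the one the comment just above it describes (the user was authenticated by something other than TACACS+), not only the unreachable-server case, so after this change account management is skipped for users TACACS+ never vetted and the outcome depends entirely on whatever account modules follow. Record in the auth phase that the servers were unreachable and return PAM_IGNORE only in that case, keeping `return PAM_AUTH_ERR;` otherwise; the `_pam_log(LOG_ERR, "user not authenticated by TACACS+");` directly above also no longer describes an error on this path and should be lowered to debug or reworded.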
We can then configure the following in /etc/pam.d/tacacs so that SSHD
falls back to local authentication when the TACACS+ server is not reachable.
When the server is reachable, SSHD always honours the TACACS+ auth response:
auth [success=done default=bad authinfo_unavail=bad ignore=ignore] /lib/security/pam_tacplus.so ...
account [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so ...
--
Dave Olson
olson@cumulusnetworks.com
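As an added example (not pam_tacplus code, nor anything posted in this thread), here is the module-side decision the diff above makes implicitly, written out so that the fallback is an explicit module option as suggested, and so that an unreachable server cannot overwrite the verdict of a server that did answer. The option name `local_fallback`, the `srv_outcome` enum and the `status_for` helper are hypothetical; the PAM return values are Linux-PAM's numeric codes, defined inline so the file builds without libpam-dev.

```c
/* Added example, not pam_tacplus code: choose pam_sm_authenticate's return
 * value from the per-server outcomes, with local fallback behind an explicit
 * module option.  The option name "local_fallback" and the srv_outcome enum
 * are hypothetical.  PAM return values are Linux-PAM's numeric codes, defined
 * here so the example builds without libpam-dev. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAM_SUCCESS           0
#define PAM_AUTH_ERR          7
#define PAM_AUTHINFO_UNAVAIL  9
#define PAM_IGNORE           25

enum srv_outcome { SRV_UNREACHABLE, SRV_REJECT, SRV_ACCEPT };

/* True if "local_fallback" appears among the module arguments on the pam.d line. */
int local_fallback_enabled(int argc, const char **argv)
{
    for (int i = 0; i < argc; i++)
        if (strcmp(argv[i], "local_fallback") == 0)
            return 1;
    return 0;
}

/* Fold the outcomes of the servers tried, in order, into one PAM status.
 * The first server that answers is authoritative: its accept or reject is
 * returned and is never downgraded by a later unreachable server.  Only when
 * no server answered at all does the option decide between PAM_IGNORE (let
 * the rest of the stack, i.e. local auth, decide) and PAM_AUTHINFO_UNAVAIL
 * (report the outage and let the stack's control field map it to a failure). */
int tacacs_auth_status(const enum srv_outcome *out, size_t n, int local_fallback)
{
    for (size_t i = 0; i < n; i++) {
        switch (out[i]) {
        case SRV_ACCEPT:      return PAM_SUCCESS;
        case SRV_REJECT:      return PAM_AUTH_ERR;
        case SRV_UNREACHABLE: break;              /* try the next server */
        }
    }
    return local_fallback ? PAM_IGNORE : PAM_AUTHINFO_UNAVAIL;
}

/* Convenience wrapper for scenarios: one letter per server in the order
 * tried, 'u' unreachable, 'r' reject, 'a' accept; "ua" = first server down,
 * second accepted. */
int status_for(const char *servers, int local_fallback)
{
    enum srv_outcome out[16];
    size_t n = 0;
    for (const char *p = servers; *p && n < 16; p++, n++)
        out[n] = (*p == 'a') ? SRV_ACCEPT : (*p == 'r') ? SRV_REJECT : SRV_UNREACHABLE;
    return tacacs_auth_status(out, n, local_fallback);
}

int main(void)
{
    /* constructed pam.d argument list for the demonstration */
    const char *argv[] = { "debug", "local_fallback" };
    int fb = local_fallback_enabled(2, argv);
    printf("all servers down, local_fallback=%d -> %d\n", fb, status_for("uu", fb));
    printf("all servers down, option absent     -> %d\n", status_for("uu", 0));
    printf("first down, second rejects          -> %d\n", status_for("ur", fb));
    printf("first down, second accepts          -> %d\n", status_for("ua", fb));
    return 0;
}
```

The point of `tacacs_auth_status` is the ordering of the checks: a reject from a live server is returned as PAM_AUTH_ERR no matter how many unreachable servers were tried before or after it, and the option only matters once the whole list has been exhausted without an answer.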
Config knob might not be needed after all. Here is what can be done with PAM constructs.
When fallback to local auth is desired:
When fallback to local auth is not desired:
Manish Mehra <notifications@github.com> wrote:
Config knob might not be needed after all. Here is what can be done with PAM
constructs
When fallback to local auth is desired:
Yes, that's possible, but it's not very system admin friendly.
In my version of the libpam-tacplus code, I've moved to using
pam-auth-update, and the admin no longer needs to edit the
pam.d files.
I really think we want this to be an option to pam_tacplus.so,
not a change to pam.d files (in my version, I support setting
options to pam_tacplus from a config file, not just the
options on the various lines in /etc/pam.d/ files). For the
mainline, it could still just be an option on the pam_tacplus.so
lines, and not require changes to add deny, etc., which get even
more problematic when you have multiple authentication methods
(tacacs, radius, ldap) present. Doable, but I really think an
explicit option is better.
***@***.***: ~]# head /etc/pam.d/sshd
auth include tacacs
account include tacacs
***@***.***: ~]# head /etc/pam.d/tacacs
auth [success=done default=bad authinfo_unavail=bad ignore=ignore] /lib/security/pam_tacplus.so ...
account [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so ...
When fallback to local auth is not desired:
***@***.***: ~]# head /etc/pam.d/sshd
auth include tacacs
auth requisite pam_deny.so
account include tacacs
***@***.***: ~]# head /etc/pam.d/tacacs
auth sufficient /lib/security/pam_tacplus.so ...
account sufficient /lib/security/pam_tacplus.so ...
Dave Olson
olson@cumulusnetworks.com
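To make the difference between the two /etc/pam.d layouts above concrete, here is an added example (not pam_tacplus or Linux-PAM code, and not from anyone in this thread): a reduced model of how a Linux-PAM auth stack folds module return values under the control fields used in those lines, so the effect of pam_tacplus returning PAM_IGNORE, PAM_AUTH_ERR or PAM_AUTHINFO_UNAVAIL can be traced without a PAM host. It assumes a local `pam_unix.so` line follows the `tacacs` include (the page only shows the first lines of each file), Linux-PAM's numeric return codes, and the ok/done/bad/die/ignore rules from pam.conf(5); `run_stack`, `fallback_result` and `no_fallback_result` are names chosen for this example.

```c
/* Added example, not pam_tacplus or Linux-PAM code: a reduced model of the
 * Linux-PAM auth stack under the control fields used in the two pam.d layouts
 * above.  Assumed: pam_unix.so as the local module after the tacacs include,
 * Linux-PAM's numeric return codes, and the action rules from pam.conf(5). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAM_SUCCESS           0
#define PAM_PERM_DENIED       6   /* what PAM returns if no module contributed */
#define PAM_AUTH_ERR          7
#define PAM_AUTHINFO_UNAVAIL  9
#define PAM_IGNORE           25

enum action { ACT_IGNORE, ACT_OK, ACT_DONE, ACT_BAD, ACT_DIE };

/* One pam.d line: the module and the action for each return-value class,
 * i.e. [success=... ignore=... authinfo_unavail=... default=...]. */
struct entry {
    const char *module;
    enum action on_success, on_ignore, on_authinfo_unavail, on_default;
};

/* Scenario inputs stand in for the modules' real work: what pam_tacplus
 * returned and what the local module would return. pam_deny.so always fails. */
static int module_return(const char *module, int tacacs_ret, int local_ret)
{
    if (strcmp(module, "pam_tacplus.so") == 0) return tacacs_ret;
    if (strcmp(module, "pam_unix.so") == 0)    return local_ret;
    return PAM_AUTH_ERR;                           /* pam_deny.so */
}

static enum action action_for(const struct entry *e, int ret)
{
    switch (ret) {
    case PAM_SUCCESS:          return e->on_success;
    case PAM_IGNORE:           return e->on_ignore;
    case PAM_AUTHINFO_UNAVAIL: return e->on_authinfo_unavail;
    default:                   return e->on_default;
    }
}

/* Walk the stack as pam.conf(5) describes: the first bad/die result fixes the
 * stack's failure code, ok/done only count while nothing has failed, ignore
 * contributes nothing, and done/die stop the walk. */
int run_stack(const struct entry *stack, size_t n, int tacacs_ret, int local_ret)
{
    enum { UNDEF, POSITIVE, NEGATIVE } impression = UNDEF;
    int status = PAM_PERM_DENIED;
    for (size_t i = 0; i < n; i++) {
        int ret = module_return(stack[i].module, tacacs_ret, local_ret);
        enum action act = action_for(&stack[i], ret);
        switch (act) {
        case ACT_IGNORE:
            break;
        case ACT_OK: case ACT_DONE:
            if (impression == UNDEF) { impression = POSITIVE; status = ret; }
            if (impression == POSITIVE && act == ACT_DONE) return status;
            break;
        case ACT_BAD: case ACT_DIE:
            if (impression != NEGATIVE) { impression = NEGATIVE; status = ret; }
            if (act == ACT_DIE) return status;
            break;
        }
    }
    return status;
}

/* "auth [success=done default=bad authinfo_unavail=bad ignore=ignore] pam_tacplus.so"
 * followed by the local module (assumed "auth required pam_unix.so"). */
static const struct entry FALLBACK_STACK[] = {
    { "pam_tacplus.so", ACT_DONE, ACT_IGNORE, ACT_BAD, ACT_BAD },
    { "pam_unix.so",    ACT_OK,   ACT_IGNORE, ACT_BAD, ACT_BAD },
};

/* "auth sufficient pam_tacplus.so" then "auth requisite pam_deny.so"; a local
 * module placed after the deny line is never reached. */
static const struct entry NO_FALLBACK_STACK[] = {
    { "pam_tacplus.so", ACT_DONE, ACT_IGNORE, ACT_IGNORE, ACT_IGNORE },
    { "pam_deny.so",    ACT_OK,   ACT_IGNORE, ACT_DIE,    ACT_DIE },
    { "pam_unix.so",    ACT_OK,   ACT_IGNORE, ACT_BAD,    ACT_BAD },
};

int fallback_result(int tacacs_ret, int local_ret)
{ return run_stack(FALLBACK_STACK, 2, tacacs_ret, local_ret); }

int no_fallback_result(int tacacs_ret, int local_ret)
{ return run_stack(NO_FALLBACK_STACK, 3, tacacs_ret, local_ret); }

int main(void)
{
    printf("fallback stack, server down as PAM_IGNORE, local ok:          %d\n",
           fallback_result(PAM_IGNORE, PAM_SUCCESS));
    printf("fallback stack, server down as PAM_AUTHINFO_UNAVAIL, local ok: %d\n",
           fallback_result(PAM_AUTHINFO_UNAVAIL, PAM_SUCCESS));
    printf("fallback stack, server rejected, local ok:                     %d\n",
           fallback_result(PAM_AUTH_ERR, PAM_SUCCESS));
    printf("no-fallback stack, server down as PAM_IGNORE, local ok:        %d\n",
           no_fallback_result(PAM_IGNORE, PAM_SUCCESS));
    return 0;
}
```

Two things fall out of running it: in the fallback layout only PAM_IGNORE lets the local module decide, because `authinfo_unavail=bad` and `default=bad` turn any other unreachable-server code into a denial while a TACACS+ reject stays a reject even if the local password is right; and in the no-fallback layout `sufficient` plus `requisite pam_deny.so` denies for every non-success code, so nothing placed after the deny line is ever consulted.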
Sure, we can even go with an explicit option and, depending on the config option, return PAM_IGNORE or PAM_FAILURE.
Unfortunately, for me it didn't work with