MarcJHuber/event-driven-servers

tac_plus-ng: pammavis and authen_type=<pap|chap|mschap|...>

beranf opened this issue · 12 comments

beranf commented

Hi Marc,
I have an issue with authentication over pammavis. If the tacacs authentication request packet contains authen_type=pap, then pammavis never authenticates such a request.

If tacacs authentication request contains:

My tac_plus-ng.cfg (configuration snippet):

	mavis module = groups {
		resolve gids = yes
		groups filter = /^(tacacs_)/
		script out {
			# copy the already filtered UNIX group access list to TACMEMBER
			eval $GIDS =~ /^tacacs_(.*)$/
			set $TACMEMBER = $1
		}
	}

	mavis module = external {
		exec = /usr/local/sbin/pammavis pammavis -s ssh
	}

	user backend = mavis
	login backend = mavis chpass
	pap backend = mavis
	pap password mapping = login

I have also tried to use pap password mapping = login, which should map PAP authentication requests to ASCII Login requests, but it does not have any impact on the authentication process.

Please, could you check and validate if pammavis module really cannot authenticate the PAP method?

Thank you in advance.
Regards,
Filip

Hi Filip,

does

printf "4 youruser\n8 yourpassword\n49 AUTH\n=\n" | pammavis

work? pammavis doesn't know about the actual authentication method; it only cares about user, password and tactype.

Cheers,

Marc

beranf commented

Hi Marc, unfortunately it doesn't:

[root@dst01-nacs01-al92test event-driven-servers]# printf "4 test_fb\n8 Abc123\n49 AUTH\n=\n"
4 test_fb
8 Abc123
49 AUTH
=
[root@dst01-nacs01-al92test event-driven-servers]# printf "4 test_fb\n8 Abc123\n49 AUTH\n=\n" | pammavis
4 test_fb
8 Abc123
49 AUTH
17 Authentication failure
6 NAK
=0

Linux user settings:

cat /etc/passwd | grep test_fb
test_fb:x:1012:1012:test user:/home/test_fb:/usr/bin/passwd

cat /etc/group | grep test_fb
test_fb:x:1012:
net_admin:x:2000:test_fb
tacacs_gr_superadmin:x:1999:test2_fb,test_fb

Login to a Linux pty with credentials test_fb/Abc123 is working fine:

[root@dst01-nacs01-al92test event-driven-servers]# ssh test_fb@localhost
test_fb@localhost's password:
Last login: Fri Aug 25 15:37:42 2023 from ::1
Changing password for user test_fb.
Current password:
New password:

It seems the latest version of pammavis is installed:

[root@dst01-nacs01-al92test event-driven-servers]# ls -la /usr/local/sbin/pammavis
-rwxr-xr-x. 1 root root 35784 Aug 24 21:17 /usr/local/sbin/pammavis
[root@dst01-nacs01-al92test event-driven-servers]# diff /usr/local/sbin/pammavis ./build/linux-5.14.0-162.23.1.el9_1.x86_64-x86_64/fakeroot/usr/local/sbin/pammavis
[root@dst01-nacs01-al92test event-driven-servers]#

Installed tac_plus-ng version:

[root@dst01-nacs01-al92test ~]# /usr/local/sbin/tac_plus-ng -v
tac_plus-ng version e5b093e1b4ea935e3b815106d9e5855fc7a1776e/PCRE2/CRYPTO/ARES/CURL/SSL

Regards,
Filip

Hi Filip,

there are a couple of options that come to mind:

  • try running pammavis as root, there might be a permission issue that could require sudo
  • validate that the password is correct and neither password nor account are expired
  • check PAM functionality with pamtester

The pammavis code has not undergone any relevant changes for a very long time, I'm pretty sure that it works just fine.

Cheers,

Marc

beranf commented

Hi Marc,

[root@dst01-nacs01-al92test pamtester]# pamtester login test_fb authenticate
Password:
pamtester: successfully authenticated
[root@dst01-nacs01-al92test pamtester]#
[root@dst01-nacs01-al92test pamtester]#
[root@dst01-nacs01-al92test pamtester]#
[root@dst01-nacs01-al92test pamtester]#
[root@dst01-nacs01-al92test pamtester]# printf "4 test_fb\n8 Abc123\n49 AUTH\n=\n"  | pammavis
4 test_fb
8 Abc123
49 AUTH
17 Authentication failure
6 NAK
=0
[root@dst01-nacs01-al92test pamtester]#

Actually it seems there is some issue on the pammavis side (both pamtester and pammavis got the same password "Abc123"). I'll try to troubleshoot more deeply somehow.

Regards,
Filip

Hi Filip,

does pamtester login test_fb acct_mgmt look sane, too?

Cheers,

Marc

beranf commented

Hi Marc,

[root@dst01-nacs01-al92test ~]# pamtester -v login test_fb acct_mgmt
pamtester: invoking pam_start(login, test_fb, ...)
pamtester: performing operation - acct_mgmt
pamtester: account management done.

Regards,

Filip

beranf commented

Hi Marc,
I identified a typo in my tac_plus-ng.cfg: pammavis -s ssh instead of the correct pammavis -s sshd. I probably created this typo in my tac_plus-ng.cfg when I tuned another config section. All the time I have been using two chained external back-ends: primary LDAP (MS AD) and secondary PAM (pammavis). I probably didn't use PAM authentication for months until last week, when I needed it in some scenario.

So I have just fixed my tac_plus-ng.cfg to pammavis -s sshd and now PAM authentication works fine for mavistest (mavistest_passed.txt) and the tac_plus-ng daemon.

Nevertheless, your recommended debug command printf "4 youruser\n8 yourpassword\n49 AUTH\n=\n" | pammavis still does not work:

[root@dst01-nacs01-al92test tac_plus]# printf "4 test_fb\n8 Abc123\n49 AUTH\n=\n"  | pammavis
4 test_fb
8 Abc123
49 AUTH
17 Authentication failure
6 NAK
=0
[root@dst01-nacs01-al92test tac_plus]#

Regards,
Filip

Hi Filip,

if the PAM configuration of your local system rejects unknown service names, you need to add a valid service name for testing, too. The default is "pammavis -s mavis", and if "-s ssh" works with tac_plus-ng it will work for pammavis.

Cheers,

Marc

beranf commented

Hi Marc,

thanks for explaining! I understand, and your debug command now works fine too:

[root@dst01-nacs01-al92test tac_plus]# printf "4 test_fb\n8 Abc123\n49 AUTH\n=\n"  | pammavis -s sshd
4 test_fb
8 Abc123
49 AUTH
9 1012
10 1012
24 1012,2000,1999
19 /home/test_fb
54 /bin/bash
6 ACK
36 Abc123
=0

So, sorry for this ticket; it wasn't a bug, it was about my typo in tac_plus-ng.cfg and confusion about how to correctly use the pammavis command.

Regards,
Filip

Hi Filip,

no problem. Just out of interest, what system (or distribution) do you run the software on? My reference is typically Ubuntu (which falls back to the "other" PAM service), but that looks quite distribution specific now.

Thanks,

Marc

beranf commented

Hi Marc,

I run the tac_plus-ng software on the AlmaLinux 9.2 x86_64 distribution.

Regards,
Filip

Hi Filip,

thanks, I've had a look, AlmaLinux indeed defaults to pam_deny.so (and I'd bet that's true for all of the RH clones).

I've added a warning to pammavis yesterday in case the service file in /etc/pam.d/ doesn't exist. While that's not perfect, most systems seem to have settled to that scheme.

Cheers,

Marc
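The query format Marc describes (attribute-number lines terminated by "=") and the PAM service-file check behind the "-s sshd" confusion, as an added example that is not part of this thread or of the event-driven-servers project. The attribute names are my reading of the numbered lines in the thread's output, and the /etc/pam.d lookup is a local check that mirrors the warning Marc mentions, not pammavis's own code.

```python
import os
import subprocess

# Attribute numbers as they appear in the thread's pammavis output. The names
# are assumed from context (4 = user, 8 = password, 49 = tactype, 6 = result,
# 17 = comment), not taken from the project's headers.
AV_USER, AV_PASSWORD, AV_TACTYPE, AV_RESULT, AV_COMMENT = "4", "8", "49", "6", "17"

def build_mavis_query(user, password, tactype="AUTH"):
    """Return the stdin text pammavis expects, matching the thread's printf."""
    return f"{AV_USER} {user}\n{AV_PASSWORD} {password}\n{AV_TACTYPE} {tactype}\n=\n"

def parse_mavis_response(text):
    """Parse '<attr> <value>' lines into a dict, stopping at the '=0' terminator."""
    attrs = {}
    for line in text.splitlines():
        if line.startswith("="):
            break
        if not line.strip():
            continue
        attr, _, value = line.partition(" ")
        attrs[attr] = value
    return attrs

def is_ack(attrs):
    """True only when the backend answered '6 ACK' rather than '6 NAK'."""
    return attrs.get(AV_RESULT) == "ACK"

def pam_service_file_exists(service, pam_dir="/etc/pam.d"):
    """RH-family PAM falls back to pam_deny.so for a missing service file, so
    check /etc/pam.d/<service> before blaming pammavis for a NAK."""
    return os.path.isfile(os.path.join(pam_dir, service))

def run_pammavis(user, password, service="sshd", binary="/usr/local/sbin/pammavis"):
    """Invoke pammavis as the thread does; password goes via stdin, not argv."""
    if not pam_service_file_exists(service):
        raise RuntimeError(f"/etc/pam.d/{service} is missing; PAM would deny the login")
    proc = subprocess.run([binary, "-s", service], input=build_mavis_query(user, password),
                          capture_output=True, text=True, check=False)
    return parse_mavis_response(proc.stdout)

# Sample replies copied in shape from the thread's NAK and ACK outputs.
SAMPLE_NAK = "4 test_fb\n8 Abc123\n49 AUTH\n17 Authentication failure\n6 NAK\n=0\n"
SAMPLE_ACK = ("4 test_fb\n8 Abc123\n49 AUTH\n9 1012\n10 1012\n24 1012,2000,1999\n"
              "19 /home/test_fb\n54 /bin/bash\n6 ACK\n36 Abc123\n=0\n")
```

run_pammavis() needs the real binary and a root shell; the parser and the service-file check run anywhere.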