PAM and dynamic user member check

[bantify]

Hi Marc,
I'm interested to use tac_plus-ng in my network.

But not getting good documentation.

Does it support PAM authentication and also dynamic group checking?

If pam user belongs to netadmins and use priv-lvl = 15 otherwise priv-lvl = 1

Looking forward for your reply.

Regards.

[MarcJHuber]

Hi,

yes, PAM (in the basic variant with user and password) is supported.

Sample basic configuration:

https://github.com/MarcJHuber/event-driven-servers/blob/master/tac_plus-ng/sample/tac_plus-ng-demo-pam.cfg

More complex (includes user group ("member") checking:

https://github.com/MarcJHuber/event-driven-servers/blob/master/tac_plus-ng/sample/tac_plus-ng.cfg

Cheers,

Marc

[bantify]

@MarcJHuber Thanks,

I used it and successfully login in HPE, Extreme, Juniper and F5 devices using PAM.

My profile is like below:

profile demo-profile { script { if (service == shell) { if (cmd == "") set priv-lvl = 15 permit } if (service == junos-exec) { if (cmd == "") set local-user-name = tacadmin permit } if (service == exec) { if (cmd == "") set priv-lvl = 15 permit } } }

But could not figure the dynamic member checking.

Could you please help?

Regards.
Banik

[MarcJHuber]

Hi,

the second link I gave should detail group evaluation. Using two separate profiles (say, priv15 and priv1) and a rule set for profile assignment based on group membership should meet your requirement:

profile priv15 { ... }

profile priv1 { ... }

group netadmins

ruleset {
    rule {
        script {
            if (member == netadmins)
                profile = priv15
            else
                profile = priv1
            permit
    }
}

Cheers,

Marc

[bantify]

Thanks for quick replied:

My config like below:

id = spawnd {
        background = no
        single process = yes   # not suitable for production
        listen { port = 49 } # standard port would be 49
}



id = tac_plus-ng {
        log authzlog { destination = /var/log/tac_plus_authz.log }
        log authclog { destination = /var/log/tac_plus_authc.log }
        log acctlog  { destination = /var/log/tac_plus_acct.log }
        accounting log = acctlog
        authentication log = authclog
        authorization log = authzlog
#       Single--threaded backend,:
        mavis module demo = external { exec = /usr/local/sbin/pammavis pammavis -s sshd }
#       mavis module demo = external { exec = /usr/bin/sudo sudo /usr/local/sbin/pammavis -s sshd }
#       Multi-threaded backend:
#       mavis module demo-mt  = external-mt { exec = /usr/local/sbin/pammavis-mt pammavis-mt -s sshd }
#       mavis module demo-mt = external-mt { exec = /usr/bin/sudo sudo /usr/local/sbin/pammavis-mt -s sshd }
#
        user backend = mavis    # retrieve user data from backend
        login backend = mavis   # use backend for user login authentication
        pap password = login    # map pap password to login password

#       Device, profile and ruleset definitions:
        device world { address = 0.0.0.0/0 key = mykey }
        group netadmins
        #profile demo-profile { script { if (service == shell) { if (cmd == "") set priv-lvl = 15 permit } } }
        #profile demo-profile { script { if (service == shell) { if (cmd == "") set priv-lvl = 15 permit } if (service == junos-exec) { if (cmd == "") set local-user-name = tacadmin permit } } }
        profile demo-profile { script { if (service == shell) { if (cmd == "") set priv-lvl = 15 permit } 
                                        if (service == junos-exec) { if (cmd == "") set local-user-name = tacadmin permit }
                                        if (service == exec) { if (cmd == "") set priv-lvl = 15 permit } } }      
        #ruleset { rule demo-rule { script { profile = demo-profile permit } } }
        ruleset { rule demo-rule { script {if ( member == netadmins ) profile = demo-profile permit } } }

My group is netadmins.

My rule is like:
ruleset { rule demo-rule { script {if ( member == netadmins ) profile = demo-profile permit } } }

User belongs to goup netadmins:

[root@metroc-p-qv-ipa-3 sample]# id ericsson_nbanik
uid=451000269(ericsson_nbanik) gid=451000269(ericsson_nbanik) groups=451000269(ericsson_nbanik),451000000(admins),451000220(qvtusers-support),451000087(qvtadmins-medi),451000067(qvtadmins-mwfe),451000089(qvtadmins-jenkins),451000005(qvtusers),451000006(qvtadmins),451000059(qvtadmins-webdb),451000069(qvtadmins-mwbe),64966(qapps),451000063(qvtadmins-webapps),451000111(qvtusers-jmeter),451000226(ericadmins),451000084(qvtusers-cp),451000066(qvtusers-q-api),451000086(res_staff),451000083(qvtadmins-cp),451000090(qvtusers-jenkins),451000060(qvtusers-webdb),451000110(qvtadmins-jmeter),451000070(qvtusers-mwbe),451000062(qvtusers-hpd),451000072(qvtusers-inv-form),451000071(qvtadmins-inv-form),451000074(qvtusers-rbs),451000065(qvtadmins-q-api),451000219(qvtadmins-support),451000334(qvtusers-hds),451000061(qvtadmins-hpd),451000064(qvtusers-webapps),451000073(qvtadmins-rbs),451000068(qvtusers-mwfe),451000088(qvtusers-medi),451013001(netadmins)

Debug log says, group check false:

625475: 23:22:27.887 1/42fa2743: 10.74.3.216 AUTHOR, priv_lvl=15
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 authen_type=ascii (1)
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 authen_method=tacacs+ (6)
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 service=login (1)
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 user_len=15 port_len=5 rem_addr_len=14 arg_cnt=2
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 user (len: 15): ericsson_nbanik
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 port (len: 5): ssh15
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 rem_addr (len: 14): 192.168.104.42
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 arg[0] (len: 13): service=shell
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 arg[1] (len: 4): cmd=
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 ---<end packet>---
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 evaluating ACL demo-rule
625475: 23:22:27.887 1/42fa2743: 10.74.3.216  line 58: [member] member 'netadmins' => false
625475: 23:22:27.887 1/42fa2743: 10.74.3.216  line 58: [permit]
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 ACL demo-rule: match
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 [email protected]: ACL demo-rule: permit (profile: n/a)
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 Writing AUTHOR/FAIL size=18
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 ---<start packet>---
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 key used: mykey
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 version: 192, type: 2, seq no: 2, flags: unencrypted
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 session id: 42fa2743, data length: 6
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 packet body (len: 6):
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 0000 10 00 00 00 00 00                                 ......
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 AUTHOR/REPLY, status=16 (AUTHOR/FAIL) 
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 msg_len=0, data_len=0, arg_cnt=0
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 msg (len: 0): 
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 data (len: 0): 
625475: 23:22:27.887 1/42fa2743: 10.74.3.216 ---<end packet>---

What's wrong here?

Appreciate your support.

[MarcJHuber]

Hi,

you're probably missing the "groups" module on top of the PAM "external" module. Copy-paste from sample/tac_plus-ng.cfg:

	mavis module = groups {
		resolve gids = yes
		resolve gids attribute = TACMEMBER
		groups filter = /^(guest|staff|ubuntu)$/
	}

Cheers,

Marc

[bantify]

@MarcJHuber

Appreciate your help.

It perfectly works and full fill my expectations.

I was exactly looking for this for last 1 week and I found it.

Such a nice tool you build.

Regards and Thanks

[MarcJHuber]

Hi,

you're welcome, good that it's working!

Cheers,

Marc