TACACS+ Ubuntu client vm authentication

I have a TACACS+ server and an Ubuntu 20.04 vm client. I downloaded the package libpam-tacplus and did steps 7 and 8 from this answer. If the user exists on the vm I can successfully use the TACACS+ server for authentication.

It is required that the users only exist on the TACACS+ server and not inside the vm. To achieve that I downloaded this and installed/configured it following the instructions from the readme.

I connect via ssh to the vm, but I can't log in. The server log says "pap login succeeded" but the ssh console says "Access denied".

I suspect something is wrong with my pam.d files but I'm not sure what.

Here are the relevant files/logs:

pam.d/tacacs

#%PAM-1.0

auth      sufficient /usr/lib/security/pam_tacplus.so debug server=1.2.3.4 timeout=5 secret=secretkey
account   sufficient /usr/lib/security/pam_tacplus.so debug server=1.2.3.4 timeout=5 secret=secretkey service=shell protocol=ssh
session   sufficient /usr/lib/security/pam_tacplus.so debug server=1.2.3.4 timeout=5 secret=secretkey service=shell protocol=ssh

pam.d/sshd

#%PAM-1.0

auth [success=0 default=ignore] /usr/lib/security/pam_tacplus.so debug server=1.2.3.4 secret=secretkey
#auth      include      tacacs
account    include      tacacs
session    include      tacacs
#
#
#auth      required     pam_sepermit.so
#auth       substack     password-auth
#auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
#-auth      optional     pam_reauthorize.so prepare
#account    required     pam_nologin.so
#account    include      password-auth
#password   include      password-auth
# pam_selinux.so close should be the first session rule
#session    required     pam_selinux.so close
#session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
#session    required     pam_selinux.so open env_params
#session    required     pam_namespace.so
#session    optional     pam_keyinit.so force revoke
#session    include      password-auth
#session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
#-session   optional     pam_reauthorize.so prepare

/var/log/auth.log after entering the username

Sep  3 13:52:22 ubuntuvm sshd[18024]: tacacsSSH
Sep  3 13:52:22 ubuntuvm sshd[18024]: tacacs name is tacacs_user, pw_dir = /home/tacacs_user, pw_shell =
Sep  3 13:52:22 ubuntuvm sshd[18024]: tacacsSSH 102
Sep  3 13:52:22 ubuntuvm sshd[18024]: Name copied to passwd structure is testuser
Sep  3 13:52:22 ubuntuvm sshd[18024]: Password copied to passwd structure is a
Sep  3 13:52:22 ubuntuvm sshd[18024]: PAM pam_parse: expecting non-zero; [... default=ignore]
Sep  3 13:52:22 ubuntuvm sshd[18024]: PAM pam_parse: expecting return value; [...sufficent]

/var/log/auth.log after entering the password

Sep  3 13:52:29 ubuntuvm PAM-tacplus[18024]: 1 servers defined
Sep  3 13:52:29 ubuntuvm PAM-tacplus[18024]: server[0] { addr=1.2.3.4, key='********' }
Sep  3 13:52:29 ubuntuvm PAM-tacplus[18024]: tac_service=''
Sep  3 13:52:29 ubuntuvm PAM-tacplus[18024]: tac_protocol=''
Sep  3 13:52:29 ubuntuvm PAM-tacplus[18024]: tac_prompt=''
Sep  3 13:52:29 ubuntuvm PAM-tacplus[18024]: tac_login=''
Sep  3 13:52:29 ubuntuvm sshd[18024]: pam_sm_authenticate: called (pam_tacplus v1.3.8)
Sep  3 13:52:29 ubuntuvm sshd[18024]: pam_sm_authenticate: user [testuser] obtained
Sep  3 13:52:29 ubuntuvm sshd[18024]: tacacs_get_password: called
Sep  3 13:52:29 ubuntuvm sshd[18024]: tacacs_get_password: obtained password
Sep  3 13:52:29 ubuntuvm sshd[18024]: pam_sm_authenticate: password obtained
Sep  3 13:52:29 ubuntuvm sshd[18024]: pam_sm_authenticate: tty [ssh] obtained
Sep  3 13:52:29 ubuntuvm sshd[18024]: pam_sm_authenticate: rhost [1.2.3.5] obtained
Sep  3 13:52:29 ubuntuvm sshd[18024]: pam_sm_authenticate: trying srv 0
Sep  3 13:52:29 ubuntuvm sshd[18024]: pam_sm_authenticate: active srv 0
Sep  3 13:52:29 ubuntuvm sshd[18024]: pam_sm_authenticate: exit with pam status: 0
Sep  3 13:52:29 ubuntuvm sshd[18024]: Failed password for testuser from 1.2.3.5 port 49413 ssh2

As the TACACS+ server I use this one: https://tacacsgui.com/

mangohost
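A small checker for the two pam_parse complaints in the auth.log above, added here as an example and not code from the question or from libpam-tacplus: it parses the control field of each pam.d line as pam.conf(5) defines it and flags a zero jump count such as success=0 as well as control tokens Linux-PAM does not recognise. The sample file body is constructed after the sshd file in the question, and the secret is a placeholder.

```python
import re

# Keywords Linux-PAM accepts in the control field, per pam.conf(5).
SIMPLE_CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
ACTIONS = {"ignore", "bad", "die", "ok", "done", "reset"}  # or a positive jump count
RETURN_VALUES = set("""success open_err symbol_err service_err system_err buf_err perm_denied
auth_err cred_insufficient authinfo_unavail user_unknown maxtries new_authtok_reqd acct_expired
session_err cred_unavail cred_expired cred_err no_module_data conv_err authtok_err
authtok_recover_err authtok_lock_busy authtok_disable_aging try_again ignore abort
authtok_expired module_unknown bad_item conv_again incomplete default""".split())
LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def check_pam_line(line):
    """Return the problems found in one pam.d line; an empty list means it parses."""
    text = line.strip()
    if not text or text.startswith("#"):
        return []
    m = LINE.match(text)
    if not m:
        return ["expected '<type> <control> <module> [args]'"]
    control = m.group(2)
    if not control.startswith("["):
        return [] if control in SIMPLE_CONTROLS else [f"unknown control '{control}'"]
    problems = []
    for token in control[1:-1].split():
        value, sep, action = token.partition("=")
        if not sep or value not in RETURN_VALUES:
            problems.append(f"expecting return value; [...{value}]")  # as seen in the question's log
        elif action.isdigit():
            if int(action) == 0:  # a jump of 0 lines is rejected by Linux-PAM
                problems.append(f"expecting non-zero; [...{token}]")
        elif action not in ACTIONS:
            problems.append(f"expecting action; [...{token}]")
    return problems

def check_pam_file(text):
    """Map 1-based line numbers to their problems for a whole pam.d file body."""
    return {n: p for n, l in enumerate(text.splitlines(), 1) if (p := check_pam_line(l))}

# Constructed sample modelled on the sshd file in the question; the secret is a placeholder.
SAMPLE = """#%PAM-1.0
auth [success=0 default=ignore] /usr/lib/security/pam_tacplus.so server=1.2.3.4 secret=PLACEHOLDER
auth sufficent /usr/lib/security/pam_tacplus.so server=1.2.3.4 secret=PLACEHOLDER
account include tacacs
"""

if __name__ == "__main__":
    for n, probs in check_pam_file(SAMPLE).items():
        print(f"line {n}: {'; '.join(probs)}")
```

Run it against a copy of the real file to see which line pam_parse is objecting to, since the log only shows the offending token and not the line.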
