ssh public key auth with tacacs+ enabled
I have configured tacacs+ authentication on an LTM box that is running 10.2 software - works like a charm. But I have also configured one local account and am trying to get ssh public key auth to work. I get logs like this:
Feb 8 21:28:26 local/lb1-1 notice sshd[19611]: pam_tacplus: user not authenticated by TACACS+
Feb 8 21:28:26 local/lb1-1 crit sshd[19612]: fatal: Access denied for user test by PAM account configuration
Feb 8 21:28:26 local/lb1-1 info sshd(pam_audit)[19611]: user=test(test) partition=[All] level=Administrator tty=ssh host=x.x.x.x attempts=1 start="Wed Feb 8 21:28:26 2012" end="Wed Feb 8 21:28:26 2012".
Feb 8 21:28:26 local/lb1-1 info sshd(pam_audit)[19611]: 01070417:6: AUDIT - user test - RAW: sshd(pam_audit): user=test(test) partition=[All] level=Administrator tty=ssh host=194.126.115.33 attempts=1 start="Wed Feb 8 21:28:26 2012" end="Wed Feb 8 21:28:26 2012".
Is it by design like this?
If I disable remote authentication, then I can log in without password. Tried to change "terminal access" from advanced shell to tmsh as well, but it did not help...
Any ideas?
- nitass (Employee)
"is it by design like this?"
Yes, I understand it is by design.
- TK_45015 (Nimbostratus)
Thanks for the answer....saved my time :)
- Andy_Litzinger_ (Nimbostratus)
Did this change in 10.2? I was able to log in with a local user via public key auth and with tacacs+ defined while I was running 10.1. Yesterday I upgraded to 10.2.3 and I'm getting the same errors in my /var/log/secure logs as TK:
- alois_2269 (Nimbostratus)
I have the same error. Tried the documentation:
https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13454.htmlbigipsshdaccept
But did not carefully read the prerequisites:
You must meet the following prerequisites to use this procedure:
- You are familiar with SSH protocol
- You are familiar with the vi text editor
- Your BIG-IP system is configured to use the local user directory for system authentication
I tried the following procedures:
- Switch off the remote authentication -> ssh-key auth works :-)
- Turn on remote authentication -> ssh-key auth does not work anymore :-(
Any suggestions? Seems no local auth will work if remote-auth is running/configured.
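A triage sketch for the log pattern in the original post, added here as an example (not code from any poster or from F5). It pairs each sshd "Access denied ... by PAM account configuration" line, which sshd logs when the PAM account check fails, with a pam_tacplus rejection logged by the same host in the same second. The function name, the cause labels and the last two sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First two lines are the ones quoted in the thread; the last two are
# constructed for this example (user "ops" is a placeholder).
SAMPLE = """\
Feb 8 21:28:26 local/lb1-1 notice sshd[19611]: pam_tacplus: user not authenticated by TACACS+
Feb 8 21:28:26 local/lb1-1 crit sshd[19612]: fatal: Access denied for user test by PAM account configuration
Feb 8 21:30:02 local/lb1-1 crit sshd[19700]: fatal: Access denied for user ops by PAM account configuration
Feb 8 21:31:10 local/lb1-1 notice sshd[19800]: pam_tacplus: user not authenticated by TACACS+
"""

# timestamp, host, severity, sshd or sshd(pam_audit), pid, message
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) \w+ sshd[^\[]*\[(\d+)\]: (.*)$")
DENIED = re.compile(r"fatal: Access denied for user (\S+) by PAM account configuration")
TACACS = "pam_tacplus: user not authenticated by TACACS+"


def classify(text):
    """Return [(timestamp, host, user, cause)] for each PAM account denial.

    cause is 'tacacs-account-check' when pam_tacplus logged a rejection on
    the same host in the same second, otherwise 'other-account-policy'.
    The two messages come from different sshd PIDs (19611 and 19612 in the
    thread), so they are correlated on (timestamp, host), not on PID.
    """
    tacacs_seen = defaultdict(int)
    denials = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sshd line in the expected format
        ts, host, _pid, msg = m.groups()
        if TACACS in msg:
            tacacs_seen[(ts, host)] += 1
        d = DENIED.search(msg)
        if d:
            denials.append((ts, host, d.group(1)))
    # Classify after the full pass so line order within a second is irrelevant.
    return [(ts, host, user,
             "tacacs-account-check" if tacacs_seen[(ts, host)] else "other-account-policy")
            for ts, host, user in denials]


if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(*row, sep="  ")
```

A denial labelled `tacacs-account-check` for an account that exists only locally matches the situation the posters describe: the login is refused at the PAM account step while remote authentication is enabled.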