Forum Discussion
ssh public key auth with tacacs+ enabled
I have configured tacacs+ authentication on an LTM box that is running 10.2 software - works like a charm. But I have also configured one local account and am trying to get ssh public key auth to work. I get logs like this:
Feb 8 21:28:26 local/lb1-1 notice sshd[19611]: pam_tacplus: user not authenticated by TACACS+
Feb 8 21:28:26 local/lb1-1 crit sshd[19612]: fatal: Access denied for user test by PAM account configuration
Feb 8 21:28:26 local/lb1-1 info sshd(pam_audit)[19611]: user=test(test) partition=[All] level=Administrator tty=ssh host=x.x.x.x attempts=1 start="Wed Feb 8 21:28:26 2012" end="Wed Feb 8 21:28:26 2012".
Feb 8 21:28:26 local/lb1-1 info sshd(pam_audit)[19611]: 01070417:6: AUDIT - user test - RAW: sshd(pam_audit): user=test(test) partition=[All] level=Administrator tty=ssh host=194.126.115.33 attempts=1 start="Wed Feb 8 21:28:26 2012" end="Wed Feb 8 21:28:26 2012".
Is it by design like this?
If I disable remote authentication, then I can log in without password. Tried to change "terminal access" from advanced shell to tmsh as well, but it did not help...
Any ideas?
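The two sshd lines in the log excerpt above come from different PAM phases, and that is the crux of the problem: with public-key authentication OpenSSH does not call PAM's authentication stack at all, but it still runs the PAM account stack, and a remote-authentication module placed there can reject a user whose key was already accepted. The Python below is an added example, not code from the original post or from F5: it parses lines in the /var/log/secure format shown above and reports, per user, which phase produced the rejection. The sample lines are constructed (hostnames, PIDs and addresses are placeholders, not from any real system); the actual contents of the BIG-IP PAM stack are not shown on this page and are not assumed here.

```python
"""Classify sshd/PAM lines from /var/log/secure for the remote-auth + ssh-key case.

Added example, not from the forum post. Sample lines are constructed; the
addresses are RFC 5737 documentation ranges, hostnames and PIDs are placeholders.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample modelled on the post's excerpt plus two ordinary OpenSSH lines.
SAMPLE_LOG = """\
Feb 8 21:28:26 local/lb1-1 notice sshd[19611]: pam_tacplus: user not authenticated by TACACS+
Feb 8 21:28:26 local/lb1-1 crit sshd[19612]: fatal: Access denied for user test by PAM account configuration
Feb 8 21:28:26 local/lb1-1 info sshd(pam_audit)[19611]: user=test(test) partition=[All] level=Administrator tty=ssh host=192.0.2.10 attempts=1 start="Wed Feb 8 21:28:26 2012" end="Wed Feb 8 21:28:26 2012".
Feb 8 21:30:01 local/lb1-1 info sshd[19650]: Accepted publickey for admin from 192.0.2.11 port 50000 ssh2
Feb 8 21:31:12 local/lb1-1 notice sshd[19700]: pam_tacplus: user not authenticated by TACACS+
Feb 8 21:31:12 local/lb1-1 info sshd[19700]: Failed password for bob from 192.0.2.12 port 50001 ssh2
"""

# Syslog prefix as written on the box: "<ts> <host> <severity> <program>[<pid>]: <message>"
PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<prog>[\w()]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Message bodies we know how to classify; anything else is ignored.
PATTERNS = {
    "tacacs_not_authenticated": re.compile(r"^pam_tacplus: user not authenticated by TACACS\+"),
    "pam_account_denied": re.compile(r"^fatal: Access denied for user (?P<user>\S+) by PAM account configuration"),
    "accepted": re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)"),
    "failed": re.compile(r"^Failed (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)"),
    "pam_audit": re.compile(r"^user=(?P<user>\w+)\(\w+\) .*?host=(?P<src>\S+)"),
}


@dataclass
class Event:
    ts: str
    host: str
    pid: int
    kind: str
    user: Optional[str] = None
    method: Optional[str] = None
    src: Optional[str] = None


@dataclass
class Summary:
    tacacs_not_authenticated: int = 0
    # per_user[user][kind] -> count
    per_user: dict = field(default_factory=lambda: defaultdict(lambda: defaultdict(int)))


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a recognised sshd/PAM line, or None for anything else."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    for kind, pat in PATTERNS.items():
        pm = pat.match(msg)
        if pm:
            d = pm.groupdict()
            return Event(ts=m.group("ts"), host=m.group("host"), pid=int(m.group("pid")),
                         kind=kind, user=d.get("user"), method=d.get("method"), src=d.get("src"))
    return None


def summarize(log_text: str) -> Summary:
    """Count events per user; pam_tacplus lines carry no user name, so they are counted globally."""
    s = Summary()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.kind == "tacacs_not_authenticated":
            s.tacacs_not_authenticated += 1
        elif ev.user:
            s.per_user[ev.user][ev.kind] += 1
    return s


def diagnose(s: Summary) -> list:
    """Turn the counts into one plain-language note per user."""
    notes = []
    for user, counts in sorted(s.per_user.items()):
        if counts.get("pam_account_denied"):
            if s.tacacs_not_authenticated:
                notes.append(f"{user}: rejected in the PAM account phase while pam_tacplus reported "
                             f"'not authenticated by TACACS+'; public-key auth skips PAM authentication, "
                             f"but sshd still runs the PAM account stack, which is where remote auth "
                             f"rejects a locally defined key user")
            else:
                notes.append(f"{user}: rejected by PAM account configuration (no TACACS+ message seen)")
        if counts.get("accepted"):
            notes.append(f"{user}: {counts['accepted']} accepted login(s)")
        if counts.get("failed"):
            notes.append(f"{user}: {counts['failed']} failed authentication attempt(s)")
    return notes


if __name__ == "__main__":
    for note in diagnose(summarize(SAMPLE_LOG)):
        print(note)
```

Run against a real file with `summarize(open("/var/log/secure").read())`; the per-user split is what tells a key-based login rejected in the account phase apart from an ordinary bad-password attempt, which lands under `failed`.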
6 Replies
- nitass
Employee
"is it by design like this?"
Yes, I understand it is by design.
Note: As with all remote authentication configurations, if the configured TACACS+ server is unavailable to answer authentication requests, the BIG-IP system will use the local user account database for authentication; in addition, only locally-defined user accounts, such as the default admin WebUI account and the root command line account, will be able to log in to the system.
sol8811: Configuring remote TACACS+ authentication for local BIG-IP administrative users
http://support.f5.com/kb/en-us/solutions/public/8000/800/sol8811.html
- TK_45015
Nimbostratus
Thanks for the answer... saved my time :)
- Andy_Litzinger_
Nimbostratus
Did this change in 10.2? I was able to log in with a local user via public key auth and with tacacs+ defined while I was running 10.1. Yesterday I upgraded to 10.2.3 and I'm getting the same errors in my /var/log/secure logs as TK:
Feb 28 10:20:17 local/MY-BIGIP crit sshd[13317]: fatal: Access denied for user my_user by PAM account configuration
It seems like there should be an update you can make to /config/bigip/pam.d/sshd to allow this to work? Or maybe someplace else?
- alois_2269
Nimbostratus
I have the same error. Tried the documentation:
https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13454.htmlbigipsshdaccept
But did not carefully read the prerequisites:
You must meet the following prerequisites to use this procedure:
- You are familiar with SSH protocol
- You are familiar with the vi text editor
- Your BIG-IP system is configured to use the local user directory for system authentication
I tried the following procedures:
- Switch off the remote authentication -> ssh-key auth works :-)
- Turn on remote authentication -> ssh-key auth does not work anymore :-(
Any suggestions? Seems no local auth will work if remote-auth is running/configured.