Forum Discussion

TK_45015
Feb 08, 2012

ssh public key auth with tacacs+ enabled

Hi Gurus!

I have configured tacacs+ authentication on an LTM box that is running 10.2 software - works like a charm. But I have also configured one local account and am trying to get ssh public key auth to work. I get logs like this:

Feb 8 21:28:26 local/lb1-1 notice sshd[19611]: pam_tacplus: user not authenticated by TACACS+
Feb 8 21:28:26 local/lb1-1 crit sshd[19612]: fatal: Access denied for user test by PAM account configuration
Feb 8 21:28:26 local/lb1-1 info sshd(pam_audit)[19611]: user=test(test) partition=[All] level=Administrator tty=ssh host=x.x.x.x attempts=1 start="Wed Feb 8 21:28:26 2012" end="Wed Feb 8 21:28:26 2012".
Feb 8 21:28:26 local/lb1-1 info sshd(pam_audit)[19611]: 01070417:6: AUDIT - user test - RAW: sshd(pam_audit): user=test(test) partition=[All] level=Administrator tty=ssh host=194.126.115.33 attempts=1 start="Wed Feb 8 21:28:26 2012" end="Wed Feb 8 21:28:26 2012".

Is it by design like this?

If I disable remote authentication, then I can log in without a password. Tried to change "terminal access" from advanced shell to tmsh as well, but it did not help...

Any ideas?


6 Replies

  • "is it by design like this?"

    Yes, I understand it is by design.

    Note: As with all remote authentication configurations, if the configured TACACS+ server is unavailable to answer authentication requests, the BIG-IP system will use the local user account database for authentication; in addition, only locally-defined user accounts, such as the default admin WebUI account and the root command line account, will be able to log in to the system.

    sol8811: Configuring remote TACACS+ authentication for local BIG-IP administrative users
    http://support.f5.com/kb/en-us/solutions/public/8000/800/sol8811.html
  • Did this change in 10.2? I was able to log in with a local user via public key auth and with tacacs+ defined while I was running 10.1. Yesterday I upgraded to 10.2.3 and I'm getting the same errors in my /var/log/secure logs as TK:

    Feb 28 10:20:17 local/MY-BIGIP crit sshd[13317]: fatal: Access denied for user my_user by PAM account configuration

    It seems like there should be an update you can make to /config/bigip/pam.d/sshd to allow this to work? Or maybe someplace else?
    • alois_2269

      I have the same error. Tried the documentation:

      https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13454.html

      But did not carefully read the prerequisites:

      You must meet the following prerequisites to use this procedure:

      • You are familiar with SSH protocol
      • You are familiar with the vi text editor
      • Your BIG-IP system is configured to use the local user directory for system authentication

      I tried the following procedures:

      • Switch off the remote authentication -> ssh-key auth works :-)
      • Turn on remote authentication -> ssh-key auth does not work anymore :-(

      Any suggestions? Seems no local auth will work if remote auth is running/configured.
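The /var/log/secure lines quoted in this thread all show the same shape: pam_tacplus reports the user as not authenticated, and in the same second sshd logs "Access denied ... by PAM account configuration", i.e. the rejection happens at the PAM account stage, not at key verification. The script below is an added triage example written for this page, not code from the thread or from F5. It parses sshd/pam_audit syslog lines, joins them per host and second (the parent sshd and the per-session child log under different PIDs, 19611 and 19612 above, so PID is not a usable join key), and reports each account-stage denial together with whether a TACACS+ rejection was logged alongside it and which remote host the audit line recorded. The sample log is constructed from the lines quoted in the posts; the function and pattern names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the sshd lines quoted in the original post and in the
# 10.2.3 follow-up, verbatim apart from being gathered into one excerpt.
SAMPLE_LOG = """\
Feb 8 21:28:26 local/lb1-1 notice sshd[19611]: pam_tacplus: user not authenticated by TACACS+
Feb 8 21:28:26 local/lb1-1 crit sshd[19612]: fatal: Access denied for user test by PAM account configuration
Feb 8 21:28:26 local/lb1-1 info sshd(pam_audit)[19611]: user=test(test) partition=[All] level=Administrator tty=ssh host=x.x.x.x attempts=1 start="Wed Feb 8 21:28:26 2012" end="Wed Feb 8 21:28:26 2012".
Feb 28 10:20:17 local/MY-BIGIP crit sshd[13317]: fatal: Access denied for user my_user by PAM account configuration
"""

# Syslog prefix as BIG-IP writes it: "<month> <day> <time> <host> <severity> <prog>[<pid>]: <msg>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<prog>sshd(?:\(pam_audit\))?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
TACACS_FAIL_RE = re.compile(r"pam_tacplus: user not authenticated by TACACS\+")
ACCOUNT_DENY_RE = re.compile(
    r"fatal: Access denied for user (?P<user>\S+) by PAM account configuration"
)
# pam_audit line: user=<name>(<name>) ... host=<remote>
AUDIT_RE = re.compile(r"user=(?P<user>[^(\s]+)\([^)]*\) .*?\bhost=(?P<remote>\S+)")


def parse_secure_log(text):
    """Split syslog-style sshd lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def triage_ssh_denials(text):
    """Return one finding per account-stage denial sshd logged.

    Each finding carries the host, timestamp, denied user, the remote address from
    the pam_audit line (None if no audit line was captured) and a verdict saying
    whether pam_tacplus rejected the user in the same second on the same host.
    """
    events = parse_secure_log(text)
    # Bucket by (host, second): the privileged parent and the session child log
    # under different PIDs, so PID cannot be used to tie the messages together.
    buckets = defaultdict(list)
    for ev in events:
        buckets[(ev["host"], ev["ts"])].append(ev)

    findings = []
    for (host, ts), evs in sorted(buckets.items()):
        tacacs_rejected = any(TACACS_FAIL_RE.search(e["msg"]) for e in evs)
        remotes = {}
        for e in evs:
            a = AUDIT_RE.search(e["msg"])
            if a:
                remotes[a["user"]] = a["remote"]
        for e in evs:
            d = ACCOUNT_DENY_RE.search(e["msg"])
            if not d:
                continue
            user = d["user"]
            if tacacs_rejected:
                verdict = ("denied at PAM account stage; pam_tacplus reported the user "
                           "as not authenticated by TACACS+ in the same second")
            else:
                verdict = ("denied at PAM account stage; no pam_tacplus rejection "
                           "logged in the same second")
            findings.append({"host": host, "ts": ts, "user": user,
                             "remote": remotes.get(user), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage_ssh_denials(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} user={f['user']} from={f['remote']}: {f['verdict']}")
```

Run it against a real /var/log/secure by reading the file into `triage_ssh_denials`; denials that carry a pam_tacplus rejection in the same second are the pattern this thread describes (a locally-defined account reaching the account stack while remote authentication is enabled), while denials without one deserve a separate look, since they may be an unrelated account restriction.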
