Hello all,
So I am running a custom Kirkstone build and I have successfully cross-compiled a pam_tacacs module into it. I have configured the common_* PAM files to use TACACS for serial console logins and it works as expected. I am having a really hard time getting the same to work for SSH logins (via dropbear). Modifying the dropbear file within the pam.d directory seems to have no effect at all. I am hoping that someone here has some kind of advice on how to proceed.
Thanks
Hi @morgan1361
I have not ever tried this myself but I did see this link which seems to imply that you need to patch the dropbear recipe in your local layer. Interestingly it seems that the kirkstone branch of openembedded-core contains a patch that looks an awful lot like the one on that wiki page so maybe the wiki page is out-of-date.
I’ll try a build locally and see what I can find. I won’t be able to actually test TACACS but I’ll see if I see anything obviously wrong in the dropbear/PAM configuration.
In the meantime, can you provide logs from your system? Specifically, if you stop the dropbear socket and run the service manually from the serial console, it may be instructive. On my setup I did the following:
# systemctl stop dropbear.socket
# /usr/sbin/dropbear -FE -r /etc/dropbear/dropbear_rsa_host_key
[659] Oct 24 21:29:07 Not backgrounding
[663] Oct 24 21:29:19 Child connection from 192.168.17.41:44696
[663] Oct 24 21:29:19 Exit before auth from <192.168.17.41:44696>: Exited normally
[664] Oct 24 21:29:19 Child connection from 192.168.17.41:44698
[664] Oct 24 21:29:23 PAM password auth succeeded for 'root' from 192.168.17.41:44698
I tried to connect from my dev machine and you can see the PAM password auth succeeded. Hopefully that will tell us something.
Regards,
Drew Moseley
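As an added example (not part of the thread and not the project's own code), the following POSIX shell functions read the foreground `dropbear -FE` output suggested above and report whether password logins went through PAM or through dropbear's own password check. The function names and the second sample log are constructed for illustration. Every message prefix other than "PAM password auth succeeded", which appears in the log above, is an assumption about dropbear's log wording; "plain" would mean the PAM files were not consulted for that login.

```shell
#!/bin/sh
# Added example: classify dropbear log lines by authentication path.
# Assumption: besides "PAM password auth succeeded" (seen in the thread),
# the prefixes matched below follow dropbear's usual log wording.

# Prints one line per password event: <path> <result> <user> <source>
dropbear_auth_events() {
    awk '
        function emit(path, result,    q, src) {
            split($0, q, "\047")             # q[2] = user between single quotes
            src = $0; sub(/.* from /, "", src)
            print path, result, q[2], src
        }
        /PAM password auth succeeded for / { emit("pam", "ok"); next }
        /Bad PAM password attempt for /    { emit("pam", "fail"); next }
        /Password auth succeeded for /     { emit("plain", "ok"); next }
        /Bad password attempt for /        { emit("plain", "fail"); next }
    '
}

# Prints "pam", "plain" or "none" for the whole log read on stdin.
dropbear_auth_path() {
    dropbear_auth_events | awk '
        $1 == "pam"   { pam = 1 }
        $1 == "plain" { plain = 1 }
        END { print (pam ? "pam" : (plain ? "plain" : "none")) }'
}

# Sample 1: the two relevant lines from the log posted in the thread.
SAMPLE_PAM="[664] Oct 24 21:29:19 Child connection from 192.168.17.41:44698
[664] Oct 24 21:29:23 PAM password auth succeeded for 'root' from 192.168.17.41:44698"

# Sample 2: constructed lines showing the non-PAM wording (documentation IPs).
SAMPLE_PLAIN="[701] Oct 24 21:40:02 Child connection from 192.0.2.10:50000
[701] Oct 24 21:40:05 Bad password attempt for 'admin' from 192.0.2.10:50000
[701] Oct 24 21:40:09 Password auth succeeded for 'admin' from 192.0.2.10:50000"

printf '%s\n' "$SAMPLE_PAM"   | dropbear_auth_path
printf '%s\n' "$SAMPLE_PLAIN" | dropbear_auth_events
```

On a device, the captured output of the manual dropbear run can be piped into `dropbear_auth_path` in place of the sample variables.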