Unlike FreeRadius, which is a very similar package, Gentoo currently doesn't ship a PAM configuration file for the tac_plus package by default. This means that out of the box the tac_plus ebuild won't work with PAM authentication on account of the missing config file. Debugging this problem is not entirely trivial, as the end user authentication just fails in the application.

The documentation/wiki at http://wiki.gentoo.org/wiki/TACACS_Server_using_tac_plus gives an example of how to set tac_plus to use PAM authentication, but this doesn't actually work, as there's no tac_plus file installed in the /etc/pam.d/ directory. This leads to cases where we may set PAM in the config file but it fails to authenticate. Back-ending tac_plus to PAM is fairly common, especially for authenticating management-level access to a server or networking device.

Adding a file called 'tac_plus' to the /etc/pam.d/ directory with these contents:

    auth       include      system-auth
    account    include      system-auth
    password   include      system-auth
    session    include      system-auth

(which are the same as what FreeRadius ships in its pam.d file) resolves the problem. Fedora and Red Hat install this file by default, and for good reason. I believe we should too.
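Added example (not part of the bug report or the Gentoo ebuild): when a service has no file in /etc/pam.d, Linux-PAM falls back to the "other" service, so the failure only shows up as a rejected login. The hypothetical helper pam_missing_types below lists which of the four management groups have no rule for a service; it runs here against a constructed scratch directory rather than the real /etc/pam.d.

```shell
#!/bin/sh
# Added example: list the PAM management groups that have no rule for a service.
# Usage: pam_missing_types <pam.d directory> <service name>
pam_missing_types() {
    dir=$1; svc=$2; missing=""
    for grp in auth account password session; do
        # A rule is "<type> <control> <module>"; a leading "-" on the type is
        # legal PAM syntax, and lines starting with "#" are comments.
        if [ ! -f "$dir/$svc" ] || ! grep -Eq \
            "^[[:space:]]*-?${grp}[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]" \
            "$dir/$svc"; then
            missing="$missing $grp"
        fi
    done
    # Empty output means all four groups are covered.
    echo "${missing# }"
}

# Constructed sample: a scratch directory standing in for /etc/pam.d.
demo_dir=$(mktemp -d)
echo "before: missing [$(pam_missing_types "$demo_dir" tac_plus)]"
printf '%s include system-auth\n' auth account password session > "$demo_dir/tac_plus"
echo "after:  missing [$(pam_missing_types "$demo_dir" tac_plus)]"
rm -rf "$demo_dir"
```

On a real host, pass /etc/pam.d as the directory and tac_plus as the service name.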
Could you please attach this PAM configuration file to the bug with the correct filename, and I will add an -r1 ebuild for you. (At your option you can supply an ebuild diff or leave this aspect to me)
Created attachment 399722: Add pam.d support to the ebuild
I've discovered since that there's actually a much smarter and more "Gentoo" way of doing this - there's a pam.eclass which creates the pam.d file automagically! I have attached my very minor patch to the ebuild which takes care of creating this file. With this patch there's no need to manually install the file as the ebuild generates and installs it. There's a case that there should be a "pam" USE flag, but that's probably a separate matter entirely and can build on this change if/when that's implemented anyway.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=591699ea45d46e23808c2286cc060c09e0a83c97

commit 591699ea45d46e23808c2286cc060c09e0a83c97
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-03-30 21:28:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-03-30 21:45:43 +0000

    net-nds/tac_plus: install PAM configuration file

    Thanks-to: Reuben Farrelly <reuben-gentoo-bugzilla@reub.net>
    Closes: https://bugs.gentoo.org/474860
    Signed-off-by: Sam James <sam@gentoo.org>

 net-nds/tac_plus/tac_plus-4.0.4.27a-r1.ebuild | 67 +++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)