Passwd changing with pam_tacplus? #35
Comments
joakim-tjernlund [email protected] wrote:
It shouldn't be too hard to add, the infrastructure is all there, if the Dave Olson
I implemented it on my fork. It diverged a bit from this repo but has full support for password change, changing from prompt when password expired. All tested against Cisco ACS backend and OpenSSH on client.
On Thu, 2015-10-01 at 08:46 -0700, Guy Thouret wrote:
This is really great! Also it should be pushed upstream, any plans to do that? Jocke
I diverged a bit from upstream during development so it's not going to merge easily. I intended to clean things up and rebase the feature from upstream but never found the time to do it. Looking through my commits most changes are separated fairly well so shouldn't be too much work. I don't have a test environment set up any more to test this though.
I had done this too. You could also make it occur at first auth, which policies with Cisco ACS often require. One of the biggest changes from what I recall was how the interaction with PAM/OpenSSH worked. You have to support challenge/response in OpenSSH for the exchange with the backend to work as expected.
benschumacher, do you have source online somewhere?
Let me upload what I've got in some form. I've been intending to put together PRs, but haven't quite found the time, and have changed focus in my day job, so not so much support there from my new team.
benschumacher, did you commit your source somewhere?
From what I can tell TACACS+ supports changing passwd on the server.
Is there any support for this? If not, could it be added?