so I configured pam with tacplus to authenticate ssh connections against a tacacs server, but now when users log in (to local accounts not using the tacplus authentication) they cant use other commands such as passwd and su which are being restricted by pam. Here is what I see in /var/logmessages:

Aug 11 09:38:07 linux PAM-warn[26364]: function=[pam_sm_chauthtok] service=[passwd] terminal=[<unknown>] user=[cdeedc] ruser=[<unknown>] rhost=[<unknown>]


Where do I need ot make changes so that these additional commands are not looking to pam for authorization, or how do I authorize users to execute these commands using PAM?

right now /etc/pam.d/passwd is as it was when I installed pam the the exception of commenting every line out in an attempt to kill the authorization:

#%PAM-1.0
#auth required pam_unix2.so nullok
#account required pam_unix2.so
#password required pam_pwcheck.so nullok
#password required pam_unix2.so nullok use_first_pass use_authtok
#password required pam_make.so /var/yp
#session required pam_unix2.so


TIA

Umm... the same way you configured pam for ssh?

Why do you want to do this? Do want remote user to authenticate w/ tacacs (Your cisco router, right) and local users not to authenticate at all? Why not have everyone authenticate to the router? (I'm total unfamiliar with tacacs)

Good Luck,
chris

I figured it out.......stupid me

Im running suse and in yast you can set a security level for the box

I set it to paranoid, which apparently supercedes file permissions that you have set and disables certain commands (like su)

my pam configuration was fine i just had to crank the suse security setting backa notch