March 09, 2004

TACACS + Linux    [ Software ]

I've recently had to set up TACACS+ authentication on some Linux boxes (in place of NIS, LDAP, or other distributed auth systems), so here's a bit of documentation - as much for my own records as for anyone else to use:

Setting up TACACS+ authentication from a Linux box to a Cisco SecureACS 3.2 server
Version 1.0, last updated 20040309 edobbs

Tested with RedHat 9.0/x86 and Debian 3.0/x86

Results:

  • Allows SSH access to local accounts that have valid local passwords (e.g. 'root'), where the local configuration permits it

  • Allows TACACS+ authentication for any local account whose name matches a user defined on the TACACS+ server

  • Local accounts meant for TACACS-only use do not (and SHOULD not) have a local password assigned: pam_tacplus is stacked as 'sufficient' with the local Unix check behind it, so a local password would let the account log in even when the TACACS+ server rejects it

  • Normal login-restriction utilities ('touch /etc/nologin') work as normal

Steps:

  • Download pam_tacplus from http://echelon.pl/pubs/pam_tacplus-1.2.9.tar.gz

  • Install the PAM development libraries: under Debian, '# apt-get install libpam0g-dev'; under RedHat, '# rpm -Uvh pam-devel-X.YY-ZZ.arch.rpm'

  • '$ tar xvfz pam_tacplus-1.2.9.tar.gz'

  • '$ make'

  • '# make install'

  • Create a TACACS+ client entry for the Linux host on the SecureACS server, using 'MySecret' as the shared secret key

  • Create /etc/pam.d/tacacs (1.2.3.4 = primary TACACS server, 1.2.3.8 = secondary TACACS server; the '\' character indicates that the line wraps):

    #%PAM-1.0
    auth       sufficient   /lib/security/pam_tacplus.so debug server=1.2.3.4  \
                            server=1.2.3.8 secret=MySecret encrypt
    account    sufficient   /lib/security/pam_tacplus.so debug server=1.2.3.4  \
                            server=1.2.3.8 secret=MySecret encrypt service=shell protocol=ssh
    session    sufficient   /lib/security/pam_tacplus.so debug server=1.2.3.4  \
                            server=1.2.3.8 secret=MySecret encrypt service=shell protocol=ssh


  • Debian: edit /etc/pam.d/ssh and insert '@include tacacs' just above '@include common-auth':

    # PAM configuration for the Secure Shell service
    # Disallow non-root logins when /etc/nologin exists.
    auth       required     pam_nologin.so
    # Read environment variables from /etc/environment and
    # /etc/security/pam_env.conf.
    auth       required     pam_env.so # [1]
    # TACACS authentication
    @include tacacs
    # Standard Un*x authentication.
    @include common-auth
    # Standard Un*x authorization.
    @include common-account
    # Standard Un*x session setup and teardown.
    @include common-session


  • RedHat: edit /etc/pam.d/sshd so that it reads as follows:

    #%PAM-1.0
    auth       sufficient   pam_stack.so service=tacacs
    auth       required     pam_stack.so service=system-auth
    auth       required     pam_nologin.so
    account    sufficient   pam_stack.so service=tacacs
    account    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth
    session    sufficient   pam_stack.so service=tacacs
    session    required     pam_stack.so service=system-auth
    session    required     pam_limits.so
    session    optional     pam_console.so


  • Test and verify correct operation

  • Remove the 'debug' argument from the pam_tacplus lines in /etc/pam.d/tacacs (included from /etc/pam.d/ssh[d]) for production use
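As an added example (not part of the original post), here is a small Python simulator of the Linux-PAM 'required'/'sufficient' rules applied to the Debian 'auth' stack built above. It assumes common-auth holds the usual single pam_unix.so line, and the module verdicts are constructed inputs rather than a real PAM run, so it shows why each of the results listed at the top falls out of the module order.

```python
PAM_SUCCESS, PAM_FAIL = "success", "fail"

# /etc/pam.d/ssh 'auth' stack with '@include tacacs' in place, flattened in order.
# Assumption: common-auth holds the usual single 'auth required pam_unix.so' line.
DEBIAN_SSH_AUTH = [
    ("required", "pam_nologin"),
    ("required", "pam_env"),
    ("sufficient", "pam_tacplus"),  # from /etc/pam.d/tacacs
    ("required", "pam_unix"),       # from @include common-auth (assumed)
]

def run_stack(stack, verdicts):
    """Evaluate one auth attempt; return (result, modules actually consulted).

    verdicts maps module name -> PAM_SUCCESS / PAM_FAIL (missing = success).
    required:   a failure is remembered, but later modules still run.
    sufficient: success ends the stack successfully unless an earlier required
                module already failed; a failure is simply ignored.
    """
    required_failed = False
    consulted = []
    for control, module in stack:
        consulted.append(module)
        verdict = verdicts.get(module, PAM_SUCCESS)
        if control == "required" and verdict == PAM_FAIL:
            required_failed = True
        elif control == "sufficient" and verdict == PAM_SUCCESS and not required_failed:
            return PAM_SUCCESS, consulted
    return (PAM_FAIL if required_failed else PAM_SUCCESS), consulted

def ssh_login(local_password_ok, tacacs_ok, nologin_denies=False):
    """Translate a login scenario into module verdicts (constructed, no real PAM)."""
    verdicts = {
        "pam_nologin": PAM_FAIL if nologin_denies else PAM_SUCCESS,
        "pam_tacplus": PAM_SUCCESS if tacacs_ok else PAM_FAIL,
        "pam_unix": PAM_SUCCESS if local_password_ok else PAM_FAIL,
    }
    return run_stack(DEBIAN_SSH_AUTH, verdicts)

if __name__ == "__main__":
    # 'root' with a valid local password while both TACACS+ servers are down gets in
    # via pam_unix; a TACACS-only account mistakenly given a local password takes
    # exactly the same path, which is why such accounts must have no local password.
    print(ssh_login(local_password_ok=True, tacacs_ok=False))
    # TACACS+ user accepted by the server: the stack stops, pam_unix is never consulted
    print(ssh_login(local_password_ok=False, tacacs_ok=True))
    # TACACS-only account (no local password) rejected by TACACS+: denied
    print(ssh_login(local_password_ok=False, tacacs_ok=False))
    # /etc/nologin present: the earlier 'required' failure disables the 'sufficient' shortcut
    print(ssh_login(local_password_ok=False, tacacs_ok=True, nologin_denies=True))
```

Note that the RedHat sshd stack lists pam_nologin after the 'sufficient' tacacs line, so under these rules the PAM auth stack returns before reaching it whenever TACACS+ accepts the user (sshd's own /etc/nologin check is separate from PAM); the Debian ordering above does not have that gap.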

Posted by edobbs at March 9, 2004 11:27 AM