Wednesday, March 19, 2014

Authenticate Linux sshd with TACACS+ server

Step 1: Download and install the pam_tacplus module from the source code in its Git repository
            Go to the URL https://github.com/jeroennijhof/pam_tacplus/
            Click on the "Download ZIP" button and save the file.
            unzip pam_tacplus-master.zip;
            cd pam_tacplus-master;
            autoreconf --install
            autoconf
            automake --add-missing
            make;
            make install

Step 2: Add the following line to /etc/pam.d/sshd
            auth       include      tacacs

Step 3: Create and edit the file "/etc/pam.d/tacacs". Set the server and secret to match your TACACS+ server.
            #%PAM-1.0
            auth       sufficient   /usr/local/lib/security/pam_tacplus.so  debug   server=172.19.1.206 secret=MYKEY
            account    sufficient   /usr/local/lib/security/pam_tacplus.so  debug   server=172.19.1.206 secret=MYKEY    service=shell   protocol=ssh
            session    sufficient   /usr/local/lib/security/pam_tacplus.so  debug   server=172.19.1.206 secret=MYKEY    service=shell   protocol=ssh

Step 4: Create the local user accounts. You may set a local password for them so that login falls back to local authentication if the TACACS+ server is unavailable.
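The following is an added example, not code from this post or from pam_tacplus: a small Python model of how PAM evaluates the auth stack built in Steps 2 to 4, with constructed file contents (the sshd file is assumed to keep a local pam_unix.so line after the include). It shows that the all-"sufficient" tacacs stack denies on its own when the server does not answer, so the local password from Step 4 is what provides the fallback, and that the include must come before the local line.

```python
# Added example (not code from the post): a simplified Linux-PAM auth-stack
# evaluator that flattens 'include' lines and applies the control flags, to show
# how the post's /etc/pam.d/tacacs stack behaves inside sshd's stack. File contents
# are constructed; sshd is assumed to keep a local 'auth required pam_unix.so' line.
PAM_FILES = {
    "tacacs": """#%PAM-1.0
auth  sufficient  /usr/local/lib/security/pam_tacplus.so debug server=172.19.1.206 secret=MYKEY
""",
    "sshd": """auth  include   tacacs
auth  required  pam_unix.so
""",
}

def parse(name, mtype="auth"):
    """Return the flattened [(control, module)] list for one management type."""
    stack = []
    for line in PAM_FILES[name].splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != mtype:      # skips comments/blank lines
            continue
        control, module = fields[1], fields[2]
        if control == "include":                       # splice the included file
            stack.extend(parse(module, mtype))
        else:
            stack.append((control, module.rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, results):
    """Simplified Linux-PAM semantics; results maps module name -> pass (True)/fail.

    'required' failure is remembered but later modules still run; 'requisite'
    failure returns at once; 'sufficient' success ends the stack unless a
    'required' module already failed; a stack where every result was ignored
    (e.g. only failing 'sufficient' lines) denies access."""
    failed = decided = False
    for control, module in stack:
        ok = results.get(module, False)                # unreachable server = fail
        if control == "required":
            decided, failed = True, failed or not ok
        elif control == "requisite":
            if not ok:
                return False
            decided = True
        elif control == "sufficient" and ok and not failed:
            return True
    return decided and not failed

def ssh_login(tacacs_ok, local_ok):
    """Outcome of sshd's auth stack for given TACACS+ and local-password results."""
    return evaluate(parse("sshd"), {"pam_tacplus.so": tacacs_ok, "pam_unix.so": local_ok})
```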

Reference: http://serverfault.com/questions/425020/authenticate-linux-sshd-with-tacacs-cisco-acs


2 comments:

  1. Hello there, have you implemented such a system in your environment?

    I am struggling to get it done.

    Thanks in advance

  2. Yes, we had implemented it in a demo setup.
