Authenticate Linux sshd with TACACS+ (Cisco ACS)
Our network engineering team uses multiple linux servers for syslog collection, configuration backups, tftp, etc.
We want to use TACACS+ on a Cisco ACS machine as our central authentication server where we can change passwords and account for user activity on these linux servers. We also need to fall back to the static password in case the tacacs+ service is down.
How do we make sshd on CentOS authenticate against our Cisco ACS tacacs+ server?
NOTE: I am answering my own question
Assumptions
- We are compiling pam_tacplus.so from v1.3.7 of the pam_tacplus library
- The Cisco ACS server is 192.0.2.27, and the secret tacacs+ key is d0nttr3@d0nm3
Installation Instructions
- Add the linux server's hostname / ip address into Cisco ACS and restart the Cisco ACS service
- Download the tacacs+ PAM module from SourceForge.
- Install the pam development package for your linux distro. RHEL / CentOS call it pam-devel; Debian / Ubuntu call it libpam-dev (a virtual package name for libpam0g-dev).
- Untar the tacacs+ pam module into a temporary working directory (tar xvfz pam_tacplus-1.3.7.tar.gz)
- cd into the new folder created by tar.
- As root: ./configure; make; make install
- As root, edit /etc/pam.d/sshd, and add this line as the first entry in the file: auth include tacacs
- As root, create a new file called /etc/pam.d/tacacs:

    #%PAM-1.0
    auth sufficient /usr/local/lib/security/pam_tacplus.so debug server=192.0.2.27 secret=d0nttr3@d0nm3
    account sufficient /usr/local/lib/security/pam_tacplus.so debug server=192.0.2.27 secret=d0nttr3@d0nm3 service=shell protocol=ssh
    session sufficient /usr/local/lib/security/pam_tacplus.so debug server=192.0.2.27 secret=d0nttr3@d0nm3 service=shell protocol=ssh
Per-Server / Per-user Instructions
As root on each server, create a local linux user account that matches the tacacs+ username for all required users. The users can optionally use passwd to set their local password to whatever they like as a last resort; however, if they set a local password, they will be able to log in locally at any time without tacacs+ even if the service is available.
pam_tacplus Service information
The details of how the pam_tacplus.so module works are in this pam-list archived email.
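As an added example that is not part of the answer above, the following POSIX sh helpers render the /etc/pam.d/tacacs file from the answer and check the two properties the setup depends on: that /etc/pam.d/sshd consults tacacs first, and that every pam_tacplus entry stays "sufficient" so the local password still works when the ACS is unreachable. The helper names, the scratch-directory usage and the root-only file mode are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original answer): render /etc/pam.d/tacacs
# and check the sshd ordering and the "sufficient" fallback property.

# render_tacacs_pam OUTFILE SERVER SECRET
# Writes the three pam_tacplus entries. Each is "sufficient": a TACACS+
# success satisfies that stack; anything else falls through to the modules
# that follow "auth include tacacs" in /etc/pam.d/sshd (the local password).
render_tacacs_pam() {
    out=$1; server=$2; secret=$3
    mod=/usr/local/lib/security/pam_tacplus.so
    (
        umask 077   # file holds the shared secret; root is its only reader
        {
            printf '#%%PAM-1.0\n'
            printf 'auth    sufficient %s debug server=%s secret=%s\n' "$mod" "$server" "$secret"
            printf 'account sufficient %s debug server=%s secret=%s service=shell protocol=ssh\n' "$mod" "$server" "$secret"
            printf 'session sufficient %s debug server=%s secret=%s service=shell protocol=ssh\n' "$mod" "$server" "$secret"
        } > "$out"
    )
}

# check_sshd_pam SSHD_PAM_FILE
# Succeeds only when the first non-comment entry is "auth include tacacs",
# i.e. the ACS is consulted before the distro's own password modules.
check_sshd_pam() {
    awk '!/^[ \t]*(#|$)/ { seen = 1
                            exit (($1 == "auth" && $2 == "include" && $3 == "tacacs") ? 0 : 1) }
         END { if (!seen) exit 1 }' "$1"
}

# fallback_preserved TACACS_PAM_FILE
# Succeeds when every pam_tacplus.so entry is "sufficient". A "required" or
# "requisite" entry would let an unreachable ACS block the local password too.
fallback_preserved() {
    bad=$(awk '!/^[ \t]*#/ && /pam_tacplus\.so/ && $2 != "sufficient" { n++ }
               END { print n + 0 }' "$1")
    [ "$bad" -eq 0 ]
}

# Stand-alone run against a scratch directory, never against /etc directly.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    render_tacacs_pam "$dir/tacacs" 192.0.2.27 'd0nttr3@d0nm3'
    fallback_preserved "$dir/tacacs" && echo "tacacs stack keeps the local fallback"
    cat "$dir/tacacs"
fi
```

Run it with --demo to see the rendered file in a scratch directory; point check_sshd_pam at /etc/pam.d/sshd after editing it to confirm the include landed first.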