Authenticate Linux sshd with TACACS+ (Cisco ACS)

Our network engineering team uses multiple Linux servers for syslog collection, configuration backups, TFTP, etc.

We want to use TACACS+ on a Cisco ACS machine as our central authentication server, where we can change passwords and account for user activity on these Linux servers. We also need to fall back to the static password in case the TACACS+ service is down.

How do we make sshd on CentOS authenticate against our Cisco ACS TACACS+ server?

NOTE: I am answering my own question.

Assumptions

  • We are compiling pam_tacplus.so from v1.3.7 of the pam_tacplus library.
  • The Cisco ACS server is 192.0.2.27, and the TACACS+ secret key is d0nttr3@d0nm3.

Installation Instructions

  1. Add the Linux server's hostname / IP address into Cisco ACS and restart the Cisco ACS service.
  2. Download the TACACS+ PAM module from SourceForge.
  3. Install the PAM development package for your Linux distro. RHEL / CentOS call it pam-devel; Debian / Ubuntu call it libpam-dev (a virtual package name for libpam0g-dev).
  4. Untar the TACACS+ PAM module into a temporary working directory (tar xvfz pam_tacplus-1.3.7.tar.gz).
  5. cd into the new folder created by tar.
  6. As root: ./configure; make; make install
  7. As root, edit /etc/pam.d/sshd, and add this line as the first entry in the file:

    auth include tacacs

  8. As root, create a new file called /etc/pam.d/tacacs:

    #%PAM-1.0
    auth       sufficient   /usr/local/lib/security/pam_tacplus.so debug server=192.0.2.27 secret=d0nttr3@d0nm3
    account    sufficient   /usr/local/lib/security/pam_tacplus.so debug server=192.0.2.27 secret=d0nttr3@d0nm3 service=shell protocol=ssh
    session    sufficient   /usr/local/lib/security/pam_tacplus.so debug server=192.0.2.27 secret=d0nttr3@d0nm3 service=shell protocol=ssh

Per-Server / Per-user Instructions

As root on each server, create a local Linux user account that matches the TACACS+ username for all required users. The users can optionally use passwd to set their local password to whatever they like as a last resort; however, if they set a local password, they will be able to log in locally at any time without TACACS+, even if the service is available.

pam_tacplus Service information

The details of how the pam_tacplus.so module works are in this pam-list archived email.
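The following script is an added example and is not part of the original answer or the pam_tacplus project. It checks the two files from the answer for the properties the setup depends on: TACACS+ consulted first in the sshd stack, `sufficient` on every pam_tacplus line so the local-password fallback survives an ACS outage, the file holding `secret=` not world-readable, and `debug` removed once things work. The demo section constructs copies of the answer's files in a temporary directory; run the functions against /etc/pam.d/sshd and /etc/pam.d/tacacs on a real host.

```shell
#!/bin/sh
# Added example, not part of the original answer: sanity checks for the
# pam_tacplus stack described above. Each check takes the path of a pam.d
# file, so it can be run against /etc/pam.d/sshd and /etc/pam.d/tacacs or
# against constructed copies. Returns 0 on pass, 1 on fail.

# First active line of the sshd stack must be "auth include tacacs" so that
# TACACS+ is consulted before the local password modules.
first_auth_is_tacacs() {
    first=$(awk '!/^[[:space:]]*#/ && NF { $1 = $1; print; exit }' "$1")
    [ "$first" = "auth include tacacs" ]
}

# Every active line loading pam_tacplus.so must use "sufficient": with
# "required" or "requisite", an unreachable ACS server would also block the
# local-password fallback the question asks for.
tacplus_lines_sufficient() {
    bad=$(awk '!/^[[:space:]]*#/ && /pam_tacplus\.so/ && $2 != "sufficient"' "$1")
    [ -z "$bad" ]
}

# A file that embeds the shared key (secret=...) must not be readable by
# "others"; pam.d files are commonly 0644, which would expose the key.
secret_file_not_world_readable() {
    grep -q 'secret=' "$1" || return 0
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# "debug" makes pam_tacplus log verbosely to syslog; drop it once it works.
no_debug_flag() {
    hits=$(awk '!/^[[:space:]]*#/ && /pam_tacplus\.so/ && / debug( |$)/' "$1")
    [ -z "$hits" ]
}

# Demo on constructed copies of the two files from the answer.
tmp=$(mktemp -d)
printf 'auth include tacacs\nauth include system-auth\n' > "$tmp/sshd"
cat > "$tmp/tacacs" <<'EOF'
#%PAM-1.0
auth    sufficient /usr/local/lib/security/pam_tacplus.so debug server=192.0.2.27 secret=d0nttr3@d0nm3
account sufficient /usr/local/lib/security/pam_tacplus.so debug server=192.0.2.27 secret=d0nttr3@d0nm3 service=shell protocol=ssh
EOF
chmod 600 "$tmp/tacacs"
for check in "first_auth_is_tacacs $tmp/sshd" "tacplus_lines_sufficient $tmp/tacacs" \
             "secret_file_not_world_readable $tmp/tacacs" "no_debug_flag $tmp/tacacs"; do
    if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fi
done
rm -rf "$tmp"
```

The demo reports FAIL for no_debug_flag because the answer's file still carries `debug`, which is the expected state right after installation.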