Authenticate Linux sshd with TACACS+ (Cisco ACS)

ssh linux authentication cisco tacacs+

Our network engineering team uses multiple linux servers for syslog collection, configuration backups, tftp, etc...

We want to use TACACS+ on a Cisco ACS machine as our central authentication server where we can change passwords and account for user activity on these linux servers. We also need to fall back to the static password in case the tacacs+ service is down.

How do we make sshd on CentOS authenticate against our Cisco ACS tacacs+ server?

NOTE: I am answering my own question


Assumptions

  • We are compiling pam_tacplus.so from v1.3.7 of the pam_tacplus library
  • The Cisco ACS server is 192.0.2.27, and the secret tacacs+ key is d0nttr3@d0nm3

Installation Instructions

  1. Add the linux server's hostname / ip address into Cisco ACS and restart the Cisco ACS service
  2. Download the tacacs+ PAM module from SourceForge.
  3. Install pam development package for your linux distro. RHEL / CentOS call it pam-devel; Debian / Ubuntu call it libpam-dev (a virtual package name for libpam0g-dev).
  4. Untar the tacacs+ pam module into a temporary working directory (tar xvfz pam_tacplus-1.3.7.tar.gz)
  5. cd into the new folder created by tar.
  6. As root: ./configure; make; make install

  7. As root, edit /etc/pam.d/sshd, and add this line as the first entry in the file:

    auth include tacacs

  8. As root, create a new file called /etc/pam.d/tacacs:

    #%PAM-1.0
    auth       sufficient   /usr/local/lib/security/pam_tacplus.so debug server=192.0.2.27 secret=d0nttr3@d0nm3
    account    sufficient   /usr/local/lib/security/pam_tacplus.so debug server=192.0.2.27 secret=d0nttr3@d0nm3 service=shell protocol=ssh
    session    sufficient   /usr/local/lib/security/pam_tacplus.so debug server=192.0.2.27 secret=d0nttr3@d0nm3 service=shell protocol=ssh

Per-Server / Per-user Instructions

As root on each server, create a local linux user account that matches the tacacs+ username for all required users. The users can optionally use passwd to set their local password to whatever they like as a last resort; however, if they set a local password, they will be able to login locally at any time without tacacs+ even if the service is available.

pam_tacplus Service information

The details of how the pam_tacplus.so module works are in this pam-list archived email

Related

Nginx duplicate default server error
How to use new-smbshare with Powershell 3.0 on Windows 7?
How can I generate a command for start-stop-daemon that will kill the process if it doesn't term during a timeout period?
NAT: If two hosts initiate a connection to the same IP:PORT, with the same source PORT, how does the router handle it?
New event log nowhere to be found after creating in PowerShell
IMAP standard folder names - "Junk" or "Spam"
Tridion 2011 SP1 OData Web Service
How to use 'disk from remote desktop connection' on Windows Server Core?
Find locked out accounts in Active Directory (a way that actually works!)
mdadm --zero-superblock on disks with other partitions on them
How to keep subtree removal (`rm -rf`) from starving other processes for Disk I/O?
Root filesystem filling up, no big files