
I'd like to know how to authorize (only allow a set of commands) users on the Linux console (bash). I'm so far able to authenticate ssh users over TACACS+, but authorization is not working.

This is my tac_plus.conf file, really simplified for testing:

accounting file = /tmp/tacacs.acc
#default authentication = file /etc/passwd

user=bart {
    default service = deny
    pap  = cleartext "bart"

     service = ppp protocol = lcp {
          priv-lvl = 15
          idletime = 10
     }

    cmd = telnet {
             # permit specified telnets
             permit 131\.108\.13\.[0-9]+
             permit 128\.[0-9]+\.12\.3
    }        
}

How do I interface with PAM (if that's the way to go) to only authorize the user to use the commands specified by TACACS? I've configured PAM like this:

account sufficient pam_tacplus.so debug server=192.168.56.19 service=ppp protocol=lcp
auth sufficient pam_tacplus.so debug server=192.168.56.19
password sufficient pam_tacplus.so debug server=192.168.56.19
session sufficient pam_tacplus.so debug server=192.168.56.19 secret=testing123 service=ppp protocol=lcp

Also, any idea why this works over SSH but not over local console login?

thanks!
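To make the `cmd = telnet { ... }` block in the question's tac_plus.conf concrete, here is an added Python example (not code from this page or from the tac_plus project) that parses a simplified `cmd` block and evaluates a command and its arguments the way a TACACS+ command-authorization check does on a network device CLI: the first matching permit/deny line wins, no match is an implicit deny, and a command with no block is denied because of `default service = deny`. Whole-argument regex matching and the extra `cmd = ping` block are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the question's telnet block plus an assumed ping block
# so that both a permit-first and a deny-first ordering are exercised.
TAC_PLUS_CONF = r"""
user=bart {
    default service = deny
    cmd = telnet {
             # permit specified telnets
             permit 131\.108\.13\.[0-9]+
             permit 128\.[0-9]+\.12\.3
    }
    cmd = ping {
             deny 10\.0\.0\.[0-9]+
             permit .*
    }
}
"""

CMD_START = re.compile(r"^\s*cmd\s*=\s*(\S+)\s*\{")
RULE = re.compile(r"^\s*(permit|deny)\s+(.+?)\s*$")

def parse_cmd_blocks(conf: str) -> Dict[str, List[Tuple[str, "re.Pattern[str]"]]]:
    """Return {command: [(action, compiled_regex), ...]} in file order."""
    blocks: Dict[str, List[Tuple[str, "re.Pattern[str]"]]] = {}
    current = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        start = CMD_START.match(line)
        if start:
            current = start.group(1)
            blocks[current] = []
            continue
        if current is None:                       # outside any cmd block
            continue
        if line.strip() == "}":                   # end of the cmd block
            current = None
            continue
        rule = RULE.match(line)
        if rule:
            blocks[current].append((rule.group(1), re.compile(rule.group(2))))
    return blocks

def authorize(blocks, cmd: str, args: List[str]) -> Tuple[bool, str]:
    """First matching line wins; no match or unlisted command means deny."""
    rules = blocks.get(cmd)
    if rules is None:
        return False, "command not listed (default service = deny)"
    arg_str = " ".join(args)                      # assumption: whole-arg match
    for action, pattern in rules:
        if pattern.fullmatch(arg_str):
            return action == "permit", f"matched '{action} {pattern.pattern}'"
    return False, "no permit/deny line matched (implicit deny)"
```

PAM only ever sees the login, not each command typed into the shell afterwards, so this per-command check has no PAM counterpart on Linux; that is the gap the answer below runs into.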

1 Answer


After some research I realized that what I wanted to achieve does not seem to be supported.

CLI command-level ACLs are not possible in Linux through TACACS, so I ended up using TACACS for authentication (using PAM with LDAP for user/passwd storage) and LDAP for authorization (group membership).