
I am using TACACS+ to authenticate Linux users using pam_tacplus.so PAM module and it works without issues.

I have modified the pam_tacplus module to meet some of my custom requirements.

I know that by default TACACS+ does not have any means to support Linux groups or access-level control over Linux bash commands; however, I was wondering whether there is any way that some information could be passed from the TACACS+ server side to the pam_tacplus.so module, which could then be used to allow/deny, or to modify the user's group on the fly [from the PAM module itself].

Example: if I could pass the priv-lvl number from the server to the client, it could be used for some decision making in the PAM module.

PS: I would prefer a method which involves no modification on the server side [code]; all modification should be done on the Linux side, i.e. in the pam_tacplus module.

Thanks for any help.

chandank
  • Could you elaborate on why running a separate LDAP server is inadequate for your needs? It seems to me that by the time all of this custom code is implemented, written, and tested, you could have just gotten this implemented via scripting on a LDAP server with remote groups. – Andrew B Feb 21 '15 at 20:48
  • I can't use an LDAP server. The requirement is to make tacacs+ itself do authentication and authorization. Do you know how one could specify a parameter in the tac_plus.conf file to force the tacacs+ server to send any AVP or custom messages? I guess prompt might do that; I am not able to get it working. – chandank Feb 23 '15 at 14:54

1 Answer

Eventually I got it working.

Issue 1:

The issue I faced was that there is very little documentation available on configuring a TACACS+ server for a non-Cisco device.

Issue 2:

The tac_plus version that I am using

tac_plus -v
tac_plus version F4.0.4.28

does not seem to support the

service = shell protocol = ssh

option in the tac_plus.conf file.

So eventually I used

service = system {
        default attribute = permit
        priv-lvl = 15
}

On the client side (pam_tacplus.so),

I sent the AVP service=system in the authorization phase (pam_acct_mgmt), which forced the service to return the priv-lvl defined in the configuration file, which I then used to decide the privilege level of the user.

NOTE: In some documentation it is mentioned that service=system is not used anymore, so this option may not work with Cisco devices.

HTH

chandank
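The decision step described in the answer (read the priv-lvl attribute the server returns for service=system, and fail closed when it is missing), as an added example that is not part of the original answer or of the pam_tacplus project. The attribute list is represented as plain "attr=value" strings rather than libtac's own structures, and the priv-lvl-to-group mapping is a hypothetical policy.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one TACACS+ AV pair from the authorization reply. Both the
 * mandatory ('=') and optional ('*') separators of the AV pair syntax
 * are accepted. Returns 0..15, or -1 if this is not a well-formed
 * priv-lvl attribute (wrong name, no digits, trailing junk, out of range). */
int parse_priv_lvl(const char *avpair)
{
    const char *key = "priv-lvl";
    size_t klen = strlen(key);
    char *end;
    long lvl;

    if (avpair == NULL || strncmp(avpair, key, klen) != 0)
        return -1;
    if (avpair[klen] != '=' && avpair[klen] != '*')
        return -1;
    if (!isdigit((unsigned char)avpair[klen + 1]))
        return -1;
    lvl = strtol(avpair + klen + 1, &end, 10);
    if (*end != '\0' || lvl < 0 || lvl > 15)
        return -1;
    return (int)lvl;
}

/* Walk the reply's attributes and take the first valid priv-lvl.
 * -1 means the server sent none; the caller treats that as no privilege. */
int priv_lvl_from_reply(const char *const *attrs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        int lvl = parse_priv_lvl(attrs[i]);
        if (lvl >= 0)
            return lvl;
    }
    return -1;
}

/* Hypothetical policy: 15 -> "admin", 1..14 -> "operator",
 * 0 or absent -> NULL (grant no extra group). */
const char *group_for_priv_lvl(int lvl)
{
    if (lvl == 15) return "admin";
    if (lvl >= 1)  return "operator";
    return NULL;
}

int main(void)
{
    /* Constructed reply, as the "service = system { priv-lvl = 15 }" stanza yields. */
    const char *const reply[] = { "service=system", "priv-lvl=15" };
    int lvl = priv_lvl_from_reply(reply, 2);
    const char *grp = group_for_priv_lvl(lvl);
    printf("priv-lvl=%d group=%s\n", lvl, grp ? grp : "(none)");
    return 0;
}
```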