Authenticate Linux sshd with TACACS+ (Cisco ACS)

Assumptions

• We are compiling pam_tacplus.so from v1.3.7 of the pam_tacplus library
• The Cisco ACS server is 192.0.2.27, and the secret tacacs+ key is d0nttr3@d0nm3

Installation Instructions

1. Add the linux server's hostname / ip address into Cisco ACS and restart the Cisco ACS service
2. Download the tacacs+ PAM module from SourceForge.
3. Install pam development package for your linux distro. RHEL / CentOS call it pam-devel; Debian / Ubuntu call it libpam-dev (a virtual package name for libpam0g-dev).
4. Untar the tacacs+ pam module into a temporary working directory (tar xvfz pam_tacplus-1.3.7.tar.gz)
5. cd into the new folder created by tar.
6. As root: ./configure; make; make install

7. As root, edit /etc/pam.d/sshd, and add this line as the first entry in the file:

   auth include tacacs

8. As root, create a new file called /etc/pam.d/tacacs:

    #%PAM-1.0
    auth       sufficient   /usr/local/lib/security/pam_tacplus.so debug server=192.0.2.27 secret=d0nttr3@d0nm3
    account    sufficient   /usr/local/lib/security/pam_tacplus.so debug server=192.0.2.27 secret=d0nttr3@d0nm3 service=shell protocol=ssh
    session    sufficient   /usr/local/lib/security/pam_tacplus.so debug server=192.0.2.27 secret=d0nttr3@d0nm3 service=shell protocol=ssh

Per-Server / Per-user Instructions

As root on each server, create a local linux user account that matches the tacacs+ username for all required users. The users can optionally use passwd to set their local password to whatever they like as a last resort; however, if they set a local password, they will be able to login locally at any time without tacacs+ even if the service is available.

pam_tacplus Service information

The details of how the pam_tacplus.so module works are in this pam-list archived email