diff options
| author | Christian Poessinger <christian@poessinger.com> | 2021-05-02 19:07:04 +0200 |
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2021-05-02 19:18:42 +0200 |
| commit | ceb7d3cb30a23b4b148bc71491b3817e9e6e2778 (patch) | |
| tree | 160ebe6294acb6a790790098b3861e58c0ca9ae4 /Pam.d.common-example | |
| download | libpam-tacplus-ceb7d3cb30a23b4b148bc71491b3817e9e6e2778.tar.gz libpam-tacplus-ceb7d3cb30a23b4b148bc71491b3817e9e6e2778.zip | |
Initial import of libpam-tacplus (1.4.3-cl3u4)
Diffstat (limited to 'Pam.d.common-example')
| -rw-r--r-- | Pam.d.common-example | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/Pam.d.common-example b/Pam.d.common-example new file mode 100644 index 0000000..a4064a1 --- /dev/null +++ b/Pam.d.common-example @@ -0,0 +1,53 @@ + +These are example changes for the /etc/pam.d/common-* files to use pam_tacplus +in the enhanced mode. I have have been unsuccessful (on ubuntu 14 or on debian +wheezy or jessie), in using pam-auth-update files, because they get inserted at +the incorrect locations. You also need to be sure that these changes do not +apply to su and sudo, because they must not reset the auid and sessionid. + +For all of these, debug is optional (but you'll probably want it during setup, unless you +are really lucky and everything just works). + +I've done all my testing against the linux tacacs+ server (debian wheezy package) with +nothing special in the configuration, other than adding some users. + +I recommend not using pam_loginuid.so with pam_tacplus, unless you have your +kernel set to make the loginuid immutable (indicated by auditctl supporting +the -loginuid-immutable option. + +The file debian/tacplus is appropriate for use with pam-auth-update. + +It's setup to only try tacacs for "user" accounts. If you change that (here +in the source, or on an end-system), be sure to do something to at least allow +root (uid==0) to login when the tacacs server is down or not reachable. +The rules are set so that if tacacs doesn't succeed it fall through to normal +unix method. + +The reason we check > 1000 is normally linux non-privileged userid's start +at 1000, and it's reasonable to assume a system has at least one non-privileged +local user, and not checking the local user is a performance win. +Change to suit your conventions. To minimize system impact, what +you really should use is the range of uid's for your tacacs0..15 accounts + +Note, the "success=2" below is dependent on what your pam.d files +look like. I recommend using pam-auth-update, which uses "success=end", +with pam-auth-update replacing "end" with the appropriate number of +rules to skip. + + auth [default=1 success=ignore] pam_succeed_if.so uid > 1000 quiet + auth [authinfo_unavail=ignore success=2 default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login protocol=ssh service=shell + + account [default=1 success=ignore] pam_succeed_if.so uid > 1000 quiet + account [authinfo_unavail=ignore success=2 perm_denied=bad default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login protocol=ssh service=shell + + session [default=1 success=ignore] pam_succeed_if.so uid > 1000 quiet + session [authinfo_unavail=ignore success=done default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login protocol=ssh service=shell + +/etc/tacplus_servers will have the list of tacacs+ servers and their shared secret. E.g: +===== +secret=tacacskey +server=192.168.1.1 +===== + +It can also have any other options common to other libraries or clients that +want to parse it, such as debugging options. |