summaryrefslogtreecommitdiff
path: root/Pam.d.common-example
blob: a4064a126572b9a1b550842b91d3f664b941019c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53

These are example changes for the /etc/pam.d/common-* files to use pam_tacplus
in the enhanced mode.  I have have been unsuccessful (on ubuntu 14 or on debian
wheezy or jessie), in using pam-auth-update files, because they get inserted at
the incorrect locations.  You also need to be sure that these changes do not
apply to su and sudo, because they must not reset the auid and sessionid.

For all of these, debug is optional (but you'll probably want it during setup, unless you
are really lucky and everything just works).

I've done all my testing against the linux tacacs+ server (debian wheezy package) with
nothing special in the configuration, other than adding some users.

I recommend not using pam_loginuid.so with pam_tacplus, unless you have your
kernel set to make the loginuid immutable (indicated by auditctl supporting
the -loginuid-immutable option.

The file debian/tacplus is appropriate for use with pam-auth-update.

It's setup to only try tacacs for "user" accounts.  If you change that (here
in the source, or on an end-system), be sure to do something to at least allow
root (uid==0) to login when the tacacs server is down or not reachable.
The rules are set so that if tacacs doesn't succeed it fall through to normal
unix method.

The reason we check > 1000 is normally linux non-privileged userid's start
at 1000, and it's reasonable to assume a system has at least one non-privileged
local user, and not checking the local user is a performance win.
Change to suit your conventions.  To minimize system impact, what
you really should use is the range of uid's for your tacacs0..15 accounts

Note, the "success=2" below is dependent on what your pam.d files
look like.  I recommend using pam-auth-update, which uses "success=end",
with pam-auth-update replacing "end" with the appropriate number of
rules to skip.

	auth [default=1 success=ignore] pam_succeed_if.so uid > 1000 quiet
	auth [authinfo_unavail=ignore success=2 default=ignore]	pam_tacplus.so include=/etc/tacplus_servers login=login protocol=ssh service=shell

	account [default=1 success=ignore] pam_succeed_if.so uid > 1000 quiet
	account [authinfo_unavail=ignore success=2 perm_denied=bad default=ignore]	pam_tacplus.so include=/etc/tacplus_servers login=login protocol=ssh service=shell

	session [default=1 success=ignore] pam_succeed_if.so uid > 1000 quiet
	session [authinfo_unavail=ignore success=done default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login protocol=ssh service=shell

/etc/tacplus_servers will have the list of tacacs+ servers and their shared secret. E.g:
=====
secret=tacacskey
server=192.168.1.1
=====

It can also have any other options common to other libraries or clients that
want to parse it, such as debugging options.