From 5d712700d6b8db43e36ad5f2a9f8792203bb12d0 Mon Sep 17 00:00:00 2001 From: zsdc Date: Wed, 13 Sep 2023 13:16:20 +0300 Subject: TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+ In CLI we can choose authentication logic: - `mandatory` - if TACACS+ answered with `REJECT`, authentication must be stopped and access denied immediately. - `optional` (default) - if TACACS+ answers with `REJECT`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if TACACS+ clearly answered that access should be denied (no user in TACACS+ database, wrong password, etc.). If TACACS+ is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode. --- src/pam-configs/tacplus-mandatory | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 src/pam-configs/tacplus-mandatory (limited to 'src/pam-configs/tacplus-mandatory') diff --git a/src/pam-configs/tacplus-mandatory b/src/pam-configs/tacplus-mandatory new file mode 100644 index 000000000..92da02327 --- /dev/null +++ b/src/pam-configs/tacplus-mandatory @@ -0,0 +1,19 @@ +Name: TACACS+ authentication (mandatory mode) +Default: no +Priority: 576 + +Auth-Type: Primary +Auth-Initial: + [default=ignore success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login +Auth: + [default=ignore success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login use_first_pass + +Account-Type: Primary +Account: + [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet + [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login + +Session-Type: Additional +Session: + [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet + [default=ignore success=ok perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login -- cgit v1.2.3