Ubuntu SSH Authentication with TACACSGUI

--Assumptions--

What is TacacsGUI? Find out at tacacsgui.com.

How to install and administer TACACS+ is not covered here; explore that yourself.

In this scenario we use TACACS+ as the authentication backend for SSH logins on an Ubuntu server (I hope that is clear). With that said, let's go.

--preparation--

--tacacs
* The device has already been added in TacacsGUI, including its secret key.
* The users have been added as well.

--ubuntu
* Download the TACACS+ PAM module from SourceForge or GitHub.
* Install the PAM development package for your Linux distro. RHEL/CentOS call it pam-devel; Debian/Ubuntu call it libpam-dev (a virtual package name for libpam0g-dev).
* Un-tar the TACACS+ PAM module into a temporary working directory (tar xvfz tacplus-1.6.1.tar.gz).
* cd into the new folder created by tar.
* As root, run: ./auto.sh; ./configure; make; make install
* Make sure the PAM module installs without errors.

--implement--

Edit the PAM configuration for sshd, /etc/pam.d/sshd, and add this line as the first entry in the file:

# PAM configuration for the Secure Shell service

auth       include      tacacsauth

Then create a new file called /etc/pam.d/tacacsauth:
auth       sufficient   /usr/local/lib/security/pam_tacplus.so debug server=x.x.x.x secret=1234  login=login prompt=: service=ssh protocol=tcp
account    sufficient   /usr/local/lib/security/pam_tacplus.so debug server=x.x.x.x secret=1234 service=ssh protocol=tcp
password   required    /usr/local/lib/security/pam_tacplus.so debug server=x.x.x.x secret=1234
* Note: x.x.x.x is your TacacsGUI IP, and secret is the secret key set for the device in TacacsGUI.
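
A check to run on the two files above before restarting sshd, as an added example that is not part of the original post: it parses the PAM lines and flags a leftover x.x.x.x placeholder, a short secret, the debug option, and a file that group or other can read (the shared secret sits in it in clear text). The function names and the 16-character minimum are assumptions of this example, not pam_tacplus requirements.

```python
import stat

MODULE = "pam_tacplus.so"
MIN_SECRET_LEN = 16  # assumed local policy, not a pam_tacplus requirement

def rules(text):
    """Yield the whitespace-split fields of each non-blank, non-comment PAM line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields

def lint_sshd(text):
    """The post wants 'auth include tacacsauth' as the first entry of /etc/pam.d/sshd."""
    first = next(rules(text), None)
    if first != ["auth", "include", "tacacsauth"]:
        return ["sshd: first entry is not 'auth include tacacsauth'"]
    return []

def lint_tacacsauth(text, mode=0o600):
    """Check every pam_tacplus rule for leftover placeholders and risky options."""
    findings = []
    if stat.S_IMODE(mode) & 0o077:
        findings.append("file: shared secret readable by group/other")
    for fields in rules(text):
        if len(fields) < 3 or not fields[2].endswith(MODULE):
            continue
        kind, args = fields[0], fields[3:]
        opts = dict(a.split("=", 1) for a in args if "=" in a)
        if opts.get("server", "x.x.x.x") == "x.x.x.x":
            findings.append(f"{kind}: server missing or still the placeholder")
        if len(opts.get("secret", "")) < MIN_SECRET_LEN:
            findings.append(f"{kind}: secret missing or shorter than {MIN_SECRET_LEN}")
        if "debug" in args:
            findings.append(f"{kind}: debug still enabled")
    return findings

# Constructed sample: the tacacsauth file exactly as shown in the post, mode 0644.
SAMPLE = """\
auth       sufficient   /usr/local/lib/security/pam_tacplus.so debug server=x.x.x.x secret=1234  login=login prompt=: service=ssh protocol=tcp
account    sufficient   /usr/local/lib/security/pam_tacplus.so debug server=x.x.x.x secret=1234 service=ssh protocol=tcp
password   required    /usr/local/lib/security/pam_tacplus.so debug server=x.x.x.x secret=1234
"""

if __name__ == "__main__":
    for finding in lint_tacacsauth(SAMPLE, mode=0o644):
        print(finding)
```

On the server, pass the real file contents and os.stat("/etc/pam.d/tacacsauth").st_mode instead of the sample.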

--final--
Restart the SSH service:
systemctl restart sshd.service
Create a local Linux user account that matches the TacacsGUI username for each required user:
sudo adduser jajal
The users can optionally use passwd to set their local password to whatever they like as a last resort; however, if they set a local password, they will be able to log in locally at any time without TACACS+, even if the service is available.
--test and drive--




* Do this at your own risk.