I have established a TACACS+ server and a PAM TACACS client using the resources available here. I am using TACACS+ to authenticate Linux users using pam_tacplus.so.
Upon user SSH access to the TACACS client machine (Ubuntu 18.04), my objective is to authenticate users through the TACACS+ server and permit the execution of only those commands in the shell that are sanctioned within the TACACS+ server configuration.
Although authentication is functioning correctly, I am encountering challenges in enabling shell command authorization.
This is the TACACS+ server config in /etc/tacacs+/tac_plus.conf:
    group = admingroup {
        default service = permit
        service = exec {
            priv-lvl = 12
        }
    }
    user = test {
        member = admingroup
        global = cleartext "12345"
    }
    user = test_user {
        global = cleartext "12345"
        cmd = ls {
            permit .*
        }
    }
I have also created a local user on the client machine with the same username as in the server config.
In the PAM sshd module present in /etc/pam.d I have added:
    auth    sufficient /lib/security/pam_tacplus.so debug server=192.168.95.161 secret=test_123 service=system protocol=tcp
    account sufficient /lib/security/pam_tacplus.so debug server=192.168.95.161 secret=test_123 service=system protocol=tcp
    session sufficient /lib/security/pam_tacplus.so debug server=192.168.95.161 secret=test_123 service=system protocol=tcp
In the TACACS+ config, I have allowed test_user to execute only the ls command, but all commands can be executed. The client doesn't seem to authorize permitted commands from the server.
Is there any way to implement authorization and accounting through TACACS+?
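The PAM lines above only talk to the server at login time (authentication, then one authorization exchange for service=system in the account phase, then accounting for the session). The `cmd = ls` block in tac_plus.conf is consulted only when something sends the server a separate authorization REQUEST for each command, carrying `service=shell` and `cmd=...` attribute-value pairs, which is what a network device CLI does and what a plain Linux login shell never does. The following is an added example written for this answer, not code from the question, from pam_tacplus or from tac_plus: it encodes and decodes that per-command authorization exchange at the wire level (RFC 8907 packet header, MD5 body obfuscation, REQUEST and REPLY bodies) so that the difference between login-time and per-command authorization is visible. The shared secret `test_123` is the one from the question; the session id, the remote address `192.168.95.10` and the sample replies are constructed values for the demo.

```python
import hashlib
import os
import struct

# TACACS+ packet header (RFC 8907, section 4.1): version, type, seq_no,
# flags, session_id, length, all big-endian.
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes
VERSION = 0xC0                # major version 0xc, minor version 0
TYPE_AUTHOR = 0x02            # authorization packet type
FLAG_UNENCRYPTED = 0x01       # body sent in the clear; never set this in production

# authorization REQUEST fixed fields (section 6.1)
AUTHEN_METH_TACACSPLUS = 0x06
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01

# authorization REPLY status codes (section 6.2)
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream from section 4.5. This is obfuscation with a shared
    secret, not encryption, so the transport itself still needs protecting."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]


def obfuscate(session_id, key, version, seq_no, body):
    """XOR the body with the pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def shell_command_args(cmd, cmd_args=()):
    """Attribute-value pairs describing one shell command (section 8.4)."""
    return ["service=shell", f"cmd={cmd}"] + [f"cmd-arg={a}" for a in cmd_args]


def build_author_request(user, args, port="", rem_addr="", priv_lvl=1):
    """Encode an authorization REQUEST body (section 6.1)."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    arg_b = [a.encode() for a in args]
    head = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, len(user_b), len(port_b), len(rem_b), len(arg_b))
    return head + bytes(len(a) for a in arg_b) + user_b + port_b + rem_b + b"".join(arg_b)


def _take(buf, pos, n):
    return buf[pos:pos + n], pos + n


def _take_args(buf, pos, arg_lens):
    args = []
    for n in arg_lens:
        a, pos = _take(buf, pos, n)
        args.append(a.decode())
    return args, pos


def parse_author_request(body):
    """Decode a REQUEST body, as the server (or a packet capture tool) would."""
    _meth, priv, _atype, _svc, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    arg_lens, pos = _take(body, 8, argc)
    user, pos = _take(body, pos, ulen)
    port, pos = _take(body, pos, plen)
    rem, pos = _take(body, pos, rlen)
    args, _pos = _take_args(body, pos, arg_lens)
    return {"priv_lvl": priv, "user": user.decode(), "port": port.decode(),
            "rem_addr": rem.decode(), "args": args}


def build_author_reply(status, server_msg="", args=()):
    """Encode a REPLY body (section 6.2); used here to construct sample replies."""
    msg_b, arg_b = server_msg.encode(), [a.encode() for a in args]
    head = struct.pack("!BBHH", status, len(arg_b), len(msg_b), 0)
    return head + bytes(len(a) for a in arg_b) + msg_b + b"".join(arg_b)


def parse_author_reply(body):
    """Decode a REPLY body; only PASS_ADD / PASS_REPL permit the command."""
    status, argc, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens, pos = _take(body, 6, argc)
    msg, pos = _take(body, pos, msg_len)
    _data, pos = _take(body, pos, data_len)
    args, _pos = _take_args(body, pos, arg_lens)
    return {"status": AUTHOR_STATUS.get(status, f"unknown({status:#x})"),
            "permitted": status in (0x01, 0x02), "server_msg": msg.decode(), "args": args}


def encode_packet(ptype, seq_no, session_id, key, body):
    header = struct.pack(HEADER_FMT, VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(session_id, key, VERSION, seq_no, body)


def decode_packet(packet, key):
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(session_id, key, version, seq_no, body)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


if __name__ == "__main__":
    # Constructed demo: the REQUEST an enforcement point would send for
    # "ls -l" run by test_user; secret test_123 is the one from the question.
    key = b"test_123"
    sid = struct.unpack("!I", os.urandom(4))[0]
    req = build_author_request("test_user", shell_command_args("ls", ["-l"]),
                               port="ssh", rem_addr="192.168.95.10")
    wire = encode_packet(TYPE_AUTHOR, 1, sid, key, req)
    print(parse_author_request(decode_packet(wire, key)["body"]))
```

Running the demo prints the decoded request with `args` equal to `['service=shell', 'cmd=ls', 'cmd-arg=-l']`; nothing in the PAM account phase ever produces such a request, which is why the `cmd = ls` block is never evaluated for the SSH session. If you capture the traffic between the client and 192.168.95.161 during login you should see exactly one authorization REQUEST, for `service=system`, and none afterwards.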