
How to configure a Linux box with PAM and TACACS+ for WiKID Strong Authentication

These instructions help you configure and test the WiKID TACACS+ protocol module via Linux PAM. This document has been updated to cover PAM 0.99 and higher, where the pam_stack module has been replaced by include.

First, edit your /etc/pam.d/sshd file to allow TACACS+ authentication:

auth       include      tacacs
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth

Next, install pam_tacplus:

You can download it here:
http://echelon.pl/pubs/pam_tacplus-1.2.9.tar.gz (UPDATE: it looks like the file has been removed. If anyone finds it, let us know.)

$ tar xvfz pam_tacplus-1.2.9.tar.gz
$ make
# make install

Finally, create /etc/pam.d/tacacs:

#%PAM-1.0
auth       sufficient   /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=support_secret encrypt
account    sufficient   /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=support_secret encrypt service=shell protocol=ssh
session    sufficient   /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=support_secret encrypt service=shell protocol=ssh
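
/etc/pam.d/tacacs stores the TACACS+ shared secret in clear text, and the lines above enable pam_tacplus's debug option, so the file is worth auditing after you edit it. The script below is an added example, not part of the original WiKID instructions; the function name audit_pam_tacplus and its finding labels are made up for illustration, and it assumes plain control keywords such as sufficient (no bracketed [value=action] controls).

```shell
#!/bin/sh
# Added example (not WiKID's code): audit a pam_tacplus service file.
# Prints one finding per line; returns 0 if clean, 1 if findings, 2 if unreadable.
# Assumes simple control keywords (required, sufficient, ...) as used on this page.
audit_pam_tacplus() {
    f=$1
    [ -r "$f" ] || { echo "ERROR: cannot read $f"; return 2; }
    findings=
    # The file holds the TACACS+ shared secret, so group/other should not read it.
    perm=$(ls -ld "$f" | cut -c1-10)
    case $perm in
        ????r*|???????r*) findings="PERM: $f ($perm) is readable by group or other" ;;
    esac
    parsed=$(awk '
        $1 ~ /^#/ || NF < 3 { next }
        $3 ~ /pam_tacplus\.so$/ {
            seen[$1] = 1; s = ""; k = ""
            for (i = 4; i <= NF; i++) {
                if ($i == "debug") print "DEBUG: " $1 " line sets debug (verbose syslog output)"
                if ($i ~ /^server=/) s = s " " $i
                if ($i ~ /^secret=/) k = k " " $i
            }
            if (s == "") print "MISSING: " $1 " line has no server="
            if (k == "") print "MISSING: " $1 " line has no secret="
            srv[s] = 1; sec[k] = 1
        }
        END {
            for (x in srv) ns++
            for (x in sec) nk++
            if (ns > 1) print "MISMATCH: server= differs between pam_tacplus lines"
            if (nk > 1) print "MISMATCH: secret= differs between pam_tacplus lines"
            if (!("auth" in seen)) print "MISSING: no auth line uses pam_tacplus.so"
        }' "$f")
    findings=$(printf '%s\n%s\n' "$findings" "$parsed" | sed '/^$/d')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample mirroring the auth line of the page's /etc/pam.d/tacacs.
demo=$(mktemp)
printf 'auth sufficient /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=support_secret encrypt\n' > "$demo"
chmod 644 "$demo"
audit_pam_tacplus "$demo" || true
rm -f "$demo"
```

On a real host, run `audit_pam_tacplus /etc/pam.d/tacacs` as root; the secret values themselves are never printed.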

NB: If the tacacs listener is not starting on the WiKID server, run:

/opt/WiKID/bin/tac_plus -C /opt/WiKID/private/tacacs.conf

 

That should be it!


Copyright © WiKID Systems, Inc. 2024 | Two-factor Authentication