I've set up a TACACS+ server and a PAM TACACS+ client from here: https://github.com/kravietz/pam_tacplus/tree/main.
When a user SSHes into the TACACS+ client machine, I want authentication from the TACACS+ server and to allow execution of only those shell commands which are permitted in the TACACS+ server config.
Authentication works, but I can't get shell command authorisation to work.
What changes would I have to make for this to work?
This is the TACACS+ server config, where I have allowed only the ls command:
    key = testkey123
    user = testuser1 {
        cmd = ls {
            permit .*
        }
        global = cleartext "testpass123"
        service = ppp protocol = ip {
            addr=1.2.3.4
        }
    }
I have also created a local user on the client with the same credentials as in the server config.
This is the PAM test module that I defined in /etc/pam.d:
    #%PAM-1.0
    auth    sufficient /lib/security/pam_tacplus.so server=127.0.0.1 secret=testkey123
    account sufficient /lib/security/pam_tacplus.so server=127.0.0.1 secret=testkey123 service=ppp protocol=ip
    session sufficient /lib/security/pam_tacplus.so server=127.0.0.1 secret=testkey123 service=ppp protocol=ip
In the PAM sshd module in /etc/pam.d, I have added:
    auth    include test
    account include test
    session include test
In the TACACS+ config I have allowed only the "ls" command, but all commands can be executed. The client doesn't seem to authorise permitted commands from the server.
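For reference, this is what the per-command TACACS+ authorization exchange (RFC 8907) looks like on the wire. It is an added, constructed example, not code from the question or from pam_tacplus. A `cmd = ls { permit .* }` stanza in a tac_plus-style config is consulted for authorization REQUESTs that carry `service=shell` and `cmd=ls` attribute-value pairs. A PAM stack runs once at login, before any shell command exists, so a PAM module has no command to put in such a request; whatever executes the commands (a shell or a wrapper in the command path) has to issue one request per command. The code below builds that request, obfuscates it with the shared secret, and parses the REPLY. Assumptions: the server listens on 127.0.0.1 TCP/49, the key is `testkey123` as in the question, and the port name `tty0` is a placeholder; `offline_round_trip` constructs a server reply locally so the framing and parsing can be checked without a daemon.

```python
"""Constructed TACACS+ (RFC 8907) shell command authorization exchange.
Not from the question or pam_tacplus; server address, port and tty are assumed."""
import hashlib
import os
import socket
import struct

TAC_PLUS_VERSION = 0xC0              # major version 0xC, minor version 0
TAC_PLUS_AUTHOR = 0x02               # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """Section 4.5 body obfuscation keystream: chained MD5 blocks of
    session_id || key || version || seq_no || previous_block."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR body with the pad; the same call de-obfuscates a received body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def shell_command_args(cmd, cmd_args):
    """AV pairs for one shell command: service=shell, cmd=<name>, one cmd-arg
    per argument, and the conventional trailing cmd-arg=<cr> end marker."""
    return (["service=shell", f"cmd={cmd}"]
            + [f"cmd-arg={a}" for a in cmd_args] + ["cmd-arg=<cr>"])


def build_author_request(user, port, rem_addr, args):
    """Authorization REQUEST body (section 6.1), priv_lvl 1."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_METH_TACACSPLUS, 1,
                        TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(u), len(p), len(r), len(a))
    return fixed + bytes(len(x) for x in a) + u + p + r + b"".join(a)


def build_author_reply(status, args=(), server_msg=""):
    """Authorization REPLY body (section 6.2); only used to construct a server
    response offline so the parser can be exercised without a daemon."""
    a = [x.encode() for x in args]
    m = server_msg.encode()
    return (struct.pack("!BBHH", status, len(a), len(m), 0)
            + bytes(len(x) for x in a) + m + b"".join(a))


def parse_author_reply(body):
    """REPLY layout: status, arg_cnt, server_msg_len, data_len, arg lens,
    server_msg, data, args."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt]); off += arg_cnt
    server_msg = body[off:off + msg_len].decode(errors="replace"); off += msg_len
    off += data_len                                  # data is unused for authorization
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode(errors="replace")); off += n
    return {"status": AUTHOR_STATUS.get(status, hex(status)),
            "server_msg": server_msg, "args": args}


def frame(body, session_id, key, seq_no):
    """12-byte header (version, type, seq_no, flags, session_id, length) + body."""
    hdr = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no, 0,
                      session_id, len(body))
    return hdr + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def decode_reply_frame(pkt, key):
    """De-obfuscate with the header's own version/seq unless the server set
    the unencrypted flag, then parse the REPLY."""
    ver, _ptype, seq, flags, sid, length = struct.unpack("!BBBBII", pkt[:12])
    body = pkt[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, sid, key, ver, seq)
    return parse_author_reply(body)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed connection mid-packet")
        buf += chunk
    return buf


def authorize_command(server, key, user, cmd, cmd_args, port="tty0",
                      rem_addr="127.0.0.1", timeout=5):
    """One live check against a server on TCP/49 (assumed); a shell wrapper
    would call this before each exec and refuse anything that is not PASS_*."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    body = build_author_request(user, port, rem_addr, shell_command_args(cmd, cmd_args))
    with socket.create_connection((server, 49), timeout=timeout) as s:
        s.sendall(frame(body, session_id, key, 1))
        hdr = recv_exact(s, 12)
        length = struct.unpack("!I", hdr[8:12])[0]
        return decode_reply_frame(hdr + recv_exact(s, length), key)


def offline_round_trip(status, server_msg, key=b"testkey123", session_id=0x11223344):
    """Encode a constructed REPLY as a server would (seq 2), decode as the client."""
    pkt = frame(build_author_reply(status, server_msg=server_msg), session_id, key, 2)
    return decode_reply_frame(pkt, key)


if __name__ == "__main__":
    print(shell_command_args("ls", ["-l", "/etc"]))
    print(offline_round_trip(0x01, "constructed: ls permitted"))
    print(offline_round_trip(0x10, "constructed: rm denied"))
```

The request carries `service=shell`, whereas the PAM lines above pass `service=ppp protocol=ip`; the `cmd =` stanza is only reached by a request that names the shell service and a command. Whatever issues these requests also needs the shell to actually route every command through it, otherwise the deny is bypassable.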