Configuring TACACS+ shell authentication - BlueCat Integrity - 9.3.0

Address Manager Administration Guide

Locale: English
Product name: BlueCat Integrity
Version: 9.3.0

The following section describes how to set up the TACACS+ authentication service that is used to log in to Address Manager over SSH.

Attention:
  • Upgrading to a later version of Address Manager does not remove the TACACS+ configuration script (tacacs_config.sh); however, the TACACS+ configuration for shell access is removed and must be configured again after the upgrade has been performed.
  • Before you begin, BlueCat strongly recommends creating a "Break Glass" account to ensure that Address Manager remains accessible in case of an accidental misconfiguration.
  • You must have an operating TACACS+ server in order to proceed with the steps outlined in this section.
  • SSH users who authenticate with TACACS+ do not run in a restricted shell environment. A TACACS+ user who needs to run a supported command must prefix the command with sudo.

Configuring the initial TACACS+ setup

Run the TACACS+ setup script to configure the TACACS+ server information.

To run the TACACS+ setup script:
  1. Log in to Address Manager using SSH and the root account.
  2. Run the following commands:
    tacacs_setup.sh -h <TACACS server IP address/hostname> \
    -s <TACACS shared secret> \
    -a <TACACS auth service: pap, chap, or login>
    For example:
    tacacs_setup.sh -h 192.168.0.1 -s bcnSharedSecret -a chap

Configuring the TACACS+ groups and users

Once you have configured the TACACS+ server information, you must configure the TACACS+ groups and users to allow them to log in to Address Manager.

To configure TACACS+ groups and users:
  1. Create a user.csv file with the following format:
    username, groupname, sudo commands, paths accessible to the user
    The following is an example of the content and format of the user.csv file:
    user01,group01,"/usr/bin/tail, /usr/local/sbin/rndc, /bin/cat","/var"
    user02,group01,"/usr/bin/ls, /sbin/reboot","/var"
    user03,group02,"/usr/bin/ls, /sbin/reboot"
    user04,group03,"","/var"
  2. Create a group.csv file with the following format:
    groupname, sudo commands, path where commands are run
    The following is an example of the content and format of the group.csv file:
    group01,"/sbin/ifup, /sbin/ifdown","/tmp"
    group02,/sbin/ifup
    group03,/sbin/ifdown
    Note: Commands used to grant TACACS+ groups and users are not restricted to the examples presented. You can configure commands as required.
    Attention: BlueCat strongly recommends reviewing the accessible paths and commands that are granted to the TACACS+ groups and users, as they can provide access equivalent to the root user.
  3. Log in to Address Manager using SSH and the root account.
  4. Run the following commands to create the group configuration, followed by the user configuration:
    tacacs_config.sh group.csv
    tacacs_config.sh user.csv
    Attention: The same sudo command cannot be granted to both a user and that user's group; if the command is granted in the group configuration file, it cannot also be granted to an individual member in the user configuration file. For example, if user01 belongs to group01 and the group configuration file grants group01 sudo access to /bin/cat, the user configuration file cannot also grant user01 sudo access to /bin/cat.
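    Because tacacs_config.sh input is hand-written CSV, it is worth checking the files before loading them. The following added example is not BlueCat's code: it parses user.csv and group.csv in the format shown above and reports the conflict the note describes (a sudo command granted to both a user and that user's group) as well as users that reference a group missing from group.csv. The sample CSV content is constructed from the page's examples plus one deliberately conflicting line.

```python
# Added example, not part of BlueCat's tacacs_config.sh: pre-flight check
# for user.csv / group.csv in the documented format. It flags a sudo command
# granted to both a user and that user's group, and undefined group names.
import csv
import io
# Constructed sample input: the page's examples plus user05, which
# deliberately repeats /sbin/ifup, already granted to group01.
GROUP_CSV = """\
group01,"/sbin/ifup, /sbin/ifdown","/tmp"
group02,/sbin/ifup
group03,/sbin/ifdown
"""
USER_CSV = """\
user01,group01,"/usr/bin/tail, /usr/local/sbin/rndc, /bin/cat","/var"
user02,group01,"/usr/bin/ls, /sbin/reboot","/var"
user03,group02,"/usr/bin/ls, /sbin/reboot"
user04,group03,"","/var"
user05,group01,"/sbin/ifup, /bin/cat","/var"
"""

def split_commands(field):
    """Turn a quoted '/a, /b' command list into a set of command paths."""
    return {c.strip() for c in field.split(",") if c.strip()}

def parse_rows(text):
    """Yield non-empty CSV rows with surrounding whitespace stripped."""
    for row in csv.reader(io.StringIO(text)):
        if any(cell.strip() for cell in row):
            yield [cell.strip() for cell in row]

def parse_groups(text):
    """groupname, sudo commands, path -> {groupname: set(commands)}"""
    return {row[0]: split_commands(row[1]) if len(row) > 1 else set()
            for row in parse_rows(text)}

def parse_users(text):
    """username, groupname, sudo commands, paths -> {user: (group, set(commands))}"""
    return {row[0]: (row[1], split_commands(row[2]) if len(row) > 2 else set())
            for row in parse_rows(text)}

def check(user_text, group_text):
    """Return sorted (user, problem) findings; an empty list means no conflicts."""
    groups = parse_groups(group_text)
    findings = []
    for user, (group, cmds) in parse_users(user_text).items():
        if group not in groups:
            findings.append((user, f"group {group} is not defined in group.csv"))
            continue
        for cmd in sorted(cmds & groups[group]):
            findings.append((user, f"{cmd} is already granted through {group}"))
    return sorted(findings)
```

    Running check(USER_CSV, GROUP_CSV) reports only user05, whose /sbin/ifup grant duplicates the one on group01; the four documented example lines pass cleanly.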

Once you have run the tacacs_config.sh command for the groups and users, the authorized users and groups can log in over SSH using TACACS+ authentication.

Removing the TACACS+ configuration

To remove the TACACS+ configuration:
  1. Create a delete.csv file with the following content:
    CONFIRM_TO_DELETE_ALL_TACACS_USERS
  2. Log in to Address Manager using SSH and the root account.
  3. Run the following command:
    tacacs_config.sh delete.csv
  4. Disable TACACS+ service by running the following command:
    tacacs_setup.sh -r

Once you have run the tacacs_setup.sh -r command, TACACS+ authentication is disabled for SSH connections.