The following section describes how to set up the TACACS+ authentication service that is used to log in to Address Manager using SSH.
Attention:
- Performing an upgrade to a later version of Address Manager does not remove the TACACS+ configuration file (tacacs_config.sh); however, the configuration for TACACS+ authentication for shell access will be removed and must be configured again after the upgrade has been performed.
- Before you begin, BlueCat strongly recommends creating a "Break Glass" account to ensure that Address Manager can still be accessed in case of an accidental misconfiguration.
- You must have an operating TACACS+ server in order to proceed with the steps outlined in this section.
- SSH users authenticating using TACACS+ will not be running in a restrictive shell environment. If a TACACS+ user must run supported commands, the TACACS+ user must prefix the command with sudo.
Configuring the initial TACACS+ setup
Run the TACACS+ setup script to configure the TACACS+ server information.
To run the TACACS+ setup script:
- Log in to Address Manager using SSH and the root account.
- Run the following command:
tacacs_setup.sh -h <TACACS server IP address/hostname> \
  -s <TACACS shared secret> \
  -a <TACACS auth service: pap, chap, or login>
For example:
tacacs_setup.sh -h 192.168.0.1 -s bcnSharedSecret -a chap
Configuring the TACACS+ groups and users
Once you have configured the TACACS+ server information, you must configure the TACACS+ groups and users to allow them to log in to Address Manager.
To configure TACACS+ groups and users:
- Create a user.csv file with the following format:
username, groupname, sudo commands, paths accessible to the user
The following is an example of the content and format of the user.csv file:
user01,group01,"/usr/bin/tail, /usr/local/sbin/rndc, /bin/cat","/var"
user02,group01,"/usr/bin/ls, /sbin/reboot","/var"
user03,group02,"/usr/bin/ls, /sbin/reboot"
user04,group03,"","/var"
- Create a group.csv file with the following format:
groupname, sudo commands, path where commands are run
The following is an example of the content and format of the group.csv file:
group01,"/sbin/ifup, /sbin/ifdown","/tmp"
group02,/sbin/ifup
group03,/sbin/ifdown
Note: The commands granted to TACACS+ groups and users are not restricted to the examples presented. You can configure commands as required.
Attention: BlueCat strongly recommends reviewing the accessible paths and commands that are granted to the TACACS+ groups and users, as they can provide access equivalent to the root user.
- Log in to Address Manager using SSH and the root account.
- Run the following commands to create the group configuration, followed by the user configuration:
tacacs_config.sh group.csv
tacacs_config.sh user.csv
Attention: The same sudo command cannot be granted to a user if the command is already granted to the user's group, even if the user belongs to that group. For example, if user01 belongs to group01 and group01 uses sudo run /bin/cat in the group configuration file, user01 cannot use sudo run /bin/cat.
Once you have run the tacacs_config.sh command to configure the users and groups, authorized users and groups can access SSH using TACACS+ authentication.
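The user.csv and group.csv layouts above, and the rule that a user may not be granted a sudo command already granted to the user's group, can be checked before tacacs_config.sh is run. The following validator is an added example and is not part of Address Manager or its scripts; the sample rows are constructed (the user05 row is an added conflict case not taken from the page), and the "/" path check is an assumed review heuristic for the broad-path warning above.

```python
import csv
import io

# Constructed sample input in the page's group.csv layout.
GROUP_CSV = """group01,"/sbin/ifup, /sbin/ifdown","/tmp"
group02,/sbin/ifup
group03,/sbin/ifdown
"""

# Constructed sample input in the page's user.csv layout; user05 is an
# added row whose sudo command overlaps with its group and whose path is "/".
USER_CSV = """user01,group01,"/usr/bin/tail, /usr/local/sbin/rndc, /bin/cat","/var"
user02,group01,"/usr/bin/ls, /sbin/reboot","/var"
user03,group02,"/usr/bin/ls, /sbin/reboot"
user04,group03,"","/var"
user05,group01,"/sbin/ifup, /bin/cat","/"
"""


def split_commands(field):
    """Turn a quoted 'cmd1, cmd2' field into a set of command paths."""
    return {c.strip() for c in field.split(",") if c.strip()}


def parse_groups(text):
    """groupname, sudo commands, path -> {group: (commands, path)}."""
    groups = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        row += [""] * (3 - len(row))  # rows may omit trailing fields
        groups[row[0].strip()] = (split_commands(row[1]), row[2].strip())
    return groups


def parse_users(text):
    """username, groupname, sudo commands, path -> {user: (group, commands, path)}."""
    users = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        row += [""] * (4 - len(row))
        users[row[0].strip()] = (row[1].strip(), split_commands(row[2]), row[3].strip())
    return users


def find_problems(users, groups):
    """Return (user, message) findings to review before running tacacs_config.sh."""
    findings = []
    for user, (group, cmds, path) in users.items():
        if group not in groups:
            findings.append((user, f"unknown group {group}"))
            continue
        overlap = cmds & groups[group][0]  # same sudo command via user and group
        if overlap:
            findings.append((user, f"already granted via {group}: {sorted(overlap)}"))
        if path == "/":  # assumed heuristic: whole-filesystem access needs review
            findings.append((user, "accessible path '/' exposes the whole filesystem"))
    return findings
```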
Removing the TACACS+ configuration
To remove the TACACS+ configuration:
- Create a delete.csv file with the following content:
CONFIRM_TO_DELETE_ALL_TACACS_USERS
- Log in to Address Manager using SSH and the root account.
- Run the following command:
tacacs_config.sh delete.csv
- Disable the TACACS+ service by running the following command:
tacacs_setup.sh -r
Once you have run the tacacs_setup.sh command, TACACS+ authentication is disabled for SSH connections.