[tac_plus] Duo 2fa /w tac plus

krux krux at thcnet.net
Tue Oct 8 17:37:21 UTC 2019


Yeah, you just tie it into PAM, either in /etc/pam.d/common-auth or 
/etc/pam.d/tac_plus.

Here's an example config using /etc/pam.d/common-auth; /etc/pam.d/tac_plus 
is then like any other service under PAM that includes common-auth:

https://pastebin.com/Fx80HyXk

In that example we also have Kerberos for centralized authentication, so 
UIDs are all over 5000.  The key point is that it requires both a valid 
Kerberos authentication and a valid Duo authentication in order to 
authenticate.  And any time you mess with PAM, always, always, always do 
the following:

1. backups!
2. maintain a session as root at a shell and do your testing from a new 
session
3. test for successful authentications
4. test that you can sudo to root
5. test that authentication failures _actually fail_

Fail to do the above and you'll be practicing how to break into your own 
system via single-user mode.

And as for your /etc/tacacs+/tac_plus.conf, this is the standard way of 
getting TACACS+ to use PAM for authentication:

user = username {
   member = SOME_GROUP
   # ASCII (interactive) login authentication is handed to PAM
   login = PAM
   # PAP authentication is handed to PAM as well
   pap = PAM
}


Other notes: you have to be ready to authenticate via Duo when you 
log in.  Setting a TACACS timeout of about 30 seconds on your network 
devices seems to be the sweet spot: one, enough time for your admins to 
remember that, oh, they have to be expecting Duo to pop up on their 
device, and two, not so long that if you need to get in with a local 
account in the event TACACS is unavailable, they are in agony waiting 
for the server timeout.


On 2019-10-07 16:18, Drew Weaver wrote:
> Has anyone figured out how you can use Duo (owned by Cisco) as part of
> PAM during the tac+ auth process? We really would like 2FA for all
> logins that aren't used for config backups or route lookup APIs.
> 
> Any info would be most appreciated.
> 
> -Drew
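The pastebin linked in the reply above is not reproduced on this page, so here is an added example of the kind of PAM stack the reply describes: Kerberos password and Duo second factor, both mandatory, for the tac_plus service. This is not the poster's config and not part of the tac_plus project; the module names pam_krb5 and pam_duo, the UID threshold of 5000 and the use of pam_succeed_if to enforce it are assumptions made for illustration, and the control flags are chosen so that a wrong password fails the stack before Duo is ever contacted.

```pam
# /etc/pam.d/tac_plus  (added example; assumed layout, not the poster's pastebin)
#
# Why the flags matter:
#   requisite  -> a failure stops the stack immediately. Used for the
#                 password step so a bad password never triggers a Duo
#                 push (no push-fatigue attacks, no wasted prompts).
#   required   -> a failure fails the whole stack, but remaining modules
#                 still run. Used for Duo so a Duo failure cannot be
#                 recovered from by anything later in the stack.
#
# Any user, including root and other local accounts below the assumed
# Kerberos UID floor of 5000, is refused here: TACACS+ must never be a
# path that skips Duo. Unknown usernames also fail at this line.
auth     required    pam_env.so
auth     requisite   pam_succeed_if.so uid >= 5000 quiet_success

# Factor 1: password checked against the KDC. Fail fast on a bad password.
auth     requisite   pam_krb5.so

# Factor 2: Duo. Both of the lines above must have succeeded to get here,
# and this line must succeed too, or the login is denied.
auth     required    pam_duo.so

account  required    pam_unix.so
```

Two caveats for the failure modes the reply hints at. First, pam_duo's default `failmode` is `safe`, which means it allows the login if the Duo service is unreachable; for an MFA deployment set `failmode = secure` in /etc/duo/pam_duo.conf so an outage denies rather than permits, and rely on the local device accounts the reply mentions for break-glass access. Second, PAP (`pap = PAM` in tac_plus.conf) delivers a single password with no interactive prompt, so pam_duo has no way to present its passcode menu on that path; setting `autopush = yes` in pam_duo.conf makes it send a push instead of waiting at a prompt. Test both the success path and the "failure actually fails" path from a second session while your root shell stays open, exactly as the reply's checklist says.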
