A while back I had a need to deploy a TACACS+ server in an isolated environment, as a stopgap pending connection of that environment to my main environment.
For those not already in the know, TACACS+ is a protocol for centralizing authentication (and authorization and accounting) for network devices like switches, routers, load balancers, etc., so one does not have to go around and set up individual local accounts on each device, a big pain. That said, even with a TACACS+ setup, it’s still best practice to keep at least one local account on each device as a fallback in case something happens to your TACACS+ server or the network path to it, so you don’t get locked out in an emergency.
After some research, the most reasonable choice for my specific use case was the freeware tac_plus TACACS+ daemon package from Shrubbery Networks, deployed on a CentOS 7 virtual machine. The setup docs we used:
Doc: https://networklessons.com/uncategorized/how-to-install-tacacs-on-linux-centos/
Forum comments with some more helpful details: https://forum.networklessons.com/t/how-to-install-tacacs-on-linux-centos/1010
The VM was set up as a barebones deployment with only the SSH and TACACS+ (TCP 49) ports allowed inbound. After some research and monkeying, I found that there are multiple ways to set up authentication for this server; the use case that was the best fit for us was to store the user credentials directly in the /etc/tac_plus.conf file. This presented a problem the docs did not cover: with cleartext passwords in that file, the server admin (and anyone else who can read the file) has every user's credentials. At a minimum the file should be owned by root and readable only by root (mode 0600), since the daemon reads it at startup, but that still does not hide the passwords from the admin.
After some more research, I found that tac_plus can accept passwords already hashed with the OS's crypt(3) routine instead of cleartext, so tac_plus.conf only ever holds salted hashes. Note this is password hashing, not encryption: nobody can recover the password from the hash, and the daemon verifies a login by hashing what the user typed with the stored salt and comparing. If Python 3 is installed, one can use a short script to produce a crypt(3)-style SHA-256 hash (the "$5$" format). Users run that script on their own machine for their regular and enable passwords and hand only the resulting hashes to the VM admin for account setup, so the admin never sees a cleartext password.
The script in question (found on Internet forums, don’t remember source):
python3 -c 'import crypt; print(crypt.crypt("<password>", crypt.mksalt(crypt.METHOD_SHA256)))'
A couple of caveats: crypt.mksalt() and crypt.METHOD_SHA256 only exist in Python 3.3 and later (the stock Python 2.7 on CentOS 7 has neither), and the crypt module was deprecated in Python 3.11 and removed in 3.13, so on newer machines this one-liner will fail to import. The output looks like $5$<16-char salt>$<43-char hash>; crypt.METHOD_SHA512 ($6$, the CentOS 7 system default for /etc/shadow) works just as well and is the stronger choice.
Specifying a hash for credentials in the user account section of tac_plus.conf:
login = des <hash>
enable = des <hash>
Note that the keyword “des” is just a hook that tells tac_plus “hand this to the OS crypt(3) function to verify.” It’s not literally telling the OS that this is a DES hash. On a glibc system crypt(3) dispatches on the hash prefix, so any scheme the OS supports works: the classic 13-character DES hash, $1$ (MD5), $5$ (SHA-256) or $6$ (SHA-512). Two things to keep in mind: the admin can still see the hashes and try to crack them offline, so weak passwords are still at risk even with this setup, and a user should confirm the hash they send is the complete $5$...$... string, since a truncated or retyped hash simply causes every login to fail.
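As an added example (not from the original post or the tac_plus project), here is a way to do the same job without depending on the deprecated Python crypt module: a pure-Python implementation of the glibc SHA-256 crypt ($5$) scheme using only hashlib and secrets, plus a verifier, a format check the admin can run on a hash a user sends in, and a renderer for the user block in tac_plus.conf. The user-block syntax (user = NAME { login = des ... }) follows the tac_plus.conf convention shown above; the username “netadmin” and the passwords in the demo are made-up values. Any hash this produces is byte-for-byte what crypt(3) would produce for the same salt, so it can be pasted straight into the login/enable lines.

```python
"""Generate and verify glibc crypt(3) SHA-256 ("$5$") password hashes for
tac_plus.conf without the stdlib crypt module.  Added example; the algorithm is
Ulrich Drepper's SHA-crypt as implemented in glibc."""
import hashlib
import re
import secrets

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000
SALT_MAX = 16
# Output byte permutation from the SHA-crypt spec (SHA-256 variant): ten 3-byte
# groups encoded as 4 chars each, then bytes 31,30 encoded as 3 chars.
_ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
          (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]


def _repeat_to(block: bytes, length: int) -> bytes:
    """Repeat a digest and truncate to exactly `length` bytes."""
    return (block * (length // len(block) + 1))[:length]


def _encode(digest: bytes) -> str:
    out = []
    groups = [(digest[a], digest[b], digest[c], 4) for a, b, c in _ORDER]
    groups.append((0, digest[31], digest[30], 3))
    for b2, b1, b0, n in groups:
        w = (b2 << 16) | (b1 << 8) | b0
        for _ in range(n):          # little-endian 6-bit chunks, crypt alphabet
            out.append(B64[w & 0x3F])
            w >>= 6
    return "".join(out)


def sha256_crypt(password: str, salt: str, rounds: int = DEFAULT_ROUNDS,
                 rounds_custom: bool = False) -> str:
    pw, salt = password.encode(), salt[:SALT_MAX]
    sb = salt.encode()
    rounds = max(1000, min(rounds, 999_999_999))      # glibc clamps the range
    b = hashlib.sha256(pw + sb + pw).digest()            # digest B
    a_ctx = hashlib.sha256(pw + sb + _repeat_to(b, len(pw)))
    cnt = len(pw)                                        # per-bit mix of B / pw
    while cnt > 0:
        a_ctx.update(b if cnt & 1 else pw)
        cnt >>= 1
    a = a_ctx.digest()                                   # digest A
    p = _repeat_to(hashlib.sha256(pw * len(pw)).digest(), len(pw))
    s = _repeat_to(hashlib.sha256(sb * (16 + a[0])).digest(), len(sb))
    c = a
    for i in range(rounds):                              # the stretching loop
        ctx = hashlib.sha256()
        ctx.update(p if i & 1 else c)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(p)
        ctx.update(c if i & 1 else p)
        c = ctx.digest()
    prefix = "$5$" + (f"rounds={rounds}$" if rounds_custom else "")
    return prefix + salt + "$" + _encode(c)


def make_hash(password: str, rounds=None) -> str:
    """Fresh random 16-char salt, optional explicit rounds= count."""
    salt = "".join(secrets.choice(B64) for _ in range(SALT_MAX))
    if rounds is None:
        return sha256_crypt(password, salt)
    return sha256_crypt(password, salt, rounds, rounds_custom=True)


def verify(password: str, hashed: str) -> bool:
    """Re-hash with the salt/rounds embedded in `hashed` and compare."""
    if not hashed.startswith("$5$"):
        raise ValueError("only $5$ (SHA-256 crypt) hashes are handled here")
    rest, rounds, custom = hashed[3:], DEFAULT_ROUNDS, False
    if rest.startswith("rounds="):
        spec, _, rest = rest.partition("$")
        rounds, custom = int(spec[len("rounds="):]), True
    salt = rest.split("$", 1)[0]
    return secrets.compare_digest(sha256_crypt(password, salt, rounds, custom), hashed)


def looks_like_sha256_crypt(value: str) -> bool:
    """Admin-side sanity check before pasting a user-supplied hash into the config."""
    return re.fullmatch(r"\$5\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43}", value) is not None


def tac_plus_user_stanza(username: str, login_hash: str, enable_hash: str) -> str:
    """Render the per-user block; 'des' tells tac_plus to verify via crypt(3)."""
    return (f"user = {username} {{\n"
            f"    login = des {login_hash}\n"
            f"    enable = des {enable_hash}\n"
            f"}}\n")


if __name__ == "__main__":
    import getpass                      # never pass passwords on the command line
    login_pw = getpass.getpass("login password: ")
    enable_pw = getpass.getpass("enable password: ")
    print(tac_plus_user_stanza("netadmin", make_hash(login_pw), make_hash(enable_pw)), end="")
```

The user runs this on their own workstation and sends only the printed block; the admin runs looks_like_sha256_crypt() on each hash before pasting it, and the user can confirm with verify() that what they sent matches what they typed. make_hash(pw, rounds=50000) emits a rounds= prefix, which glibc crypt(3) honours and which makes offline cracking by anyone holding tac_plus.conf proportionally slower.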