Why

Multi-factor authentication is neat. It adds a level of security, and we should all be concerned about security, especially with regard to our critical infrastructure elements.

The Stack

Shrubbery’s tac_plus daemon is the approach I decided to take. I use its PAM support to enable MFA with OpenLDAP and Google Authenticator.

ansible-role-mfa-tacacs

Ansible is my preferred framework for automation. I wrote an Ansible role that installs tac_plus and google-authenticator for me because doing anything more than once is pretty boring.

You’ll need to clone the repository and place the roles/tacacs folder in your /etc/ansible/roles/ directory.

Next, you’ll want to update the variables in /etc/ansible/roles/tacacs/vars/main.yml to match your environment.

Note: I use Ansible to control my tac_plus configuration file, which uses the variables in /etc/ansible/roles/tacacs/vars/main.yml. I’ve only tested for Junos. If you modify this for another vendor, please open a pull request to make this role better!

Once you’ve done that, you can just add the tacacs role to a playbook. If you don’t have one or if you’re just getting started with Ansible, here’s an example:

---

- name: Install TACACS+
  hosts: tacacs.example.com
  become: yes  # privilege escalation; replaces the deprecated 'sudo: yes' keyword
  roles:
    - tacacs

Google Authenticator

You’ll need to generate your Google Authenticator token. Run google-authenticator on the server you just installed it on. I just answered yes to everything, but feel free to configure it to your liking. The output should include instructions on how to set your phone up as well (usually a QR code). You can look here, though, if it doesn’t.

Note: To increase redundancy, you should copy $HOME/.google_authenticator to a second server with tac_plus and google-authenticator installed. It should be the same file with the same path (i.e., $HOME/.google_authenticator).

TODO

Obviously, my role is missing a few things. The Red Hat-specific packages aren’t there, and some of the paths should be modified for Red Hat installations. I welcome the pull requests.

There’s also a way to allow roles to be installed via ansible-galaxy. I need to get around to adapting the role for that as well.

Next Steps

This Ansible role will set up TACACS+ for you, but you’ll still need to do some of the other setup. You can find a halfway decent guide to setting up tac_plus on my legacy site here.

It will be migrated to this domain eventually. Promise.

END!

Thanks for reading. Please open issues on the GitHub page. If you want to contribute, please open pull requests.

This post is part of the #30in30 challenge.