1 Introduction
AAA is short for Authentication, Authorization and Accounting. It is a security management mechanism for access control in network security and provides three security services: authentication, authorization and accounting.
TACACS & TACACS+: Terminal Access Controller Access Control System. It provides access control services for routers, network access servers and other network devices through one or more central servers. TACACS supports authentication, authorization and accounting as independent functions.
2 Installation
2.1 Installing on Ubuntu
Ubuntu 20.04 and later no longer ship the tacacs+ package, so Ubuntu 18.04 is the best choice.
1. Install
# Download and install TACACS+
### Cannot be installed with apt on Ubuntu 20.04 or later, where the package is no longer provided
### Install on Ubuntu 18.04 or on an image of the same release
apt-get update
apt-get install tacacs+
## Configuration file
vim tac_plus.conf
---------------------------------------------------
key = "tacacs123" # TACACS+ shared key
accounting syslog;
accounting file = /var/log/tacacs_accounting.log # follow with: tail -f /var/log/tacacs_accounting.log
default authentication = file /etc/passwd
acl = network_admin {
# allow access from all sources
#permit = ^10\.
permit = ^115\.
permit = [0-9]{1,3}\.
# implicit deny (ie: anything else)
}
group = admin {
default service = permit
acl = network_admin
service = exec {
priv-lvl = 15
}
cmd = display {
permit .*
}
}
group = operator {
acl = network_admin
service = exec {
priv-lvl = 1
}
cmd = display {
permit .*
}
cmd = show {
permit .*
}
}
group = ro {
acl = network_admin
service = exec {
priv-lvl = 15
}
cmd = display {
permit .*
}
cmd = show {
permit .*
}
cmd = interface {
permit .*
}
cmd = undo {
permit shutdown
}
cmd = configure {
permit .*
}
cmd = no {
permit shutdown
}
cmd = exit {
permit .*
}
cmd = quit {
permit .*
}
cmd = screen-length {
permit .*
}
cmd = terminal {
permit .*
}
cmd = set {
permit cli.*
}
cmd = ping {
permit .*
}
cmd = tracert {
permit .*
}
cmd = admin {
permit show
}
cmd = shutdown {
permit .*
}
}
user = chen_admin { # chen_admin: account name
login = des aPzSgJMfBUGB2 # hash generated with tac_pwd; account password hash: 7FLiiVJUDhin2
# expires = "Feb 20 2032"
member = admin # group (permissions)
}
user = chen_ro {
login = des temjCCsjBECmU
# expires = "Feb 20 2032"
member = ro # group (permissions)
}
####### Generate the password hashes
tac_pwd
Password to be encrypted: admin@123
aPzSgJMfBUGB2
tac_pwd
Password to be encrypted: test123
temjCCsjBECmU
## Start the daemon
/etc/init.d/tacacs_plus restart
* Restarting TACACS+ authentication daemon tacacs+ [ OK ]
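To see what the `network_admin` ACL and the three groups above actually decide, here is a small authorization simulator written for this article. It is added example code, not part of tac_plus or of the original post: it transcribes the ACL and group definitions into Python data and applies first-match rules the way I understand tac_plus to evaluate them (ACL regexes are searched, unanchored, against the NAS address; for a command, the block named after the first word is searched against the remaining arguments; a command with no block is permitted only under `default service = permit`). The function names, the data layout and the sample addresses are my own.

```python
import re

# The acl and group definitions from the tac_plus.conf above, transcribed by hand
# into Python (constructed for this example; the real daemon reads the text file).
ACL_NETWORK_ADMIN = [("permit", r"^115\."), ("permit", r"[0-9]{1,3}\.")]

ALLOW_ALL = [("permit", r".*")]
GROUPS = {
    "admin": {"default_permit": True, "priv_lvl": 15,
              "cmds": {"display": ALLOW_ALL}},
    "operator": {"default_permit": False, "priv_lvl": 1,
                 "cmds": {"display": ALLOW_ALL, "show": ALLOW_ALL}},
    "ro": {"default_permit": False, "priv_lvl": 15,
           "cmds": {"display": ALLOW_ALL, "show": ALLOW_ALL, "interface": ALLOW_ALL,
                    "undo": [("permit", r"shutdown")], "configure": ALLOW_ALL,
                    "no": [("permit", r"shutdown")], "exit": ALLOW_ALL,
                    "quit": ALLOW_ALL, "screen-length": ALLOW_ALL,
                    "terminal": ALLOW_ALL, "set": [("permit", r"cli.*")],
                    "ping": ALLOW_ALL, "tracert": ALLOW_ALL,
                    "admin": [("permit", r"show")], "shutdown": ALLOW_ALL}},
}


def first_match(rules, text):
    """Return the action ('permit'/'deny') of the first rule whose regex is
    found anywhere in text (unanchored search, like tac_plus), else None."""
    for action, pattern in rules:
        if re.search(pattern, text):
            return action
    return None


def acl_allows(acl, nas_ip):
    """Client ACL: the first matching rule decides; no match is an implicit deny."""
    return first_match(acl, nas_ip) == "permit"


def authorize_cmd(group_name, cmdline):
    """Command authorization for one group. Returns (decision, reason)."""
    group = GROUPS[group_name]
    parts = cmdline.split()
    if not parts:
        return "deny", "empty command"
    name, args = parts[0], " ".join(parts[1:])
    rules = group["cmds"].get(name)
    if rules is None:
        if group["default_permit"]:
            return "permit", f"no cmd block for '{name}', default service = permit"
        return "deny", f"no cmd block for '{name}' and no default permit"
    action = first_match(rules, args)
    if action is None:
        return "deny", f"no rule in cmd = {name} matched '{args}'"
    return action, f"rule in cmd = {name} matched '{args}'"


def review_groups():
    """Findings a reviewer would raise about these groups (defender's view)."""
    findings = []
    for name, group in GROUPS.items():
        if group["default_permit"]:
            findings.append(f"{name}: default service = permit allows every unlisted command")
        if group["priv_lvl"] == 15 and name != "admin":
            findings.append(f"{name}: priv-lvl 15 on a group that is not admin")
        conf = group["cmds"].get("configure")
        if conf and first_match(conf, "terminal") == "permit":
            findings.append(f"{name}: may enter configuration mode")
    return findings


if __name__ == "__main__":
    for ip in ("115.1.2.3", "10.0.0.1", "fe80::1"):
        print(f"ACL {ip:>10}: {'allow' if acl_allows(ACL_NETWORK_ADMIN, ip) else 'deny'}")
    for grp, cmd in (("ro", "undo shutdown"), ("ro", "undo interface GigabitEthernet0/0/1"),
                     ("admin", "reboot"), ("operator", "reboot")):
        print(f"{grp:>8} {cmd!r}: {authorize_cmd(grp, cmd)}")
    for finding in review_groups():
        print("finding:", finding)
```

Two things are worth noticing when you run it. `[0-9]{1,3}\.` is unanchored, so every IPv4 client passes the ACL; that is what the "allow access from all sources" comment intends, but the `^115\.` line above it then does nothing. And the group named `ro` gets `priv-lvl = 15` plus `configure`, `interface` and `shutdown` with `permit .*`, so it is not read-only at all; `review_groups()` reports exactly these points.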
2. Explanation of the configuration file
cat /etc/tacacs+/tac_plus.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details
# Define where to log accounting data, this is the default.
### TACACS+ accounting log file
accounting file = /var/log/tac_plus.acct
# This is the key that clients have to use to access Tacacs+
## TACACS+ shared key
key = testing123
# Use /etc/passwd file to do authentication
#default authentication = file /etc/passwd
# You can use feature like per host key with different enable passwords
#host = 127.0.0.1 {
# key = test
# type = cisco
# enable = <des|cleartext> enablepass
# prompt = "Welcome XXX ISP Access Router \n\nUsername:"
#}
# We also can define local users and specify a file where data is stored.
# That file may be filled using tac_pwd
#user = test1 {
# name = "Test User"
# member = staff
# login = file /etc/tacacs/tacacs_passwords
#}
# We can also specify rules valid per group of users.
#group = group1 {
# cmd = conf {
# deny
# }
#}
# Another example : forbid configure command for some hosts
# for a define range of clients
#group = group1 {
# login = PAM
# service = ppp
# protocol = ip {
# addr = 10.10.0.0/24
# }
# cmd = conf {
# deny .*
# }
#}
user = DEFAULT {
login = PAM
service = ppp protocol = ip {}
}
# Many more features are available, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.
2.2 Docker installation (building your own image)
All the material needed to build the tacacs image is provided here and can be downloaded: tacacs resource pack
The web UI can also be packaged into the image; adjust it according to your own needs.
1. The Dockerfile
mkdir /opt/tacacs
cd /opt/tacacs
# 1. The Dockerfile
vim Dockerfile
# Use Base Ubuntu image
FROM ubuntu:18.04
# Author of this Dockerfile
MAINTAINER Andrew Roderos
# Update & upgrades
RUN apt-get update && apt-get upgrade -y
# Install tacacs+ and Google Authenticator
RUN apt-get install tacacs+ libpam-google-authenticator -y
# Clear local repo
RUN apt-get clean
# Create a user with home directory
RUN useradd -m -d /home/andrew -s /bin/bash andrew
# Add password to andrew account
RUN echo "andrew:test" | chpasswd
# Copy Google secret key from host's volume to tacacs+ container
COPY .google_authenticator /home/andrew
# Change file owner
RUN chown andrew:andrew /home/andrew/.google_authenticator
# Copy tac_plus configuration file from host to the container
COPY tac_plus.conf /etc/tacacs+/tac_plus.conf
# Add tac_plus PAM
RUN touch /etc/pam.d/tac_plus
RUN echo auth requisite pam_google_authenticator.so forward_pass >> /etc/pam.d/tac_plus
RUN echo auth required pam_unix.so use_first_pass >> /etc/pam.d/tac_plus
# Run tac_plus as foreground process and use /etc/tacacs+/tac_plus.conf as the config file
#CMD ["tac_plus", "-G", "-C", "/etc/tacacs+/tac_plus.conf"]
# Install nginx, php-fpm
COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
ENV TZ=Asia/Shanghai
#### Setting DEBIAN_FRONTEND lets the following installs run without interactive prompts
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get -y install nginx php php-fpm net-tools supervisor curl php-mysql php-common php-gd php-cli
COPY nginx.conf /etc/nginx/nginx.conf
### webui is the archive of the web front end; it needs PHP and MySQL (5.7 by default)
ADD webui_v1.7b1.tar /usr/local/nginx
RUN mkdir /run/php ; chown www-data:www-data /run/php
# Install mysql
RUN apt-get update;apt-get install mysql-server -y
COPY tac_plus.sql /usr/local/nginx/tac_plus.sql
COPY start.sh /usr/local/nginx/start.sh
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
2. Configuration files used by the Dockerfile
All of the following files live in the /opt/tacacs directory.
Obtaining the .google_authenticator file
# Install
apt-get install libpam-google-authenticator -y
# Generate the Google Authenticator secret
google-authenticator
##### The output is shown below
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@template%3Fsecret%3DB4BFA57AJCLCZT2SIQLVBWJWFY%26issuer%3Dtemplate
# A QR code image is printed here
Your new secret key is: B4BFA57AJCLCZT2SIQLVBWJWFY
Enter code from app (-1 to skip): -1
Code confirmation skipped
Your emergency scratch codes are:
22392718
78251317
47207995
37394412
76581106
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
## Move the generated file into the build directory
mv /root/.google_authenticator .
The tac_plus.conf file
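The dialogue above, together with the `forward_pass` / `use_first_pass` PAM lines in the Dockerfile, amounts to a concrete verification policy. The following Python is an added example written for this article, not code from libpam-google-authenticator: it implements RFC 4226/6238 HOTP/TOTP for a base32 secret of the kind stored in .google_authenticator, and a small `Verifier` that applies the three choices made above (a skew window of 1 or 8 steps, rejection of a token that was already accepted, and at most 3 attempts per 30 s). `split_forward_pass` shows what the forward_pass option does to the combined password+code string the user types. The class and function names are my own, and DEMO_SECRET is the RFC test key, not a real user secret.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per token, as the dialogue states
DIGITS = 6   # Google Authenticator codes


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def decode_secret(secret_b32):
    """The .google_authenticator file stores the secret as unpadded base32."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded, casefold=True)


def totp(secret_b32, now, step=STEP):
    """RFC 6238 TOTP: HOTP with the counter set to floor(now / step)."""
    return hotp(decode_secret(secret_b32), int(now) // step)


def split_forward_pass(typed, digits=DIGITS):
    """With forward_pass the user types password and code as one string; the
    module takes the trailing code and forwards the rest to pam_unix."""
    if len(typed) <= digits or not typed[-digits:].isdigit():
        return None
    return typed[:-digits], typed[-digits:]


class Verifier:
    """Models the three yes/no answers: skew window, no token reuse, rate limit.
    window=1 accepts 3 codes (previous, current, next); window=8 accepts 17."""

    def __init__(self, secret_b32, window=1, max_attempts=3, period=STEP):
        self.secret = decode_secret(secret_b32)
        self.window = window
        self.max_attempts = max_attempts  # "no more than 3 login attempts every 30s"
        self.period = period
        self.last_counter = -1            # highest counter already accepted
        self.attempts = []                # timestamps of recent attempts

    def verify(self, code, now):
        """Returns 'ok', 'bad', 'reused' or 'rate-limited'."""
        self.attempts = [t for t in self.attempts if now - t < self.period]
        if len(self.attempts) >= self.max_attempts:
            return "rate-limited"
        self.attempts.append(now)
        counter = int(now) // STEP
        for c in range(max(0, counter - self.window), counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                if c <= self.last_counter:
                    return "reused"   # the same 30 s token presented twice
                self.last_counter = c
                return "ok"
        return "bad"


# Constructed demo secret: the RFC 4226/6238 test key "12345678901234567890" in base32
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("code at t=59:", totp(DEMO_SECRET, 59))          # 287082, the RFC 6238 vector
    v = Verifier(DEMO_SECRET)
    print(v.verify(totp(DEMO_SECRET, 59), 59))            # ok
    print(v.verify(totp(DEMO_SECRET, 59), 60))            # reused
    print(split_forward_pass("hunter2" + "287082"))       # ('hunter2', '287082')
```

The window choice is the one to think about: answering "y" to the skew question widens acceptance from 3 to 17 consecutive codes, which is 8.5 minutes of valid tokens at any moment, so keep the clocks on the TACACS+ host and the phone in sync (NTP in the container) rather than widening the window. The rate limit and the no-reuse rule are cheap and should both stay on.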
cat tac_plus.conf
# (contents identical to the tac_plus.conf shown in section 2.1 above; not repeated here)
The supervisord.conf configuration file
cat > supervisord.conf << EOF
[supervisord]
nodaemon=true
[program:nginx]
; keep nginx in the foreground, otherwise it daemonizes and supervisord loses track of it
command=/usr/sbin/nginx -g "daemon off;"
autostart=true
autorestart=true
[program:php-fpm]
command=/usr/sbin/php-fpm7.2 --nodaemonize --fpm-config /etc/php/7.2/fpm/php-fpm.conf
autostart=true
autorestart=true
[program:tac_plus]
command=tac_plus -G -C /etc/tacacs+/tac_plus.conf
autostart=true
autorestart=true
[program:mysql]
; the init script forks mysqld and exits, so run it once and do not restart it
command=service mysql start
autostart=true
autorestart=false
startsecs=0
[program:mysql-import]
command=/bin/bash /usr/local/nginx/start.sh
autostart=true
; start.sh is a one-shot import: restarting it would import the SQL file again on every exit
autorestart=false
startsecs=0
EOF
#### After webui is unpacked, the tac_plus.sql inside it has to be imported into the database
#### Precondition: the MySQL service is already running
cat start.sh
#!/bin/bash
echo "Waiting for MySQL to be ready..."
while ! mysqladmin ping -h localhost -u root --silent; do
sleep 1
done
echo "MySQL is ready, importing data..."
mysql -uroot < /usr/local/nginx/tac_plus.sql
tac_plus.sql
Note: the tac_plus.sql shipped in the webui archive needs to be modified; the modified version is provided below.
Upload it to /opt/tacacs.
The nginx.conf file
cat nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
server {
listen 81;
server_name localhost;
location / {
root /usr/local/nginx;
index index.php index.html index.htm;
}
location ~ \.php$ {
root /usr/local/nginx;
fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
include /etc/nginx/conf.d/*.conf;
#include /etc/nginx/sites-enabled/*;
}
3. Build the image
docker build -t tacacs:v1 .
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
tacacs v1 9d57b17b34a1 19 seconds ago 572MB
4. Run
docker run -td --name tacplus -p 30080:81 -v /opt/tacacs/tac_plus.conf:/etc/tacacs+/tac_plus.conf -v /opt/tacacs/nginx.conf:/etc/nginx/nginx.conf tacacs:v1
5. Check the result
Default username/password: admin/system. This is set by the statements in tac_plus.sql and can be changed.
Client ACL: restricts which IP addresses may talk to the tac_plus server
NAS ACL: sets the permissions of users and groups
Attributes: attributes that set the privilege level for switches of different vendors
Commands: defines command categories
Nas: adds the management IPs of switches and routers
Nas Group: adds switch groups (similar to Nas)
Users: adds users
User Group: adds user groups (similar to Users)
Vendor: manages switch vendors
Reports: view AAA login audit and other log information
2.3 Description of each file
1. Dockerfile explained
# Base image
FROM ubuntu:18.04
# Author
MAINTAINER Alyssa
# Update
RUN apt-get update && apt-get upgrade -y
# Install tacacs+ and Google Authenticator
RUN apt-get install tacacs+ libpam-google-authenticator -y
# Clean the local package cache
RUN apt-get clean
# Create a user
RUN useradd -m -d /home/andrew -s /bin/bash andrew
# Set the password
RUN echo "andrew:test" | chpasswd
# Copy the secret file into the target directory in the image
COPY .google_authenticator /home/andrew
# Change file owner
RUN chown andrew:andrew /home/andrew/.google_authenticator
# Copy tac_plus configuration file from host to the container
COPY tac_plus.conf /etc/tacacs+/tac_plus.conf
# Add tac_plus PAM
RUN touch /etc/pam.d/tac_plus
RUN echo auth requisite pam_google_authenticator.so forward_pass >> /etc/pam.d/tac_plus
RUN echo auth required pam_unix.so use_first_pass >> /etc/pam.d/tac_plus
#### To start several services from one Dockerfile, use Supervisor; it can be installed directly with apt
COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
ENV TZ=Asia/Shanghai
#### Setting DEBIAN_FRONTEND lets the following installs run without interactive prompts
ENV DEBIAN_FRONTEND=noninteractive
### The web UI needs nginx, php-fpm and MySQL
RUN apt-get -y install nginx php php-fpm net-tools supervisor curl php-mysql php-common php-gd php-cli
COPY nginx.conf /etc/nginx/nginx.conf
### webui is the archive of the web front end; it needs PHP and MySQL (5.7 by default)
ADD webui_v1.7b1.tar /usr/local/nginx
RUN mkdir /run/php ; chown www-data:www-data /run/php
# Install MySQL 5.7
RUN apt-get update;apt-get install mysql-server -y
COPY tac_plus.sql /usr/local/nginx/tac_plus.sql
COPY start.sh /usr/local/nginx/start.sh
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
2. supervisord.conf
A brief introduction to Supervisor:
- Supervisor is a client/server system that lets its users monitor and control multiple processes on UNIX-like operating systems.
- Supervisor is a general-purpose process manager written in Python. It turns an ordinary command-line process into a background daemon, monitors its state and restarts it automatically if it exits unexpectedly.
- It starts the managed processes via fork/exec as child processes of supervisord, so all that is required is to write the path of each executable into Supervisor's configuration file. When a child process dies, the parent gets accurate information about it and can optionally restart it and raise an alert. Supervisor can also run supervisord, or each child process, as a non-root user, who can then manage that process.
The part of the file that needs explaining is:
[program:mysql-import]
command=/bin/bash /usr/local/nginx/start.sh
autostart=true
autorestart=false
### This block imports the web UI's SQL into MySQL after MySQL has started: the shell script polls until it sees the service running and only then runs the import. The script is a one-shot job, so autorestart is off; otherwise the SQL file would be imported again after every exit.
3. nginx.conf
The web UI runs on nginx, PHP and MySQL, so it is configured in nginx.conf
include /etc/nginx/conf.d/*.conf;
#include /etc/nginx/sites-enabled/*;
# Note: the sites-enabled include above has to be commented out. That directory defines a default server on port 80, which conflicts with the Apache2 in our environment and causes an error, so it is simply commented out.
2.4 Extra: installing MySQL 8.0 on Ubuntu 18.04
# 1. Install the required packages
sudo apt install dirmngr ca-certificates software-properties-common apt-transport-https curl lsb-release -y
# 2. Import the GPG key and repository into the Ubuntu system
curl -fsSL http://repo.mysql.com/RPM-GPG-KEY-mysql-2022 | sudo gpg --dearmor | sudo tee /usr/share/keyrings/mysql.gpg > /dev/null
# 3. Add the MySQL 8.0 repository
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/mysql.gpg] http://repo.mysql.com/apt/ubuntu $(lsb_release -cs) mysql-8.0" | sudo tee -a /etc/apt/sources.list.d/mysql.list
# 4. (Optional) developers or users with specific needs can also add the MySQL source repository
echo "deb-src [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/mysql.gpg] http://repo.mysql.com/apt/ubuntu $(lsb_release -cs) mysql-8.0" | sudo tee -a /etc/apt/sources.list.d/mysql.list
# 5. (Optional) developers can also add the MySQL tools repository with the following commands
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/mysql.gpg] http://repo.mysql.com/apt/ubuntu $(lsb_release -cs) mysql-tools" | sudo tee -a /etc/apt/sources.list.d/mysql.list
echo "deb-src [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/mysql.gpg] http://repo.mysql.com/apt/ubuntu $(lsb_release -cs) mysql-tools" | sudo tee -a /etc/apt/sources.list.d/mysql.list
# 6. Update. If apt complains that a key must be imported, the parameter --allow-insecure-repositories treats the repository as trusted without a key (this turns off signature verification for the repository, so fixing the key import in step 2 is the safer option)
sudo apt update
# 7. Install MySQL 8.0
sudo apt install mysql-community-server
#### All other configuration is the same as a normal MySQL 8 installation
Conclusion
- tacacs+ is no longer supported by default on Ubuntu 20.04 and later, so install it on Ubuntu 18.04, or install from a source package on Ubuntu 22.04 (no source package has been found yet; if you know of one, please leave a comment)
- When building the tacacs+ image, modify it according to your own needs
- The web UI runs on LNMP; MySQL 5.7 is the recommended version
- When importing the SQL file from the web UI into the database, some of its content has to be modified; note that it must not be executed directly while building the image.