Currently, VyOS implements TACACS+ for Authentication, Authorization, and Accounting via Linux PAM, but this implementation has limitations.
In traditional TACACS+ usage, detailed Authorization and Accounting are expected for each command executed. However, the PAM-based implementation in VyOS treats the three AAA functions as follows:
- Authentication: Confirms the user's identity (the same as in traditional TACACS+).
- Authorization: Only consulted when checking whether the user may start a new shell or session via sudo. This differs from the command-level authorization of traditional TACACS+.
- Accounting: Records when a user logs in and out, but provides no command-level accounting.
This PAM-based TACACS+ implementation does not align with the more detailed AAA functionalities often expected.
Proposed Enhancements:
- Authorization Enhancement: Implementing a mechanism for command-level authorization, as is typically expected in TACACS+ implementations.
- Accounting Enhancement: Record detailed Accounting information beyond session start and stop events.
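The following is an added example, not VyOS code or part of this request, showing what the two proposed enhancements look like on the wire: a TACACS+ (RFC 8907) authorization REQUEST/REPLY for a single shell command, evaluated against a per-user command policy, followed by START and STOP accounting records for that same command. The shared secret, session ids, user names, `ttyS0`/`192.0.2.10`, the `task_id` value and the `POLICY` table are constructed for the demo; both client and "server" run in one process so the exchange is visible without a network.

```python
"""Toy TACACS+ (RFC 8907) per-command authorization and accounting exchange.
Added example, not VyOS code. Secret, session ids, user names, port/rem_addr,
task_id and POLICY are constructed; packet layouts and the MD5 pseudo-pad
obfuscation follow RFC 8907 sections 5.2, 6.1, 6.2, 7.1 and 7.2."""
import hashlib
import os
import struct

VERSION = 0xC0                       # major version 0xc, minor version 0
TYPE_AUTHOR, TYPE_ACCT = 0x02, 0x03
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01
AUTHOR_PASS_ADD, AUTHOR_FAIL = 0x01, 0x10
ACCT_START, ACCT_STOP, ACCT_SUCCESS = 0x02, 0x04, 0x01
POLICY = {"operator": ["show", "ping"], "admin": ["*"]}   # constructed: allowed command prefixes
ACCT_LOG = []                        # server-side accounting records (demo stand-in for a log file)
AUTHEN_PREFIX = bytes([AUTHEN_METH_TACACSPLUS, 15, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN])  # priv_lvl 15

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 5.2: chained MD5(session_id, key, version, seq_no[, previous digest])."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def pack_packet(ptype, seq_no, session_id, body, key):
    """12-byte header, then the body XORed with the pseudo-pad (flags=0: obfuscated)."""
    header = struct.pack("!BBBB4sI", VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, key, VERSION, seq_no, len(body))))

def unpack_packet(packet, key):
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    if len(packet) != 12 + length:
        raise ValueError("truncated TACACS+ packet")
    body = bytes(a ^ b for a, b in zip(packet[12:], pseudo_pad(session_id, key, version, seq_no, length)))
    return ptype, seq_no, session_id, body

def shell_args(command):
    """AV pairs a NAS sends for one shell command: service, cmd, cmd-arg..., <cr>."""
    words = command.split()
    return ["service=shell", "cmd=" + words[0]] + ["cmd-arg=" + w for w in words[1:]] + ["cmd-arg=<cr>"]

def request_body(prefix, user, port, rem_addr, args):
    """Shared tail of AUTHOR (6.1) and ACCT (7.1) requests: lengths, arg lengths, strings."""
    u, p, r, a = user.encode(), port.encode(), rem_addr.encode(), [x.encode() for x in args]
    return prefix + bytes([len(u), len(p), len(r), len(a)]) + bytes(map(len, a)) + u + p + r + b"".join(a)

def parse_request(body, ptype):
    """Parse an AUTHOR or ACCT request body back into its fields (server side)."""
    fixed = 8 if ptype == TYPE_AUTHOR else 9          # ACCT carries an extra leading flags byte
    hdr = body[:fixed]
    flags, priv = (None, hdr[1]) if ptype == TYPE_AUTHOR else (hdr[0], hdr[2])
    argc = hdr[-1]
    off, strings = fixed + argc, []
    for n in list(hdr[-4:-1]) + list(body[fixed:fixed + argc]):   # user, port, rem_addr, args...
        strings.append(body[off:off + n].decode()); off += n
    return {"flags": flags, "priv_lvl": priv, "user": strings[0], "port": strings[1],
            "rem_addr": strings[2], "args": strings[3:]}

def av_dict(args):
    """Split "attr=value" (mandatory) / "attr*value" (optional) pairs into lists."""
    d = {}
    for pair in args:
        attr, _, val = pair.partition("=" if "=" in pair else "*")
        d.setdefault(attr, []).append(val)
    return d

def server_authorize(req):
    """Policy decision for one shell command; returns (status, server_msg)."""
    av = av_dict(req["args"])
    if av.get("service") != ["shell"] or "cmd" not in av:
        return AUTHOR_FAIL, "only shell command authorization is supported"
    cmd = " ".join(av["cmd"] + [w for w in av.get("cmd-arg", []) if w != "<cr>"])
    allowed = POLICY.get(req["user"], [])
    if "*" in allowed or any(cmd == p or cmd.startswith(p + " ") for p in allowed):
        return AUTHOR_PASS_ADD, "permit " + cmd
    return AUTHOR_FAIL, "deny " + cmd

def author_reply(status, server_msg):
    """RFC 8907 6.2 REPLY: status, arg_cnt=0, server_msg_len, data_len=0, server_msg."""
    msg = server_msg.encode()
    return struct.pack("!BBHH", status, 0, len(msg), 0) + msg

def parse_author_reply(body):
    status, argc, mlen, _dlen = struct.unpack("!BBHH", body[:6])
    return status, body[6 + argc:6 + argc + mlen].decode()

def authorize_command(user, command, key):
    """Client builds the REQUEST; the in-process server answers; client parses the REPLY."""
    sid = os.urandom(4)
    body = request_body(AUTHEN_PREFIX, user, "ttyS0", "192.0.2.10", shell_args(command))
    ptype, seq, sid2, rbody = unpack_packet(pack_packet(TYPE_AUTHOR, 1, sid, body, key), key)  # server
    status, msg = server_authorize(parse_request(rbody, ptype))
    reply = pack_packet(ptype, seq + 1, sid2, author_reply(status, msg), key)
    return parse_author_reply(unpack_packet(reply, key)[3])            # back on the client

def account_command(user, command, key, task_id="42"):
    """One START and one STOP record for a command (7.1/7.2); returns the two reply statuses."""
    statuses = []
    for flag, extra in ((ACCT_START, ["start_time=1700000000"]),
                        (ACCT_STOP, ["stop_time=1700000003", "elapsed_time=3"])):
        args = ["task_id=" + task_id] + extra + shell_args(command)
        body = request_body(bytes([flag]) + AUTHEN_PREFIX, user, "ttyS0", "192.0.2.10", args)
        ptype, seq, sid, rbody = unpack_packet(pack_packet(TYPE_ACCT, 1, os.urandom(4), body, key), key)
        ACCT_LOG.append(parse_request(rbody, ptype))                    # server records the command
        reply = pack_packet(ptype, seq + 1, sid, struct.pack("!HHB", 0, 0, ACCT_SUCCESS), key)
        statuses.append(unpack_packet(reply, key)[3][4])
    return statuses

if __name__ == "__main__":
    KEY = b"constructed-shared-secret"
    print(authorize_command("operator", "show interfaces", KEY), authorize_command("operator", "reboot", KEY))
    print(account_command("operator", "show interfaces", KEY), ACCT_LOG[-1]["args"])
```

The point of the example is the granularity: every command becomes its own `service=shell` / `cmd=` / `cmd-arg=` authorization round trip, and every command produces START and STOP accounting records keyed by `task_id`, which is exactly what a login-scoped PAM integration cannot express. The policy table and prefix matching are deliberately simple; a real server applies its own rule language and may return additional AV pairs in a PASS_ADD or PASS_REPL reply.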
These improvements would significantly enhance TACACS+ functionality and align it with traditional AAA expectations.