Forum Discussion

Kevin_Davies
Oct 29, 2018

Enabling TACACS+ locks out public key auth local admins

After enabling TACACS+ for local administrator authentication on a BIG-IP, all non-default local admin users using public key authentication can no longer log in. I suspect this is because remote user authentication only permits TMSH, whereas public key authentication tries to start BASH, which may no longer be permitted. Is there a workaround or a way to fix this?


  • Mr Kevin, I gave you a possible workaround, but I want to document it here for users with a similar problem.

    I have never found out why, but for some reason, when you turn on remote authentication for management access, the user (Other External Users) that represents the users authenticated remotely can only have tmsh or no shell.

    I searched the db keys and tmsh commands, and I could not find anything that would change that behaviour.

    The workaround I use for that is to create the user locally with the same name as the remote user. Because the system is using remote authentication, it will not ask for the password, but it will allow changing the terminal to the advanced shell (as long as you use a role that has that, like administrator).

    Creating all users remotely and locally duplicates the work, which is why for some protocols there is a possibility to have the shell information in the remote server.

    https://support.f5.com/csp/article/K14324

    However, I don't know if there is something similar for TACACS+.
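
The check behind the workaround above, as an added example that is not part of this thread and not F5's own tooling: it parses `tmsh list auth user` output (a constructed sample is embedded so it runs offline), and for each remote admin name given on the command line reports whether a local twin with the advanced shell already exists, printing a `tmsh create auth user ... shell bash` command for any that is missing. The user names, the sample output and the exact tmsh syntax are assumptions; nothing is executed against a BIG-IP, the commands are only printed so you can review them before pasting them in from the console.

```shell
#!/bin/sh
# Added example, not code from the thread or from F5.
# Purpose: before enabling TACACS+ (or after regaining console access), find
# which remote admin accounts still lack a local twin whose shell is bash,
# which is the workaround described above for public-key SSH logins.
# Assumed tmsh syntax: "tmsh list auth user" and
# "tmsh create auth user <name> partition-access add { all-partitions { role admin } } shell bash".

# Constructed sample of "tmsh list auth user" output (not captured from a real box).
SAMPLE_USERS='auth user admin {
    partition Common
    shell bash
}
auth user kdavies {
    partition Common
    shell bash
}
auth user auditor {
    partition Common
    shell tmsh
}'

# Read tmsh list output on stdin and print one "name shell" line per local user.
# A user block without a shell property is reported as "none".
local_user_shells() {
    awk '
        /^auth user /         { name = $3; shell = "none" }
        /^[[:space:]]+shell / { shell = $2 }
        /^}/                  { if (name != "") print name, shell; name = "" }
    '
}

# Usage: <tmsh list output> | check_remote_admins NAME...
# Prints "ok NAME" when a local twin with shell bash exists, otherwise
# "missing NAME" followed by the (assumed) tmsh command that would create it.
check_remote_admins() {
    users=$(local_user_shells)
    for name in "$@"; do
        shell=$(printf '%s\n' "$users" | awk -v n="$name" '$1 == n { print $2 }')
        if [ "$shell" = "bash" ]; then
            printf 'ok %s\n' "$name"
        else
            printf 'missing %s\n' "$name"
            printf 'tmsh create auth user %s partition-access add { all-partitions { role admin } } shell bash\n' "$name"
        fi
    done
}

# Demonstration on the constructed sample: kdavies is covered, auditor only has
# tmsh, jsmith has no local account at all.
printf '%s\n' "$SAMPLE_USERS" | check_remote_admins kdavies auditor jsmith
```

On a real unit you would replace the sample with `tmsh list auth user | check_remote_admins <names>`; the printed create commands are the point where a human decides which accounts genuinely need the advanced shell, since every local twin with bash is a second credential path to the box.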


  • inshaj

    Is there any possible way to revert back through a console cable?