On 1/30/09, <b class="gmail_sendername">Alexander Czutka</b> <<a href="mailto:aczutka@brocade.com">aczutka@brocade.com</a>> wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="blue" lang="DE">
<div>
<p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;">Hello Nathan,</span></font></p>
<p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;"> </span></font></p>
<p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;">it doesn't work.</span></font></p></div></div></blockquote><div><br>What doesn't work? tac_plus doesn't print the same error message while parsing the config file as it does without the quotes, does it?<br>
<br>I normally use a group and deny everything that is not explicitly allowed (a command blacklist):<br><br>group = mygroup {<br> default service = deny<br> cmd = show {<br> permit "ip &lt;cr&gt;"<br> deny .*<br>
}<br>}<br>user = myuser {<br> member = mygroup<br> login = cleartext "mypassword"<br>}<br><br>Nathan<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="blue" lang="DE"><div><p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;" lang="EN-GB">user = user2 {</span></font></p>
<p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;" lang="EN-GB"># member =
group2</span></font></p>
<p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;" lang="EN-GB"># debug =
REGEX</span></font></p>
<p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;" lang="EN-GB"> login =
cleartext "user2"</span></font></p>
<p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;" lang="EN-GB"> enable =
cleartext "user2"</span></font></p><span class="q">
<p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;" lang="EN-GB"> </span></font></p>
<p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;" lang="EN-GB"> cmd = show {</span></font></p>
<p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;" lang="EN-GB"> permit
ip</span></font></p>
<p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;" lang="EN-GB"> deny
"ip ospf"</span></font></p>
<p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;" lang="EN-GB"> </span></font><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;">}</span></font></p>
<p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;"> </span></font></p>
</span><p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;"># END</span></font></p>
<p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;"> </span></font></p>
<p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;">Regards,</span></font></p>
<p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;"> </span></font></p>
<p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;">Alexander</span></font></p>
<p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;"> </span></font></p>
<div>
<div style="text-align: center;" align="center"><font face="Times New Roman" size="3"><span style="font-size: 12pt;">
<hr align="center" size="2" width="100%">
</span></font></div>
<p><b><font face="Tahoma" size="2"><span style="font-size: 10pt; font-family: Tahoma; font-weight: bold;">From:</span></font></b><font face="Tahoma" size="2"><span style="font-size: 10pt; font-family: Tahoma;">
<a href="mailto:nschrenk@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">nschrenk@gmail.com</a> [mailto:<a href="mailto:nschrenk@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">nschrenk@gmail.com</a>] <b><span style="font-weight: bold;">On behalf of </span></b>Nathan Schrenk<br>
<b><span style="font-weight: bold;">Sent:</span></b> Friday, 30 January 2009
21:14<br>
<b><span style="font-weight: bold;">To:</span></b> Alexander Czutka<br>
<b><span style="font-weight: bold;">Cc:</span></b> <a href="mailto:tac_plus@shrubbery.net" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">tac_plus@shrubbery.net</a><br>
<b><span style="font-weight: bold;">Subject:</span></b> Re: [tac_plus] How can I
deny/permit ?</span></font></p>
</div><div><span class="q" id="q_11f293a689242261_3">
<p><font face="Times New Roman" size="3"><span style="font-size: 12pt;"> </span></font></p>
<p><font face="Times New Roman" size="3"><span style="font-size: 12pt;">On 1/30/09, <b><span style="font-weight: bold;">Alexander Czutka</span></b>
<<a href="mailto:aczutka@brocade.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">aczutka@brocade.com</a>> wrote:</span></font></p>
<div>
<blockquote style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color rgb(204, 204, 204); border-width: medium medium medium 1pt; padding: 0cm 0cm 0cm 6pt; margin-left: 4.8pt; margin-right: 0cm;">
<p><font face="Times New Roman" size="3"><span style="font-size: 12pt;">Hello,<br>
<br>
I'm trying to set up an authorization for a user.<br>
<br>
The user should be allowed to do a:<br>
<br>
- Show ip<br>
- show ip route<br>
<br>
But he shouldn't execute the commands which start with:<br>
<br>
- Show ip ospf<br>
- Show ip pim<br>
<br>
I tried this, but it didn't work:<br>
<br>
cmd = show {<br>
permit
ip<br>
deny ip
ospf<br>
}<br>
<br>
root@ubuntu-fdry:/# tac_plus -C /etc/tac_plus.conf<br>
Error: expecting '}' but found 'ospf' on line 40<br>
root@ubuntu-fdry:/#<br>
<br>
Is this possible ?</span></font></p>
</blockquote>
<div>
<p style="margin-bottom: 12pt;"><font face="Times New Roman" size="3"><span style="font-size: 12pt;"><br>
Try putting quotes around the tokens:<br>
<br>
cmd = show {<br>
permit
ip<br>
deny
"ip ospf" <br>
}</span></font></p>
</div>
<p><font face="Times New Roman" size="3"><span style="font-size: 12pt;">Nathan</span></font></p>
</div>
<p><font face="Times New Roman" size="3"><span style="font-size: 12pt;"> </span></font></p>
</span></div></div>
</div>
</blockquote></div><br>
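<p>Added example, not part of the thread and not tac_plus code: a small Python model of how a <code>cmd</code> block is evaluated, run over the two rule sets posted above. It assumes tac_plus's documented behaviour that entries are tried in file order against the command's arguments, the first matching regular expression decides, and no match means deny; Python's <code>re</code> stands in for the daemon's regex engine. The <code>REORDERED</code> list and the appended <code>&lt;cr&gt;</code> suffix are assumptions made for illustration.</p>

```python
import re

# Rule lists copied from the thread; each entry is (action, regex) in file order.
USER2 = [("permit", r"ip"), ("deny", r"ip ospf")]      # Alexander's user2 block
MYGROUP = [("permit", r"ip <cr>"), ("deny", r".*")]    # Nathan's group block
# Constructed alternative (not from the thread): specific denies first, then the permit.
REORDERED = [("deny", r"^ip ospf"), ("deny", r"^ip pim"), ("permit", r"^ip")]


def authorize(rules, args, default="deny"):
    """Return the action of the first rule whose regex matches the argument string."""
    # Assumption: the device appends "<cr>" to the arguments, as Nathan's pattern implies.
    line = f"{args} <cr>".strip()
    for action, pattern in rules:
        if re.search(pattern, line):   # unanchored search: "ip" also matches "ip ospf"
            return action
    return default                     # nothing matched: fall back to deny


def report(rules):
    """Evaluate the four 'show' commands from the original question."""
    wanted = ["ip", "ip route", "ip ospf", "ip pim"]
    return {f"show {a}": authorize(rules, a) for a in wanted}


if __name__ == "__main__":
    for name, rules in [("user2", USER2), ("mygroup", MYGROUP), ("reordered", REORDERED)]:
        print(name)
        for cmd, action in report(rules).items():
            print(f"  {cmd:<15} {action}")
```

<p>Under this model the order of the entries decides the outcome: a broad unanchored <code>permit</code> placed first is reached before any later, more specific <code>deny</code>.</p>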