[tac_plus] DEFAULT user option not working?

Robert Lister robl at linx.net
Mon Dec 11 19:32:08 UTC 2006


Hi,

I've been fiddling with your implementation of tac_plus for a while, and I 
cannot seem to get the user = DEFAULT option to work correctly. (I have 
specified that I want user = DEFAULT to be a member of a group, but that 
group does not seem to get applied.)

If I put usernames directly into the config file, it works.

(Ideally, what I am trying to do is to have the user AND the group looked up 
in the passwd file, and then assign in the tac_plus config what I want to 
happen for users in that group, but I don't think tac_plus can do that. For 
example, if the GID in the passwd file is "103", then have a corresponding 
group = 103 entry to tell tac_plus what access that user should get.)

I'd be grateful if you are able to tell me where I'm going wrong.

I've tried lots of different things in the config file, and I believe I have 
done everything right if I understand the man page correctly. I've tried 
different passwd files, but I just can't seem to crack it...

My config looks like:

#
# tac_plus configuration
#

key = "<key>"

default authentication = file /linx/tacacs/passwd.remote

acl = all {
    permit = .*
}

acl = collectors {
    permit = ^195\.66\.232\.(254|239|223|247)$
    deny = .*
}

group = test {
    acl = collectors
}

user = fred {
    login = cleartext "crap"
    member = test
}

user = DEFAULT {
    default service = permit
    member = test
    acl = collectors
}


If I try to log in as "fred" to a router that is not in the acl, then 
I correctly get denied access to the router.

If I try to log in as a user listed in the passwd file, then no group appears 
to be found, and I get access (where I shouldn't get access: to a router 
that's not in the acl). It seems the DEFAULT stuff is just being ignored 
completely?

Here is what happens when I log in to a router that I'm not supposed to
be able to log in to:

spitfire tacacs # tac_plus -g -d8 -d16 -d32 -d64 -d128 -d256 -C /linx/tacacs/tac_plus.conf
Reading config
Version F4.0.4.13 Initialized 1
tac_plus server F4.0.4.13 starting
uid=0 euid=0 gid=0 egid=0 s=4
session.peerip is 195.66.232.230
session request from 195.66.232.230 sock=5
connect from 195.66.232.230 [195.66.232.230]
Waiting for packet
cfg_get_hvalue: name=195.66.232.230 attr=key
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL
Read AUTHEN/START size=37
validation request from 195.66.232.230
PACKET: key=<key>
version 192 (0xc0), type 1, seq no 1, encryption 1
session_id 4208708661 (0xfadbcc35), Data length 25 (0x19)
End header
type=AUTHEN/START, priv_lvl = 1
action=login
authen_type=ascii
service=login
user_len=0 port_len=4 (0x4), rem_addr_len=13 (0xd)
data_len=0
User:
port:
tty2
rem_addr:
195.66.232.38
data:
End packet
Authen Start request
choose_authen returns 1
cfg_get_hvalue: name=195.66.232.230 attr=prompt
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL
Writing AUTHEN/GETUSER size=55
PACKET: key=<key>
version 192 (0xc0), type 1, seq no 2, encryption 1
session_id 4208708661 (0xfadbcc35), Data length 43 (0x2b)
End header
type=AUTHEN status=4 (AUTHEN/GETUSER) flags=0x0
msg_len=37, data_len=0
msg:
 0xa User Access Verification 0xa  0xa Username:
data:
End packet
cfg_get_hvalue: name=195.66.232.230 attr=key
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL
Waiting for packet
cfg_get_hvalue: name=195.66.232.230 attr=key
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL
Read AUTHEN/CONT size=21
PACKET: key=<key>
version 192 (0xc0), type 1, seq no 3, encryption 1
session_id 4208708661 (0xfadbcc35), Data length 9 (0x9)
End header
type=AUTHEN/CONT
user_msg_len 4 (0x4), user_data_len 0 (0x0)
flags=0x0
User msg:
robl
User data:
End packet
cfg_get_value: name=robl isuser=1 attr=login rec=1
cfg_get_value: no user/group named robl
cfg_get_pvalue: returns NULL
choose_authen chose default_fn
Calling authentication function
cfg_get_value: name=robl isuser=1 attr=nopassword rec=1
cfg_get_value: no user/group named robl
cfg_get_intvalue: returns 0
cfg_get_value: name=robl isuser=1 attr=login rec=1
cfg_get_value: no user/group named robl
cfg_get_pvalue: returns NULL
Writing AUTHEN/GETPASS size=28
PACKET: key=<key>
version 192 (0xc0), type 1, seq no 4, encryption 1
session_id 4208708661 (0xfadbcc35), Data length 16 (0x10)
End header
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=10, data_len=0
msg:
Password:
data:
End packet
cfg_get_hvalue: name=195.66.232.230 attr=key
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL
Waiting for packet
cfg_get_hvalue: name=195.66.232.230 attr=key
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL
Read AUTHEN/CONT size=25
PACKET: key=<key>
version 192 (0xc0), type 1, seq no 5, encryption 1
session_id 4208708661 (0xfadbcc35), Data length 13 (0xd)
End header
type=AUTHEN/CONT
user_msg_len 8 (0x8), user_data_len 0 (0x0)
flags=0x0
User msg:
<pass>
User data:
End packet
cfg_get_value: name=robl isuser=1 attr=login rec=1
cfg_get_value: no user/group named robl
cfg_get_pvalue: returns NULL
cfg_get_value: name=robl isuser=1 attr=global rec=1
cfg_get_value: no user/group named robl
cfg_get_pvalue: returns NULL
tac_passwd_lookup: open /linx/tacacs/passwd.remote 6
tac_passwd_lookup: close /linx/tacacs/passwd.remote 6
verify <pass> .sd7/jvP6lDCQ
<pass> encrypts to .sd7/jvP6lDCQ
Password is correct
Password has not expired
cfg_get_value: name=robl isuser=1 attr=acl rec=1
cfg_get_value: no user/group named robl
cfg_get_pvalue: returns NULL
login query for 'robl' tty2 from 195.66.232.230 accepted
Writing AUTHEN/SUCCEED size=18
PACKET: key=<key>
version 192 (0xc0), type 1, seq no 6, encryption 1
session_id 4208708661 (0xfadbcc35), Data length 6 (0x6)
End header
type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
msg_len=0, data_len=0
msg:
data:
End packet
cfg_get_hvalue: name=195.66.232.230 attr=key
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL



-- 
Robert Lister   -   London Internet Exchange    -  http://www.linx.net/
robl at linx.net   -   tel: +44 (0)20 7645 3510    -  RL786-RIPE
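The ACL check and the debug trace above, as an added example that is not part of the original post and is not tac_plus's own code. It re-implements the two ACLs from the posted config as ordered permit/deny rules (assuming first match wins and a request matching no rule is denied, which the posted `deny = .*` makes explicit anyway), then runs a small audit over a constructed excerpt of the debug output: it flags any `login query ... accepted` line for a user whose `attr=acl` lookup returned `no user/group named ...`, i.e. where no ACL was consulted, and whose NAS address the named ACL would have denied. The `alice` session and the `audit`/`acl_decision` names are made up for the example.

```python
import re

# The two ACLs from the posted tac_plus.conf, as ordered (action, regex) rules.
# Assumption: rules are tried first-match in order and a request that matches
# nothing is denied; the posted config makes that explicit with "deny = .*".
ACLS = {
    "all": [("permit", r".*")],
    "collectors": [
        ("permit", r"^195\.66\.232\.(254|239|223|247)$"),
        ("deny", r".*"),
    ],
}


def acl_decision(acl_name, nas_ip, acls=ACLS):
    """Evaluate acl_name against the NAS (router) address; first match wins."""
    for action, pattern in acls[acl_name]:
        if re.search(pattern, nas_ip):
            return action
    return "deny"  # fall-through default (assumption, see above)


# Patterns for the three debug lines the audit relies on, taken from the trace above.
LOOKUP_RE = re.compile(r"^cfg_get_value: name=(?P<name>\S+) isuser=1 attr=(?P<attr>\S+)")
MISS_RE = re.compile(r"^cfg_get_value: no user/group named (?P<name>\S+)$")
ACCEPT_RE = re.compile(r"^login query for '(?P<user>[^']+)' \S+ from (?P<nas>\S+) accepted$")


def audit(log_text, acl_name, acls=ACLS):
    """Flag accepted logins whose 'acl' attribute lookup found no user/group
    record (so no ACL was applied) and whose NAS acl_name would have denied."""
    findings = []
    last_lookup = None        # (name, attr) of the most recent cfg_get_value line
    acl_unresolved = set()    # users whose attr=acl lookup missed
    for line in log_text.splitlines():
        m = LOOKUP_RE.match(line)
        if m:
            last_lookup = (m.group("name"), m.group("attr"))
            continue
        m = MISS_RE.match(line)
        if m and last_lookup == (m.group("name"), "acl"):
            acl_unresolved.add(m.group("name"))
            continue
        m = ACCEPT_RE.match(line)
        if m:
            user, nas = m.group("user"), m.group("nas")
            if user in acl_unresolved and acl_decision(acl_name, nas, acls) == "deny":
                findings.append({"user": user, "nas": nas, "acl": acl_name})
    return findings


# Constructed excerpt: the robl lines from the trace above plus a second,
# made-up session from a NAS that the collectors ACL does permit.
SAMPLE_LOG = """\
cfg_get_value: name=robl isuser=1 attr=login rec=1
cfg_get_value: no user/group named robl
cfg_get_pvalue: returns NULL
Password is correct
cfg_get_value: name=robl isuser=1 attr=acl rec=1
cfg_get_value: no user/group named robl
cfg_get_pvalue: returns NULL
login query for 'robl' tty2 from 195.66.232.230 accepted
cfg_get_value: name=alice isuser=1 attr=acl rec=1
cfg_get_value: no user/group named alice
cfg_get_pvalue: returns NULL
login query for 'alice' tty1 from 195.66.232.254 accepted
"""

if __name__ == "__main__":
    print(acl_decision("collectors", "195.66.232.230"))   # deny
    for f in audit(SAMPLE_LOG, "collectors"):
        print("accepted with no ACL applied, would be denied:", f)
```

Run against the posted trace, the only finding is the `robl` session from 195.66.232.230: the trace shows `cfg_get_value: name=robl isuser=1 attr=acl rec=1` answered with `no user/group named robl`, no lookup against DEFAULT appears between that and the `accepted` line, and 195.66.232.230 fails the `collectors` permit regex. The `alice` session is left alone because 195.66.232.254 is on the permit list, so an applied ACL would have allowed it anyway.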