[tac_plus] Re: DEFAULT user option not working?
john heasley
heas at shrubbery.net
Tue Dec 12 23:11:13 UTC 2006
Mon, Dec 11, 2006 at 07:32:08PM +0000, Robert Lister:
>
> Hi,
>
> I've been fiddling with your implementation of tac_plus for a while, and I
> cannot seem to get the user = DEFAULT option to work correctly. (I have
> specified that I want user = DEFAULT to be in a member of a group, but that
> group does not seem to get applied.)
>
> If I put usernames directly into the config file, it works.
>
> (Ideally what I am trying to do is to have the user AND the group looked up
> in the passwd file, and then assign in the tac_plus config what I want to
> happen for users in that group, but I don't think tac_plus can do that; for
> example, if the GID in the passwd file is "103", then have a corresponding
> group = 103 entry to tell tac_plus what access that user should get.)
correct; tac_plus has no knowledge of the GID field of a passwd(5) file.
> I'd be grateful if you are able to tell me where I'm going wrong.
>
> I've tried lots of different things in the config file, and I believe I have
> done everything right if I understand the man page correctly. I've tried
> different passwd files, but I just can't seem to crack it...
>
> My config looks like:
>
> #
> # tac_plus configuration
> #
>
> key = "<key>"
>
> default authentication = file /linx/tacacs/passwd.remote
>
> acl=all {
> permit = .*
> }
>
> acl=collectors {
> permit = ^195\.66\.232\.(254|239|223|247)$
> deny = .*
> }
>
>
> group = test {
> acl = collectors
> }
>
>
> user = fred {
> login = cleartext "crap"
> member = test
> }
>
>
> user = DEFAULT {
> default service = permit
> member = test
> acl = collectors
> }
>
>
> If I try to login as "fred" to a router that is not in the acl, then
> I correctly get denied access to the router.
>
> If I try to login as a user listed in the passwd file, then no group appears
> to be found, and I get access (where I shouldn't get access, to a router
> that's not in the acl). It seems the DEFAULT stuff is just being ignored
> completely?
Yeah, I think there is a bug here. Let me duplicate it here.
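As an added illustration (not tac_plus code and not from either message in the thread), the following Python model of the poster's config shows the access decision the config was meant to produce for a passwd-file user, next to the decision observed when the DEFAULT entry is ignored. It assumes acl entries are evaluated in file order with the first match against the NAS address winning, that a user's own acl overrides the one inherited from its group, and that a user with no acl at all is unrestricted; `honor_default` is a constructed switch for the comparison, not a tac_plus option.

```python
import re

# Constructed model of the poster's config (not tac_plus's own parser):
# acl entries are (action, regex) in file order; first match wins.
ACLS = {
    "all": [("permit", r".*")],
    "collectors": [("permit", r"^195\.66\.232\.(254|239|223|247)$"),
                   ("deny", r".*")],
}
GROUPS = {"test": {"acl": "collectors"}}
USERS = {
    "fred": {"member": "test"},
    "DEFAULT": {"member": "test", "acl": "collectors"},
}


def resolve_acl(username, honor_default=True):
    """Return the acl name governing `username`.

    Intended lookup order: explicit user entry, else the DEFAULT entry.
    With honor_default=False the DEFAULT entry is skipped, which models the
    symptom reported in the thread (passwd-file users get no group)."""
    entry = USERS.get(username)
    if entry is None and honor_default:
        entry = USERS.get("DEFAULT")
    if entry is None:
        return None
    if "acl" in entry:                      # user's own acl wins (assumption)
        return entry["acl"]
    group = GROUPS.get(entry.get("member", ""))
    return group.get("acl") if group else None


def nas_allowed(username, nas_ip, honor_default=True):
    """True if `username` may log in from NAS address `nas_ip`.

    A user that resolves to no acl is unrestricted (assumption); that is
    exactly why an ignored DEFAULT entry opens up every router."""
    acl = resolve_acl(username, honor_default)
    if acl is None:
        return True
    for action, pattern in ACLS[acl]:
        if re.match(pattern, nas_ip):
            return action == "permit"
    return False  # nothing matched: treat as denied (assumption)
```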