[tac_plus] Re: DEFAULT user option not working?

john heasley heas at shrubbery.net
Tue Dec 12 23:11:13 UTC 2006


Mon, Dec 11, 2006 at 07:32:08PM +0000, Robert Lister:
> 
> Hi,
> 
> I've been fiddling with your implementation of tac_plus for a while, and I 
> cannot seem to get the user = DEFAULT option to work correctly. (I have 
> specified that I want user = DEFAULT to be a member of a group, but that 
> group does not seem to get applied.)
> 
> If I put usernames directly into the config file, it works.
> 
> (Ideally what I am trying to do is to have the user AND the group looked up 
> in the passwd file, and then assign in the tac_plus config what I want to 
> happen for users in that group, but I don't think tac_plus can do that. For 
> example, if the GID in the passwd file is "103", then have a corresponding 
> group = 103 entry to tell tac_plus what access that user should get.)

correct; tac_plus has no knowledge of the GID field of a passwd(5) file.

> I'd be grateful if you are able to tell me where I'm going wrong.
> 
> I've tried lots of different things in the config file, and I believe I have 
> done everything right if I understand the man page correctly. I've tried 
> different passwd files, but I just can't seem to crack it...
> 
> My config looks like:
> 
> #
> # tac_plus configuration
> #
> 
> key = "<key>"
> 
> default authentication = file /linx/tacacs/passwd.remote
> 
> acl=all {
>         permit = .*
>         }
> 
> acl=collectors {
>         permit = ^195\.66\.232\.(254|239|223|247)$
>         deny = .*
>         }
> 
> 
> group = test {
>         acl = collectors
>         }
> 
> 
> user = fred {
>         login = cleartext "crap"
>         member = test
>         }
> 
> 
> user = DEFAULT {
>     default service = permit
>     member = test
>     acl = collectors
> }
> 
> 
> If I try to login as "fred" to a router that is not in the acl, then 
> I correctly get denied access to the router.
> 
> If I try to login as a user listed in the passwd file, then no group appears 
> to be found, and I get access (where I shouldn't get access, to a router 
> that's not in the acl.) It seems the DEFAULT stuff is just being ignored 
> completely?

Yeah, I think there is a bug here.  Let me duplicate it here.
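The resolution Robert expects (the user's own block, else the DEFAULT block for names known only to the passwd file, with the acl inherited through member) as an added Python model of the intended behaviour; it is not tac_plus's own code, the config string is a constructed copy of the blocks quoted above, and the two fallthrough rules noted in the comments are assumptions rather than documented tac_plus behaviour.

```python
import re

# Constructed copy of the acl/group/user blocks quoted in the thread.
CONFIG = r"""acl=collectors {
    permit = ^195\.66\.232\.(254|239|223|247)$
    deny = .*
}
group = test {
    acl = collectors
}
user = fred {
    member = test
}
user = DEFAULT {
    member = test
    acl = collectors
}"""

def parse(text):
    # 'kind = name { key = value ... }' -> {kind: {name: [(key, value), ...]}}
    blocks, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"^(\w+)\s*=\s*(\S+)\s*\{$", line)
        if m:
            cur = blocks.setdefault(m[1], {}).setdefault(m[2], [])
        elif line == "}":
            cur = None
        elif cur is not None and "=" in line:
            cur.append(tuple(s.strip() for s in line.split("=", 1)))
    return blocks

def effective_acl(cfg, user):
    # Own block, else DEFAULT; follow 'member' links until a block names an acl.
    users = cfg.get("user", {})
    entry = users.get(user, users.get("DEFAULT"))
    while entry is not None:
        attrs = dict(entry)
        if "acl" in attrs:
            return attrs["acl"]
        entry = cfg.get("group", {}).get(attrs.get("member", ""))
    return None

def nas_permitted(cfg, user, nas_ip):
    # First matching permit/deny wins; a user with no acl is allowed everywhere,
    # an acl with no matching rule denies (both are assumptions of this model).
    name = effective_acl(cfg, user)
    rules = cfg["acl"][name] if name else [("permit", ".*")]
    return next((act == "permit" for act, pat in rules if re.match(pat, nas_ip)), False)
```

With this model, a passwd-only user such as "alice" inherits collectors through DEFAULT and is refused from a NAS outside the list, which is the check Robert describes failing.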
