[tac_plus] Re: Let's discuss some new features
john heasley
heas at shrubbery.net
Fri May 2 17:02:53 UTC 2008
On Wed, Apr 30, 2008 at 10:54:14AM +0200, Kiss Gabor (Bitman) wrote:
> Dear folks,
>
> I plan to do some enhancements to the tac_plus daemon.
> It would be lovely if a network manager could assign individual
> attributes based not only on username but also on
> - host (NAS) address/name
Are you implying DNS? I do not think that DNS/names and security work well
together. I also think that authentication daemons should not be dependent
upon DNS, which may be broken.
> - terminal line (console, async/modem, vty etc.)
this too seems dodgy, afaik there is no standard way of representing these
by name and two implementations (or versions) could be different.
> - connection time (workdays, weekend, day and night etc.)
>
> However this requires a more sophisticated database backend, practically
> speaking a relational database. Sqlite seems to be a good choice.
> The configure script would accept a --with-sqlite option on systems
> where libsqlite is available. At startup or when catching a HUP signal
> the daemon reads the usual configuration file and fills the database
> with the appropriate records. The database could be entirely in memory (i.e. no
> external file) so the daemon would act as a black box that
> cannot be distinguished from the current one.
I prefer not sqlite. berkeley db is a better choice IMO, since it does
rely on any additional sources. though i suppose it could be distributed
with tacacs. at least sqlite's license is digestible.
> Lookout is the same but there is a V8 engine under the hood. :-)
>
> Moreover I wish to keep backward compatibility of the config file.
> So I'm thinking of some new syntax elements that could describe
> the above functionality.
as for the config file, i'd like to see the parser rewritten in yacc/lex,
but i have nothing working yet.
> I mean something like this:
>
> -----------------------------------
> acl = local_net_acl {
>     permit = ^172\.16\.192\.
> }
>
> user = melany_local {
>     ifhost = local_net_acl {
>         service = exec {
>             priv-lvl = 15
>         }
>     }
>     service = exec {
>         priv-lvl = 2
>     }
>     member = working_girl
> }
>
> time = business_hours {
>     permit = Mo-Fr,8-15:30
> }
>
> group = working_girl {
>     iftime = business_hours {
>         default service = permit
>     }
>     default service = deny
> }
> -----------------------------------
>
> What is your opinion?
>
> Gabor
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
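The `ifhost`/`iftime` semantics sketched in the quoted proposal, worked through as an added example. This is illustrative Python written for this page, not tac_plus code and not from either poster; the real tac_plus config has no `acl`, `time`, `ifhost` or `iftime` blocks, so the POLICY dictionary, the "first matching clause wins" rule, the half-open reading of `8-15:30`, and the `host_matches_network` alternative are all assumptions. It keeps to heasley's objection above by matching the NAS's source address as received, with no DNS lookup, and shows why a regex over a dotted quad is easy to get wrong (a prefix such as `^172\.16\.1` also matches `172.16.10.x`) while a CIDR comparison is not.

```python
import ipaddress
import re
from datetime import datetime

# Two-letter day names as used in the proposed "Mo-Fr,8-15:30" syntax.
DAY_NAMES = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]

# Constructed policy mirroring the quoted config proposal (assumed data
# model; the real tac_plus config has no ifhost/iftime/time blocks).
POLICY = {
    "acls": {"local_net_acl": r"^172\.16\.192\."},
    "times": {"business_hours": "Mo-Fr,8-15:30"},
    "users": {
        "melany_local": {
            "ifhost": {"local_net_acl": {"priv-lvl": 15}},
            "priv-lvl": 2,
            "member": "working_girl",
        }
    },
    "groups": {
        "working_girl": {
            "iftime": {"business_hours": "permit"},
            "default service": "deny",
        }
    },
}


def parse_time_window(spec):
    """Parse 'Mo-Fr,8-15:30' into (weekday set, start_minute, end_minute).

    Assumption: the hour range is half-open, so 15:30 itself is outside
    it, and a day range may wrap around the week (e.g. 'Sa-Mo').
    """
    days_part, hours_part = spec.split(",", 1)
    first, last = (DAY_NAMES.index(d) for d in days_part.split("-"))
    if first <= last:
        days = set(range(first, last + 1))
    else:
        days = set(range(first, 7)) | set(range(0, last + 1))

    def to_minutes(hhmm):
        hours, _, minutes = hhmm.partition(":")
        return int(hours) * 60 + int(minutes or 0)

    start, end = (to_minutes(t) for t in hours_part.split("-"))
    return days, start, end


def in_window(spec, when):
    """True if the datetime 'when' falls inside the window 'spec'."""
    days, start, end = parse_time_window(spec)
    minute_of_day = when.hour * 60 + when.minute
    return when.weekday() in days and start <= minute_of_day < end


def host_matches_regex(pattern, nas_ip):
    """The proposal's ACL form: a regex over the NAS's dotted-quad source
    address. No DNS is consulted; only the address the request came from."""
    return re.search(pattern, nas_ip) is not None


def host_matches_network(cidr, nas_ip):
    """Assumed alternative ACL form: a CIDR prefix compared as an address
    rather than as a string, so a short pattern cannot over-match."""
    return ipaddress.ip_address(nas_ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate(policy, user, nas_ip, when):
    """Return (exec priv-lvl, default service) for one request.

    'when' is a datetime or an ISO 8601 string such as '2008-04-30T10:54'.
    Assumption: the first matching ifhost/iftime clause wins and the
    unconditional attribute is the fallback.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    u = policy["users"][user]
    priv = u["priv-lvl"]
    for acl_name, attrs in u.get("ifhost", {}).items():
        if host_matches_regex(policy["acls"][acl_name], nas_ip):
            priv = attrs["priv-lvl"]
            break

    group = policy["groups"][u["member"]]
    verdict = group["default service"]
    for time_name, decision in group.get("iftime", {}).items():
        if in_window(policy["times"][time_name], when):
            verdict = decision
            break
    return priv, verdict


if __name__ == "__main__":
    # Wednesday 30 Apr 2008, 10:54, from the local net: priv 15, permitted.
    print(evaluate(POLICY, "melany_local", "172.16.192.10", "2008-04-30T10:54"))
    # Saturday from elsewhere: priv 2, denied by the group default.
    print(evaluate(POLICY, "melany_local", "10.0.0.5", "2008-05-03T12:00"))
    # A carelessly short regex also matches 172.16.10.x; the CIDR form does not.
    print(host_matches_regex(r"^172\.16\.1", "172.16.10.5"),
          host_matches_network("172.16.1.0/24", "172.16.10.5"))
```

The time check uses the daemon's local clock as the request arrives, so the result depends on the server's timezone, not the NAS's; whichever form the ACL takes, anchoring it to the peer address rather than a name is what keeps the decision independent of DNS.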