[tac_plus] Re: Let's discuss some new features

Kiss Gabor (Bitman) kissg at ssg.ki.iif.hu
Sat May 3 12:34:11 UTC 2008


> > I plan to do some enhancements of tac_plus daemon.
> > It would be lovely if the network manager could assign individual
> > attributes based not only on username but
> > - host (NAS) address/name
> 
> Are you implying DNS?  I do not think that DNS/names and security work well
> together.  I also think that authentication daemons should not be dependent
> upon DNS, which may be broken.

I don't intend to use DNS more intensively than the current version does.
The user may choose whether he wants IP addresses to be resolved or not.

> > - terminal line (console, async/modem, vty etc.)
> 
> this too seems dodgy, afaik there is no standard way of representing these
> by name and two implementations (or versions) could be different.

It is up to the user.
I just give him the loaded gun. It is him who must pull the trigger. :-)

BTW loaded gun.
I've got a new idea! TACACS+ server could also measure the time
passed between prompt and user response as well as password errors.
It is possible to make decisions on this. E.g. the daemon can think
that a 10+ second response time is like a panic code on PIN-locked doors.
The user is forced to enter and security guards must be alarmed.
(I'm not serious. :-)

> > - connection time (workdays, weekend, day and night etc.)
> > 
> > However this requires more sophisticated database backend practically
> > speaking a relational database. Sqlite seems to be a good choice.
> > Configure script would accept --with-sqlite option on systems
> > where libsqlite is available. At startup or when catching HUP signal
> > daemon read the usual configuration file and fills database
> > with appropriate records. Database could be in memory entirely (i.e. no
> > external file) so daemon would be acting as a black box that
> > cannot be distinguished from the current one.
> 
> I prefer not sqlite.  berkeley db is a better choice IMO, since it does
> rely on any additional sources.  though i suppose it could be distributed

Like tcpwrapper or S/Key. It is just an additional and _optional_
library. I'd keep the original config search routines for
backward compatibility.
Berkeley DB has less functionality than any relational database system.

> with tacacs.  at least sqlite's license is digestible.

> as for the config file, i'd like to see the parser rewritten in yacc/lex,

Oh well. This is my another secret plan. :-)
I just did not dare to suggest two dramatic code changes at the same time.

> but i have nothing working yet.

I respect the power of YACC but I am not an expert in formal languages.
Creating a new parser is beyond me if I am alone.

Gabor
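An added example (not code from the tac_plus project or from either poster) sketching the in-memory database approach discussed above: rules are loaded into a `:memory:` SQLite table at startup, as the daemon would do on start or SIGHUP, and attributes are resolved per user, NAS address, terminal line and connection time, with the most specific matching rule winning. The column layout, the sample rules and the hour/weekday encoding are assumptions for illustration, not tac_plus's configuration grammar.

```python
import sqlite3
from datetime import datetime

# Constructed sample rules; None means "any". Layout is an assumption, not
# tac_plus config syntax:
# (user, nas, line, wday_min, wday_max, hour_min, hour_max, attr, value)
SAMPLE_RULES = [
    ("alice", None,       None,  None, None, None, None, "priv-lvl", "1"),
    ("alice", "10.0.0.1", None,  None, None, None, None, "priv-lvl", "15"),
    ("alice", None,       "vty", 0,    4,    8,    18,   "priv-lvl", "7"),
    (None,    None,       "con", None, None, None, None, "idletime", "5"),
    ("bob",   None,       None,  5,    6,    None, None, "priv-lvl", "0"),
]

SCHEMA = """
CREATE TABLE rule (
    id       INTEGER PRIMARY KEY,
    user     TEXT,     -- NULL = any user
    nas      TEXT,     -- NULL = any NAS address
    line     TEXT,     -- NULL = any terminal line type
    wday_min INTEGER,  -- 0 = Monday .. 6 = Sunday, NULL = any day
    wday_max INTEGER,
    hour_min INTEGER,  -- inclusive start hour, NULL = any time of day
    hour_max INTEGER,  -- exclusive end hour (ranges do not wrap past midnight)
    attr     TEXT NOT NULL,
    value    TEXT NOT NULL
)
"""

MATCH_SQL = """
SELECT attr, value,
       (user IS NOT NULL) + (nas IS NOT NULL) + (line IS NOT NULL)
       + (wday_min IS NOT NULL) + (hour_min IS NOT NULL) AS specificity
FROM rule
WHERE (user IS NULL OR user = :user)
  AND (nas  IS NULL OR nas  = :nas)
  AND (line IS NULL OR line = :line)
  AND (wday_min IS NULL OR :wday BETWEEN wday_min AND wday_max)
  AND (hour_min IS NULL OR (:hour >= hour_min AND :hour < hour_max))
ORDER BY specificity ASC, id ASC
"""


def open_db(rules=SAMPLE_RULES):
    """Build the in-memory database and load the rule set, as a daemon would
    at startup or when it catches SIGHUP. No external file is created."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO rule (user, nas, line, wday_min, wday_max, "
        "hour_min, hour_max, attr, value) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
        rules,
    )
    conn.commit()
    return conn


def resolve(conn, user, nas, line, when):
    """Return the attribute/value pairs that apply to this session.

    Rows come back least-specific first, so a more specific rule for the
    same attribute overwrites a general one. Unknown users get only the
    wildcard rules that match their NAS, line and time."""
    params = {
        "user": user, "nas": nas, "line": line,
        "wday": when.weekday(), "hour": when.hour,
    }
    attrs = {}
    for attr, value, _specificity in conn.execute(MATCH_SQL, params):
        attrs[attr] = value
    return attrs


if __name__ == "__main__":
    db = open_db()
    # Monday 10:00 on a vty line from the privileged NAS
    print(resolve(db, "alice", "10.0.0.1", "vty", datetime(2008, 5, 5, 10)))
    # Saturday noon: bob's weekend rule applies
    print(resolve(db, "bob", "10.0.0.1", "vty", datetime(2008, 5, 3, 12)))
```

Two design points worth noting: wildcards are stored as NULL so one query serves every combination of criteria, and the specificity ordering replaces hand-written precedence rules. A real daemon would also have to decide how to treat rules whose hour range crosses midnight, which this example deliberately does not support.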

