[tac_plus] Re: Working Command Authorization Script
john heasley
heas at shrubbery.net
Sat Apr 4 07:54:56 UTC 2009
Fri, Apr 03, 2009 at 05:58:32PM +0100, Barry Stephen (YDD08) Derwent Shared Services:
> I posted the other day about providing some users different levels of
> access depending on the specific device they logged onto, in my case
> Access versus Distribution & Core switches.
>
> Having read previous responses from various people I have managed to
> create a working authorization script which checks what NAS a user
> logged onto and if the NAS/Switch is in a specific list the commands are
> checked against a list and only those commands are permitted. For all
> other NASes (those not in the list) all commands are allowed.
>
> It took me a while to realise that the script is effectively taking on
> the role of the tacacs+ daemon to some extent, that is to say that it is
> not returning config/options to the tac_plus daemon in config file
> format but direct to the NAS/switch. In any case, in this example we
> simply say allow or deny rather than passing any AV pairs back to the
> NAS.
>
> It is important to parse STDIN to see what command the NAS is requesting
> auth for.
>
> I am using the after authorization method as the before authorization
> method seemed a little harder to get working.
>
> This is my tac_plus.conf definition for this group of people:
>
> # Read/Write Access to non distribution devices - All commands authorised
> group = rw-except-distribution {
>     default service = permit
>     service = exec {
>         priv-lvl=15
>         idletime=15
>         timeout=0
>     }
>     after authorization "/usr/bin/perl /etc/tac_plus_auth.pl $user $name $address"
> }
>
> I pass username, nas ip address and client ip address to my script but
> only use nas address ($name) in my script. In my case $name is the NAS
> IP address but possibly may not be in all cases.
That is right, unless it resolves. I've added $ip in the code just now,
so that both are available.
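As an added illustration of the kind of after-authorization hook discussed in this thread (example code written for this page, not Barry's Perl script and not part of tac_plus): tac_plus invokes the hook with the arguments from the config line (`$user $name $address`, or `$ip` once that is available), writes the AV pairs the NAS sent on the hook's stdin one per line, and reads the exit status: 0 permits, 1 denies. The restricted-device addresses and the allowed-command list below are constructed sample values; the attribute names (`service`, `cmd`, `cmd-arg` and the `<cr>` terminator) are what a Cisco NAS sends for shell command authorization. The hook only filters devices in the restricted set and treats an exec-session start (empty `cmd`) as something for the `service = exec` block in tac_plus.conf to handle.

```python
"""After-authorization hook for tac_plus: per-NAS command allow-list.

tac_plus runs:  hook.py $user $name $address   (per the config in the post)
stdin:          one TACACS+ attribute-value pair per line
exit status:    0 = permit, 1 = deny
"""
import sys

# Constructed sample policy (hypothetical addresses and commands).
RESTRICTED_NAS = {"192.0.2.10", "192.0.2.11"}   # e.g. distribution/core switches
ALLOWED_COMMANDS = ("show", "ping", "traceroute", "exit", "logout")

PERMIT, DENY = 0, 1


def parse_av_pairs(lines):
    """Parse AV pairs as the NAS sent them, one per line.

    TACACS+ separates attribute and value with '=' (mandatory) or '*'
    (optional); whichever comes first is the separator. Order is kept
    because cmd-arg may appear several times.
    """
    pairs = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        candidates = [p for p in (line.find("="), line.find("*")) if p >= 0]
        if not candidates:
            continue                      # malformed line: ignore it
        pos = min(candidates)
        pairs.append((line[:pos], line[pos + 1:]))
    return pairs


def full_command(pairs):
    """Rebuild 'cmd arg arg ...' from the AV pairs; None if cmd is absent/empty."""
    cmd = None
    args = []
    for attr, value in pairs:
        if attr == "cmd":
            cmd = value
        elif attr == "cmd-arg" and value != "<cr>":   # IOS ends the arg list with <cr>
            args.append(value)
    if not cmd:
        return None                       # exec session start, not a command
    return " ".join([cmd] + args)


def command_allowed(command, allowed):
    """True if the command's leading words match an allow-list entry.

    Entries may be multi-word ("show ip"), so "show ip route" matches
    "show ip" but "show running-config" does not.
    """
    tokens = command.split()
    for entry in allowed:
        want = entry.split()
        if tokens[:len(want)] == want:
            return True
    return False


def decide(nas, av_lines, restricted=RESTRICTED_NAS, allowed=ALLOWED_COMMANDS):
    """Return the exit status tac_plus expects: PERMIT (0) or DENY (1)."""
    if nas not in restricted:
        return PERMIT                     # unrestricted device: everything allowed
    pairs = parse_av_pairs(av_lines)
    if dict(pairs).get("service") != "shell":
        return PERMIT                     # only shell command authorization is filtered
    command = full_command(pairs)
    if command is None:
        return PERMIT                     # exec start: left to the tac_plus config
    return PERMIT if command_allowed(command, allowed) else DENY


if __name__ == "__main__":
    # argv[1] is $user (unused here), argv[2] is $name (or $ip) from the config line.
    nas_name = sys.argv[2] if len(sys.argv) > 2 else ""
    sys.exit(decide(nas_name, sys.stdin.readlines()))
```

Because the hook compares a plain string, pass `$ip` rather than `$name` in the config line if the NAS address resolves to a hostname, as noted in the reply above; otherwise a device that resolves would never match the restricted set and would fall through to "all commands allowed".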