From kkokdae at gmail.com Sat Aug 1 03:42:38 2009
From: kkokdae at gmail.com (kkokdae at gmail.com)
Date: Sat, 01 Aug 2009 03:42:38 +0000
Subject: [tac_plus] I Want Privilege Level Control
Message-ID: <00163645752000deb204700c54fe@google.com>

Cisco 2950 <-> Fedora Core 9 (tacacs server)

I Want Privilege Level Control

[tac_plus.cfg]

default authentication = pam pap

user = asd {
    login = cleartext "asd"
    service = exec {
        priv-lvl = 15
    }
}

[switch config]

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+
aaa authorization commands 15 default group tacacs+

Login from the switch was successful, but the privilege level is not applied.
Help me...

From tmurch at toniccomputers.com Mon Aug 3 14:55:32 2009
From: tmurch at toniccomputers.com (Tom Murch)
Date: Mon, 3 Aug 2009 10:55:32 -0400
Subject: [tac_plus] tac_plus config
Message-ID:

Hello,

so I am trying to get this up and running correctly but I am not sure on a few things. What I am trying to accomplish is as follows:

user tom would have access to switches 1-5 and routers 1-10. Tom will also be able to enable on all these switches and routers. The enable password is different on some routers; how do I define that?

user matt would have access to switches 1-5 and routers 1-10 but only able to enable on switches 1-5 and routers 1-4.

Any help would be greatly appreciated as I am a tad confused on how to do this or if it is even possible.

Thanks in advance

Tom
From john at sackheads.org Mon Aug 3 15:34:30 2009
From: john at sackheads.org (John Payne)
Date: Mon, 3 Aug 2009 11:34:30 -0400
Subject: [tac_plus] Re: I Want Privilege Level Control
In-Reply-To: <00163645752000deb204700c54fe@google.com>
References: <00163645752000deb204700c54fe@google.com>
Message-ID: <2E6411F5-9BCD-4EB0-8B41-0BBB30EDAF3E@sackheads.org>

On Jul 31, 2009, at 11:42 PM, kkokdae at gmail.com wrote:

> Cisco 2950 <-> Fedora Core 9 (tacacs server)
>
> I Want Privilege Level Control
>
> [tac_plus.cfg]
> default authentication = pam pap
>
> user = asd {
>     login = cleartext "asd"
>     service = exec {
>         priv-lvl = 15
>     }
> }
>
> [switch config]
> aaa authentication login default group tacacs+ local
> aaa authorization exec default group tacacs+
> aaa authorization commands 15 default group tacacs+
>
> Login from the switch was successful, but the privilege level is not applied.
> Help me...

aaa authentication enable default group tacacs+ enable none

You might also want:

aaa authorization config-commands

to do per command authorization

From heas at shrubbery.net Mon Aug 3 15:46:02 2009
From: heas at shrubbery.net (john heasley)
Date: Mon, 3 Aug 2009 08:46:02 -0700
Subject: [tac_plus] Re: tac_plus config
In-Reply-To:
References:
Message-ID: <20090803154602.GA9279@shrubbery.net>

Mon, Aug 03, 2009 at 10:55:32AM -0400, Tom Murch:
> Hello
>
> so I am trying to get this up and running correctly but I am not sure on a
> few things. What I am trying to accomplish is as follows:
>
> user tom would have access to switches 1-5 and routers 1-10. Tom will also
> be able to enable on all these switches and routers. The enable password is
> different on some routers; how do I define that?
>
> user matt would have access to switches 1-5 and routers 1-10 but only able
> to enable on switches 1-5 and routers 1-4.
user tom { }
acl = badmatt {
    deny 192\.168\.0\.1    # disallow enable on this tacacs client
    permit .*
}
user matt { enableacl = badmatt }

From tmurch at toniccomputers.com Tue Aug 4 12:21:47 2009
From: tmurch at toniccomputers.com (Tom Murch)
Date: Tue, 4 Aug 2009 08:21:47 -0400
Subject: [tac_plus] Re: tac_plus config
In-Reply-To: <20090803154602.GA9279@shrubbery.net>
References: <20090803154602.GA9279@shrubbery.net>
Message-ID:

Great, that worked. So the only other thing I do not understand is how to let tom enable on all routers and switches when there are 5 different enable passwords between all the equipment?

On Mon, Aug 3, 2009 at 11:46 AM, john heasley wrote:

> user tom { }
> acl = badmatt {
>     deny 192\.168\.0\.1    # disallow enable on this tacacs client
>     permit .*
> }
> user matt { enableacl = badmatt }
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From dan.schmidt at uplinkdata.com Tue Aug 4 19:21:09 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Tue, 4 Aug 2009 13:21:09 -0600
Subject: [tac_plus] Re: tac_plus config
In-Reply-To:
References: <20090803154602.GA9279@shrubbery.net>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC70DAE2@che-exch-003.uplinkdata.com>

Why would you want to do such a thing? The enable password should be linked to the account, with enable = cleartext 'badmatt' or enable = file /etc/passwd. He should have the same enable password, but different levels of access. You should be able to do this in the tac_plus config, but if you really want to get granular, you can use an after authentication script like mine on tacacs.org.

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Tom Murch
Sent: Tuesday, August 04, 2009 6:22 AM
To: john heasley
Cc: tac_plus at shrubbery.net
Subject: [tac_plus] Re: tac_plus config

Great, that worked. So the only other thing I do not understand is how to let tom enable on all routers and switches when there are 5 different enable passwords between all the equipment?
From tmurch at toniccomputers.com Fri Aug 21 15:29:14 2009
From: tmurch at toniccomputers.com (Tom Murch)
Date: Fri, 21 Aug 2009 11:29:14 -0400
Subject: [tac_plus] Re: tac_plus config
In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BC70DAE2@che-exch-003.uplinkdata.com>
References: <20090803154602.GA9279@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BC70DAE2@che-exch-003.uplinkdata.com>
Message-ID:

OK, so here is what I have:

user tom {
    login = cleartext 'tom'
    enable = cleartext 'tom12'
}

acl = badmatt {
    login = cleartext 'matt'
    enable = cleartext 'matt12'
    deny 192\.168\.0\.1    # disallow enable on this tacacs client
    permit .*
}
user matt { enableacl = badmatt }

Will this work so that Tom and Matt can both enable on all things except the 192.168.0.1 that matt is acl'd from?

Tom

On Tue, Aug 4, 2009 at 3:21 PM, Schmidt, Daniel wrote:

> Why would you want to do such a thing? The enable password should be
> linked to the account, with enable = cleartext 'badmatt' or enable =
> file /etc/passwd. He should have the same enable password, but
> different levels of access. You should be able to do this in the
> tac_plus config, but if you really want to get granular, you can use an
> after authentication script like mine on tacacs.org.
From heas at shrubbery.net Fri Aug 21 16:09:33 2009
From: heas at shrubbery.net (john heasley)
Date: Fri, 21 Aug 2009 16:09:33 +0000
Subject: [tac_plus] Re: tac_plus config
In-Reply-To:
References: <20090803154602.GA9279@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BC70DAE2@che-exch-003.uplinkdata.com>
Message-ID: <20090821160933.GA23193@shrubbery.net>

Fri, Aug 21, 2009 at 11:29:14AM -0400, Tom Murch:
> OK, so here is what I have:
>
> user tom {
>     login = cleartext 'tom'
>     enable = cleartext 'tom12'
> }
>
> acl = badmatt {
>     login = cleartext 'matt'
>     enable = cleartext 'matt12'
>     deny 192\.168\.0\.1    # disallow enable on this tacacs client
>     permit .*
> }
> user matt { enableacl = badmatt }
>
> Will this work so that Tom and Matt can both enable on all things except the
> 192.168.0.1 that matt is acl'd from?

yes, but login and enable are not valid in acl {}.

From tmurch at toniccomputers.com Fri Aug 21 16:55:22 2009
From: tmurch at toniccomputers.com (Tom Murch)
Date: Fri, 21 Aug 2009 12:55:22 -0400
Subject: [tac_plus] Re: tac_plus config
In-Reply-To:
References: <20090803154602.GA9279@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BC70DAE2@che-exch-003.uplinkdata.com> <20090821160933.GA23193@shrubbery.net>
Message-ID:

So it works great, except the enable password is not working on a per-user basis. Is there something I need to change to make that work?

On Fri, Aug 21, 2009 at 12:52 PM, Tom Murch wrote:

> Yeah, that's a mistype on my part. Let me go try this out.
From heas at shrubbery.net Fri Aug 21 16:58:14 2009
From: heas at shrubbery.net (john heasley)
Date: Fri, 21 Aug 2009 09:58:14 -0700
Subject: [tac_plus] Re: tac_plus config
In-Reply-To:
References: <20090803154602.GA9279@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BC70DAE2@che-exch-003.uplinkdata.com> <20090821160933.GA23193@shrubbery.net>
Message-ID: <20090821165814.GF21849@shrubbery.net>

Fri, Aug 21, 2009 at 12:55:22PM -0400, Tom Murch:
> So it works great, except the enable password is not working on a per-user
> basis. Is there something I need to change to make that work?

put it in the user {} area. if that is not working, you will have to run
with debugging and i suspect you'll find that the device isn't passing the
username with the enable authorization request but rather $enable$.
From tmurch at toniccomputers.com Fri Aug 21 16:52:19 2009
From: tmurch at toniccomputers.com (Tom Murch)
Date: Fri, 21 Aug 2009 12:52:19 -0400
Subject: [tac_plus] Re: tac_plus config
In-Reply-To: <20090821160933.GA23193@shrubbery.net>
References: <20090803154602.GA9279@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BC70DAE2@che-exch-003.uplinkdata.com> <20090821160933.GA23193@shrubbery.net>
Message-ID:

Yeah, that's a mistype on my part. Let me go try this out.

On Fri, Aug 21, 2009 at 12:09 PM, john heasley wrote:

> yes, but login and enable are not valid in acl {}.
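The enable gating that this thread converges on (an acl of ordered deny/permit regexes attached to a user with enableacl, the per-user enable password kept in the user {} stanza, and heasley's caveat about devices that send the literal $enable$ instead of the username) modelled in Python, as an added example that is not tac_plus code or anything posted on this list. The user names, passwords and the 192.168.0.1 address are the thread's; the parser and decision function are constructed for this example. It assumes regexec-style matching (the pattern is searched within the client address, so it is unanchored unless written with ^ and $), that an acl matching nothing denies (which is why the posted acl ends in permit .*), and that a user without enableacl is unrestricted; verify those three against your tac_plus build. The unanchored case, where deny 192\.168\.0\.1 also catches 192.168.0.10, goes beyond what the thread shows and is the reason to anchor such patterns.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One acl line: 'deny <regex>' or 'deny = <regex>' (both spellings appear in
# the thread); '#' comments are stripped before this is applied.
_RULE = re.compile(r"^(deny|permit)\s*=?\s*(\S+)$")


@dataclass
class Acl:
    name: str
    rules: List[Tuple[str, re.Pattern]]  # (action, regex) in configuration order


@dataclass
class User:
    name: str
    enable_password: Optional[str] = None  # 'enable = cleartext ...' in user {}
    enableacl: Optional[str] = None        # acl gating enable by NAS address


def parse_acl(name: str, body: str) -> Acl:
    """Parse the lines inside 'acl = name { ... }' (constructed parser)."""
    rules = []
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"bad acl line: {raw!r}")
        rules.append((m.group(1), re.compile(m.group(2))))
    return Acl(name, rules)


def acl_allows(acl: Acl, nas_ip: str) -> bool:
    """First matching rule wins; no match denies (assumption, fail closed).

    re.search mirrors regexec: the pattern may match anywhere inside the
    address unless it is anchored with ^ and $.
    """
    for action, rx in acl.rules:
        if rx.search(nas_ip):
            return action == "permit"
    return False


def enable_decision(users: Dict[str, User], acls: Dict[str, Acl],
                    username: str, nas_ip: str, password: str) -> str:
    """Decide one enable request; returns 'permit' or a 'reject: ...' reason."""
    if username == "$enable$":
        # A device that sends $enable$ instead of the login name gives the
        # server no user to look up, so no per-user password or acl applies.
        return "reject: NAS sent $enable$ instead of the username"
    user = users.get(username)
    if user is None or user.enable_password is None:
        return "reject: no per-user enable password configured"
    if user.enableacl is not None:
        acl = acls.get(user.enableacl)
        if acl is None:
            return f"reject: enableacl {user.enableacl} is not defined"
        if not acl_allows(acl, nas_ip):
            return f"reject: enableacl {user.enableacl} denies NAS {nas_ip}"
    if not hmac.compare_digest(password.encode(), user.enable_password.encode()):
        return "reject: wrong enable password"
    return "permit"


# Constructed sample mirroring the configuration the thread arrives at.
ACLS = {
    "badmatt": parse_acl("badmatt", r"""
        deny 192\.168\.0\.1    # disallow enable on this tacacs client
        permit .*
    """),
    # Same intent with anchored patterns, so only that one address is denied.
    "badmatt_anchored": parse_acl("badmatt_anchored", r"""
        deny ^192\.168\.0\.1$
        permit .*
    """),
}
USERS = {
    "tom": User("tom", enable_password="tom12"),
    "matt": User("matt", enable_password="matt12", enableacl="badmatt"),
}


def demo() -> Dict[str, str]:
    """The cases a practitioner would want to see before deploying the acl."""
    return {
        "matt on 192.168.0.1": enable_decision(USERS, ACLS, "matt", "192.168.0.1", "matt12"),
        "matt on 10.0.0.5": enable_decision(USERS, ACLS, "matt", "10.0.0.5", "matt12"),
        "tom on 192.168.0.1": enable_decision(USERS, ACLS, "tom", "192.168.0.1", "tom12"),
        "NAS sends $enable$": enable_decision(USERS, ACLS, "$enable$", "10.0.0.5", "tom12"),
        # unanchored 192\.168\.0\.1 also matches 192.168.0.10, .11, .100 ...
        "matt on 192.168.0.10": enable_decision(USERS, ACLS, "matt", "192.168.0.10", "matt12"),
        "matt bad password": enable_decision(USERS, ACLS, "matt", "10.0.0.5", "oops"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} -> {result}")
```

Running the script prints one line per case; the 192.168.0.10 case is the one to look at, since the thread's unanchored pattern denies it as well, and badmatt_anchored shows the fix.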
From tmurch at toniccomputers.com Fri Aug 21 17:24:19 2009
From: tmurch at toniccomputers.com (Tom Murch)
Date: Fri, 21 Aug 2009 13:24:19 -0400
Subject: [tac_plus] Re: tac_plus config
In-Reply-To: <20090821165814.GF21849@shrubbery.net>
References: <20090803154602.GA9279@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BC70DAE2@che-exch-003.uplinkdata.com> <20090821160933.GA23193@shrubbery.net> <20090821165814.GF21849@shrubbery.net>
Message-ID:

You're correct. So what did I do wrong, or how do I fix this?

user = tom {
    login = cleartext tom
    enable = cleartext tom12
}

user = matt {
    enableacl = badmatt
    login = cleartext matt
    enable = cleartext matt12
}

acl = badmatt {
    deny = 192\.168\.0\.1    # disallow enable on this tacacs client
    permit = .*
}

On Fri, Aug 21, 2009 at 12:58 PM, john heasley wrote:

> put it in the user {} area. if that is not working, you will have to run
> with debugging and i suspect you'll find that the device isn't passing the
> username with the enable authorization request but rather $enable$.
From heas at shrubbery.net Fri Aug 21 18:07:02 2009
From: heas at shrubbery.net (john heasley)
Date: Fri, 21 Aug 2009 11:07:02 -0700
Subject: [tac_plus] Re: tac_plus config
In-Reply-To:
References: <20090803154602.GA9279@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BC70DAE2@che-exch-003.uplinkdata.com> <20090821160933.GA23193@shrubbery.net> <20090821165814.GF21849@shrubbery.net>
Message-ID: <20090821180701.GM21849@shrubbery.net>

Fri, Aug 21, 2009 at 01:24:19PM -0400, Tom Murch:
> You're correct. So what did I do wrong, or how do I fix this?

you can use priv-lvl to autoenable them and just limit where they log in.
otherwise, you contact the mfg and make them fix their software.

> user = tom {
>     login = cleartext tom
>     enable = cleartext tom12
> }
>
> user = matt {
>     enableacl = badmatt
>     login = cleartext matt
>     enable = cleartext matt12
> }
>
> acl = badmatt {
>     deny = 192\.168\.0\.1    # disallow enable on this tacacs client
>     permit = .*
> }

From alan.mckinnon at gmail.com Fri Aug 21 18:44:05 2009
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 21 Aug 2009 20:44:05 +0200
Subject: [tac_plus] per-user enable passwords in a file
Message-ID: <200908212044.05355.alan.mckinnon@gmail.com>

Hi,

My first post here.
My question is about valid tac_plus.conf syntax.

Using tac_plus-4.0.4.18 on FreeBSD-5.4-p11.

I have a bespoke system that provisions a valid tac_plus.conf to my auth servers. The cleanest and most elegant method would be login and enable passwords in separate files so I tried this:

group = tacacs_role_1 {
    [...]
    login = file tacacs_normal.passwd
    enable = file tacacs_enable.passwd
    [...]
}

user = user_1 {
    member = tacacs_role_1
}

I typed this from memory, there might be silly typos. But the intention is clear. My code can guarantee that a user who should have a password in the files does have one. The format of the *.passwd files is the standard:

::::::

login works, enable does not. The logs say simply:
"enable query for tty514 from rejected"

I work around this by putting the hashes in the user stanza but this is ugly - I need the *passwd files for other uses elsewhere anyway and would rather have hashes in only one format.

I suspect I'm trying to do something that is simply not supported, but I can't find specs that say if it is or isn't. I did RTFM first :-)

Is it?

Has anyone ever compiled a railroad diagram that completely describes tac_plus.conf?

--
alan dot mckinnon at gmail dot com

From heas at shrubbery.net Fri Aug 21 19:27:53 2009
From: heas at shrubbery.net (john heasley)
Date: Fri, 21 Aug 2009 12:27:53 -0700
Subject: [tac_plus] Re: per-user enable passwords in a file
In-Reply-To: <200908212044.05355.alan.mckinnon@gmail.com>
References: <200908212044.05355.alan.mckinnon@gmail.com>
Message-ID: <20090821192753.GR21849@shrubbery.net>

Fri, Aug 21, 2009 at 08:44:05PM +0200, Alan McKinnon:
> Hi,
>
> My first post here. My question is about valid tac_plus.conf syntax.
>
> Using tac_plus-4.0.4.18 on FreeBSD-5.4-p11.
>
> I have a bespoke system that provisions a valid tac_plus.conf to my auth
> servers. The cleanest and most elegant method would be login and enable
> passwords in separate files so I tried this:
>
> group = tacacs_role_1 {
>     [...]
>     login = file tacacs_normal.passwd
>     enable = file tacacs_enable.passwd

enable does not yet accept 'file'. I'm mid-rewrite of the config parser,
but intend to add that support.

From dan.schmidt at uplinkdata.com Fri Aug 21 19:19:12 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Fri, 21 Aug 2009 13:19:12 -0600
Subject: [tac_plus] Re: per-user enable passwords in a file
In-Reply-To: <200908212044.05355.alan.mckinnon@gmail.com>
References: <200908212044.05355.alan.mckinnon@gmail.com>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC70DC51@che-exch-003.uplinkdata.com>

http://aron.ldc.lu.se/externwebb/natverk/mjh/bifrost/users_guide_tacacs

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
Sent: Friday, August 21, 2009 12:44 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] per-user enable passwords in a file
From alan.mckinnon at gmail.com Fri Aug 21 19:58:50 2009
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 21 Aug 2009 21:58:50 +0200
Subject: [tac_plus] Re: per-user enable passwords in a file
In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BC70DC51@che-exch-003.uplinkdata.com>
References: <200908212044.05355.alan.mckinnon@gmail.com> <05CC562AFB5A9446A1BC3F66AD04A3BC70DC51@che-exch-003.uplinkdata.com>
Message-ID: <200908212158.50818.alan.mckinnon@gmail.com>

On Friday 21 August 2009 21:19:12 Schmidt, Daniel wrote:
> http://aron.ldc.lu.se/externwebb/natverk/mjh/bifrost/users_guide_tacacs

Hi Daniel,

Thanks, I already have that document - it's up on my internal wiki. Perhaps I haven't read it enough times yet.
--
alan dot mckinnon at gmail dot com

From alan.mckinnon at gmail.com Fri Aug 21 19:55:26 2009
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 21 Aug 2009 21:55:26 +0200
Subject: [tac_plus] Re: per-user enable passwords in a file
In-Reply-To: <20090821192753.GR21849@shrubbery.net>
References: <200908212044.05355.alan.mckinnon@gmail.com> <20090821192753.GR21849@shrubbery.net>
Message-ID: <200908212155.26422.alan.mckinnon@gmail.com>

On Friday 21 August 2009 21:27:53 john heasley wrote:
> Fri, Aug 21, 2009 at 08:44:05PM +0200, Alan McKinnon:
> > Hi,
> >
> > My first post here. My question is about valid tac_plus.conf syntax.
> >
> > Using tac_plus-4.0.4.18 on FreeBSD-5.4-p11.
> >
> > I have a bespoke system that provisions a valid tac_plus.conf to my auth
> > servers. The cleanest and most elegant method would be login and enable
> > passwords in separate files so I tried this:
> >
> > group = tacacs_role_1 {
> >     [...]
> >     login = file tacacs_normal.passwd
> >     enable = file tacacs_enable.passwd
>
> enable does not yet accept 'file'. I'm mid-rewrite of the config parser,
> but intend to add that support.

Excellent news! Thanks for the prompt reply.
--
alan dot mckinnon at gmail dot com

From dan.schmidt at uplinkdata.com Fri Aug 21 22:28:59 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Fri, 21 Aug 2009 16:28:59 -0600
Subject: [tac_plus] Re: per-user enable passwords in a file
In-Reply-To: <20090821192753.GR21849@shrubbery.net>
References: <200908212044.05355.alan.mckinnon@gmail.com> <20090821192753.GR21849@shrubbery.net>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC70DC59@che-exch-003.uplinkdata.com>

enable = file /etc/passwd works. Remember this?

    p = tac_find_substring("file ", cfg_passwd);
    if (p) {
        return(passwd_file_verify(name, passwd, data, p));
    }

    /* Oops. No idea what kind of password this is. This should never
     * happen as the parser should never create such passwords.
     */
    report(LOG_ERR, "%s: Error cannot identify password type %s for %s",
           session.peer,
           cfg_passwd && cfg_passwd[0] ? cfg_passwd : "",
           name ? name : "");

    data->status = TAC_PLUS_AUTHEN_STATUS_FAIL;
    return(0);
}

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of john heasley
Sent: Friday, August 21, 2009 1:28 PM
To: Alan McKinnon
Cc: tac_plus at shrubbery.net
Subject: [tac_plus] Re: per-user enable passwords in a file

Fri, Aug 21, 2009 at 08:44:05PM +0200, Alan McKinnon:
> group = tacacs_role_1 {
>     [...]
>     login = file tacacs_normal.passwd
>     enable = file tacacs_enable.passwd

enable does not yet accept 'file'. I'm mid-rewrite of the config parser,
but intend to add that support.
> }
>
> user = user_1 {
>     member = tacacs_role_1
> }
>
>
> I typed this from memory, there might be silly typos. But the intention is
> clear. My code can guarantee that a user who should have a password in the
> files does have one. The format of the *.passwd files is the standard:
>
> ::::::
>
> login works, enable does not. The logs say simply:
> "enable query for tty514 from rejected"
> I work around this by putting the hashes in the user stanza but this is ugly -
> I need the *passwd files for other uses elsewhere anyway and would rather have
> hashes in only one format.
>
> I suspect I'm trying to do something that is simply not supported, but I can't
> find specs that say if it is or isn't. I did RTFM first :-)
>
> Is it?
>
> Has anyone ever compiled a railroad diagram that completely describes
> tac_plus.conf?
>
> --
> alan dot mckinnon at gmail dot com
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From heas at shrubbery.net Fri Aug 21 22:56:27 2009
From: heas at shrubbery.net (john heasley)
Date: Fri, 21 Aug 2009 22:56:27 +0000
Subject: [tac_plus] Re: per-user enable passwords in a file
In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BC70DC59@che-exch-003.uplinkdata.com>
References: <200908212044.05355.alan.mckinnon@gmail.com> <20090821192753.GR21849@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BC70DC59@che-exch-003.uplinkdata.com>
Message-ID: <20090821225627.GI9362@shrubbery.net>

Fri, Aug 21, 2009 at 04:28:59PM -0600, Schmidt, Daniel:
> enable = file /etc/passwd works. Remember this?

SOB. I forgot that got added. Sorry.

So, if it doesn't work for you; enable authen/author debugging.
From alan.mckinnon at gmail.com Sat Aug 22 00:39:06 2009
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Sat, 22 Aug 2009 02:39:06 +0200
Subject: [tac_plus] Re: per-user enable passwords in a file
In-Reply-To: <20090821225627.GI9362@shrubbery.net>
References: <200908212044.05355.alan.mckinnon@gmail.com> <05CC562AFB5A9446A1BC3F66AD04A3BC70DC59@che-exch-003.uplinkdata.com> <20090821225627.GI9362@shrubbery.net>
Message-ID: <200908220239.06972.alan.mckinnon@gmail.com>

On Saturday 22 August 2009 00:56:27 john heasley wrote:
> Fri, Aug 21, 2009 at 04:28:59PM -0600, Schmidt, Daniel:
> > enable = file /etc/passwd works. Remember this?
>
> SOB. I forgot that got added. Sorry.
>
> So, if it doesn't work for you; enable authen/author debugging.

Now I know what I'll be doing come Monday morning - testing :-)

Does "enable = file" accept any arbitrary file? My Tacacs users are not Unix
users and don't have shell accounts.

--
alan dot mckinnon at gmail dot com

From Carmelita.A.Schacht at Embarq.com Mon Aug 24 14:31:41 2009
From: Carmelita.A.Schacht at Embarq.com (Schacht, Carmi A[EQ])
Date: Mon, 24 Aug 2009 09:31:41 -0500
Subject: [tac_plus] DNS name instead of IP address in accounting log
Message-ID: <2064B754E8E60840A2187DE50DFBE01202D9BDDA0F@PKDWES2V1.EQ.Intranet>

Hello,

I recently upgraded to tac_plus F4.0.4.18 on Solaris 10 from tac_plus 2.1 on Solaris 8. In the older version, the DNS name of the device/NAS was logged in the accounting log instead of the IP address, is there a way to get this feature back in version F4.0.4.18?
Here is an example from the old accounting log:
Thu Apr 23 12:33:26 2009 sesncagr11 mhenric tty1 10.90.49.18 stop task_id=6582 timezone=EST service=shell priv-lvl=15 cmd=write

Thanks,

Carmi Schacht
Network Systems Administrator
EMBARQ

Voice: 407-741-0606 | Wireless: 321-439-4910 | Fax: 407-741-0455
Email: carmelita.a.schacht at embarq.com

500 North New York Avenue, Winter Park, FL 32789
Mailstop: FLWNTC0103-1007

Voice | Data | Internet | Wireless | Entertainment

This e-mail is the property of EMBARQ and may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender and delete all copies of the message.

From heas at shrubbery.net Mon Aug 24 16:14:25 2009
From: heas at shrubbery.net (john heasley)
Date: Mon, 24 Aug 2009 09:14:25 -0700
Subject: [tac_plus] Re: DNS name instead of IP address in accounting log
In-Reply-To: <2064B754E8E60840A2187DE50DFBE01202D9BDDA0F@PKDWES2V1.EQ.Intranet>
References: <2064B754E8E60840A2187DE50DFBE01202D9BDDA0F@PKDWES2V1.EQ.Intranet>
Message-ID: <20090824161425.GF2325@shrubbery.net>

Mon, Aug 24, 2009 at 09:31:41AM -0500, Schacht, Carmi A[EQ]:
>
> Hello,
>
> I recently upgraded to tac_plus F4.0.4.18 on Solaris 10 from tac_plus 2.1 on Solaris 8. In the older version, the DNS name of the device/NAS was logged in the accounting log instead of the IP address, is there a way to get this feature back in version F4.0.4.18?
>
> Here is an example from the old accounting log:
> Thu Apr 23 12:33:26 2009 sesncagr11 mhenric tty1 10.90.49.18 stop task_id=6582 timezone=EST service=shell priv-lvl=15 cmd=write -L
>
> Thanks,
>
> Carmi Schacht

From heas at shrubbery.net Mon Aug 24 18:38:41 2009
From: heas at shrubbery.net (john heasley)
Date: Mon, 24 Aug 2009 11:38:41 -0700
Subject: [tac_plus] Re: per-user enable passwords in a file
In-Reply-To: <200908220239.06972.alan.mckinnon@gmail.com>
References: <200908212044.05355.alan.mckinnon@gmail.com> <05CC562AFB5A9446A1BC3F66AD04A3BC70DC59@che-exch-003.uplinkdata.com> <20090821225627.GI9362@shrubbery.net> <200908220239.06972.alan.mckinnon@gmail.com>
Message-ID: <20090824183841.GH2325@shrubbery.net>

Sat, Aug 22, 2009 at 02:39:06AM +0200, Alan McKinnon:
> On Saturday 22 August 2009 00:56:27 john heasley wrote:
> > Fri, Aug 21, 2009 at 04:28:59PM -0600, Schmidt, Daniel:
> > > enable = file /etc/passwd works. Remember this?
> >
> > SOB. I forgot that got added. Sorry.
> >
> > So, if it doesn't work for you; enable authen/author debugging.
>
> Now I know what I'll be doing come Monday morning - testing :-)
>
> Does "enable = file" accept any arbitrary file? My Tacacs users are not Unix
> users and don't have shell accounts.

s.b. any passwd(5) formatted file.
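An added example (not tac_plus code, nor Alan's provisioning system) of the sanity check a provisioning step could run before pointing `enable = file` at a passwd(5)-formatted file, so that every user who should be able to enable actually has a usable hash; the file contents and user names are constructed:

```python
# Added example, not tac_plus code: validate a passwd(5)-formatted file
# before using it as "enable = file <path>". Sample entries are constructed.
from typing import Dict, List, Optional, Tuple

# Constructed sample in passwd(5) layout: name:passwd:uid:gid:gecos:dir:shell
SAMPLE_PASSWD = """\
alice:$6$c0nstructedsalt$c0nstructedhashvalue:1001:1001:Alice:/nonexistent:/sbin/nologin
bob:*:1002:1002::/nonexistent:/sbin/nologin
carol:!$6$locked$hash:1003:1003::/nonexistent:/sbin/nologin
dave::1004:1004::/nonexistent:/sbin/nologin
this line is not colon separated
"""
PASSWD_FIELDS = 7   # passwd(5) defines exactly seven colon-separated fields


def parse_passwd(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return {user: hash} for well-formed entries plus a list of problems."""
    entries: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != PASSWD_FIELDS:
            problems.append(f"line {lineno}: {len(fields)} fields, expected {PASSWD_FIELDS}")
            continue
        name, pw_hash = fields[0], fields[1]
        if name in entries:
            problems.append(f"line {lineno}: duplicate entry for {name!r}")
            continue
        entries[name] = pw_hash
    return entries, problems


def enable_usable(entries: Dict[str, str], user: str) -> Optional[str]:
    """None when the user has a usable hash; otherwise the reason it is not."""
    if user not in entries:
        return "no entry"               # nothing for the daemon to verify against
    pw_hash = entries[user]
    if pw_hash == "":
        return "empty hash field"       # flag for review rather than rely on it
    if pw_hash[0] in "*!":
        return "locked account marker"  # conventional lock prefixes in passwd(5)
    return None


def check_users(text: str, users: List[str]) -> Dict[str, Optional[str]]:
    """Map each expected user to None (ok) or the reason enable would fail."""
    entries, _problems = parse_passwd(text)
    return {user: enable_usable(entries, user) for user in users}
```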
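For Carmi's accounting-log question above, an added example (not tac_plus code) that parses accounting lines in the layout her old-version sample shows and fills in the NAS hostname through a resolver, so the name is still available when the daemon writes only the address. The field order (timestamp, NAS, user, port, rem_addr, flags, then attr=value pairs), the NAS address 10.90.50.1 and the hostname table are assumptions made for the demo:

```python
# Added example, not tac_plus code: parse tac_plus-style accounting lines and
# attach the NAS hostname via a resolver. Field order assumed: timestamp, NAS,
# user, port, rem_addr, flags, then attr=value pairs. The sample lines, the
# NAS address 10.90.50.1 and the hostname table are constructed for this demo.
import socket
from typing import Callable, Dict, List, Optional

SAMPLE_LINES: List[str] = [
    "Thu Apr 23 12:33:26 2009\t10.90.50.1\tmhenric\ttty1\t10.90.49.18\tstop\t"
    "task_id=6582\ttimezone=EST\tservice=shell\tpriv-lvl=15\tcmd=write",
    "Thu Apr 23 12:34:01 2009\t10.90.50.2\tmhenric\ttty1\t10.90.49.18\tstart\t"
    "task_id=6583\tservice=shell\tcmd=show running-config",
]
STATIC_HOSTS: Dict[str, str] = {"10.90.50.1": "sesncagr11"}  # constructed table


def static_resolver(addr: str) -> Optional[str]:
    """Offline lookup used by the demo; swap in dns_resolver on a real host."""
    return STATIC_HOSTS.get(addr)


def dns_resolver(addr: str) -> Optional[str]:
    """Reverse-DNS lookup; None when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def parse_acct_line(line: str) -> Dict[str, object]:
    """Split a line into fixed fields and an attrs dict (tab-separated log)."""
    if "\t" in line:
        fields = line.rstrip("\n").split("\t")
    else:  # whitespace-only copy, e.g. pasted into mail: timestamp is 5 tokens
        tokens = line.split()
        fields = [" ".join(tokens[:5])] + tokens[5:]
    if len(fields) < 6:
        raise ValueError(f"short accounting line: {line!r}")
    attrs: Dict[str, str] = {}
    for pair in fields[6:]:
        key, sep, value = pair.partition("=")
        attrs[key] = value if sep else ""
    return {"timestamp": fields[0], "nas": fields[1], "user": fields[2],
            "port": fields[3], "rem_addr": fields[4], "flags": fields[5],
            "attrs": attrs}


def enrich(line: str, resolver: Callable[[str], Optional[str]] = static_resolver) -> Dict[str, object]:
    """Add nas_name: resolved hostname, or the raw address when unresolvable."""
    record = parse_acct_line(line)
    record["nas_name"] = resolver(str(record["nas"])) or record["nas"]
    return record
```

Because a tab-separated log keeps spaces inside values, `cmd=show running-config` survives intact; the whitespace fallback exists only for lines copied into mail like the one above.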