[tac_plus] per-user enable passwords in a file
Alan McKinnon
alan.mckinnon at gmail.com
Fri Aug 21 18:44:05 UTC 2009
Hi,
My first post here. My question is about valid tac_plus.conf syntax.
Using tac_plus-4.0.4.18 on FreeBSD-5.4-p11.
I have a bespoke system that provisions a valid tac_plus.conf to my auth
servers. The cleanest and most elegant method would be login and enable
passwords in separate files so I tried this:
group = tacacs_role_1 {
    [...]
    login = file tacacs_normal.passwd
    enable = file tacacs_enable.passwd
    [...]
}
user = user_1 {
    member = tacacs_role_1
}
I typed this from memory; there might be silly typos. But the intention is
clear. My code can guarantee that a user who should have a password in the
files does have one. The format of the *.passwd files is the standard:
<user>:<hash>:::::
login works, enable does not. The logs say simply:
"enable query for <user> tty514 from <IP> rejected"
I work around this by putting the hashes in the user stanza but this is ugly -
I need the *passwd files for other uses elsewhere anyway and would rather have
hashes in only one format.
I suspect I'm trying to do something that is simply not supported, but I can't
find specs that say if it is or isn't. I did RTFM first :-)
Is it?
Has anyone ever compiled a railroad diagram that completely describes
tac_plus.conf?
--
alan dot mckinnon at gmail dot com
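A pre-flight check for the password files described in the post, added here as example code (it is not part of tac_plus and says nothing about how tac_plus itself reads these files). It parses the `<user>:<hash>:::::` layout, reports malformed lines, and lists users who have a login entry but no usable enable entry, which is the first thing to verify when enable queries are rejected. The sample file contents and hash strings are constructed placeholders.

```python
"""Validate <user>:<hash>::::: password files and cross-check login vs enable.

Added example for this page, not tac_plus code. Field layout is assumed from
the post: splitting "<user>:<hash>:::::" on ':' yields 7 fields.
"""
from typing import Dict, List, Tuple

EXPECTED_FIELDS = 7  # "<user>:<hash>:::::" -> 7 colon-separated fields


def parse_passwd(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({user: hash}, [problem descriptions]) for one file's contents."""
    entries: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are skipped
        fields = line.split(":")
        if len(fields) != EXPECTED_FIELDS:
            problems.append(
                f"line {lineno}: expected {EXPECTED_FIELDS} fields, got {len(fields)}"
            )
            continue
        user, pw_hash = fields[0], fields[1]
        if not user:
            problems.append(f"line {lineno}: empty user name")
            continue
        if not pw_hash:
            # An empty hash field can never match; flag it rather than accept it.
            problems.append(f"line {lineno}: empty hash for {user!r}")
            continue
        if user in entries:
            problems.append(f"line {lineno}: duplicate entry for {user!r}")
            continue
        entries[user] = pw_hash
    return entries, problems


def users_missing_enable(login: Dict[str, str], enable: Dict[str, str]) -> List[str]:
    """Users present in the login file but absent (or unusable) in the enable file."""
    return sorted(set(login) - set(enable))


def check_files(login_text: str, enable_text: str) -> dict:
    """Run both parsers and summarise what a provisioning step should fix."""
    login, login_problems = parse_passwd(login_text)
    enable, enable_problems = parse_passwd(enable_text)
    return {
        "login_users": sorted(login),
        "enable_users": sorted(enable),
        "login_problems": login_problems,
        "enable_problems": enable_problems,
        "missing_enable": users_missing_enable(login, enable),
    }


# Constructed sample files; the hash strings are placeholders, not credentials.
LOGIN_FILE = """\
# login passwords
user_1:HASH_PLACEHOLDER_LOGIN_1:::::
user_2:HASH_PLACEHOLDER_LOGIN_2:::::
"""
ENABLE_FILE = """\
user_1:HASH_PLACEHOLDER_ENABLE_1:::::
user_2::::::
user_3:HASH_PLACEHOLDER_ENABLE_3::::
"""

if __name__ == "__main__":
    report = check_files(LOGIN_FILE, ENABLE_FILE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the constructed input, `user_2` is reported because its enable hash field is empty, and the `user_3` line is flagged for having only six fields; both would otherwise be silent failures that show up only as a rejected enable query in the log.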