[tac_plus] Re: per-user enable passwords in a file
john heasley
heas at shrubbery.net
Fri Aug 21 19:27:53 UTC 2009
Fri, Aug 21, 2009 at 08:44:05PM +0200, Alan McKinnon:
> Hi,
>
> My first post here. My question is about valid tac_plus.conf syntax.
>
> Using tac_plus-4.0.4.18 on FreeBSD-5.4-p11.
>
> I have a bespoke system that provisions a valid tac_plus.conf to my auth
> servers. The cleanest and most elegant method would be login and enable
> passwords in separate files so I tried this:
>
> group = tacacs_role_1 {
> [...]
> login = file tacacs_normal.passwd
> enable = file tacacs_enable.passwd
enable does not yet accept 'file'. I'm mid-rewrite of the config parser,
but intend to add that support.
> [...]
> }
>
> user = user_1 {
> member = tacacs_role_1
> }
>
>
> I typed this from memory, there might be silly typos. But the intention is
> clear. My code can guarantee that a user who should have a password in the
> files does have one. The format of the *.passwd files is the standard:
>
> <user>:<hash>:::::
>
> login works, enable does not. The logs say simply:
> "enable query for <user> tty514 from <IP> rejected"
> I work around this by putting the hashes in the user stanza but this is ugly -
> I need the *passwd files for other uses elsewhere anyway and would rather have
> hashes in only one format.
>
> I suspect I'm trying to do something that is simply not supported, but I can't
> find specs that say if it is or isn't. I did RTFM first :-)
>
> Is it?
>
> Has anyone ever compiled a railroad diagram that completely describes
> tac_plus.conf?
>
> --
> alan dot mckinnon at gmail dot com
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
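Since `enable = file` is not supported in this version, the poster's workaround is to emit the enable hash into each user stanza. The following added example (not code from the post, from the tac_plus project, or from the poster's provisioning system) shows how a provisioning step can keep the `*.passwd` files as the single source of hashes and still generate valid user stanzas: it parses the `<user>:<hash>:::::` layout the post describes, reports malformed or duplicate lines instead of skipping them, refuses to write a config for any listed user who lacks a login or enable hash (the guarantee the poster mentions), and renders the stanzas. The `login = des "<hash>"` / `enable = des "<hash>"` keywords for crypt(3) hashes and the double-quoting are assumptions about tac_plus.conf syntax; file contents, user and group names are constructed.

```python
"""Build tac_plus.conf user stanzas from passwd-style hash files.

Added example; assumes tac_plus.conf accepts `login = des "<crypt-hash>"` and
`enable = des "<crypt-hash>"` inside a user stanza (an assumption about the
syntax, not taken from the post).
"""
import re

# Constructed sample input in the <user>:<hash>::::: layout from the post.
# Lines 4 and 5 are deliberately bad so the parser's reporting is visible.
LOGIN_PASSWD = """\
user_1:$1$Xq9z$Q7lsYG1e6vN0kq2nP3rTs.:::::
user_2:$1$Ab3c$u8HtL2mW4pQ9rS1vX6yZe/:::::
# comment lines are tolerated
user_3 has no hash field at all
user_1:$1$dupe$aaaaaaaaaaaaaaaaaaaaaa:::::
"""

ENABLE_PASSWD = """\
user_1:$1$En4b$K3jD9sL1mN8pQ2rT5vW7xY.:::::
"""

# user, hash, then exactly five empty trailing fields.
LINE_RE = re.compile(r"^([^:\s]+):([^:\s]+):::::$")


def parse_passwd(text):
    """Return ({user: hash}, [(lineno, problem), ...]).

    Blank and '#' lines are skipped; anything else that does not match the
    expected layout, or repeats a user, is reported rather than ignored.
    """
    entries, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append((lineno, "malformed line"))
            continue
        user, hash_ = m.groups()
        if user in entries:
            problems.append((lineno, "duplicate user " + user))
            continue
        entries[user] = hash_
    return entries, problems


def check_coverage(users, login, enable):
    """List (user, 'login'|'enable') pairs for which no hash exists."""
    missing = []
    for u in users:
        if u not in login:
            missing.append((u, "login"))
        if u not in enable:
            missing.append((u, "enable"))
    return missing


def render_user_stanza(user, group, login_hash, enable_hash):
    """One user stanza; hashes are quoted so '$' in MD5-crypt survives."""
    return "\n".join([
        f"user = {user} {{",
        f"    member = {group}",
        f'    login = des "{login_hash}"',
        f'    enable = des "{enable_hash}"',
        "}",
    ])


def build_fragment(login_text, enable_text, memberships):
    """Return config text for {user: group}, or raise ValueError listing
    every parse problem and every user with a missing hash, so a partial
    config is never written."""
    login, lp = parse_passwd(login_text)
    enable, ep = parse_passwd(enable_text)
    problems = [f"login file line {n}: {why}" for n, why in lp]
    problems += [f"enable file line {n}: {why}" for n, why in ep]
    problems += [f"{u}: no {kind} hash"
                 for u, kind in check_coverage(memberships, login, enable)]
    if problems:
        raise ValueError("; ".join(problems))
    return "\n\n".join(render_user_stanza(u, g, login[u], enable[u])
                       for u, g in memberships.items())


if __name__ == "__main__":
    try:
        print(build_fragment(LOGIN_PASSWD, ENABLE_PASSWD,
                             {"user_1": "tacacs_role_1", "user_2": "tacacs_role_1"}))
    except ValueError as err:
        print("refusing to write config:", err)
```

Run as a script, the sample input is rejected (user_2 has no enable hash and the login file has two bad lines), which is the behaviour wanted from a provisioning step: the `enable query for <user> ... rejected` log line in the post is what a silently incomplete config produces at runtime, so the check belongs before the file is pushed. Replacing the sample strings with the real file contents is all that is needed to use it.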