[tac_plus] Re: per-user enable passwords in a file
Schmidt, Daniel
dan.schmidt at uplinkdata.com
Fri Aug 21 19:19:12 UTC 2009
http://aron.ldc.lu.se/externwebb/natverk/mjh/bifrost/users_guide_tacacs
-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
Sent: Friday, August 21, 2009 12:44 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] per-user enable passwords in a file
Hi,
My first post here. My question is about valid tac_plus.conf syntax.
Using tac_plus-4.0.4.18 on FreeBSD-5.4-p11.
I have a bespoke system that provisions a valid tac_plus.conf to my auth
servers. The cleanest and most elegant method would be login and enable
passwords in separate files so I tried this:
group = tacacs_role_1 {
    [...]
    login = file tacacs_normal.passwd
    enable = file tacacs_enable.passwd
    [...]
}
user = user_1 {
    member = tacacs_role_1
}
I typed this from memory, there might be silly typos. But the intention is clear. My code can guarantee that a user who should have a password in the files does have one. The format of the *.passwd files is the standard:
<user>:<hash>:::::
login works, enable does not. The logs say simply:
"enable query for <user> tty514 from <IP> rejected"
I work around this by putting the hashes in the user stanza but this is ugly - I need the *passwd files for other uses elsewhere anyway and would rather have hashes in only one format.
I suspect I'm trying to do something that is simply not supported, but I can't find specs that say if it is or isn't. I did RTFM first :-)
Is it?
Has anyone ever compiled a railroad diagram that completely describes tac_plus.conf?
--
alan dot mckinnon at gmail dot com
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
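Whatever the daemon ends up accepting for `enable = file`, a provisioning system that writes the `<user>:<hash>:::::` files can at least lint them before they reach the auth servers. The following is an added example, not code from the thread or from tac_plus; the file contents and hash strings are constructed, and it flags malformed lines, duplicate users, empty hashes, login users with no enable entry, and enable hashes identical to the login hash.

```python
"""Lint tac_plus-style passwd files before provisioning them.

Each file holds one line per user in the form <user>:<hash>:::::
The sample file contents below are constructed for this example.
"""
import re

LOGIN_FILE = """\
user_1:$1$saltsalt$abcdefghijklmnopqrstuv:::::
user_2:xyABCDEFGHIJK:::::
user_3::::::
"""
ENABLE_FILE = """\
user_1:$1$saltsalt$vutsrqponmlkjihgfedcba:::::
user_2:xyABCDEFGHIJK:::::
user_2:xyABCDEFGHIJK:::::
"""

# <user>:<hash> followed by exactly five empty fields.
LINE_RE = re.compile(r'^([^:\s]+):([^:]*):::::$')

def parse_passwd(text):
    """Return ({user: hash}, [problems]) for one file's contents."""
    entries, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: malformed entry")
            continue
        user, pw_hash = m.groups()
        if user in entries:
            problems.append(f"line {lineno}: duplicate user {user}")
            continue
        if not pw_hash:
            # An empty hash field would let an empty password through.
            problems.append(f"line {lineno}: empty hash for {user}")
        entries[user] = pw_hash
    return entries, problems

def lint(login_text, enable_text):
    """Cross-check the login and enable files; return a list of findings."""
    login, login_problems = parse_passwd(login_text)
    enable, enable_problems = parse_passwd(enable_text)
    findings = [f"login: {p}" for p in login_problems]
    findings += [f"enable: {p}" for p in enable_problems]
    for user in sorted(set(login) - set(enable)):
        findings.append(f"{user}: has login entry but no enable entry")
    for user in sorted(set(login) & set(enable)):
        if login[user] and login[user] == enable[user]:
            findings.append(f"{user}: enable hash identical to login hash")
    return findings

if __name__ == "__main__":
    for finding in lint(LOGIN_FILE, ENABLE_FILE):
        print(finding)
```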