[tac_plus] Re: per-user enable passwords in a file
Alan McKinnon
alan.mckinnon at gmail.com
Fri Aug 21 19:58:50 UTC 2009
On Friday 21 August 2009 21:19:12 Schmidt, Daniel wrote:
> http://aron.ldc.lu.se/externwebb/natverk/mjh/bifrost/users_guide_tacacs
Hi Daniel,
Thanks, I already have that document - it's up on my internal wiki.
Perhaps I haven't read it enough times yet.
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
> Sent: Friday, August 21, 2009 12:44 PM
> To: tac_plus at shrubbery.net
> Subject: [tac_plus] per-user enable passwords in a file
>
> Hi,
>
> My first post here. My question is about valid tac_plus.conf syntax.
>
> Using tac_plus-4.0.4.18 on FreeBSD-5.4-p11.
>
> I have a bespoke system that provisions a valid tac_plus.conf to my auth
> servers. The cleanest and most elegant method would be login and enable
> passwords in separate files so I tried this:
>
> group = tacacs_role_1 {
> [...]
> login = file tacacs_normal.passwd
> enable = file tacacs_enable.passwd
> [...]
> }
>
> user = user_1 {
> member = tacacs_role_1
> }
>
>
> I typed this from memory, there might be silly typos. But the intention is
> clear. My code can guarantee that a user who should have a password in the
> files does have one. The format of the *.passwd files is the standard:
>
> <user>:<hash>:::::
>
> login works, enable does not. The logs say simply:
> "enable query for <user> tty514 from <IP> rejected"
> I work around this by putting the hashes in the user stanza but this is
> ugly - I need the *passwd files for other uses elsewhere anyway and would
> rather have hashes in only one format.
>
> I suspect I'm trying to do something that is simply not supported, but I
> can't find specs that say if it is or isn't. I did RTFM first :-)
>
> Is it?
>
> Has anyone ever compiled a railroad diagram that completely describes
> tac_plus.conf?
--
alan dot mckinnon at gmail dot com
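Before concluding that `enable = file` is unsupported, it is worth ruling out the passwd files themselves: a user missing from the enable file, a blank or locked hash field, a malformed line, or a duplicate entry all produce a plain "rejected" with nothing more to go on. The checker below is an added example (not part of the thread and not tac_plus code); it parses both files in the seven-field `<user>:<hash>:::::` layout quoted above, classifies each hash by its crypt(3) prefix, and reports users that have a login hash but no enable hash. The file names follow the post; the file contents are constructed sample data, and the hashes in them are made-up strings of the right shape, not hashes of any real password.

```python
"""Sanity-check a pair of tac_plus-style passwd files (login and enable).

Added example, not code from tac_plus. Detects the problems that all surface
as a bare "rejected" on the server: users absent from the enable file, blank
or locked hash fields, malformed lines, duplicate entries, and mixed hash
formats. The two file bodies below are constructed sample input; the hashes
are placeholder strings shaped like DES-crypt and MD5-crypt values.
"""
import re
from typing import Dict, List, Tuple

LOGIN_FILE = """\
user_1:$1$ab12cd34$YwM3JXnIhgkE0OgYzQ7Hp1:::::
user_2:Ab9vXzU1o9/hE:::::
user_3:*:::::
user_4::::::
not a passwd line at all
user_2:Ab9vXzU1o9/hE:::::
"""

ENABLE_FILE = """\
user_1:$1$ab12cd34$YwM3JXnIhgkE0OgYzQ7Hp1:::::
user_5:Ab9vXzU1o9/hE:::::
"""

# Traditional DES crypt: 13 characters from the ./0-9A-Za-z alphabet.
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def hash_kind(pw_hash: str) -> str:
    """Classify a crypt(3)-style hash by its prefix or shape."""
    if pw_hash == "":
        return "empty"            # blank field: no password at all
    if pw_hash.startswith(("*", "!")):
        return "locked"           # conventional 'account locked' markers
    if pw_hash.startswith("$1$"):
        return "md5-crypt"
    if pw_hash.startswith("$5$"):
        return "sha256-crypt"
    if pw_hash.startswith("$6$"):
        return "sha512-crypt"
    if pw_hash.startswith("$2"):
        return "bcrypt"
    if _DES_RE.match(pw_hash):
        return "des-crypt"
    return "unknown"


def parse_passwd(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse <user>:<hash>::::: lines; return {user: hash} and a problem list."""
    users: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            problems.append(f"line {lineno}: expected 7 fields, got {len(fields)}")
            continue
        user, pw_hash = fields[0], fields[1]
        if not user:
            problems.append(f"line {lineno}: empty username")
            continue
        if user in users:
            problems.append(f"line {lineno}: duplicate entry for {user!r}")
            continue
        kind = hash_kind(pw_hash)
        if kind in ("empty", "locked", "unknown"):
            problems.append(f"line {lineno}: {user!r} has {kind} hash {pw_hash!r}")
        users[user] = pw_hash
    return users, problems


def check_enable_coverage(login_text: str, enable_text: str) -> Dict[str, object]:
    """Cross-check the login and enable files and summarise what a provisioner should fix."""
    login_users, login_problems = parse_passwd(login_text)
    enable_users, enable_problems = parse_passwd(enable_text)
    usable = {"md5-crypt", "sha256-crypt", "sha512-crypt", "bcrypt", "des-crypt"}
    formats = {hash_kind(h) for h in list(login_users.values()) + list(enable_users.values())}
    return {
        "missing_enable": sorted(u for u in login_users if u not in enable_users),
        "enable_only": sorted(u for u in enable_users if u not in login_users),
        "hash_formats": sorted(formats & usable),   # more than one = mixed formats
        "login_problems": login_problems,
        "enable_problems": enable_problems,
    }


if __name__ == "__main__":
    report = check_enable_coverage(LOGIN_FILE, ENABLE_FILE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the real files, anything listed under `missing_enable` or in a problem list is a provisioning defect to fix first; only once both lists are empty does a rejected enable query point at the daemon's handling of `enable = file` rather than at the data.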