[tac_plus] Re: per-user enable passwords in a file

Schmidt, Daniel dan.schmidt at uplinkdata.com
Fri Aug 21 22:28:59 UTC 2009


enable = file /etc/passwd works.  Remember this?

    /* "file <path>" password spec: delegate to the passwd-file lookup */
    p = tac_find_substring("file ", cfg_passwd);
    if (p) {
        return(passwd_file_verify(name, passwd, data, p));
    }

    /* Oops. No idea what kind of password this is. This should never
     * happen as the parser should never create such passwords.
     */
    report(LOG_ERR, "%s: Error cannot identify password type %s for %s",
           session.peer,
           cfg_passwd && cfg_passwd[0] ? cfg_passwd : "<NULL>",
           name ? name : "<unknown>");

    /* unknown password type: fail closed rather than authenticate */
    data->status = TAC_PLUS_AUTHEN_STATUS_FAIL;
    return(0);
}

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of john heasley
Sent: Friday, August 21, 2009 1:28 PM
To: Alan McKinnon
Cc: tac_plus at shrubbery.net
Subject: [tac_plus] Re: per-user enable passwords in a file

Fri, Aug 21, 2009 at 08:44:05PM +0200, Alan McKinnon:
> Hi,
> 
> My first post here. My question is about valid tac_plus.conf syntax.
> 
> Using tac_plus-4.0.4.18 on FreeBSD-5.4-p11.
> 
> I have a bespoke system that provisions a valid tac_plus.conf to my auth
> servers. The cleanest and most elegant method would be login and enable
> passwords in separate files so I tried this:
> 
> group = tacacs_role_1 {
>   [...]
>   login  = file tacacs_normal.passwd
>   enable = file tacacs_enable.passwd

enable does not yet accept 'file'.  I'm mid-rewrite of the config parser,
but intend to add that support.

>   [...]
> }
> 
> user = user_1 {
>   member = tacacs_role_1
> }
> 
> 
> I typed this from memory, there might be silly typos. But the intention is
> clear. My code can guarantee that a user who should have a password in the
> files does have one. The format of the *.passwd files is the standard:
> 
> <user>:<hash>:::::
> 
> login works, enable does not. The logs say simply:
> "enable query for <user> tty514 from <IP> rejected"
> I work around this by putting the hashes in the user stanza but this is ugly -
> I need the *passwd files for other uses elsewhere anyway and would rather have
> hashes in only one format.
> 
> I suspect I'm trying to do something that is simply not supported, but I can't
> find specs that say if it is or isn't. I did RTFM first :-)
> 
> Is it?
> 
> Has anyone ever compiled a railroad diagram that completely describes 
> tac_plus.conf?
> 
> -- 
> alan dot mckinnon at gmail dot com
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
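The "file <path>" lookup that both messages above turn on, written out as an added example; this is not tac_plus's own code. It reads the `<user>:<hash>:::::` file format quoted in the thread, resolves the user's hash field, verifies the supplied password, and otherwise falls through to the same fail-closed branch the quoted C ends in. The real daemon stores crypt(3)-style hashes in those files and checks them with crypt(); as a labelled assumption this example swaps in PBKDF2-SHA256 hashes in a `$pbkdf2-sha256$<iter>$<salt-hex>$<digest-hex>` field so it runs on a stock Python without the deprecated crypt module. All function names, the status strings and the sample file contents are invented for illustration.

```python
"""
Added example, not tac_plus code: the 'enable = file <path>' lookup path.

Assumption (labelled): hash fields are "$pbkdf2-sha256$<iter>$<salt-hex>$<digest-hex>"
instead of the crypt(3) strings the real daemon expects. Names are invented.
"""
import hashlib
import hmac
import os

STATUS_PASS = "TAC_PLUS_AUTHEN_STATUS_PASS"
STATUS_FAIL = "TAC_PLUS_AUTHEN_STATUS_FAIL"


def make_hash(password, iterations=100_000, salt=None):
    """Produce a hash field in the (assumed) $pbkdf2-sha256$ format."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def check_hash(password, stored):
    """Verify a password against a stored hash; unknown or malformed formats fail closed."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != "pbkdf2-sha256":
        return False
    try:
        iterations = int(parts[2])
        salt = bytes.fromhex(parts[3])
        expected = bytes.fromhex(parts[4])
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(actual, expected)   # constant-time compare


def lookup_passwd_file(lines, name):
    """Return the hash field for `name` from <user>:<hash>::::: lines, else None.

    First colon-separated field is the user, second the hash, the rest are
    ignored. Blank lines and '#' comments are skipped; a line without a
    second field is ignored rather than matched.
    """
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        if fields[0] == name:
            return fields[1]
    return None


def passwd_file_verify(name, password, path, files):
    """'file <path>' handler: find the user's hash in the named file and check it."""
    lines = files.get(path)
    if lines is None:
        return STATUS_FAIL            # missing/unreadable file: fail closed
    stored = lookup_passwd_file(lines, name)
    if not stored:
        return STATUS_FAIL            # unknown user or empty hash field
    return STATUS_PASS if check_hash(password, stored) else STATUS_FAIL


def verify_password(name, password, cfg_passwd, files):
    """Dispatch on the configured password spec, as the quoted C does for 'file '.

    Only the 'file ' prefix is handled here; anything else reaches the same
    "cannot identify password type" fail-closed branch as the C snippet.
    """
    if cfg_passwd.startswith("file "):
        path = cfg_passwd[len("file "):].strip()
        return passwd_file_verify(name, password, path, files)
    return STATUS_FAIL


# Constructed sample "files" (path -> lines), standing in for the filesystem.
# A fixed salt keeps the sample deterministic; use os.urandom in real use.
SAMPLE_FILES = {
    "tacacs_enable.passwd": [
        "# constructed sample, not a real password file",
        "user_1:" + make_hash("s3cret-enable", salt=bytes(16)) + ":::::",
        "user_2::::::",                      # empty hash field
        "broken line without any colons",
    ],
}


def main():
    spec = "file tacacs_enable.passwd"
    for user, pw in [("user_1", "s3cret-enable"), ("user_1", "wrong"),
                     ("user_2", ""), ("nobody", "x")]:
        print(user, verify_password(user, pw, spec, SAMPLE_FILES))
    print("unknown spec:", verify_password("user_1", "s3cret-enable", "des xyz", SAMPLE_FILES))


if __name__ == "__main__":
    main()
```

The two checks worth keeping when adapting this to real files are the ones the quoted C also makes: an empty or unparseable hash field must reject, and any password spec the dispatcher does not recognise must reject rather than fall through to a success path.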