[tac_plus] Re: How can I deny/permit ?
Alexander Czutka
aczutka at brocade.com
Tue Feb 3 07:23:27 UTC 2009
Hello Nathan,
Sorry for the delay.
I have tried this:
# tacacs configuration file
# Pierre-Yves Maunier - 20060713
# /etc/tac_plus.conf
# set the key
key = foundry
accounting file = /var/log/tac_plus.acct
# Group definition
group = group2 {
    default service = deny
    cmd = show {
        permit "ip <cr>"
        deny .*
    }
}
# users accounts
user = test {
    default service = permit
    login = cleartext "test"
    enable = cleartext "test"
    name = "test"
}
user = user2 {
    member = group2
    login = cleartext "user2"
    enable = cleartext "user2"
}
# END
Now I'm not able to execute any command:
telnet at BigIron Router#
telnet at BigIron Router#show ip
Not authorized to execute this command.
telnet at BigIron Router#
telnet at BigIron Router#
telnet at BigIron Router#show ip route
Not authorized to execute this command.
telnet at BigIron Router#
telnet at BigIron Router#
telnet at BigIron Router#
Regards,
Alexander
________________________________
From: nschrenk at gmail.com [mailto:nschrenk at gmail.com] On behalf of Nathan Schrenk
Sent: Friday, 30 January 2009 22:57
To: Alexander Czutka
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] How can I deny/permit ?
On 1/30/09, Alexander Czutka <aczutka at brocade.com> wrote:
Hello Nathan,
it doesn't work.
What doesn't work? tac_plus doesn't print the same error message while parsing the config file as it does without the quotes, does it?
I normally use a group and deny everything that is not explicitly allowed (a command blacklist):
group = mygroup {
    default service = deny
    cmd = show {
        permit "ip <cr>"
        deny .*
    }
}
user = myuser {
    member = mygroup
    login = cleartext "mypassword"
}
Nathan
user = user2 {
    # member = group2
    # debug = REGEX
    login = cleartext "user2"
    enable = cleartext "user2"
    cmd = show {
        permit ip
        deny "ip ospf"
    }
}
# END
Regards,
Alexander
________________________________
From: nschrenk at gmail.com [mailto:nschrenk at gmail.com] On behalf of Nathan Schrenk
Sent: Friday, 30 January 2009 21:14
To: Alexander Czutka
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] How can I deny/permit ?
On 1/30/09, Alexander Czutka <aczutka at brocade.com> wrote:
Hello,
I'm trying to set up an authorization for a user.
The user should be allowed to do a:
- Show ip
- show ip route
But he shouldn't be able to execute the commands which start with:
- Show ip ospf
- Show ip pim
I tried this, but it didn't work:
cmd = show {
    permit ip
    deny ip ospf
}
root at ubuntu-fdry:/# tac_plus -C /etc/tac_plus.conf
Error: expecting '}' but found 'ospf' on line 40
root at ubuntu-fdry:/#
Is this possible ?
Try putting quotes around the tokens:
cmd = show {
    permit ip
    deny "ip ospf"
}
Nathan
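Editor's added example, not code from this thread or from the tac_plus project: a small Python model of how a `cmd = show { permit ... deny ... }` block is read and evaluated, so the two configurations discussed above can be compared side by side. The evaluation model is an assumption made for this example (rules are tried in the order written, each pattern is an unanchored regex search, the argument string gets " <cr>" appended as in the `permit "ip <cr>"` rules above, the first hit decides, and no hit means deny); the three config blocks and the sample commands are constructed for the demonstration. It shows why an unquoted `deny ip ospf` trips the "expecting '}' but found 'ospf'" parser error, why `permit ip` placed before `deny "ip ospf"` still permits `show ip ospf` (first match wins), why `permit "ip <cr>"` alone permits `show ip` but not `show ip route`, and one ordering that yields the policy asked for in the original question (permit `show ip` and `show ip route`, deny `show ip ospf ...` and `show ip pim ...`).

```python
import re
import shlex

# Constructed tac_plus-style cmd blocks (not taken from the thread).
UNQUOTED = 'cmd = show {\n    permit ip\n    deny ip ospf\n}\n'   # fails to parse

PERMIT_FIRST = '''
cmd = show {
    permit ip           # matches "ip ospf <cr>" too, so the deny below never fires
    deny "ip ospf"
}
'''

EXACT_ONLY = '''
cmd = show {
    permit "ip <cr>"    # "show ip" only: nothing may follow "ip"
    deny .*
}
'''

DENY_FIRST = '''
cmd = show {
    deny "ip ospf"      # most specific denies first
    deny "ip pim"
    permit "ip <cr>"    # exactly "show ip"
    permit "ip route"   # "show ip route ..."
    deny .*             # everything else
}
'''


def parse_cmd_block(text):
    """Parse one `cmd = NAME { permit|deny PATTERN ... }` block into
    (name, [(action, pattern), ...]).  Double-quoted patterns may contain
    spaces; an unquoted multi-word pattern splits into extra tokens, which is
    the situation behind the "expecting '}' but found 'ospf'" error."""
    m = re.search(r'cmd\s*=\s*(\S+)\s*\{(.*?)\}', text, re.S)
    if not m:
        raise ValueError("no cmd block found")
    name, body = m.group(1), m.group(2)
    rules = []
    for raw in body.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)            # honours the double quotes
        if len(tokens) > 2:
            raise ValueError(f"expecting '}}' but found {tokens[2]!r}")
        if len(tokens) != 2 or tokens[0] not in ('permit', 'deny'):
            raise ValueError(f"bad rule: {line!r}")
        rules.append((tokens[0], tokens[1]))
    return name, rules


def authorize(rules, args):
    """Assumed evaluation model: append ' <cr>' to the argument string, try
    each pattern in order as an unanchored regex search, let the first hit
    decide, and deny when nothing matches."""
    line = f"{args} <cr>" if args else "<cr>"
    for action, pattern in rules:
        if re.search(pattern, line):
            return action == 'permit'
    return False


def decisions(config_text, arg_lines):
    """Map each argument string (the part after 'show') to True=permit /
    False=deny under the given block."""
    _, rules = parse_cmd_block(config_text)
    return {args: authorize(rules, args) for args in arg_lines}


# Constructed sample commands: the argument part of "show ..." lines.
SAMPLE_ARGS = ["ip", "ip route", "ip ospf neighbor", "ip pim", "interfaces", ""]

if __name__ == "__main__":
    for label, cfg in (("permit-first", PERMIT_FIRST),
                       ("exact-only", EXACT_ONLY),
                       ("deny-first", DENY_FIRST)):
        print(label)
        for args, ok in decisions(cfg, SAMPLE_ARGS).items():
            print(f"  show {args:<18} -> {'permit' if ok else 'deny'}")
    try:
        parse_cmd_block(UNQUOTED)
    except ValueError as err:
        print("parse error:", err)
```

Because the first matching rule decides, the specific denies have to come before the broad permit; `deny .*` at the end then makes the block an explicit allow-list, and `permit "ip <cr>"` is needed in addition to `permit "ip route"` because `"ip <cr>"` only matches when nothing follows `ip`.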