[tac_plus] Re: How can I deny/permit ?

Alexander Czutka aczutka at brocade.com
Tue Feb 3 07:23:27 UTC 2009


Hello Nathan,

Sorry for the delay.

I have tried this:

# tacacs configuration file
# Pierre-Yves Maunier - 20060713
# /etc/tac_plus.conf

# set the key
key = foundry

accounting file = /var/log/tac_plus.acct

# Group definition
group = group2 {
        default service = deny
        cmd = show {
                permit "ip <cr>"
                deny .*
        }
}

# users accounts
user = test {
        default service = permit
        login = cleartext "test"
        enable = cleartext "test"
        name = "test"
}

user = user2 {
        member = group2
        login = cleartext "user2"
        enable = cleartext "user2"
}

# END

Now I'm not able to execute any command:

telnet@BigIron Router#
telnet@BigIron Router#show ip
Not authorized to execute this command.
telnet@BigIron Router#
telnet@BigIron Router#
telnet@BigIron Router#show ip route
Not authorized to execute this command.
telnet@BigIron Router#
telnet@BigIron Router#
telnet@BigIron Router#

Regards,

Alexander

________________________________

From: nschrenk at gmail.com [mailto:nschrenk at gmail.com] On behalf of Nathan Schrenk
Sent: Friday, 30 January 2009 22:57
To: Alexander Czutka
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] How can I deny/permit ?

On 1/30/09, Alexander Czutka <aczutka at brocade.com> wrote:

	Hello Nathan,

	it doesn't work.


What doesn't work?  tac_plus doesn't print the same error message while parsing the config file as it does without the quotes, does it?

I normally use a group and deny everything that is not explicitly allowed (a command blacklist):

group = mygroup {
   default service = deny
   cmd = show {
      permit "ip <cr>"
      deny .*
   }
}
user = myuser {
   member = mygroup
   login = cleartext "mypassword"
}

Nathan

	 

	user = user2 {
	#             member = group2
	#             debug = REGEX
	             login = cleartext "user2"
	             enable = cleartext "user2"

	            cmd = show {
	                       permit ip
	                       deny "ip ospf"
	            }

	# END

	Regards,

	Alexander

	
________________________________

	From: nschrenk at gmail.com [mailto:nschrenk at gmail.com] On behalf of Nathan Schrenk
	Sent: Friday, 30 January 2009 21:14
	To: Alexander Czutka
	Cc: tac_plus at shrubbery.net
	Subject: Re: [tac_plus] How can I deny/permit ?

	On 1/30/09, Alexander Czutka <aczutka at brocade.com> wrote:

		Hello,

		I'm trying to set up authorization for a user.

		The user should be allowed to run:

		- show ip
		- show ip route

		But he shouldn't be able to execute commands that start with:

		- show ip ospf
		- show ip pim

		I tried this, but it didn't work:

		cmd = show {
		            permit ip
		            deny ip ospf
		            }

		root@ubuntu-fdry:/# tac_plus -C /etc/tac_plus.conf
		Error: expecting '}' but found 'ospf' on line 40
		root@ubuntu-fdry:/#

		Is this possible?

	
	Try putting quotes around the tokens:

	cmd = show {
	            permit ip
	            deny "ip ospf"
	            }

	Nathan

	 

 

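As an added illustration, not code from the thread or from tac_plus itself: a small emulation of how tac_plus decides each of the `cmd = show { ... }` rule sets discussed above, assuming the semantics the tac_plus documentation describes (the command's arguments are joined with spaces, `<cr>` is appended, and the permit/deny regexes are tried in config order, the first match deciding). The `"^ip "` anchored variant and the "no match means deny" reading are my assumptions, not from the thread.

```python
import re

# Added emulation of tac_plus command authorization; not tac_plus's own code.
# Assumed semantics (from the tac_plus documentation): the command's arguments
# are joined with spaces and " <cr>" is appended, then the permit/deny regexes
# of the "cmd = show { ... }" block are tried in config order and the first one
# that matches decides.  Treating "nothing matched" as deny is my assumption.

def authorize(rules, argv):
    """Return (action, matching_regex) for one command, e.g. argv=["ip","route"]."""
    args = " ".join(argv + ["<cr>"])
    for action, pattern in rules:
        if re.search(pattern, args):  # unanchored search, as regexec() does
            return action, pattern
    return "deny", None

# Rule sets from the thread, in the order they were written.
AS_QUOTED = [("permit", "ip"), ("deny", "ip ospf")]            # Nathan's suggestion
DENY_FIRST = [("deny", "ip ospf"), ("deny", "ip pim"), ("permit", "ip")]
GROUP2 = [("permit", "ip <cr>"), ("deny", ".*")]               # Alexander's group2
# Unanchored "permit ip" also matches "ipv6 ..." (any args containing "ip");
# anchoring the permit with ^ tightens it.  This variant is my suggestion.
ANCHORED = [("deny", "ip ospf"), ("deny", "ip pim"), ("permit", "^ip ")]

# Constructed sample argument lists for "show ..." commands.
SAMPLES = [[], ["ip"], ["ip", "route"], ["ip", "ospf"],
           ["ip", "pim", "neighbor"], ["ipv6", "route"]]

def decisions(rules):
    """Map each sample 'show ...' command to its permit/deny decision."""
    return {" ".join(["show"] + a): authorize(rules, a)[0] for a in SAMPLES}

if __name__ == "__main__":
    for name, rules in [("as quoted", AS_QUOTED), ("deny first", DENY_FIRST),
                        ("group2", GROUP2), ("anchored", ANCHORED)]:
        print(name)
        for cmd, verdict in decisions(rules).items():
            print(f"  {cmd:<24} {verdict}")
```

Under these semantics the quoted `permit ip` / `deny "ip ospf"` order still permits `show ip ospf` because the permit matches first, and group2 permits only the bare `show ip`; why even that was denied on the BigIron is not resolved in the thread.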