[tac_plus] Re: How can I deny/permit ?

Nathan Schrenk nathan at schrenk.org
Tue Feb 3 16:20:21 UTC 2009


I don't know why that's not working.  I would try to increase the debug
logging and then try to authorize the commands again and see if there are
any log messages that help explain why authorization is being denied.
Passing the command-line argument "-d 4088" should enable lots of debugging
log messages.

Nathan

On 2/2/09, Alexander Czutka <aczutka at brocade.com> wrote:
>
>  Hello Nathan,
>
> Sorry for the delay.
>
> I have tried this:
>
> # tacacs configuration file
> # Pierre-Yves Maunier - 20060713
> # /etc/tac_plus.conf
>
> # set the key
> key = foundry
>
> accounting file = /var/log/tac_plus.acct
>
> # Group definition
>
> group = group2 {
>         default service = deny
>
>         cmd = show {
>                 permit "ip <cr>"
>                 deny .*
>         }
>
> # users accounts
>
> user = test {
>         default service = permit
>         login = cleartext "test"
>         enable = cleartext "test"
>         name = "test"
> }
>
> user = user2 {
>         member = group2
>         login = cleartext "user2"
>         enable = cleartext "user2"
> }
>
> # END
>
> Now I'm not able to execute any command:
>
> telnet at BigIron Router#
> telnet at BigIron Router#show ip
> Not authorized to execute this command.
> telnet at BigIron Router#
> telnet at BigIron Router#
> telnet at BigIron Router#show ip route
> Not authorized to execute this command.
> telnet at BigIron Router#
> telnet at BigIron Router#
> telnet at BigIron Router#
>
> Regards,
>
> Alexander
>  ------------------------------
>
> From: nschrenk at gmail.com [mailto:nschrenk at gmail.com] on behalf of Nathan Schrenk
> Sent: Friday, 30 January 2009 22:57
> To: Alexander Czutka
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] How can I deny/permit ?
>
> On 1/30/09, Alexander Czutka <aczutka at brocade.com> wrote:
>
>  Hello Nathan,
>
> it doesn't work.
>
>
> What doesn't work?  tac_plus doesn't print the same error message while
> parsing the config file as it does without the quotes, does it?
>
> I normally use a group and deny everything that is not explicitly allowed
> (a command blacklist):
>
> group = mygroup {
>    default service = deny
>    cmd = show {
>       permit "ip <cr>"
>       deny .*
>    }
> }
> user = myuser {
>    member = mygroup
>    login = cleartext "mypassword"
> }
>
> Nathan
>
>
>
> user = user2 {
> #       member = group2
> #       debug = REGEX
>         login = cleartext "user2"
>         enable = cleartext "user2"
>
>         cmd = show {
>                 permit ip
>                 deny "ip ospf"
>         }
>
> # END
>
> Regards,
>
> Alexander
>
>
>  ------------------------------
>
> From: nschrenk at gmail.com [mailto:nschrenk at gmail.com] on behalf of Nathan Schrenk
> Sent: Friday, 30 January 2009 21:14
> To: Alexander Czutka
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] How can I deny/permit ?
>
> On 1/30/09, Alexander Czutka <aczutka at brocade.com> wrote:
>
> Hello,
>
> I'm trying to set up authorization for a user.
>
> The user should be allowed to do a:
>
> - show ip
> - show ip route
>
> But he shouldn't be able to execute the commands which start with:
>
> - show ip ospf
> - show ip pim
>
> I tried this, but it didn't work:
>
> cmd = show {
>             permit ip
>             deny ip ospf
>             }
>
> root at ubuntu-fdry:/# tac_plus -C /etc/tac_plus.conf
> Error: expecting '}' but found 'ospf' on line 40
> root at ubuntu-fdry:/#
>
> Is this possible ?
>
>
> Try putting quotes around the tokens:
>
> cmd = show {
>             permit ip
>             deny "ip ospf"
>             }
>
> Nathan
>
>
>
>
>
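The three `cmd = show` blocks in this thread behave differently for a reason worth seeing in one place: in tac_plus the permit/deny patterns are regular expressions tried in config order, so an unanchored `permit ip` also matches "ip ospf" and the later `deny "ip ospf"` is never consulted, while Nathan's `permit "ip <cr>"` / `deny .*` only lets the bare "show ip" through. The Python below is an added model written for this page, not tac_plus source. It assumes Cisco-style behaviour: the NAS sends the verb as `cmd`, the remaining words as `cmd-arg` values ending in a literal `<cr>`, tac_plus joins the arguments with spaces, tests each pattern as an unanchored regex, the first match decides, and no match inside a configured block means deny (whether a Brocade/Foundry NAS appends `<cr>` is not settled by the thread). The `STATED_GOAL` block and the sample command strings are constructed for the illustration; also note that the `group2` block as quoted above has no closing brace, which `tac_plus -C` would reject, so that is the first thing to check.

```python
import re

# Constructed sample of the argument strings a Cisco-style NAS would hand
# tac_plus for the four commands in the thread (assumption: "<cr>" is sent
# as the final cmd-arg). The "show" verb itself is the cmd, not an argument.
SAMPLE_COMMANDS = {
    "show ip":       "ip <cr>",
    "show ip route": "ip route <cr>",
    "show ip ospf":  "ip ospf <cr>",
    "show ip pim":   "ip pim <cr>",
}

# 1. The first attempt from the thread, quoted so it parses. "ip" is an
#    unanchored regex, so it also matches "ip ospf" before the deny is reached.
FIRST_ATTEMPT = '''
    permit ip
    deny "ip ospf"
'''

# 2. Nathan's deny-everything-else block: only the bare "show ip" survives.
DENY_BY_DEFAULT = '''
    permit "ip <cr>"
    deny .*
'''

# 3. Constructed block for the goal stated in the thread. "^" anchors each
#    permit to the start of the argument string so it cannot match inside a
#    longer, unrelated argument list; the trailing "deny .*" keeps the
#    whitelist posture.
STATED_GOAL = '''
    permit "^ip <cr>"
    permit "^ip route"
    deny .*
'''


def parse_cmd_block(text):
    """Turn the body of a `cmd = show { ... }` block into an ordered rule list.

    Quoted patterns lose their quotes. An unquoted multi-word pattern is the
    poster's original tokenising problem: tac_plus reads `deny ip ospf` as the
    rule `deny ip` followed by a stray token and aborts with the error shown
    in the thread, which is mimicked here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, _, pattern = line.partition(" ")
        if action not in ("permit", "deny"):
            raise ValueError(f"expected permit/deny, got {line!r}")
        pattern = pattern.strip()
        if len(pattern) >= 2 and pattern[0] == '"' and pattern[-1] == '"':
            pattern = pattern[1:-1]
        elif " " in pattern:
            raise ValueError(f"expecting '}}' but found {pattern.split()[1]!r}")
        rules.append((action, pattern))
    return rules


def config_parses(text):
    """True if the block tokenises, False if tac_plus would reject it."""
    try:
        parse_cmd_block(text)
        return True
    except ValueError:
        return False


def authorize(rules, arg_string):
    """Model of tac_plus matching: each pattern is tried in config order as an
    unanchored regex against the space-joined arguments; the first hit decides.
    No hit inside a configured cmd block is modelled as deny (assumption)."""
    for action, pattern in rules:
        if re.search(pattern, arg_string):
            return action, pattern
    return "deny", "(no rule matched)"


def evaluate(block_text, commands=SAMPLE_COMMANDS):
    """Map each full command line to the decision the model reaches."""
    rules = parse_cmd_block(block_text)
    return {cmd: authorize(rules, args)[0] for cmd, args in commands.items()}


if __name__ == "__main__":
    for name, block in [("first attempt", FIRST_ATTEMPT),
                        ("deny by default", DENY_BY_DEFAULT),
                        ("stated goal", STATED_GOAL)]:
        print(f"{name}:")
        for cmd, decision in evaluate(block).items():
            print(f"  {cmd:<14} -> {decision}")
```

Running it shows the first block permitting all four commands (the deny line is dead), Nathan's block permitting only "show ip", and the anchored block permitting "show ip" and "show ip route" while denying the ospf and pim variants. The practical lesson for any regex-based command authorizer is the same as for firewall rules: put the most specific deny before the broad permit, or anchor the permits and end with a catch-all deny, and confirm with `-d 4088` debug output what argument string the NAS actually sends before trusting the pattern.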