[tac_plus] Re: How can I deny/permit ?
Alexander Czutka
aczutka at brocade.com
Thu Feb 5 15:46:37 UTC 2009
Thanks.
It works,
Alexander
________________________________
From: nschrenk at gmail.com [mailto:nschrenk at gmail.com] On behalf of Nathan Schrenk
Sent: Tuesday, 3 February 2009 17:20
To: Alexander Czutka
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] How can I deny/permit ?
I don't know why that's not working. I would try to increase the debug logging and then try to authorize the commands again and see if there are any log messages that help explain why authorization is being denied. Passing the command-line argument "-d 4088" should enable lots of debugging log messages.
Nathan
On 2/2/09, Alexander Czutka <aczutka at brocade.com> wrote:
Hello Nathan,
Sorry for the delay.
I have tried this:
# tacacs configuration file
# Pierre-Yves Maunier - 20060713
# /etc/tac_plus.conf
# set the key
key = foundry
accounting file = /var/log/tac_plus.acct
# Group definition
group = group2 {
    default service = deny
    cmd = show {
        permit "ip <cr>"
        deny .*
    }
}
# users accounts
user = test {
    default service = permit
    login = cleartext "test"
    enable = cleartext "test"
    name = "test"
}
user = user2 {
    member = group2
    login = cleartext "user2"
    enable = cleartext "user2"
}
# END
Now I'm not able to execute any command:
telnet at BigIron Router#
telnet at BigIron Router#show ip
Not authorized to execute this command.
telnet at BigIron Router#
telnet at BigIron Router#
telnet at BigIron Router#show ip route
Not authorized to execute this command.
telnet at BigIron Router#
telnet at BigIron Router#
telnet at BigIron Router#
Regards,
Alexander
________________________________
From: nschrenk at gmail.com [mailto:nschrenk at gmail.com] On behalf of Nathan Schrenk
Sent: Friday, 30 January 2009 22:57
To: Alexander Czutka
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] How can I deny/permit ?
On 1/30/09, Alexander Czutka <aczutka at brocade.com> wrote:
Hello Nathan,
it doesn't work.
What doesn't work? tac_plus doesn't print the same error message while parsing the config file as it does without the quotes, does it?
I normally use a group and deny everything that is not explicitly allowed (a command blacklist):
group = mygroup {
    default service = deny
    cmd = show {
        permit "ip <cr>"
        deny .*
    }
}
user = myuser {
    member = mygroup
    login = cleartext "mypassword"
}
Nathan
user = user2 {
    # member = group2
    # debug = REGEX
    login = cleartext "user2"
    enable = cleartext "user2"
    cmd = show {
        permit ip
        deny "ip ospf"
    }
}
# END
Regards,
Alexander
________________________________
From: nschrenk at gmail.com [mailto:nschrenk at gmail.com] On behalf of Nathan Schrenk
Sent: Friday, 30 January 2009 21:14
To: Alexander Czutka
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] How can I deny/permit ?
On 1/30/09, Alexander Czutka <aczutka at brocade.com> wrote:
Hello,
I'm trying to setup an authorization for a user.
The user should be allowed to do a:
- Show ip
- show ip route
But he shouldn't execute the commands, which starts with:
- Show ip ospf
- Show ip pim
I tried this, but it didn't work:
cmd = show {
    permit ip
    deny ip ospf
}
root at ubuntu-fdry:/# tac_plus -C /etc/tac_plus.conf
Error: expecting '}' but found 'ospf' on line 40
root at ubuntu-fdry:/#
Is this possible?
Try putting quotes around the tokens:
cmd = show {
    permit ip
    deny "ip ospf"
}
Nathan
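As an added example that is not part of this thread or of tac_plus itself, the following Python models the rule evaluation tac_plus is assumed to apply to a command's argument string (regexes tried in order, unanchored, first match wins, deny when the list is exhausted) and runs the thread's two rule sets plus one reordered set against constructed "show" argument strings; the function names, the suggested rule order and the sample commands are this example's own.

```python
import re

# Constructed model (not tac_plus code) of first-match command authorization:
# each rule is ("permit" | "deny", regex). Rules are tried in order against
# the command's argument string; the first regex that matches anywhere in it
# decides, and an exhausted list means deny.

def authorize(rules, args):
    """Return "permit" or "deny" for one command's argument string."""
    for action, pattern in rules:
        if re.search(pattern, args):  # unanchored search, as assumed for tac_plus
            return action
    return "deny"                     # no rule matched: denied by default

# Constructed argument strings as an IOS-style device would send them, joined
# by spaces; the trailing "<cr>" marks end of line, as in the thread's rule.
COMMANDS = ["ip <cr>", "ip route <cr>", "ip ospf <cr>", "ip pim neighbor <cr>"]

# Alexander's first attempt with Nathan's quoting: under first-match, "ip"
# matches every argument string, so the deny line is never reached.
FIRST_ATTEMPT = [("permit", "ip"), ("deny", "ip ospf")]

# Alexander's second config: only the bare "ip <cr>" is permitted; everything
# else under "show", including "ip route", falls through to deny .*
SECOND_CONFIG = [("permit", "ip <cr>"), ("deny", ".*")]

# One ordering (this example's suggestion) that meets the stated goal: deny
# the ospf and pim subtrees before permitting the rest of "show ip"; anchors
# keep "ip" from matching inside other words.
SUGGESTED = [("deny", r"^ip ospf"), ("deny", r"^ip pim"), ("permit", r"^ip\b")]

def evaluate(rules, commands=COMMANDS):
    """Map each argument string to the decision the rule list gives it."""
    return {cmd: authorize(rules, cmd) for cmd in commands}

if __name__ == "__main__":
    for name, rules in [("first attempt", FIRST_ATTEMPT),
                        ("second config", SECOND_CONFIG),
                        ("suggested", SUGGESTED)]:
        print(name)
        for cmd, decision in evaluate(rules).items():
            print(f"  show {cmd:22} -> {decision}")
```

Whether a device appends "<cr>" to the arguments, and exactly how it tokenizes them, varies by vendor, so check the daemon's debug output for the argument string it actually received before writing rules against it.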