[tac_plus] Re: How can I deny/permit ?

Alexander Czutka aczutka at brocade.com
Thu Feb 5 15:46:37 UTC 2009


Thanks.

It works.

Alexander

________________________________

From: nschrenk at gmail.com [mailto:nschrenk at gmail.com] On behalf of Nathan Schrenk
Sent: Tuesday, 3 February 2009 17:20
To: Alexander Czutka
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] How can I deny/permit ?

I don't know why that's not working.  I would try to increase the debug logging and then try to authorize the commands again and see if there are any log messages that help explain why authorization is being denied.  Passing the command-line argument "-d 4088" should enable lots of debugging log messages.

Nathan

On 2/2/09, Alexander Czutka <aczutka at brocade.com> wrote:

Hello Nathan,

Sorry for the delay.

I have tried this:

# tacacs configuration file
# Pierre-Yves Maunier - 20060713
# /etc/tac_plus.conf

# set the key
key = foundry

accounting file = /var/log/tac_plus.acct

# Group definition
group = group2 {
        default service = deny
        cmd = show {
                permit "ip <cr>"
                deny .*
        }
}  # closes group2

# users accounts
user = test {
        default service = permit
        login = cleartext "test"
        enable = cleartext "test"
        name = "test"
}

user = user2 {
        member = group2
        login = cleartext "user2"
        enable = cleartext "user2"
}

# END

Now I'm not able to execute any command:

telnet at BigIron Router#
telnet at BigIron Router#show ip
Not authorized to execute this command.
telnet at BigIron Router#
telnet at BigIron Router#show ip route
Not authorized to execute this command.
telnet at BigIron Router#

Regards,

Alexander

________________________________

From: nschrenk at gmail.com [mailto:nschrenk at gmail.com] On behalf of Nathan Schrenk
Sent: Friday, 30 January 2009 22:57
To: Alexander Czutka
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] How can I deny/permit ?

On 1/30/09, Alexander Czutka <aczutka at brocade.com> wrote:

	Hello Nathan,

	it doesn't work.

What doesn't work?  tac_plus doesn't print the same error message while parsing the config file as it does without the quotes, does it?

I normally use a group and deny everything that is not explicitly allowed (a command blacklist):

group = mygroup {
   default service = deny
   cmd = show {
      permit "ip <cr>"
      deny .*
   }
}
user = myuser {
   member = mygroup
   login = cleartext "mypassword"
}

Nathan

	user = user2 {
	#             member = group2
	#             debug = REGEX
	             login = cleartext "user2"
	             enable = cleartext "user2"

	            cmd = show {
	                       permit ip
	                       deny "ip ospf"
	            }
	}  # closes user2

	# END

	Regards,

	Alexander

	________________________________


	From: nschrenk at gmail.com [mailto:nschrenk at gmail.com] On behalf of Nathan Schrenk
	Sent: Friday, 30 January 2009 21:14
	To: Alexander Czutka
	Cc: tac_plus at shrubbery.net
	Subject: Re: [tac_plus] How can I deny/permit ?


	On 1/30/09, Alexander Czutka <aczutka at brocade.com> wrote:

		Hello,

		I'm trying to set up an authorization for a user.

		The user should be allowed to do a:

		- Show ip
		- show ip route

		But he shouldn't execute the commands which start with:

		- Show ip ospf
		- Show ip pim

		I tried this, but it didn't work:

		cmd = show {
		            permit ip
		            deny ip ospf
		            }

		root at ubuntu-fdry:/# tac_plus -C /etc/tac_plus.conf
		Error: expecting '}' but found 'ospf' on line 40
		root at ubuntu-fdry:/#

		Is this possible ?

	
	Try putting quotes around the tokens:

	cmd = show {
	            permit ip
	            deny "ip ospf"
	            }

	Nathan
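To make the rule ordering in the thread's cmd blocks visible, here is an added Python model of how tac_plus evaluates a `cmd = show { ... }` block; it is not tac_plus code and is simplified: the NAS sends the command word plus its cmd-arg values, the server joins the arguments with spaces, tries each permit/deny regex in order with an unanchored search, and the first match decides. It assumes that a command with no matching line, or with no cmd block at all, falls through to the user's `default service`, and that the device appends a `<cr>` argument in the Cisco style (the thread does not say whether the BigIron does). The `DENY_FIRST` ordering is constructed here to show the permit/deny order that gives the behaviour Alexander asked for.

```python
import re

# Added model of tac_plus cmd authorization (not tac_plus source, simplified).
# rules: mapping of command word -> ordered list of (action, regex) pairs,
# exactly as they appear in a "cmd = <word> { permit/deny <regex> }" block.

def authorize(rules, default_service, cmd, args):
    """Return True if the command is permitted, False if it is denied."""
    argstr = " ".join(args)              # tac_plus joins cmd-arg values with spaces
    lines = rules.get(cmd)
    if lines is None:                    # command word has no cmd block at all
        return default_service == "permit"
    for action, pattern in lines:        # lines are tried in order...
        if re.search(pattern, argstr):   # ...with an unanchored regex search...
            return action == "permit"    # ...and the first hit decides
    # Assumption: nothing matched, so fall through to the default service.
    return default_service == "permit"

# The thread's first attempt: "permit ip" is unanchored, so "ip ospf" hits the
# permit line before the deny line is ever consulted.
FIRST_ATTEMPT = {"show": [("permit", r"ip"), ("deny", r"ip ospf")]}

# Nathan's group config: only the bare "show ip" (args "ip <cr>") is permitted,
# so "show ip route" falls through to "deny .*".
GROUP2 = {"show": [("permit", r"ip <cr>"), ("deny", r".*")]}

# Constructed ordering for what Alexander asked for: deny the ospf and pim
# subtrees first, then permit everything else under "show ip".
DENY_FIRST = {"show": [("deny", r"^ip (ospf|pim)"), ("permit", r"^ip ")]}

def show(rules, args, default_service="deny"):
    """Shortcut for a 'show' command with Cisco-style args ending in <cr>."""
    return authorize(rules, default_service, "show", args + ["<cr>"])

if __name__ == "__main__":
    for name, rules in (("first attempt", FIRST_ATTEMPT),
                        ("group2", GROUP2), ("deny first", DENY_FIRST)):
        for args in (["ip"], ["ip", "route"], ["ip", "ospf"], ["ip", "pim"]):
            verdict = "permit" if show(rules, args) else "deny"
            print(f"{name:14} show {' '.join(args):10} -> {verdict}")
```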

	 

 

 
