From ck at teknikmejeriet.se Fri Jan 16 08:31:07 2009
From: ck at teknikmejeriet.se (Christian Karlsson)
Date: Fri, 16 Jan 2009 09:31:07 +0100
Subject: [tac_plus] Tac_plus usernames from PAM
Message-ID: <497045CB.2070702@teknikmejeriet.se>

I can't get tacacs to get user names from PAM. I have gotten passwords to
work fine but I still need to configure the user name for the users in
tacacs. I have read around a lot and from what I see it should be possible,
but I can't understand what I'm doing wrong.

Can someone supply me with a working config example or give me a hint on
what can be wrong?

/Christian

From dross at cc.gatech.edu Tue Jan 20 17:17:49 2009
From: dross at cc.gatech.edu (dross at cc.gatech.edu)
Date: Tue, 20 Jan 2009 12:17:49 -0500
Subject: [tac_plus] tac_plus RHEL5 x86_64
Message-ID: <18B48E88A340A34D94D25FF7C91C47F104B9AF014A@aeatlcamex16.campus.gtri.ext>

Hello,

I am trying to compile and install tacacs+-F4.0.4.15 and it just isn't
working. I get the following errors in my log:

Tue Jan 20 12:14:58 2009 [16054]: tac_plus server F4.0.4.15 starting
Tue Jan 20 12:14:58 2009 [16054]: Error getpeername failure Transport endpoint is not connected
Tue Jan 20 12:14:58 2009 [16054]: unknown : error reading fd 0 nread=-1 Transport endpoint is not connected
Tue Jan 20 12:14:58 2009 [16054]: Read -1 bytes from unknown , expecting 12
Tue Jan 20 12:14:58 2009 [16055]: Reading config
Tue Jan 20 12:14:58 2009 [16055]: Version F4.0.4.15 Initialized 1
Tue Jan 20 12:14:58 2009 [16055]: tac_plus server F4.0.4.15 starting
Tue Jan 20 12:14:58 2009 [16055]: Error getpeername failure Transport endpoint is not connected
Tue Jan 20 12:14:58 2009 [16055]: unknown : error reading fd 0 nread=-1 Transport endpoint is not connected
Tue Jan 20 12:14:58 2009 [16055]: Read -1 bytes from unknown , expecting 12

I get this when trying to connect. The session is killed almost immediately
after being connected.
I am using a config from a previous TACPLUS server, tacacs+-F4.0.4.7, that is
currently running on a Solaris 5.8 system, so I don't believe it is the
config file.

Any suggestions?

Thanks,
Daniel

From v.kurenyshev at oao.kuzbass.net Thu Jan 22 05:33:50 2009
From: v.kurenyshev at oao.kuzbass.net (Kurenyshev Vjacheslav)
Date: Thu, 22 Jan 2009 12:33:50 +0700
Subject: [tac_plus] Default service and authorization script don't work at the same time
Message-ID: <1232602430.6287.29.camel@Slav>

Hi!

I have a Tacacs+ on a Debian server. The version of tac-plus is F4.0.4.alpha.
There are the following lines in the config file:

user = test2 {
    member = admins
    login = nopassword
}

group = admins {
    before authorization "/etc/tac-plus/script $user $name $address"
    default service = permit

    cmd = ip {
        deny domain-lookup
        permit .*
    }

    service = exec {
        priv-lvl = 15
        idletime = 30
    }
}

When I try to start the tacacs server I get:

# /etc/init.d/tac-plus restart
Restarting Tacacs+ server: Error: Unrecognised keyword default for user on line 49
tac_plus.

Line 49 is 'default service = permit'. Why is it wrong?

But if I change the order of the lines to the following:

...
group = admins {
    default service = permit
    before authorization "/etc/tac-plus/script $user $name $address"
...

the Tacacs server starts correctly. But when I log in to the cisco and type
any command I get: Command authorization failed. But default service =
permit is in the config!!

Why does this happen and how do I fix it?

Thank you for your attention.
Bye.
From prozaconstilts at gmail.com Thu Jan 22 18:44:05 2009
From: prozaconstilts at gmail.com (Adam Allred)
Date: Thu, 22 Jan 2009 13:44:05 -0500
Subject: [tac_plus] PAM authentication
Message-ID: <38bd4d620901221044j367c6655m1c5526e4c49dbe2e@mail.gmail.com>

Hello,

I am attempting to get tac_plus to use my pam stack for user authentication.
As it stands, my pam stack already authenticates my users successfully for
ssh login (I'm on a RHEL5 box). I have confirmed that the configure script
did locate the pam development libraries, but w/ debugging on, I don't see
tac_plus trying to talk to the pam stack:

[root at server tacacs]# /usr/local/bin/tac_plus -C /usr/local/etc/tac_plus.conf -d 8 -d 16 -d 32 -d 64 -g
Reading config
Version F4.0.4.15 Initialized 1
tac_plus server F4.0.4.15 starting
uid=0 euid=0 gid=0 egid=0 s=4
session.peerip is
connect from
tac_passwd_lookup: open /usr/local/etc/tacacs_passwd 6
tac_passwd_lookup: close /usr/local/etc/tacacs_passwd 6
login query for '' tty1 from rejected
login failure: tty1

I kinda feel like I'm missing a step to make this work... and I couldn't
find any documentation beyond the FAQ posting. Any ideas?

From tempp at nm.ru Fri Jan 23 06:52:04 2009
From: tempp at nm.ru (tempp at nm.ru)
Date: Fri, 23 Jan 2009 09:52:04 +0300
Subject: [tac_plus] Default service and authorization script don't work at the same time
Message-ID: <20090123095204.uk395iv68cg8k0c4@www.pochta.ru>

Hi!

I have a Tacacs+ on a Debian server. The version of tac-plus is F4.0.4.alpha.
There are the following lines in the config file:

user = test2 {
    member = admins
    login = nopassword
}

group = admins {
    before authorization "/etc/tac-plus/script $user $name $address"
    default service = permit

    cmd = ip {
        deny domain-lookup
        permit .*
    }

    service = exec {
        priv-lvl = 15
        idletime = 30
    }
}

When I try to start the tacacs server I get:

# /etc/init.d/tac-plus restart
Restarting Tacacs+ server: Error: Unrecognised keyword default for user on line 49
tac_plus.

Line 49 is 'default service = permit'. Why is it wrong?

But if I change the order of the lines to the following:

...
group = admins {
    default service = permit
    before authorization "/etc/tac-plus/script $user $name $address"
...

the Tacacs server starts correctly. But when I log in to the cisco and type
any command I get: Command authorization failed. But default service =
permit is in the config!!

Why does this happen and how do I fix it?

Thank you for your attention.
Bye.

From heas at shrubbery.net Fri Jan 23 09:51:16 2009
From: heas at shrubbery.net (john heasley)
Date: Fri, 23 Jan 2009 09:51:16 +0000
Subject: [tac_plus] Re: PAM authentication
In-Reply-To: <38bd4d620901221044j367c6655m1c5526e4c49dbe2e@mail.gmail.com>
References: <38bd4d620901221044j367c6655m1c5526e4c49dbe2e@mail.gmail.com>
Message-ID: <20090123095116.GF6753@shrubbery.net>

Thu, Jan 22, 2009 at 01:44:05PM -0500, Adam Allred:
> Hello,
>
> I am attempting to get tac_plus to use my pam stack for user authentication.
> As it stands, my pam stack already authenticates my users successfully for
> ssh login (I'm on a RHEL5 box).
> I have confirmed that the configure script
> did locate the pam development libraries, but w/ debugging on, I don't see
> tac_plus trying to talk to the pam stack:
>
> [root at server tacacs]# /usr/local/bin/tac_plus -C
> /usr/local/etc/tac_plus.conf -d 8 -d 16 -d 32 -d 64 -g
> Reading config
> Version F4.0.4.15 Initialized 1
> tac_plus server F4.0.4.15 starting
> uid=0 euid=0 gid=0 egid=0 s=4
> session.peerip is
> connect from
> tac_passwd_lookup: open /usr/local/etc/tacacs_passwd 6
> tac_passwd_lookup: close /usr/local/etc/tacacs_passwd 6
> login query for '' tty1 from rejected
> login failure: tty1
>
> I kinda feel like I'm missing a step to make this work... and I couldn't find
> any documentation beyond the FAQ posting. Any ideas?

as implemented, the user must still be listed in the config, and maybe in
a group, and pam as their auth source.

From ck at teknikmejeriet.se Fri Jan 23 10:11:55 2009
From: ck at teknikmejeriet.se (Christian Karlsson)
Date: Fri, 23 Jan 2009 11:11:55 +0100
Subject: [tac_plus] Re: PAM authentication
In-Reply-To: <20090123095116.GF6753@shrubbery.net>
References: <38bd4d620901221044j367c6655m1c5526e4c49dbe2e@mail.gmail.com> <20090123095116.GF6753@shrubbery.net>
Message-ID: <497997EB.8030900@teknikmejeriet.se>

john heasley wrote:
> Thu, Jan 22, 2009 at 01:44:05PM -0500, Adam Allred:
>
>> Hello,
>>
>> I am attempting to get tac_plus to use my pam stack for user authentication.
>> As it stands, my pam stack already authenticates my users successfully for
>> ssh login (I'm on a RHEL5 box).
>> I have confirmed that the configure script
>> did locate the pam development libraries, but w/ debugging on, I don't see
>> tac_plus trying to talk to the pam stack:
>>
>> [root at server tacacs]# /usr/local/bin/tac_plus -C
>> /usr/local/etc/tac_plus.conf -d 8 -d 16 -d 32 -d 64 -g
>> Reading config
>> Version F4.0.4.15 Initialized 1
>> tac_plus server F4.0.4.15 starting
>> uid=0 euid=0 gid=0 egid=0 s=4
>> session.peerip is
>> connect from
>> tac_passwd_lookup: open /usr/local/etc/tacacs_passwd 6
>> tac_passwd_lookup: close /usr/local/etc/tacacs_passwd 6
>> login query for '' tty1 from rejected
>> login failure: tty1
>>
>> I kinda feel like I'm missing a step to make this work... and I couldn't find
>> any documentation beyond the FAQ posting. Any ideas?
>>
>
> as implemented, the user must still be listed in the config, and maybe in
> a group, and pam as their auth source.

I'm quite new to sending to mailing lists (google is god) so I hope this is
right.

I don't know how many problems there are in implementing the possibility to
not need a username in the tacacs config. I should think that it would be a
great thing to be able to direct the query of usernames to PAM also. I'm
after a kind of single instance user thing.

I like the tac_plus program and find it very useful. Thanks for supplying it
to us :-)

/Christian

From prozaconstilts at gmail.com Sat Jan 24 01:51:32 2009
From: prozaconstilts at gmail.com (Adam Allred)
Date: Fri, 23 Jan 2009 20:51:32 -0500
Subject: [tac_plus] pam_ldap howto for tac_plus and RHEL5
Message-ID: <497A7424.1090203@gmail.com>

After beating on my box for another day, I finally got pam based
authentication working for tac_plus. Here's a rundown of how I did it:

1. Install the pam-devel package and tcp_wrappers via yum:

   yum install pam-devel tcp_wrappers

2.
   Obtain the latest tac_plus from ftp://ftp.shrubbery.net/pub/tac_plus/
   I used version F4.0.4.15

3. Unpack tac_plus:

   tar xfz tacacs+-

4. Run configure:

   ./configure --bindir=/usr/local/bin --sbindir=/usr/local/sbin --localstatedir=/var/local/tacacs --sysconfdir=/etc --with-logfile=/var/log/tacacs/tacacs --with-pidfile=/var/run/tacacs.pid --with-acctfile=/var/log/tacacs/acctfile

   Note that the above configure choices were my own; you can choose
   whatever values you want.

5. Make sure the pam libraries were found. Look at the output of configure
   for a line that looks like this:

   checking for pam_start in -lpam... yes

   If that says yes, then the daemon will compile with pam support. If it
   says no, then configure is unable to find your pam libraries. Make sure
   you performed Step 1.

6. Compile tac_plus:

   make

7. Install tac_plus:

   make install

8. Configure tac_plus. While there are many more configurations to be done
   to make tac_plus work as a whole, the pam specific configuration is as
   follows. Edit the tac_plus conf file, and define your users as such:

   user = {
       login = PAM
   }

   Currently, tac_plus only allows authentication using pam (since pam is
   only used for authentication anyway). Authorizations are still configured
   within the conf file, no ldap groups allowed :(

9. Define a pam stack for tac_plus.
   cd /etc/pam.d
   vi tac_plus

   My pam stack config is as follows:

   auth       required      pam_env.so
   auth       sufficient    pam_unix.so nullok try_first_pass
   auth       requisite     pam_succeed_if.so uid >= 500 quiet
   auth       sufficient    pam_ldap.so use_first_pass
   auth       required      pam_deny.so

   account    required      pam_unix.so broken_shadow
   account    sufficient    pam_localuser.so
   account    sufficient    pam_succeed_if.so uid < 500 quiet
   account    [default=bad success=ok user_unknown=ignore] pam_ldap.so
   account    required      pam_permit.so

   password   requisite     pam_cracklib.so try_first_pass retry=3
   password   sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
   password   sufficient    pam_ldap.so use_authtok
   password   required      pam_deny.so

   session    optional      pam_keyinit.so revoke
   session    required      pam_limits.so
   session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
   session    required      pam_unix.so
   session    optional      pam_ldap.so

   Note that this config also works well for system-auth. If you want all
   authentication for your server to use ldap (graphical login, ssh, etc.),
   you can place the above into system-auth, and then define tac_plus as
   follows:

   auth       include       system-auth
   account    required      pam_nologin.so
   account    include       system-auth
   password   include       system-auth
   session    optional      pam_keyinit.so force revoke
   session    include       system-auth
   session    required      pam_loginuid.so

10. Configure your ldap.conf. This is where you define your ldap server,
    binddn, attribute maps, etc. Note that on RHEL5, there are two ldap.conf
    files. One is in /etc/openldap and the other is just in /etc. PAM will
    stat both files upon invocation, and the second one it stats will
    override the first. I usually modify /etc/openldap/ldap.conf, and then
    symlink /etc/ldap.conf to it.

That's it. At this point, assuming you have everything set up right, you
should be able to use your LDAP server for authentication.
To troubleshoot, I normally run the tacacs daemon in the foreground with
debugging on:

   tac_plus -C /path/to/tac_plus.conf -L -p 49 -d16 -g

and then try to authenticate.

So far, I have found a couple of caveats that will make life very sad.

First, if you decide to run tac_plus from xinetd in linux (which I suggest
you do, to utilize tcp wrappers properly), then you should set up your
/etc/xinetd.d/tacacs conf file as follows:

service tacacs
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    disable     = no
    user        = root
    server      = /path/to/tac_plus
    server_args = -C /path/to/tac_plus.conf -L -p 49 -i -d 16
    cps         = 50 10
    flags       = IPv4
}

The server must be run as root. Because you are talking to PAM, you must
have root privileges, or else it will not work.

Secondly, if you are using xinetd, in your ldap.conf file, turn off
debugging. When run from xinetd with ldap debugging on, the ldap libs will
output debug code to stderr. Since you are running the daemon from within
xinetd, there is no stderr to output to, and the tac_plus daemon upon
discovering this broken pipe will fail and exit. Whether this is a tac_plus
or xinetd problem I'm not sure, but it's there all the same. You can use the
-g option to run in the foreground to test your ldap conf if you wish, but
once you start to use xinetd, make sure that the debug directive in your
ldap.conf is off.

From heas at shrubbery.net Tue Jan 27 06:11:11 2009
From: heas at shrubbery.net (john heasley)
Date: Tue, 27 Jan 2009 06:11:11 +0000
Subject: [tac_plus] Re: Default service and authorization script don't work at the same time
In-Reply-To: <1232602430.6287.29.camel@Slav>
References: <1232602430.6287.29.camel@Slav>
Message-ID: <20090127061111.GN28039@shrubbery.net>

Thu, Jan 22, 2009 at 12:33:50PM +0700, Kurenyshev Vjacheslav:
> Hi!
>
> I have a Tacacs+ on a Debian server.
> The version of tac-plus is F4.0.4.alpha.
>
> There are the following lines in the config file:
>
> user = test2 {
>     member = admins
>     login = nopassword
> }
>
> group = admins {
>     before authorization "/etc/tac-plus/script $user $name $address"
>     default service = permit
>
>     cmd = ip {
>         deny domain-lookup
>         permit .*
>     }
>
>     service = exec {
>         priv-lvl = 15
>         idletime = 30
>     }
> }
>
> When I try to start the tacacs server I get:
> # /etc/init.d/tac-plus restart
> Restarting Tacacs+ server: Error: Unrecognised keyword default for user
> on line 49
> tac_plus.
>
> Line 49 is 'default service = permit'.
> Why is it wrong?
>
> But if I change the order of the lines to the following:
> ...
> group = admins {
>     default service = permit
>     before authorization "/etc/tac-plus/script $user $name $address"
> ...
>
> the Tacacs server starts correctly.
> But when I log in to the cisco and type any command I get: Command
> authorization failed.
> But default service = permit is in the config!!
>
> Why does this happen and how do I fix it?

I don't know. enable authorization debugging/logging.

From dgethings at juniper.net Tue Jan 27 12:18:23 2009
From: dgethings at juniper.net (David Gethings)
Date: Tue, 27 Jan 2009 12:18:23 +0000
Subject: [tac_plus] support for user defined password prompt
Message-ID:

Hi,

Some TACACS+ servers I've seen allow the administrator to define the
password prompt. Does your TACACS+ server support this? If so, what is the
configuration syntax that allows one to define the password prompt?

--
Cheers

Dg

From heas at shrubbery.net Tue Jan 27 21:45:47 2009
From: heas at shrubbery.net (john heasley)
Date: Tue, 27 Jan 2009 13:45:47 -0800
Subject: [tac_plus] Re: support for user defined password prompt
In-Reply-To:
References:
Message-ID: <20090127214547.GF950@shrubbery.net>

Tue, Jan 27, 2009 at 12:18:23PM +0000, David Gethings:
> Hi,
>
> Some TACACS+ servers I've seen allow the administrator to define the
> password prompt. Does your TACACS+ server support this?
> If so, what is
> the configuration syntax that allows one to define the password prompt?

the username prompt is, but the password prompt is not.

From dgethings at juniper.net Thu Jan 29 09:47:38 2009
From: dgethings at juniper.net (David Gethings)
Date: Thu, 29 Jan 2009 09:47:38 +0000
Subject: [tac_plus] Re: support for user defined password prompt
In-Reply-To: <20090127214547.GF950@shrubbery.net>
References: <20090127214547.GF950@shrubbery.net>
Message-ID:

On 27 Jan 2009, at 21:45, john heasley wrote:
> the username prompt is, but the password prompt is not.

Drat. OK, thanks.

--
Cheers

Dg

From heas at shrubbery.net Thu Jan 29 19:02:32 2009
From: heas at shrubbery.net (john heasley)
Date: Thu, 29 Jan 2009 11:02:32 -0800
Subject: [tac_plus] Re: support for user defined password prompt
In-Reply-To:
References: <20090127214547.GF950@shrubbery.net>
Message-ID: <20090129190232.GB13630@shrubbery.net>

Thu, Jan 29, 2009 at 09:47:38AM +0000, David Gethings:
> On 27 Jan 2009, at 21:45, john heasley wrote:
>
> > the username prompt is, but the password prompt is not.
>
> Drat. OK, thanks.
>
> --
> Cheers
>
> Dg

it's not impossible to add, but like changing the username prompt it's an
automation nightmare. are you sure it's really something that you want?

From dgethings at juniper.net Fri Jan 30 10:04:45 2009
From: dgethings at juniper.net (David Gethings)
Date: Fri, 30 Jan 2009 10:04:45 +0000
Subject: [tac_plus] Re: support for user defined password prompt
In-Reply-To: <20090129190232.GB13630@shrubbery.net>
References: <20090127214547.GF950@shrubbery.net> <20090129190232.GB13630@shrubbery.net>
Message-ID:

On 29 Jan 2009, at 19:02, john heasley wrote:
> it's not impossible to add, but like changing the username prompt it's
> an automation nightmare. are you sure it's really something that you
> want?
Thanks for the offer but it is OK. I'm trying to troubleshoot a problem for
a customer and I was hoping to use this tacacs server for this task. I'll
just find another way to do this.

Thanks for the help.

--
Cheers

Dg

From aczutka at brocade.com Fri Jan 30 20:09:08 2009
From: aczutka at brocade.com (Alexander Czutka)
Date: Fri, 30 Jan 2009 12:09:08 -0800
Subject: [tac_plus] How can I deny/permit ?
Message-ID:

Hello,

I'm trying to set up an authorization for a user.

The user should be allowed to do a:

- Show ip
- show ip route

But he shouldn't execute the commands which start with:

- Show ip ospf
- Show ip pim

I tried this, but it didn't work:

cmd = show {
    permit ip
    deny ip ospf
}

root at ubuntu-fdry:/# tac_plus -C /etc/tac_plus.conf
Error: expecting '}' but found 'ospf' on line 40
root at ubuntu-fdry:/#

Is this possible?

Thanks,
Alexander

From aczutka at brocade.com Fri Jan 30 20:27:24 2009
From: aczutka at brocade.com (Alexander Czutka)
Date: Fri, 30 Jan 2009 12:27:24 -0800
Subject: [tac_plus] Re: How can I deny/permit ?
In-Reply-To: <6121a88b0901301213j3c39bdfeme7dd695c5be93965@mail.gmail.com>
References: <6121a88b0901301213j3c39bdfeme7dd695c5be93965@mail.gmail.com>
Message-ID:

Hello Nathan,

it doesn't work.

user = user2 {
    # member = group2
    # debug = REGEX
    login = cleartext "user2"
    enable = cleartext "user2"

    cmd = show {
        permit ip
        deny "ip ospf"
    }
# END

Regards,

Alexander

________________________________
From: nschrenk at gmail.com [mailto:nschrenk at gmail.com] On behalf of Nathan Schrenk
Sent: Friday, 30 January 2009 21:14
To: Alexander Czutka
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] How can I deny/permit ?

On 1/30/09, Alexander Czutka wrote:

Hello,

I'm trying to set up an authorization for a user.
The user should be allowed to do a:

- Show ip
- show ip route

But he shouldn't execute the commands which start with:

- Show ip ospf
- Show ip pim

I tried this, but it didn't work:

cmd = show {
    permit ip
    deny ip ospf
}

root at ubuntu-fdry:/# tac_plus -C /etc/tac_plus.conf
Error: expecting '}' but found 'ospf' on line 40
root at ubuntu-fdry:/#

Is this possible?

Try putting quotes around the tokens:

cmd = show {
    permit ip
    deny "ip ospf"
}

Nathan

From nathan at schrenk.org Fri Jan 30 20:13:53 2009
From: nathan at schrenk.org (Nathan Schrenk)
Date: Fri, 30 Jan 2009 12:13:53 -0800
Subject: [tac_plus] Re: How can I deny/permit ?
In-Reply-To:
References:
Message-ID: <6121a88b0901301213j3c39bdfeme7dd695c5be93965@mail.gmail.com>

On 1/30/09, Alexander Czutka wrote:
>
> Hello,
>
> I'm trying to set up an authorization for a user.
>
> The user should be allowed to do a:
>
> - Show ip
> - show ip route
>
> But he shouldn't execute the commands which start with:
>
> - Show ip ospf
> - Show ip pim
>
> I tried this, but it didn't work:
>
> cmd = show {
>     permit ip
>     deny ip ospf
> }
>
> root at ubuntu-fdry:/# tac_plus -C /etc/tac_plus.conf
> Error: expecting '}' but found 'ospf' on line 40
> root at ubuntu-fdry:/#
>
> Is this possible?

Try putting quotes around the tokens:

cmd = show {
    permit ip
    deny "ip ospf"
}

Nathan

From nathan at schrenk.org Fri Jan 30 21:56:30 2009
From: nathan at schrenk.org (Nathan Schrenk)
Date: Fri, 30 Jan 2009 13:56:30 -0800
Subject: [tac_plus] Re: How can I deny/permit ?
In-Reply-To:
References: <6121a88b0901301213j3c39bdfeme7dd695c5be93965@mail.gmail.com>
Message-ID: <6121a88b0901301356u9f9f612t6b92c99b45573f01@mail.gmail.com>

On 1/30/09, Alexander Czutka wrote:
>
> Hello Nathan,
>
> it doesn't work.

What doesn't work? tac_plus doesn't print the same error message while
parsing the config file as it does without the quotes, does it?

I normally use a group and deny everything that is not explicitly allowed
(a command blacklist):

group = mygroup {
    default service = deny
    cmd = show {
        permit "ip "
        deny .*
    }
}

user = myuser {
    member = mygroup
    login = cleartext "mypassword"
}

Nathan

> user = user2 {
>     # member = group2
>     # debug = REGEX
>     login = cleartext "user2"
>     enable = cleartext "user2"
>
>     cmd = show {
>         permit ip
>         deny "ip ospf"
>     }
> # END
>
> Regards,
>
> Alexander
>
> ------------------------------
>
> From: nschrenk at gmail.com [mailto:nschrenk at gmail.com] On behalf of Nathan Schrenk
> Sent: Friday, 30 January 2009 21:14
> To: Alexander Czutka
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] How can I deny/permit ?
>
> On 1/30/09, Alexander Czutka wrote:
>
> Hello,
>
> I'm trying to set up an authorization for a user.
>
> The user should be allowed to do a:
>
> - Show ip
> - show ip route
>
> But he shouldn't execute the commands which start with:
>
> - Show ip ospf
> - Show ip pim
>
> I tried this, but it didn't work:
>
> cmd = show {
>     permit ip
>     deny ip ospf
> }
>
> root at ubuntu-fdry:/# tac_plus -C /etc/tac_plus.conf
> Error: expecting '}' but found 'ospf' on line 40
> root at ubuntu-fdry:/#
>
> Is this possible?
>
> Try putting quotes around the tokens:
>
> cmd = show {
>     permit ip
>     deny "ip ospf"
> }
>
> Nathan
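Why Alexander's ordering still lets "show ip ospf" through, and why Nathan reaches for deny-by-default, comes down to how a cmd block is evaluated; the Python below is an added illustration written for this thread, not tac_plus code. It assumes (my reading of tac_plus, not confirmed by the thread) that the permit/deny lines of a cmd block are tried top to bottom as unanchored regex searches against the space-joined command arguments, the first match decides, no match inside a block is a deny, and "default service" only governs commands that have no cmd block at all; the ANCHORED variant goes beyond the thread's configs to show tighter patterns.

```python
import re

# Added illustration of tac_plus-style command authorization (not tac_plus
# code).  Assumed evaluation model: the NAS sends the command keyword plus
# its arguments; the cmd block for the keyword is selected; its lines are
# tried in file order with an unanchored regex search over the arguments
# joined by single spaces; the first match decides.  No match in a block
# is an implicit deny; "default service" applies only when no block exists.


def decide(cmd_blocks, command, default_service="deny"):
    """Return (permitted, reason) for one command line such as 'show ip ospf'."""
    words = command.split()
    keyword, args = words[0], " ".join(words[1:])
    block = cmd_blocks.get(keyword)
    if block is None:
        permitted = default_service == "permit"
        return permitted, f"no cmd block for '{keyword}', default service = {default_service}"
    for action, pattern in block:
        if re.search(pattern, args):
            return action == "permit", f"matched: {action} '{pattern}'"
    return False, "no line matched, implicit deny"


def authorize(cmd_blocks, command, default_service="deny"):
    return decide(cmd_blocks, command, default_service)[0]


# Alexander's order (constructed from the thread): "permit ip" is first and,
# being an unanchored search, already matches the args "ip ospf", so the
# deny line below it is never reached.
ALEXANDER_ORDER = {"show": [("permit", "ip"), ("deny", "ip ospf")]}

# Deny lines first, then the broad permit: the order the requirement needs.
DENY_FIRST = {"show": [("deny", "ip ospf"), ("deny", "ip pim"), ("permit", "ip")]}

# Tightened variant (beyond the thread): anchored patterns, so that "ip" no
# longer also matches "ipv6 route" or anything else containing "ip".
ANCHORED = {"show": [("deny", r"^ip (ospf|pim)( |$)"), ("permit", r"^ip( |$)")]}

if __name__ == "__main__":
    samples = ("show ip", "show ip route", "show ip ospf", "show ip pim",
               "show ipv6 route", "show version")
    for name, blocks in (("alexander", ALEXANDER_ORDER),
                         ("deny-first", DENY_FIRST), ("anchored", ANCHORED)):
        for cmd in samples:
            ok, why = decide(blocks, cmd)
            print(f"{name:10} {cmd:16} -> {'permit' if ok else 'deny':6} ({why})")
    # A command with no cmd block at all is governed by "default service".
    print(decide(DENY_FIRST, "configure terminal", default_service="permit"))
```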