[tac_plus] Adding users to tacacs passwd file

Thu Aug 12 13:28:26 UTC 2010

Why wouldn't you want to use the Linux shadow / passwd files?

             "Jeffrey S.                                                   
             Geist"                                                        
             <jeffrey.geist at pn                                          To 
             pt.com>                   "tac_plus at shrubbery.net"            
             Sent by:                  <tac_plus at shrubbery.net>            
             <tac_plus-bounces                                          cc 
             @shrubbery.net>           Mark Urbach <mark.urbach at pnpt.com>  
                                                                   Subject 
                                       [tac_plus] Adding users to tacacs   
             08/12/2010 09:04          passwd file                         
             AM                                                            

Hi,

We are currently migrating Tacacs from  Solaris to Linux. We haven't had
any issues getting Tacacs to run on CentOS and users are authenticating
through CentOS (using the old tacacs passwd file from Solaris). The issue
we are facing is trying to convert the old Solaris script, that creates the
users entries in the tacacs passwd file, over to a script that runs on
CentOS. The Solaris script creates a user with a unique "uid". We were
wondering if anyone knows of a Linux script that will accomplish the same
results. We have a fairly good understanding of Tacacs, but we are no
experts.

Here is the script used on Solaris:

---------------------------- begin ------------------------------------
#!/bin/sh
#
# @(#)auth_user 2.2 12.28.05
#  modified by RKJ for mail2.swnebr.net  Solaris 5.8 11/28/03
#  modified by MLW for dns3.pnpt.com   Solaris 5.8 1/5/06
#
#
# add user script for use with sys-config
# arguments: uname "fullname" password
#
# dirname is in SystemV catagory - so put it herein
shdirname()
{
expr \
  ${1-.}'/' : '\(/\)[^/]*//*$' \
  \| ${1-.}'/' : '\(.*[^/]\)//*[^/][^/]*//*$' \
  \| .
}

myname=`basename $0`
Passwd_file=/etc/auth-passwd
PATH=$PATH:/usr/ucb:/usr/local/bin
export PATH
# check for root
if [ "`whoami`x" != "root"x ]; then
   echo "You must be root to do $myname!"
   exit 1
fi

uid=`cat /usr/local/puid`
nuid=`expr ${uid} + 1`
echo $nuid > /usr/local/puid

# check for number of args
if [ $# -ne 3 ]; then
        echo "${myname}: invalid number of arguments"
        echo "   usage: ${myname} uname \"fullname\" password"
        exit 1
fi

# put args into named variables
uname=$1
gid=1000
fullname=$2
password=`/usr/local/sbin/generate_passwd $3`
#password=`/usr/bin/encrypt encpw passwd $3`
##############################################################################

#  modified by RKJ for mail2.swnebr.net  Solaris 5.8 11/28/03
#
homedir="/home/$1"
#
#
#
##############################################################################

shell=/bin/false

# checks for validity of arguments
# check uid

echo "uid:" $uid
if test $uid -lt 10 ; then
        echo  "uid: uid must be greater than 10 and less than 60000"
        exit 1
elif test $uid -gt 60000 ; then
        echo  "uid: uid must be greater than 10 and less than 60000"
        exit 1
fi

echo "gid:" $gid
# check gid
if test $gid -lt 10 ; then
        echo  "gid: gid must be greater than 10 and less than 60000"
        exit 1
elif test $gid -gt 60000 ; then
        echo  "gid: gid must be greater than 10 and less than 60000"
        exit 1
fi

# check shell
if test ! -x $shell ; then
        echo "$shell: the program does not exist or is not executable"
        exit 1
fi

# create a null /etc/passwd entry
# first check if one already exists
if grep -s "^${uname}:" ${Passwd_file} ; then
        echo "${myname}: ERROR: ${uname} aleady in ${Passwd_file}";
        exit 1;
fi
# check if uid already exists
if grep -s ".*:.*:${uid}:" ${Passwd_file} ; then
        echo "uid: ERROR: ${uid} already in ${Passwd_file}";
        exit 1;
fi
pwent="${uname}:${password}:${uid}:${gid}:${fullname}:${homedir}:${shell}"
# XXX sould we use tmp file and rename it?
( echo '$' ;
  echo 'i' ;
  echo "${pwent}" ;
  echo '.' ;
  echo 'w' ;
  echo 'q' ) | ed -s ${Passwd_file} > /dev/null
if grep -s "^${uname}:" ${Passwd_file} ; then
        :
else
        echo "${myname}: ERROR: password entry didn't go to $
{Passwd_file}";
        exit 1;
fi
#
echo "Please be patient! This may take some time"
echo ""
#
#
# SCP a copy of /etc/auth-passwd to DNS2 and Tacacs
#
if [ -f /etc/auth-passwd ]; then

        scp /etc/auth-passwd
sysop at dns2:/usr/local/etc/tacacs/authentication/auth-passwd
        echo "A copy of the auth-passwd file has been sent to DNS2..WHEW!!"
        scp /etc/auth-passwd
sysop at tacacs:/usr/local/etc/tacacs/authentication/auth-passwd
        echo "A copy of the auth-passwd file has been sent to
Tacacs..WHEW!!"
        echo " "
fi
#
exit 0
#
#EOF
---------------------------- end ------------------------------------

Maybe this is more complicated than it needs to be. Any suggests,
recommendation or opinions are welcomed!

Thanx In Advance,

[cid:image003.png at 01CB39F4.EEBC6A80]

Jeffrey S. Geist
Systems Administrator
PinPoint Communications
100 North 12th Street
Suite 500
Lincoln, NE  68508
Work: (402) 438-6211
Cellular: (402) 580-0047

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <
http://www.shrubbery.net/pipermail/tac_plus/attachments/20100812/93365c6d/attachment.html
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 24221 bytes
Desc: image003.png
URL: <
http://www.shrubbery.net/pipermail/tac_plus/attachments/20100812/93365c6d/attachment.png
>
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus