[tac_plus] Adding users to tacacs passwd file
Jeffrey S. Geist
jeffrey.geist at pnpt.com
Thu Aug 12 14:08:50 UTC 2010
We run two tacacs servers to provide failover and we "scp" the tacacs passwd
files between the two servers to keep them "in sync". We thought about using
the system passwd and shadow files, but we are concerned about copying these
files back and forth between the two tacacs servers and having one or both
of these files getting corrupted due to the copying (network "hiccup").
Could make it so we are not able to login into the server as one of the
local users or root. Right? Maybe we are being too cautious.
-----Original Message-----
From: dterry at dollartree.com [mailto:dterry at dollartree.com]
Sent: Thursday, August 12, 2010 8:28 AM
To: Jeffrey S. Geist
Cc: Mark Urbach; tac_plus at shrubbery.net; tac_plus-bounces at shrubbery.net
Subject: Re: [tac_plus] Adding users to tacacs passwd file
Why wouldn't you want to use the Linux shadow / passwd files?
----------------------------------------------------------------------------
Hi,
We are currently migrating Tacacs from Solaris to Linux. We haven't had
any issues getting Tacacs to run on CentOS and users are authenticating
through CentOS (using the old tacacs passwd file from Solaris). The issue
we are facing is trying to convert the old Solaris script, that creates the
users entries in the tacacs passwd file, over to a script that runs on
CentOS. The Solaris script creates a user with a unique "uid". We were
wondering if anyone knows of a Linux script that will accomplish the same
results. We have a fairly good understanding of Tacacs, but we are no
experts.
Here is the script used on Solaris:
---------------------------- begin ------------------------------------
#!/bin/sh
#
# @(#)auth_user 2.2 12.28.05
# modified by RKJ for mail2.swnebr.net Solaris 5.8 11/28/03
# modified by MLW for dns3.pnpt.com Solaris 5.8 1/5/06
#
#
# add user script for use with sys-config
# arguments: uname "fullname" password
#
# dirname is in SystemV catagory - so put it herein
shdirname()
{
expr \
${1-.}'/' : '\(/\)[^/]*//*$' \
\| ${1-.}'/' : '\(.*[^/]\)//*[^/][^/]*//*$' \
\| .
}
myname=`basename $0`
Passwd_file=/etc/auth-passwd
PATH=$PATH:/usr/ucb:/usr/local/bin
export PATH
# check for root
if [ "`whoami`x" != "root"x ]; then
echo "You must be root to do $myname!"
exit 1
fi
uid=`cat /usr/local/puid`
nuid=`expr ${uid} + 1`
echo $nuid > /usr/local/puid
# check for number of args
if [ $# -ne 3 ]; then
echo "${myname}: invalid number of arguments"
echo " usage: ${myname} uname \"fullname\" password"
exit 1
fi
# put args into named variables
uname=$1
gid=1000
fullname=$2
password=`/usr/local/sbin/generate_passwd $3`
#password=`/usr/bin/encrypt encpw passwd $3`
############################################################################
##
# modified by RKJ for mail2.swnebr.net Solaris 5.8 11/28/03
#
homedir="/home/$1"
#
#
#
############################################################################
##
shell=/bin/false
# checks for validity of arguments
# check uid
echo "uid:" $uid
if test $uid -lt 10 ; then
echo "uid: uid must be greater than 10 and less than 60000"
exit 1
elif test $uid -gt 60000 ; then
echo "uid: uid must be greater than 10 and less than 60000"
exit 1
fi
echo "gid:" $gid
# check gid
if test $gid -lt 10 ; then
echo "gid: gid must be greater than 10 and less than 60000"
exit 1
elif test $gid -gt 60000 ; then
echo "gid: gid must be greater than 10 and less than 60000"
exit 1
fi
# check shell
if test ! -x $shell ; then
echo "$shell: the program does not exist or is not executable"
exit 1
fi
# create a null /etc/passwd entry
# first check if one already exists
if grep -s "^${uname}:" ${Passwd_file} ; then
echo "${myname}: ERROR: ${uname} aleady in ${Passwd_file}";
exit 1;
fi
# check if uid already exists
if grep -s ".*:.*:${uid}:" ${Passwd_file} ; then
echo "uid: ERROR: ${uid} already in ${Passwd_file}";
exit 1;
fi
pwent="${uname}:${password}:${uid}:${gid}:${fullname}:${homedir}:${shell}"
# XXX sould we use tmp file and rename it?
( echo '$' ;
echo 'i' ;
echo "${pwent}" ;
echo '.' ;
echo 'w' ;
echo 'q' ) | ed -s ${Passwd_file} > /dev/null
if grep -s "^${uname}:" ${Passwd_file} ; then
:
else
echo "${myname}: ERROR: password entry didn't go to $
{Passwd_file}";
exit 1;
fi
#
echo "Please be patient! This may take some time"
echo ""
#
#
# SCP a copy of /etc/auth-passwd to DNS2 and Tacacs
#
if [ -f /etc/auth-passwd ]; then
scp /etc/auth-passwd
sysop at dns2:/usr/local/etc/tacacs/authentication/auth-passwd
echo "A copy of the auth-passwd file has been sent to DNS2..WHEW!!"
scp /etc/auth-passwd
sysop at tacacs:/usr/local/etc/tacacs/authentication/auth-passwd
echo "A copy of the auth-passwd file has been sent to
Tacacs..WHEW!!"
echo " "
fi
#
exit 0
#
#EOF
---------------------------- end ------------------------------------
Maybe this is more complicated than it needs to be. Any suggests,
recommendation or opinions are welcomed!
Thanx In Advance,
[cid:image003.png at 01CB39F4.EEBC6A80]
Jeffrey S. Geist
Systems Administrator
PinPoint Communications
100 North 12th Street
Suite 500
Lincoln, NE 68508
Work: (402) 438-6211
Cellular: (402) 580-0047
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <
http://www.shrubbery.net/pipermail/tac_plus/attachments/20100812/93365c6d/at
tachment.html
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 24221 bytes
Desc: image003.png
URL: <
http://www.shrubbery.net/pipermail/tac_plus/attachments/20100812/93365c6d/at
tachment.png
>
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
More information about the tac_plus
mailing list