[tac_plus] Adding users to tacacs passwd file

dterry at dollartree.com dterry at dollartree.com
Thu Aug 12 15:23:44 UTC 2010


I am quite certain that you are being too cautious. If you used something
like rsync to sync the password files between the two servers and also make
a backup copy each time, you have pretty much zero chance of anything
becoming corrupt. I have used this method for a long time without issue.




                                                                           
             "Jeffrey S.                                                   
             Geist"                                                        
             <jeffrey.geist at pn                                          To 
             pt.com>                   <dterry at dollartree.com>             
                                                                        cc 
             08/12/2010 10:09          "Mark Urbach"                       
             AM                        <mark.urbach at pnpt.com>,             
                                       <tac_plus at shrubbery.net>,           
                                       <tac_plus-bounces at shrubbery.net>    
                                                                   Subject 
                                       RE: [tac_plus] Adding users to      
                                       tacacs passwd file                  
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




We run two tacacs servers to provide failover and we "scp" the tacacs
passwd
files between the two servers to keep them "in sync". We thought about
using
the system passwd and shadow files, but we are concerned about copying
these
files back and forth between the two tacacs servers and having one or both
of these files getting corrupted due to the copying (network "hiccup").
Could make it so we are not able to login into the server as one of the
local users or root. Right? Maybe we are being too cautious.

-----Original Message-----
From: dterry at dollartree.com [mailto:dterry at dollartree.com]
Sent: Thursday, August 12, 2010 8:28 AM
To: Jeffrey S. Geist
Cc: Mark Urbach; tac_plus at shrubbery.net; tac_plus-bounces at shrubbery.net
Subject: Re: [tac_plus] Adding users to tacacs passwd file


Why wouldn't you want to use the Linux shadow / passwd files?

----------------------------------------------------------------------------


Hi,

We are currently migrating Tacacs from  Solaris to Linux. We haven't had
any issues getting Tacacs to run on CentOS and users are authenticating
through CentOS (using the old tacacs passwd file from Solaris). The issue
we are facing is trying to convert the old Solaris script, that creates the
users entries in the tacacs passwd file, over to a script that runs on
CentOS. The Solaris script creates a user with a unique "uid". We were
wondering if anyone knows of a Linux script that will accomplish the same
results. We have a fairly good understanding of Tacacs, but we are no
experts.

Here is the script used on Solaris:

---------------------------- begin ------------------------------------
#!/bin/sh
#
# @(#)auth_user 2.2 12.28.05
#  modified by RKJ for mail2.swnebr.net  Solaris 5.8 11/28/03
#  modified by MLW for dns3.pnpt.com   Solaris 5.8 1/5/06
#
#
# add user script for use with sys-config
# arguments: uname "fullname" password
#
# dirname is in SystemV catagory - so put it herein
shdirname()
{
expr \
  ${1-.}'/' : '\(/\)[^/]*//*$' \
  \| ${1-.}'/' : '\(.*[^/]\)//*[^/][^/]*//*$' \
  \| .
}

myname=`basename $0`
Passwd_file=/etc/auth-passwd
PATH=$PATH:/usr/ucb:/usr/local/bin
export PATH
# check for root
if [ "`whoami`x" != "root"x ]; then
   echo "You must be root to do $myname!"
   exit 1
fi

uid=`cat /usr/local/puid`
nuid=`expr ${uid} + 1`
echo $nuid > /usr/local/puid

# check for number of args
if [ $# -ne 3 ]; then
        echo "${myname}: invalid number of arguments"
        echo "   usage: ${myname} uname \"fullname\" password"
        exit 1
fi

# put args into named variables
uname=$1
gid=1000
fullname=$2
password=`/usr/local/sbin/generate_passwd $3`
#password=`/usr/bin/encrypt encpw passwd $3`
############################################################################

##

#  modified by RKJ for mail2.swnebr.net  Solaris 5.8 11/28/03
#
homedir="/home/$1"
#
#
#
############################################################################

##


shell=/bin/false

# checks for validity of arguments
# check uid

echo "uid:" $uid
if test $uid -lt 10 ; then
        echo  "uid: uid must be greater than 10 and less than 60000"
        exit 1
elif test $uid -gt 60000 ; then
        echo  "uid: uid must be greater than 10 and less than 60000"
        exit 1
fi


echo "gid:" $gid
# check gid
if test $gid -lt 10 ; then
        echo  "gid: gid must be greater than 10 and less than 60000"
        exit 1
elif test $gid -gt 60000 ; then
        echo  "gid: gid must be greater than 10 and less than 60000"
        exit 1
fi


# check shell
if test ! -x $shell ; then
        echo "$shell: the program does not exist or is not executable"
        exit 1
fi

# create a null /etc/passwd entry
# first check if one already exists
if grep -s "^${uname}:" ${Passwd_file} ; then
        echo "${myname}: ERROR: ${uname} aleady in ${Passwd_file}";
        exit 1;
fi
# check if uid already exists
if grep -s ".*:.*:${uid}:" ${Passwd_file} ; then
        echo "uid: ERROR: ${uid} already in ${Passwd_file}";
        exit 1;
fi
pwent="${uname}:${password}:${uid}:${gid}:${fullname}:${homedir}:${shell}"
# XXX sould we use tmp file and rename it?
( echo '$' ;
  echo 'i' ;
  echo "${pwent}" ;
  echo '.' ;
  echo 'w' ;
  echo 'q' ) | ed -s ${Passwd_file} > /dev/null
if grep -s "^${uname}:" ${Passwd_file} ; then
        :
else
        echo "${myname}: ERROR: password entry didn't go to $
{Passwd_file}";
        exit 1;
fi
#
echo "Please be patient! This may take some time"
echo ""
#
#
# SCP a copy of /etc/auth-passwd to DNS2 and Tacacs
#
if [ -f /etc/auth-passwd ]; then

        scp /etc/auth-passwd
sysop at dns2:/usr/local/etc/tacacs/authentication/auth-passwd
        echo "A copy of the auth-passwd file has been sent to DNS2..WHEW!!"
        scp /etc/auth-passwd
sysop at tacacs:/usr/local/etc/tacacs/authentication/auth-passwd
        echo "A copy of the auth-passwd file has been sent to
Tacacs..WHEW!!"
        echo " "
fi
#
exit 0
#
#EOF
---------------------------- end ------------------------------------

Maybe this is more complicated than it needs to be. Any suggests,
recommendation or opinions are welcomed!

Thanx In Advance,

[cid:image003.png at 01CB39F4.EEBC6A80]

Jeffrey S. Geist
Systems Administrator
PinPoint Communications
100 North 12th Street
Suite 500
Lincoln, NE  68508
Work: (402) 438-6211
Cellular: (402) 580-0047




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <
http://www.shrubbery.net/pipermail/tac_plus/attachments/20100812/93365c6d/at

tachment.html
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 24221 bytes
Desc: image003.png
URL: <
http://www.shrubbery.net/pipermail/tac_plus/attachments/20100812/93365c6d/at

tachment.png
>
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus










More information about the tac_plus mailing list