From roderick.greening at gmail.com Wed Jun 2 18:58:20 2010
From: roderick.greening at gmail.com (Roderick B. Greening)
Date: Wed, 2 Jun 2010 16:28:20 -0230
Subject: [tac_plus] Changing a user's password from tacacs prompt or other method...
Message-ID: <201006021628.26256.roderick.greening@gmail.com>

Hi,

Just wondering how I would go about allowing the user to change their password without providing access to the tacacs+ server?

For example, the user telnets to one of the tacacs+ enabled NAS and enters their username and then nothing for password. I'd like this to trigger a request for a password change.

In my tacacs+ config, I am using the default Linux /etc/passwd with the file option for login.

Is this possible?

_______________________________________
Roderick B. Greening, B.Sc.
Paradise, NL Canada
E-mail/MSN: roderick.greening at gmail.com
LP: launchpad.net/~roderick-greening
Wiki: wiki.ubuntu.com/rgreening
Blog: roderick-greening.blogspot.com
Twitter: twitter.com/rgreening
Identica: identi.ca/rgreening

From kissg at ssg.ki.iif.hu Wed Jun 2 19:15:03 2010
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Wed, 2 Jun 2010 21:15:03 +0200 (CEST)
Subject: [tac_plus] Re: Changing a user's password from tacacs prompt or other method...
In-Reply-To: <201006021628.26256.roderick.greening@gmail.com>
References: <201006021628.26256.roderick.greening@gmail.com>
Message-ID:

> Just wondering how I would go about allowing the user to change their password without providing access to the tacacs+ server?
>
> For example, the user telnets to one of the tacacs+ enabled NAS and enters their username and then nothing for password.
> I'd like this to trigger a request for a password change.
>
> In my tacacs+ config, I am using the default Linux /etc/passwd with the file

The TACACS+ protocol itself is suitable to do this.
The popular (and free) server programs aren't.
You have to develop it...

Gabor

From kissg at ssg.ki.iif.hu Wed Jun 2 19:46:10 2010
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Wed, 2 Jun 2010 21:46:10 +0200 (CEST)
Subject: [tac_plus] Re: Changing a user's password from tacacs prompt or other method...
In-Reply-To: <201006021712.45638.roderick.greening@gmail.com>
References: <201006021628.26256.roderick.greening@gmail.com> <201006021712.45638.roderick.greening@gmail.com>
Message-ID:

> > The TACACS+ protocol itself is suitable to do this.
> > The popular (and free) server programs aren't.
> > You have to develop it...
>
> I take it this means that writing a before/after auth script is not possible to do this, and only possible with modifications to the tacacs server code base itself?

Yes, exactly.
The protocol allows you to send arbitrary questions (prompts) to the NAS, which displays them on the user's screen. The user's answers return to the TACACS+ server.

Gabor

From roderick.greening at gmail.com Wed Jun 2 19:42:40 2010
From: roderick.greening at gmail.com (Roderick B. Greening)
Date: Wed, 2 Jun 2010 17:12:40 -0230
Subject: [tac_plus] Re: Changing a user's password from tacacs prompt or other method...
In-Reply-To:
References: <201006021628.26256.roderick.greening@gmail.com>
Message-ID: <201006021712.45638.roderick.greening@gmail.com>

> > Just wondering how I would go about allowing the user to change their password without providing access to the tacacs+ server?
> >
> > For example, the user telnets to one of the tacacs+ enabled NAS and enters their username and then nothing for password. I'd like this to trigger a request for a password change.
> >
> > In my tacacs+ config, I am using the default Linux /etc/passwd with the file
>
> The TACACS+ protocol itself is suitable to do this.
> The popular (and free) server programs aren't.
> You have to develop it...

I take it this means that writing a before/after auth script is not possible to do this, and only possible with modifications to the tacacs server code base itself?

Anyone interested in developing this?

> Gabor
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From heas at shrubbery.net Wed Jun 2 20:26:43 2010
From: heas at shrubbery.net (john heasley)
Date: Wed, 2 Jun 2010 13:26:43 -0700
Subject: [tac_plus] Re: Changing a user's password from tacacs prompt or other method...
In-Reply-To: <201006021712.45638.roderick.greening@gmail.com>
References: <201006021628.26256.roderick.greening@gmail.com> <201006021712.45638.roderick.greening@gmail.com>
Message-ID: <20100602202643.GF10297@shrubbery.net>

Wed, Jun 02, 2010 at 05:12:40PM -0230, Roderick B. Greening:
> > > Just wondering how I would go about allowing the user to change their password without providing access to the tacacs+ server?
> > >
> > > For example, the user telnets to one of the tacacs+ enabled NAS and enters their username and then nothing for password.
> > > I'd like this to trigger a request for a password change.
> > >
> > > In my tacacs+ config, I am using the default Linux /etc/passwd with the file
> >
> > The TACACS+ protocol itself is suitable to do this.
> > The popular (and free) server programs aren't.
> > You have to develop it...
>
> I take it this means that writing a before/after auth script is not possible to do this, and only possible with modifications to the tacacs server code base itself?
>
> Anyone interested in developing this?

I believe that it currently works if the device initiates the change. but, otherwise gabor is right. however, you may be able to use PAM to do that - in theory, but I haven't tried it. you'd need PAM modules that would enforce the empty password bit and perform the change passwd prompting.

note that empty password is a DoS and security hole.

From dterry at dollartree.com Thu Jun 3 15:30:49 2010
From: dterry at dollartree.com (dterry at dollartree.com)
Date: Thu, 3 Jun 2010 11:30:49 -0400
Subject: [tac_plus] Re: Changing a user's password from tacacs prompt or other method...
In-Reply-To: <20100602202643.GF10297@shrubbery.net>
References: <201006021628.26256.roderick.greening@gmail.com> <201006021712.45638.roderick.greening@gmail.com> <20100602202643.GF10297@shrubbery.net>
Message-ID:

You don't have to give them access to the server. Set their shell to /sbin/nologin and they will be able to change their password, but not login.

john heasley
06/02/2010 04:27 PM
To: "Roderick B. Greening"
cc: tac_plus at shrubbery.net
Subject: [tac_plus] Re: Changing a user's password from tacacs prompt or other method...

> Wed, Jun 02, 2010 at 05:12:40PM -0230, Roderick B. Greening:
> > > > Just wondering how I would go about allowing the user to change their password without providing access to the tacacs+ server?
> > > >
> > > > For example, the user telnets to one of the tacacs+ enabled NAS and enters their username and then nothing for password.
> > > > I'd like this to trigger a request for a password change.
> > > >
> > > > In my tacacs+ config, I am using the default Linux /etc/passwd with the file
> > >
> > > The TACACS+ protocol itself is suitable to do this.
> > > The popular (and free) server programs aren't.
> > > You have to develop it...
> >
> > I take it this means that writing a before/after auth script is not possible to do this, and only possible with modifications to the tacacs server code base itself?
> >
> > Anyone interested in developing this?
>
> I believe that it currently works if the device initiates the change. but, otherwise gabor is right. however, you may be able to use PAM to do that - in theory, but I haven't tried it. you'd need PAM modules that would enforce the empty password bit and perform the change passwd prompting.
>
> note that empty password is a DoS and security hole.

From heas at shrubbery.net Thu Jun 3 15:48:11 2010
From: heas at shrubbery.net (john heasley)
Date: Thu, 3 Jun 2010 08:48:11 -0700
Subject: [tac_plus] Re: Changing a user's password from tacacs prompt or other method...
In-Reply-To:
References: <201006021628.26256.roderick.greening@gmail.com> <201006021712.45638.roderick.greening@gmail.com> <20100602202643.GF10297@shrubbery.net>
Message-ID: <20100603154809.GB25318@shrubbery.net>

Thu, Jun 03, 2010 at 11:30:49AM -0400, dterry at dollartree.com:
> You don't have to give them access to the server. Set their shell to /sbin/nologin and they will be able to change their password, but not login.

I didn't mention anything about the server.

> Wed, Jun 02, 2010 at 05:12:40PM -0230, Roderick B. Greening:
> > > > Just wondering how I would go about allowing the user to change their password without providing access to the tacacs+ server?
> > > >
> > > > For example, the user telnets to one of the tacacs+ enabled NAS and enters their username and then nothing for password. I'd like this to trigger a request for a password change.
> > > >
> > > > In my tacacs+ config, I am using the default Linux /etc/passwd with the file
> > >
> > > The TACACS+ protocol itself is suitable to do this.
> > > The popular (and free) server programs aren't.
> > > You have to develop it...
> >
> > I take it this means that writing a before/after auth script is not possible to do this, and only possible with modifications to the tacacs server code base itself?
> >
> > Anyone interested in developing this?
>
> I believe that it currently works if the device initiates the change. but, otherwise gabor is right. however, you may be able to use PAM to do that - in theory, but I haven't tried it. you'd need PAM modules that would enforce the empty password bit and perform the change passwd prompting.
>
> note that empty password is a DoS and security hole.

From bruce.carleton at jasperwireless.com Tue Jun 8 00:47:20 2010
From: bruce.carleton at jasperwireless.com (Bruce Carleton)
Date: Mon, 7 Jun 2010 17:47:20 -0700
Subject: [tac_plus] Re: Tac_plus authentication and Active Directory group
In-Reply-To:
References:
Message-ID:

In regards to Active Directory groups being used to control access to NASs, there isn't a "native" way to do that that I know of. You have to define the groups in the tac_plus.conf and apply ACLs to them. I'm using winbind for pam and nss. I'm using the Samba RID backend to do UID/GID mapping, though tac_plus doesn't care.

I believe you will need to use the --enable-acls argument with configure when you compile tac_plus.
Here are some configuration scraps:

# User definition
user = some.user {
    login = PAM
    member = network_admin
}

# Group definition
group = network_admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
    acl = network_admin
}

# Network Administration ACL
acl = network_admin {
    permit = ^10\.0\.0\.1$
    permit = ^10\.0\.1\.1$
    deny = .*
}

Admittedly, this leaves some work on the tac_plus server configuration, but at least it gets you out of the business of password changes and expiration.

Best,
--Bruce

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Charly COYETTE
Sent: Friday, May 28, 2010 8:07 AM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Tac_plus authentication and Active Directory group

Hello,

I'm currently installing a TACACS+ Server with Tac_plus that authenticates users with an active directory. I need to give different rights to users regarding the different groups in the active directory. I don't know how to indicate this in the configuration file.

Another question: Is there a way to do "default authentication = PAM"? I always have an error: "Error: expecting 'file' but found 'pam' on line 16"

Here is the configuration file I currently use:

key = ...
accounting file = /var/log/tacacs/accounting

group = admin {
    default service = permit
    login = PAM
    enable = des "..."
}

group = user {
    default service = deny
    login = PAM
    enable = des "..."
    cmd = enable {
        permit ".*"
    }
    cmd = show {
        permit "ip .*"
        deny ".*"
    }
    cmd = disable {
        permit ".*"
    }
    cmd = exit {
        permit ".*"
    }
}

user = administrator {
    member = admin
}

user = toto {
    member = user
}

Regards,

Charly COYETTE | Network and System department
Mail : ccoyette at devanlay.fr
DEVANLAY SA : 19bis, rue des Gayettes - BP 503 - 10083 TROYES - FRANCE
From andrew at aeronav.ecasa.avianet.cu Wed Jun 16 18:14:00 2010
From: andrew at aeronav.ecasa.avianet.cu (andrew)
Date: Wed, 16 Jun 2010 18:14:00 -0000
Subject: [tac_plus] Help me
Message-ID: <574CD69AA82448E28CEFE66F0AF1D944@aeronav.ecasa.avianet.cu>

Hi there,

I need the installation of the current version of TACACS+ on Debian Lenny.
Can you please help me? Thanks in advance.

From roderick.greening at gmail.com Wed Jun 16 19:38:22 2010
From: roderick.greening at gmail.com (Roderick B. Greening)
Date: Wed, 16 Jun 2010 17:08:22 -0230
Subject: [tac_plus] Re: Help me
In-Reply-To: <574CD69AA82448E28CEFE66F0AF1D944@aeronav.ecasa.avianet.cu>
References: <574CD69AA82448E28CEFE66F0AF1D944@aeronav.ecasa.avianet.cu>
Message-ID: <201006161708.26653.roderick.greening@gmail.com>

The latest version of Debian unstable has this packaged.
You should be able to install this under Debian Lenny or request a Debian back-port possibly.

It's also available in Ubuntu Maverick (based on Debian unstable) and as a back-port to Ubuntu Lucid.

Nothing special was required for the back-port to work, just a rebuild of the Debian package. I expect a similar situation under Debian Lenny.

> Hi there,
>
> I need the installation of the current version of TACACS+ on Debian Lenny.
> Can you please help me? Thanks in advance.

From henry.nicolas at tourneur.be Wed Jun 16 20:28:02 2010
From: henry.nicolas at tourneur.be (Tourneur Henry-Nicolas)
Date: Wed, 16 Jun 2010 22:28:02 +0200
Subject: [tac_plus] Re: Help me
In-Reply-To: <201006161708.26653.roderick.greening@gmail.com>
References: <574CD69AA82448E28CEFE66F0AF1D944@aeronav.ecasa.avianet.cu> <201006161708.26653.roderick.greening@gmail.com>
Message-ID: <201006162228.03477.henry.nicolas@tourneur.be>

Hello,

I'm the Debian packager for Tacacs+ and I'm also using it with Lenny.
If you want, you can just download the tacacs+ deb file and libtacacs+ from the Debian website and it'll work with Lenny.

http://packages.debian.org/squeeze/tacacs+
http://packages.debian.org/squeeze/libtacacs+1

On Wednesday 16 June 2010 21:38:22 Roderick B. Greening wrote:
> The latest version of Debian unstable has this packaged. You should be able to install this under Debian Lenny or request a Debian back-port possibly.
>
> It's also available in Ubuntu Maverick (based on Debian unstable) and as a back-port to Ubuntu Lucid.
>
> Nothing special was required for the back-port to work, just a rebuild of the Debian package. I expect a similar situation under Debian Lenny.
>
> > Hi there,
> >
> > I need the installation of the current version of TACACS+ on Debian Lenny.
> > Can you please help me? Thanks in advance.
From shadrack at rocketmail.com Wed Jun 30 21:27:12 2010
From: shadrack at rocketmail.com (Paul Floyd)
Date: Wed, 30 Jun 2010 14:27:12 -0700 (PDT)
Subject: [tac_plus] Different privs for different devices?
Message-ID: <237975.48368.qm@web34302.mail.mud.yahoo.com>

Hi all -

New to the list and tac_plus. I'm trying to figure out if there's a way to grant a set of users one privilege level on one set of devices and a different privilege level on another set of devices. My best guess at a config to do this was something like this:

=====

group = helpdesk_full {
    acl = routers_full_access
    service = exec {
        priv-lvl = 15
    }
}

group = helpdesk_limited {
    acl = routers_limited_access
    service = exec {
        priv-lvl = 7
    }
    member = helpdesk_full
}

group = helpdesk {
    login = file /etc/tacacs/users
    member = helpdesk_limited
}

====

However when I tried this, it seemed a member of the helpdesk group was able to log in to a router in the "routers_limited_access" ACL, but not one in the "routers_full_access" group. If I'm interpreting the debug correctly, it appears tac_plus processes the routers_limited_access ACL and immediately returns a login rejected message. It never tries to match against the routers_full_access ACL.

Is what I'm trying to accomplish possible with tac_plus, and if so, how do I go about it?

Thanks,
- PF

From alan.mckinnon at gmail.com Wed Jun 30 21:45:53 2010
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Wed, 30 Jun 2010 23:45:53 +0200
Subject: [tac_plus] Re: Different privs for different devices?
In-Reply-To: <237975.48368.qm@web34302.mail.mud.yahoo.com>
References: <237975.48368.qm@web34302.mail.mud.yahoo.com>
Message-ID: <201006302345.54152.alan.mckinnon@gmail.com>

On Wednesday 30 June 2010 23:27:12 Paul Floyd wrote:
> Hi all -
>
> New to the list and tac_plus. I'm trying to figure out if there's a way to grant a set of users one privilege level on one set of devices and a different privilege level on another set of devices. My best guess at a config to do this was something like this:
>
> =====
>
> group = helpdesk_full {
>     acl = routers_full_access
>     service = exec {
>         priv-lvl = 15
>     }
> }
>
> group = helpdesk_limited {
>     acl = routers_limited_access
>     service = exec {
>         priv-lvl = 7
>     }
>     member = helpdesk_full
> }
>
> group = helpdesk {
>     login = file /etc/tacacs/users
>     member = helpdesk_limited
> }
>
> ====
>
> However when I tried this, it seemed a member of the helpdesk group was able to log in to a router in the "routers_limited_access" ACL, but not one in the "routers_full_access" group. If I'm interpreting the debug correctly, it appears tac_plus processes the routers_limited_access ACL and immediately returns a login rejected message. It never tries to match against the routers_full_access ACL.
>
> Is what I'm trying to accomplish possible with tac_plus, and if so, how do I go about it?

tac-plus's ability to assign rights to users is deliberately simplistic. A user belongs to one group, which belongs to one group, etc, etc till you reach a group that is not a member of another group.

Rules are applied on a "first match wins" basis. The user in group "helpdesk" has no acl or rights, so tac_plus checks the group config. That does have an acl and rights so they are applied and used. End of story.

It is a common error to assume that tac_plus walks the entire group inheritance tree and does some complex resolution to find the rights to apply. It does no such thing - it looks in a strict order and uses the first rule it finds.
The reason for this is simple - conflict resolution. John mentioned as much about 6 months ago and it's a horrible problem to solve (I'm dealing with the same thing myself and reaching the same conclusion). How do you resolve opposing conflicts in rights? John's approach is to avoid the entire problem and guarantee it can't happen.

A sensible approach that causes you more work than you think proper but leaves you sane is to maintain two separate group, acl and rights definitions, even if they overlap to a greater or lesser degree.

Or, Gabor might drop by with a suggestion, he has some very useful patches in his collection but I haven't tried them enough to comment.

--
alan dot mckinnon at gmail dot com

From heas at shrubbery.net Wed Jun 30 22:04:37 2010
From: heas at shrubbery.net (john heasley)
Date: Wed, 30 Jun 2010 22:04:37 +0000
Subject: [tac_plus] Re: Different privs for different devices?
In-Reply-To: <201006302345.54152.alan.mckinnon@gmail.com>
References: <237975.48368.qm@web34302.mail.mud.yahoo.com> <201006302345.54152.alan.mckinnon@gmail.com>
Message-ID: <20100630220437.GG12025@shrubbery.net>

Wed, Jun 30, 2010 at 11:45:53PM +0200, Alan McKinnon:
> On Wednesday 30 June 2010 23:27:12 Paul Floyd wrote:
> > Hi all -
> >
> > New to the list and tac_plus. I'm trying to figure out if there's a way to grant a set of users one privilege level on one set of devices and a different privilege level on another set of devices.
> > My best guess at a config to do this was something like this:
> >
> > =====
> >
> > group = helpdesk_full {
> >     acl = routers_full_access
> >     service = exec {
> >         priv-lvl = 15
> >     }
> > }
> >
> > group = helpdesk_limited {
> >     acl = routers_limited_access
> >     service = exec {
> >         priv-lvl = 7
> >     }
> >     member = helpdesk_full
> > }
> >
> > group = helpdesk {
> >     login = file /etc/tacacs/users
> >     member = helpdesk_limited
> > }
> >
> > ====
> >
> > However when I tried this, it seemed a member of the helpdesk group was able to log in to a router in the "routers_limited_access" ACL, but not one in the "routers_full_access" group. If I'm interpreting the debug correctly, it appears tac_plus processes the routers_limited_access ACL and immediately returns a login rejected message. It never tries to match against the routers_full_access ACL.
> >
> > Is what I'm trying to accomplish possible with tac_plus, and if so, how do I go about it?
>
> tac-plus's ability to assign rights to users is deliberately simplistic. A user belongs to one group, which belongs to one group, etc, etc till you reach a group that is not a member of another group.
>
> Rules are applied on a "first match wins" basis. The user in group "helpdesk" has no acl or rights, so tac_plus checks the group config. That does have an acl and rights so they are applied and used. End of story.
>
> It is a common error to assume that tac_plus walks the entire group inheritance tree and does some complex resolution to find the rights to apply. It does no such thing - it looks in a strict order and uses the first rule it finds.
>
> The reason for this is simple - conflict resolution. John mentioned as much about 6 months ago and it's a horrible problem to solve (I'm dealing with the same thing myself and reaching the same conclusion). How do you resolve opposing conflicts in rights? John's approach is to avoid the entire problem and guarantee it can't happen.
I think that you make some more complex decisions by using external authorization scripts.

> A sensible approach that causes you more work than you think proper but leaves you sane is to maintain two separate group, acl and rights definitions, even if they overlap to a greater or lesser degree.
>
> Or, Gabor might drop by with a suggestion, he has some very useful patches in his collection but I haven't tried them enough to comment.

indeed he does. I hope to import them (possibly w/ some adjustment - sorry) once i get a better config parser completed.

From shadrack at rocketmail.com Wed Jun 30 22:08:03 2010
From: shadrack at rocketmail.com (Paul Floyd)
Date: Wed, 30 Jun 2010 15:08:03 -0700 (PDT)
Subject: [tac_plus] Re: Different privs for different devices?
In-Reply-To: <201006302345.54152.alan.mckinnon@gmail.com>
References: <237975.48368.qm@web34302.mail.mud.yahoo.com> <201006302345.54152.alan.mckinnon@gmail.com>
Message-ID: <36419.50547.qm@web34307.mail.mud.yahoo.com>

> A sensible approach that causes you more work than you think proper but leaves you sane is to maintain two separate group, acl and rights definitions, even if they overlap to a greater or lesser degree.

Hmm... OK. Can you give me some insight as to how to do that? I'm OK creating separate groups and ACLs, but how do I make a single user a member of both groups? Or are you saying I also have to create two separate userids for every user?

> Or, Gabor might drop by with a suggestion, he has some very useful patches in his collection but I haven't tried them enough to comment.

Yeah, I saw mention of this in the mailing list archives, and even tried to apply the patch, but the latest patch on his website is against 4.0.4.15 and doesn't apply cleanly to 4.0.4.19. Also, I think the patch only handles recursion of certain group properties, services not among them (i.e. even if it handled the ACL, the priv-lvl would not be applied).
Thanks,
- Paul

From alan.mckinnon at gmail.com Wed Jun 30 22:16:48 2010
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Thu, 1 Jul 2010 00:16:48 +0200
Subject: [tac_plus] Re: Different privs for different devices?
In-Reply-To: <20100630220437.GG12025@shrubbery.net>
References: <237975.48368.qm@web34302.mail.mud.yahoo.com> <201006302345.54152.alan.mckinnon@gmail.com> <20100630220437.GG12025@shrubbery.net>
Message-ID: <201007010016.49206.alan.mckinnon@gmail.com>

On Thursday 01 July 2010 00:04:37 john heasley wrote:
> > The reason for this is simple - conflict resolution. John mentioned as much about 6 months ago and it's a horrible problem to solve (I'm dealing with the same thing myself and reaching the same conclusion). How do you resolve opposing conflicts in rights? John's approach is to avoid the entire problem and guarantee it can't happen.
>
> I think that you make some more complex decisions by using external authorization scripts.

Of course! I forgot about that approach - I don't use it myself as my setup has a very high number of requests per second and I'm not putting that at risk. I considered an external daemon as well but rejected it as seeming just too much work.

> > A sensible approach that causes you more work than you think proper but leaves you sane is to maintain two separate group, acl and rights definitions, even if they overlap to a greater or lesser degree.
> >
> > Or, Gabor might drop by with a suggestion, he has some very useful patches in his collection but I haven't tried them enough to comment.
>
> indeed he does. I hope to import them (possibly w/ some adjustment - sorry) once i get a better config parser completed.

I feel your pain :-) I have similar things to solve in my auth setup (of which tacacs is a part) - it gives me sleepless nights sometimes.
--
alan dot mckinnon at gmail dot com

From alan.mckinnon at gmail.com Wed Jun 30 22:32:16 2010
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Thu, 1 Jul 2010 00:32:16 +0200
Subject: [tac_plus] Re: Different privs for different devices?
In-Reply-To: <36419.50547.qm@web34307.mail.mud.yahoo.com>
References: <237975.48368.qm@web34302.mail.mud.yahoo.com> <201006302345.54152.alan.mckinnon@gmail.com> <36419.50547.qm@web34307.mail.mud.yahoo.com>
Message-ID: <201007010032.17129.alan.mckinnon@gmail.com>

On Thursday 01 July 2010 00:08:03 Paul Floyd wrote:
> > A sensible approach that causes you more work than you think proper but leaves you sane is to maintain two separate group, acl and rights definitions, even if they overlap to a greater or lesser degree.
>
> Hmm... OK. Can you give me some insight as to how to do that? I'm OK creating separate groups and ACLs, but how do I make a single user a member of both groups? Or are you saying I also have to create two separate userids for every user?

Sorry, I slightly mis-read what you are trying to achieve. It's the combination of privilege and acl that got me.

Having re-read your post, I can't think off-hand of an easy solution in the tac_plus config itself, but your stumbling block doesn't change. And networking kit isn't my expertise either - I copy the allowed command list my Cisco guys give me verbatim and leave them to work magic on the devices themselves.

If no-one else comes up with a bright idea, here are some out-of-the-box approaches:

- call an external script as John suggests in my other reply
- modify the sources yourself to suit your needs
- give everyone two login ids. This is horrible though - if your helpdesk staff are anything like me they will be completely unable to map privilege levels to devices in their head and will constantly get it wrong
- Run two tac_plus servers (virtual machines are cool for this). Configure your devices to use the appropriate one.
  They will have the same list of users and two groups each - limited and full. A specific user belongs to only one group and you can adjust the rights of each group as you wish. The need for acls falls away as the acl has now effectively moved onto the device.

--
alan dot mckinnon at gmail dot com
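The lookup order Alan describes (user -> group -> parent group, first definition wins) and the ordered permit/deny regexes in Bruce's acl scraps, as an added, constructed model; this is not tac_plus's own code. Paul's acl bodies and the NAS addresses are made up, and the model assumes an acl with no matching entry denies (Bruce's acl ends with an explicit `deny = .*`, so that assumption never decides anything there).

```python
"""Constructed model of the tac_plus resolution order discussed in the thread.

Not tac_plus source.  It models two things the thread relies on:
  * a stanza has at most one `member = <group>`; a lookup walks
    user -> group -> parent group and stops at the FIRST stanza that
    defines the attribute ("first match wins");
  * an `acl = <name>` is a list of permit/deny regexes tried in order
    against the NAS address; the first match decides.
Assumption: an acl with no matching entry denies.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass
class Stanza:
    """A `user = ...` or `group = ...` block, reduced to the fields modelled."""
    name: str
    member: Optional[str] = None     # member = <group>   (at most one)
    acl: Optional[str] = None        # acl = <aclname>
    priv_lvl: Optional[int] = None   # service = exec { priv-lvl = N }


Acl = List[Tuple[str, str]]          # [("permit", regex), ("deny", regex), ...]


@dataclass
class Config:
    users: Dict[str, Stanza]
    groups: Dict[str, Stanza]
    acls: Dict[str, Acl]

    def chain(self, username: str) -> Iterator[Stanza]:
        """Yield the user stanza, then its group, then that group's group, ..."""
        node = self.users[username]
        seen = set()
        while True:
            yield node
            if node.member is None or node.member in seen:
                return                   # end of chain (or a member= cycle)
            seen.add(node.member)
            node = self.groups[node.member]

    def first(self, username: str, attr: str):
        """First-match lookup: the nearest stanza defining `attr` wins and
        anything further up the chain is never consulted."""
        for node in self.chain(username):
            value = getattr(node, attr)
            if value is not None:
                return value
        return None

    def acl_permits(self, aclname: str, nas_ip: str) -> bool:
        """Apply the acl's entries in order; the first regex match decides."""
        for action, pattern in self.acls[aclname]:
            if re.search(pattern, nas_ip):
                return action == "permit"
        return False                     # assumption: no match -> deny

    def login(self, username: str, nas_ip: str) -> Tuple[bool, Optional[int]]:
        """(accepted, priv-lvl) for a login from `nas_ip`, the way Paul's
        debug output shows it: resolve ONE acl, evaluate it, stop."""
        aclname = self.first(username, "acl")
        if aclname is not None and not self.acl_permits(aclname, nas_ip):
            return False, None           # "login rejected"
        return True, self.first(username, "priv_lvl")


# Paul's groups from the thread.  The acl bodies are constructed here (his
# post does not show them); the addresses are documentation ranges.
PAUL = Config(
    users={"pf": Stanza("pf", member="helpdesk")},
    groups={
        "helpdesk": Stanza("helpdesk", member="helpdesk_limited"),
        "helpdesk_limited": Stanza("helpdesk_limited", member="helpdesk_full",
                                   acl="routers_limited_access", priv_lvl=7),
        "helpdesk_full": Stanza("helpdesk_full",
                                acl="routers_full_access", priv_lvl=15),
    },
    acls={
        "routers_limited_access": [("permit", r"^192\.0\.2\."), ("deny", r".*")],
        "routers_full_access": [("permit", r"^198\.51\.100\."), ("deny", r".*")],
    },
)

# Bruce's scraps, as posted: anchored regexes with an explicit deny-all last.
BRUCE = Config(
    users={"some.user": Stanza("some.user", member="network_admin")},
    groups={"network_admin": Stanza("network_admin", acl="network_admin",
                                    priv_lvl=15)},
    acls={"network_admin": [("permit", r"^10\.0\.0\.1$"),
                            ("permit", r"^10\.0\.1\.1$"),
                            ("deny", r".*")]},
)

if __name__ == "__main__":
    # Paul's observation: only the limited-router acl is ever consulted.
    print(PAUL.login("pf", "192.0.2.1"))         # (True, 7)
    print(PAUL.login("pf", "198.51.100.1"))      # (False, None)
    # Bruce's anchors: 10.0.0.1 is permitted; 10.0.0.10 falls to deny = .*
    print(BRUCE.login("some.user", "10.0.0.1"))  # (True, 15)
    print(BRUCE.login("some.user", "10.0.0.10")) # (False, None)
```

The second PAUL call is the "login rejected" Paul saw on the full-access routers: helpdesk_full is in the chain but its acl is never reached.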