[tac_plus] Per Device Command Authorization

Ben Wiechman wiechman.lists at gmail.com
Fri Nov 19 16:54:05 UTC 2010


At this point we are just going to go with giving the firewall admins full
access to the core as well... since that dept is... me. :)

And if I can't trust myself, no one can.

Thanks for all the comments.

Ben

> -----Original Message-----
> From: Kiss Gabor (Bitman) [mailto:kissg at ssg.ki.iif.hu]
> Sent: Thursday, November 18, 2010 1:36 PM
> To: Ben Wiechman
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Per Device Command Authorization
> 
> > In our case we'd like to allow certain users read-only type access on
> > most devices, but give more access on certain devices to do things like
> > configure static NAT, etc. Firewall administrators need more permissions on the
> > firewalls, but not on backbone routers as another example.
> >
> > I don't see any way to do this with the stock configuration, but I
> > may be missing something.
> >
> > It looks like it might be possible with the multiple groups patch
> > here (http://bakacsin.ki.iif.hu/~kissg/pd/tac_plus/), but I'm not entirely
> > clear on that either.
> 
> I'm afraid also that it can't solve your problem.
> ACLs are for exec authorization only, not for commands.
> 
> However I found a quick and dirty solution:
> Firewall admins might have two accounts on some hosts.
> E.g. user 'bill' may log in to all routers but has few permissions.
> Meanwhile 'bill_fw' has more rights but can log in on very few NASs.
> 
> Regards
> 
> Gabor
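A tac_plus.conf sketch of the two-account workaround Gabor describes above, added here as an example and not taken from the thread or from the tac_plus distribution; the NAS addresses, group names and credential placeholders are assumed.

```conf
# Added example (not from the thread): one person, two accounts.
# 'bill' can reach every NAS with read-only rights; 'bill_fw' has full
# rights but only passes exec authorization on the firewall NASs.
key = "CHANGE-ME-shared-secret"   # placeholder

# Assumed firewall NAS addresses; the regexes match the NAS IP.
acl = firewalls_only {
    permit = ^192\.0\.2\.1$
    permit = ^192\.0\.2\.2$
    deny   = .*
}

# Read-only profile. There is no 'default service = permit' here,
# so any service or command not listed below is denied.
group = readonly {
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit .*
    }
    cmd = ping {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}

# Firewall-admin profile: everything permitted, but the ACL restricts
# exec authorization to the firewall NASs listed above.
group = fwadmin {
    acl = firewalls_only
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

user = bill {
    member = readonly
    login = des "<crypt-hash-placeholder>"
}
user = bill_fw {
    member = fwadmin
    login = des "<crypt-hash-placeholder>"
}
```

As Gabor notes, the ACL gates exec authorization only; command authorization is still decided by the group's cmd clauses, so every NAS must be configured to request exec authorization for the restriction to take effect.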
