[tac_plus] More complex do_auth.py
Daniel Schmidt
daniel.schmidt at wyo.gov
Wed May 4 15:46:38 UTC 2011
Yeah, and that darn, lazy author of do_auth didn't provide much
documentation! Seriously, there is only this:
http://tacacs.org/
and this:
python do_auth.py | less
or maybe this:
http://www.shrubbery.net/pipermail/tac_plus/2011-March/000879.html
or this:
http://manpages.ubuntu.com/manpages/maverick/man8/do_auth.8.html
So, dunno really, maybe you have a dumb user named homer who you don't want
on your core and that would be maybe something like:
[users]
homer =
    no_core_for_you
    few_core_commands_for_you
other_guy =
    do_everything
# Denies the two core boxes, so this group only applies everywhere else.
[no_core_for_you]
device_deny =
    1.1.1.1
    1.1.1.2
device_permit =
    .*
command_permit =
    .*
# On the core boxes only these command patterns are permitted.
[few_core_commands_for_you]
device_permit =
    1.1.1.1
    1.1.1.2
command_permit =
    show.*
    exit.*
    dir.*
[do_everything]
host_allow =
    .*
device_permit =
    .*
command_permit =
    .*
-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Brandon Ewing
Sent: Tuesday, May 03, 2011 8:49 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] More complex do_auth.py
Has anyone re-written do_auth.py to support command authorization on a
per-device basis? Currently, device IP is only considered on login. Does
TACACS+ pass the device ID when attempting to authorize commands? It would
be beneficial to permit/deny commands on a per-group basis, considering the
device ID.

This would allow one to group allowed commands on a per-device basis,
allowing a group that can execute "interface" or "router" configuration
commands on all but a subset of devices, such as core network equipment.
--
Brandon Ewing
(nicotine at warningg.com)
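The group walk that the config in Daniel's reply relies on, as an added Python example (not do_auth's own code): it parses a constructed config holding homer's two groups and decides a command per device. The evaluation order is an assumption about do_auth: groups are tried in the order listed for the user, a group that denies or does not permit the device is skipped, the first group that accepts the device decides the command, and no accepting group means deny.

```python
import re
from configparser import ConfigParser

# Constructed config with homer's two groups from the reply (continuation lines must be indented).
CONFIG = """\
[users]
homer =
    no_core_for_you
    few_core_commands_for_you
[no_core_for_you]
device_deny =
    1.1.1.1
    1.1.1.2
device_permit =
    .*
command_permit =
    .*
[few_core_commands_for_you]
device_permit =
    1.1.1.1
    1.1.1.2
command_permit =
    show.*
    exit.*
    dir.*
"""
CFG = ConfigParser(interpolation=None)
CFG.read_string(CONFIG)

def _lines(cfg, section, key):
    if not cfg.has_option(section, key):  # False for a missing section too
        return []
    return [v.strip() for v in cfg.get(section, key).splitlines() if v.strip()]

def _any_match(patterns, value):
    # fullmatch: a pattern must cover the whole string, so 1.1.1.1 cannot match 1.1.1.10
    return any(re.fullmatch(p, value) for p in patterns)

def authorize(user, device, command, cfg=CFG):
    """Assumed do_auth walk: groups in listed order; a group that denies or does not
    permit the device is skipped; the first group accepting the device decides."""
    for group in _lines(cfg, "users", user):
        if _any_match(_lines(cfg, group, "device_deny"), device):
            continue
        if not _any_match(_lines(cfg, group, "device_permit"), device):
            continue
        if _any_match(_lines(cfg, group, "command_deny"), command):
            return False
        return _any_match(_lines(cfg, group, "command_permit"), command)
    return False  # no group accepted this device: default deny
```

The values are regexes, so the unescaped dots in 1.1.1.1 also match a string like 1x1x1x1; escape the dots when an exact device address is meant.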