[tac_plus] Dynamic authentication plugins via shared libraries?

heasley heas at shrubbery.net
Thu Aug 16 17:02:49 UTC 2012


Thu, Aug 16, 2012 at 07:09:56AM +0100, Steve Kemp:
> 
>  Where we work we have an in-house authentication system which
> is used for many things, and a few months ago we wished to
> add Tacacs+ to that list.
> 
>  Looking over the code there are various authentication methods
> supported, each of which ultimately ends up getting called with
> a username/password:
> 
>     static int des_verify(char *, char *);
>     static int pam_verify(char *, char *);
> 
>  (The only exception here is the etc_passwd_verify method which
> takes an extra argument.)
> 
>  Rather than adding in our custom verification method directly
> into the core, along with those, I ended up writing our custom
> code to test a username/password in a small shared library,
> and then updating tacacs+ code to load it dynamically at run-time
> with this configuration file:
> 
>    ..
>    accounting file = /var/log/tac_plus.acct
>    sso_plugin      = /usr/local/lib/sso_plugin.so
>    ..
> 
>    user = steve {
>       member = our_company
>       login = sso skemp
>       name = "Steve Kemp"
>    }
> 
>  When I then try to log in the single method is called, via the
> plugin file loaded with dlopen/dlsym/etc with username
> "skemp":
> 
>     int sso_authenticate( char * sso_username, char *password )
> 
> 
>  Assuming I cleaned up the code to rename the configuration
> options, etc, would this be of interest in the main repository
> and stand a chance of making it into the upstream releases of
> the future?

sure, but why didn't you just write a PAM module for your sso and have
tacacs enter from there?

>  I'd expect something like:
> 
>     auth_plugin = /path/to/shared.so
> 
>     user = blah {
>         login = plugin username [data1] [data2] ... [dataN]
>     }
> 
> FWIW our code is currently based around F4.0.4.16, but will need
> re-basing against something more recent in the near future anyway.
> 
> 
> Steve
> -- 
> http://www.steve.org.uk/
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
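
The thread describes resolving the verifier with dlopen/dlsym from a path given in the configuration file. As an added example (not code from tac_plus or from either poster), this is a loader that checks the plugin file before mapping it into the daemon and fails closed on any error. Only the `sso_authenticate` signature comes from the thread; the helper names, the root-ownership policy and the convention that a return value of 1 means "accepted" are assumptions.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Signature as quoted in the thread; every other name here is hypothetical. */
typedef int (*sso_authenticate_fn)(char *sso_username, char *password);

/* Return 1 only if the file is acceptable to map into a root-run daemon.
 * Assumed policy: absolute path, regular file (a symlink as the final
 * component is refused), owned by root, not group- or world-writable.
 * Parent directories need the same protection; that is not checked here. */
int plugin_path_is_safe(const char *path)
{
    struct stat st;

    if (path == NULL || path[0] != '/')
        return 0;   /* bare names are searched for; relative paths follow cwd */
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return 0;
    return 1;
}

/* Load the plugin and resolve its entry point; NULL on any failure. */
sso_authenticate_fn load_auth_plugin(const char *path, void **handle_out)
{
    void *h, *sym;

    *handle_out = NULL;
    if (!plugin_path_is_safe(path))
        return NULL;
    h = dlopen(path, RTLD_NOW | RTLD_LOCAL);  /* bind now, keep symbols private */
    if (h == NULL) {
        fprintf(stderr, "auth plugin: %s\n", dlerror());
        return NULL;
    }
    sym = dlsym(h, "sso_authenticate");
    if (sym == NULL) {
        fprintf(stderr, "auth plugin: %s\n", dlerror());
        dlclose(h);
        return NULL;
    }
    *handle_out = h;
    return (sso_authenticate_fn)sym;
}

/* Fail closed: a missing plugin or any result other than 1 is a rejection. */
int plugin_verify(sso_authenticate_fn fn, char *user, char *pass)
{
    return fn != NULL && user != NULL && pass != NULL && fn(user, pass) == 1;
}
```

On older glibc versions, link with `-ldl`.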

