[tac_plus] user DEFAULT - anyone can login?

Asif Iqbal vadud3 at gmail.com
Mon Jun 16 21:02:43 UTC 2014 

On Mon, Jun 16, 2014 at 4:20 PM, Aaron Wasserott <
aaron.wasserott at viawest.com> wrote:

> If you use DEFAULT in both tac_plus.conf and do_auth.ini then, no, you
> could not restrict who can login to what. Only restriction there would be
> locking that user account in LDAP/AD to prevent any access for that user.
>
> But you could use DEFAULT in tac_plus.conf and then define users/groups in
> do_auth.ini you can restrict it that way who can login to what.
>

device_deny is not being honored.

[users]
DEFAULT =
    noprivs
iqbala =
    noprivs
[noprivs]
host_deny =
    .*
host_allow =
device_deny =
    .*
device_allow =
command_deny =
    .*
command_permit =

user ``iqbala'' still can login to a router. command_deny works fine.

I do not see any log


> I remember reading your emails before, and it sounds like you have a
> pretty complicated user base setup. The best way is to model user access
> around the tried-and-true tier groups, like tier1, tier2, tier3. Then you
> could have those three groups defined in tac_plus.conf pointing to
> different do_auth.ini files that control access to certain devices. The big
> issue for you will be something you mentioned a few weeks back, where you
> said you want users in different groups. You might want to think about
> letting more trusted/privileged users have access to things they don't
> necessary need, so you can just stick them in one group like tier2.
>
> -----Original Message-----
> From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Asif
> Iqbal
> Sent: Monday, June 16, 2014 1:17 PM
> To: tac_plus at shrubbery.net
> Subject: [tac_plus] user DEFAULT - anyone can login?
>
> So if I understand correctly with the following stanza in tac_plus.conf
> anyone with valid LDAP credentials (PAM is pointing to LDAP in my case) can
> login to a router?
>
> user = DEFAULT {
>    login = PAM
>    member = doauthaccess
> }
>
> I am guessing I cannot really use this should I want to limit who can
> login?
>
> I guess I cannot take advantage of do_auth to prevent login since it gets
> called after authorization?
>
> May be I can use do_auth with before authorization as well and define the
> allowed users under the [users] stanza and limti that way if I want to
> shrink my tac_plus conf user blocks to just DEFAULT?
>
> Please advise.
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://www.shrubbery.net/pipermail/tac_plus/attachments/20140616/321bd514/attachment.html
> >
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
>



-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20140616/c87d6b0d/attachment.html>

More information about the tac_plus mailing list