[tac_plus] user DEFAULT - anyone can login?

Alan McKinnon alan.mckinnon at gmail.com
Mon Jun 16 22:07:14 UTC 2014


On 16/06/2014 21:17, Asif Iqbal wrote:
> So if I understand correctly with the following stanza in tac_plus.conf
> anyone with valid LDAP credentials (PAM is pointing to LDAP in my case)
> can login to a router?
> 
> user = DEFAULT {
>    login = PAM
>    member = doauthaccess
> }
> 
> I am guessing I cannot really use this should I want to limit
> who can login?

Yes and no - see below. As with all things in life, the truth is a
little more complex than at first appears.


> I guess I cannot take advantage of do_auth to prevent login since
> it gets called after authorization?

Yes you can use do_auth, but there is a lot to know about this area.

First look at the standard tac_plus behaviour:

1. Authentication happens, this just verifies the username exists and
the password matches.
2. Login authorization happens. This is simplicity itself - if the user
has any permit clauses in a cmd stanza, the user is permitted to exec a
shell (the docs express this as: it is pointless permitting the user
to run a command if they can't get a shell).

Summary: with tac_plus, if the user has an ldap account and at least one
active cmd permit, then they can log in.


Contrast with a post authorization script - this script always gets
called with login as login is not purely an authentication action. IIRC
Dan's script acts similarly to tac_plus default.

But there's nothing stopping you from writing code to check whatever you
wish in ldap and allow or disallow login based on that. You don't have
such code yet, you must write it :-)

tac_plus does this with a post-auth script:

1. If everything looks legit in tac_plus for this user, the script is
called, tac_plus acts as if the authorization is going to be allowed.
2. If the script returns exit code 0 or 2, the action is authorized.
3. If the script returns exit code 1, the action is not authorized.


> 
> Maybe I can use do_auth with before authorization as well and
> define the allowed users under the [users] stanza and limit that
> way if I want to shrink my tac_plus conf user blocks to just DEFAULT?

That might work, you could use some form of groups in ldap (eg to be
able to log in to routers you must be in group X). This involves 2 ldap
lookups - one by the pre-auth script, one by tac_plus to authenticate
the user.



Unfortunately, this area is fraught with problems and difficulties. It
all looks so simple on paper but custom code gets real ugly real quick
as you have to cover all bases and make no assumptions about behaviour.
I'd advise you to read all the docs in the tarball several times as well
as the draft RFC on TACACS+ that is out there.


-- 
Alan McKinnon
alan.mckinnon at gmail.com
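As an added illustration of the post-authorization contract described in the thread (exit 0 or 2 permits, exit 1 denies), here is a minimal hook that gates router login on membership in one group. This is example code, not do_auth.py or anything shipped with tac_plus; the `after authorization` stanza form, the `$user` expansion and the stdin format are assumptions to verify against your version's docs, and the group set is constructed sample data standing in for the LDAP lookup.

```python
#!/usr/bin/env python3
# Added example (not do_auth.py or tac_plus code): a post-authorization
# hook for tac_plus that gates router login on membership in one group.
#
# Assumed tac_plus contract (check your version's docs): a stanza such as
#   after authorization "/usr/local/bin/router_login_gate.py -u $user"
# runs this script once tac_plus's own authorization has passed, with the
# requested attribute-value pairs on stdin (one per line; "k=v" mandatory,
# "k*v" optional) and the decision taken from the exit status:
#   0 = permit, AV pairs unchanged;  1 = deny;
#   2 = permit, using the AV pairs this script prints to stdout instead.
import sys

PERMIT, DENY, PERMIT_MODIFIED = 0, 1, 2

# Constructed stand-in for the LDAP group lookup ("to log in to routers you
# must be in group X"); replace with a real directory query.
ROUTER_LOGIN_GROUP = {"alice", "bob"}


def parse_av_pairs(lines):
    """Turn the stdin lines into a dict; an optional 'cmd*' becomes ''."""
    pairs = {}
    for raw in lines:
        line = raw.strip()
        seps = [i for i in (line.find("="), line.find("*")) if i >= 0]
        if not line or not seps:
            continue
        i = min(seps)                      # first separator wins
        pairs[line[:i]] = line[i + 1:]
    return pairs


def decide(username, pairs, members=ROUTER_LOGIN_GROUP):
    """Exit status for tac_plus. Fails closed: any doubt denies."""
    try:
        allowed = username in members
    except Exception:
        return DENY          # lookup failed: deny rather than guess
    if not allowed:
        return DENY          # blocks the login and every later command
    return PERMIT            # tac_plus's own cmd stanzas handle the rest


def main(argv):
    args = iter(argv[1:])
    user = next((next(args, None) for a in args if a == "-u"), None)
    if not user:
        return DENY          # no username passed: fail closed
    return decide(user, parse_av_pairs(sys.stdin))


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```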


