[tac_plus] user DEFAULT - anyone can login?

Asif Iqbal vadud3 at gmail.com
Tue Jun 17 16:44:10 UTC 2014


On Tue, Jun 17, 2014 at 11:08 AM, Asif Iqbal <vadud3 at gmail.com> wrote:

>
> On Mon, Jun 16, 2014 at 5:52 PM, Aaron Wasserott <
> aaron.wasserott at viawest.com> wrote:
>
>>  I think the issue you were seeing with still having access for that
>> user is because you have DEFAULT user listed first.  do_auth will act on
>> the first match it finds. In my do_auth.ini files I put the DEFAULT user
>> after all the specific users as a catch-all.
>>
>
> I am failing to connect to any router with this config and not seeing any
> log
>
> do_auth.ini
> ========
> [users]
> DEFAULT =
>     opseng
> [opseng]
> host_allow =
>     .*
> device_permit =
>     .*
> command_deny =
>     clear "^route-map counters"
>     show "^list"
>     debug "^all"
>     mpls "traffic-eng attribute-flags"
>     no "^ip routing"
>     no "^router .*"
>     write ^terminal
> command_permit =
>     clear .*
>     show .*
>     debug .*
>     ## prevent setting admin-group < 2^16... must be 6 decimal digits
>     mpls "traffic-eng attribute-flags [0-9][0-9][0-9][0-9][0-9][0-9]"
>     mpls .*
>     no .*
>     write .*
>
> tac_plus.conf
> ===========
> group = doauthaccess {
>         default service = permit
>         service = exec {
>                 priv-lvl = 15
>                 idletime = 10
>         }
>         after authorization "/usr/bin/python /root/do_auth/do_auth_orig.py -i $address -u $user -d $name -l /root/do_auth/do_auth.log -f /root/do_auth/do_auth.ini"
> }
>
> user = DEFAULT {
>         pap = PAM
>         login = PAM
>         member = doauthaccess
> }
>
> enabled DEBUG on do_auth.py
>
> DEBUG = os.getenv('DEBUG', True)
>
> I am not seeing any log in do_auth.log
>

I guess there is no log because the user = DEFAULT {..} block is never
consulted.

man page says:

"
         default authentication
              By default, authentication fails for users that do not appear
              in the configuration file.  This overrides that behavior, thus
              permitting all authentication requests for such users.

                  default authentication = file <filename>

              Such users will be authenticated via the <user> "DEFAULT".
"

So that explains why I do not see any log, since I am not using default
authentication = file <filename>.
I am using login = PAM for users.

So to comply with that I added default authentication = file
/etc/tacacs-passwd and added my account
in there.

Now I can login with user = DEFAULT {..} and I do see logs and DEBUG logs
in do_auth.log file.

Is there a way I can make default authentication = PAM?

Our LDAP password changes frequently as corporate policy. Syncing that
password to /etc/tacacs-passwd would be a pain. We have no admin access to
corporate LDAP to force a sync of that to /etc/tacacs-passwd.




> What am I doing wrong?
>
>>
>> *From:* Asif Iqbal [mailto:vadud3 at gmail.com]
>> *Sent:* Monday, June 16, 2014 3:20 PM
>> *To:* Aaron Wasserott
>> *Cc:* tac_plus at shrubbery.net
>> *Subject:* Re: [tac_plus] user DEFAULT - anyone can login?
>>
>> On Mon, Jun 16, 2014 at 5:02 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
>>
>> On Mon, Jun 16, 2014 at 4:20 PM, Aaron Wasserott <
>> aaron.wasserott at viawest.com> wrote:
>>
>> If you use DEFAULT in both tac_plus.conf and do_auth.ini then, no, you
>> could not restrict who can log in to what. The only restriction there would
>> be locking that user account in LDAP/AD to prevent any access for that user.
>>
>> But if you use DEFAULT in tac_plus.conf and then define users/groups
>> in do_auth.ini, you can restrict that way who can log in to what.
>>
>> device_deny is not being honored.
>>
>> [users]
>> DEFAULT =
>>     noprivs
>> iqbala =
>>     noprivs
>> [noprivs]
>> host_deny =
>>     .*
>> host_allow =
>> device_deny =
>>     .*
>> device_allow =
>> command_deny =
>>     .*
>> command_permit =
>>
>> user ``iqbala'' can still log in to a router. command_deny works fine.
>>
>> I do not see any log
>>
>> Oh yeah, DEFAULT on both tac_plus.conf and do_auth.ini and then
>> device_deny works.
>>
>> I remember reading your emails before, and it sounds like you have a
>> pretty complicated user base setup. The best way is to model user access
>> around the tried-and-true tier groups, like tier1, tier2, tier3. Then you
>> could have those three groups defined in tac_plus.conf pointing to
>> different do_auth.ini files that control access to certain devices. The big
>> issue for you will be something you mentioned a few weeks back, where you
>> said you want users in different groups. You might want to think about
>> letting more trusted/privileged users have access to things they don't
>> necessarily need, so you can just stick them in one group like tier2.
>>
>> So I have over 1500 network devices. Each vendor type gets its own
>> instance of tac_plus, which can point to a separate do_auth.ini file like
>> you suggested.
>>
>> Otherwise I have to consolidate all the devices in permit or deny blocks
>> for different groups. That would be a nightmare if I want to consolidate
>> to one do_auth.ini file. Plus it will be slow to read through the list of
>> devices for each authorization request for 1000s of employees. Maybe there
>> should be a database option to read the device lists from to make it
>> perform well.
>>
>>     -----Original Message-----
>> From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Asif
>> Iqbal
>> Sent: Monday, June 16, 2014 1:17 PM
>> To: tac_plus at shrubbery.net
>> Subject: [tac_plus] user DEFAULT - anyone can login?
>>
>> So if I understand correctly, with the following stanza in tac_plus.conf
>> anyone with valid LDAP credentials (PAM is pointing to LDAP in my case) can
>> log in to a router?
>>
>> user = DEFAULT {
>>    login = PAM
>>    member = doauthaccess
>> }
>>
>> I am guessing I cannot really use this should I want to limit who can
>> log in?
>>
>> I guess I cannot take advantage of do_auth to prevent login since it gets
>> called after authorization?
>>
>> Maybe I can use do_auth with before authorization as well and define the
>> allowed users under the [users] stanza and limit it that way if I want to
>> shrink my tac_plus conf user blocks to just DEFAULT?
>>
>> Please advise.
>>
>> --
>> Asif Iqbal
>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>> A: Because it messes up the order in which people normally read text.
>> Q: Why is top-posting such a bad thing?
>>
>>
>


-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
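The thread turns on two things: with user = DEFAULT in tac_plus.conf, authentication admits every account PAM accepts, so the only gate on who reaches which device and which commands is what do_auth evaluates from do_auth.ini; and the [users] lookup has to end up with DEFAULT as the catch-all rather than the entry that shadows everyone. The script below is an added example, not do_auth.py and not code posted by anyone in the thread. It is a small Python evaluator that resolves a user's own [users] entry before falling back to DEFAULT (so DEFAULT is the catch-all regardless of where it sits in the file) and then applies the order do_auth documents: host_deny, host_allow, device_deny, device_permit, then command_deny before command_permit. Assumptions, also marked in the code: a command rule is "<command> <regex>" with optional quotes around the regex, the regex is searched against the command's arguments, host and device patterns are tested with re.match, and the embedded SAMPLE_INI is constructed from the configs posted above with user iqbala mapped to a locked-down group. Check the matching details against the do_auth version you actually run.

```python
"""Simplified evaluator for a do_auth-style ini (added example; not do_auth.py).

Assumed rule semantics (not from the thread): a command rule is
'<command> <regex>', quotes optional, regex searched against the command's
arguments; host/device patterns are tested with re.match.  SAMPLE_INI is
constructed from the configs posted in the thread plus a locked-down user.
"""
import configparser
import re
import shlex

SAMPLE_INI = """\
[users]
DEFAULT =
    opseng
iqbala =
    noprivs

[opseng]
host_allow =
    .*
device_permit =
    .*
command_deny =
    clear "^route-map counters"
    show "^list"
    mpls "traffic-eng attribute-flags"
    no "^router .*"
    write ^terminal
command_permit =
    clear .*
    show .*
    mpls "traffic-eng attribute-flags [0-9][0-9][0-9][0-9][0-9][0-9]"
    mpls .*
    no .*
    write .*

[noprivs]
host_deny =
    .*
device_deny =
    .*
command_deny =
    .*
"""


def load_ini(text):
    """Parse ini text; keep option names case-sensitive so 'DEFAULT' survives."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _rules(cp, section, key):
    """One pattern per non-empty line of a multi-line option; [] if absent."""
    if not cp.has_option(section, key):
        return []
    return [ln.strip() for ln in cp.get(section, key).splitlines() if ln.strip()]


def _any_match(patterns, value):
    return any(re.match(p, value) for p in patterns)


def groups_for(cp, user):
    """A user's own [users] entry wins; DEFAULT is the catch-all for everyone else."""
    if cp.has_option("users", user):
        return _rules(cp, "users", user)
    return _rules(cp, "users", "DEFAULT")


def select_group(cp, user, host, device):
    """First group whose host/device rules admit this session; None means no access."""
    for group in groups_for(cp, user):
        if _any_match(_rules(cp, group, "host_deny"), host):
            continue
        if not _any_match(_rules(cp, group, "host_allow"), host):
            continue
        if _any_match(_rules(cp, group, "device_deny"), device):
            continue
        if not _any_match(_rules(cp, group, "device_permit"), device):
            continue
        return group
    return None


def _cmd_rule_matches(rule, cmd, args):
    tokens = shlex.split(rule)                      # strips the optional quotes
    cmd_pat, arg_pat = tokens[0], " ".join(tokens[1:])
    if not re.fullmatch(cmd_pat, cmd):
        return False
    return not arg_pat or re.search(arg_pat, args) is not None


def authorize_command(cp, group, command_line):
    """Deny rules first; a permit is reached only if no deny matched; else default deny."""
    cmd, _, args = command_line.strip().partition(" ")
    for rule in _rules(cp, group, "command_deny"):
        if _cmd_rule_matches(rule, cmd, args):
            return ("deny", rule)
    for rule in _rules(cp, group, "command_permit"):
        if _cmd_rule_matches(rule, cmd, args):
            return ("permit", rule)
    return ("deny", None)


if __name__ == "__main__":
    cp = load_ini(SAMPLE_INI)
    for user in ("iqbala", "someone_else"):
        print(user, "->", select_group(cp, user, "10.0.0.5", "core-rtr1"))
    for line in ("show ip route", "show list", "write terminal",
                 "mpls traffic-eng attribute-flags 123456", "configure terminal"):
        print(repr(line), authorize_command(cp, "opseng", line))
```

Running it shows why iqbala gets no device at all (the noprivs host_deny matches before any allow is considered, so no group is selected) while an unlisted LDAP account falls through to opseng. It also shows a weakness in the posted opseng group under deny-first evaluation: the deny line mpls "traffic-eng attribute-flags" matches every attribute-flags command, so the six-digit permit line below it is never reached. If the intent is to allow only six-digit values, the deny pattern itself has to exclude them; permit order cannot rescue a command that a deny rule already caught.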