[tac_plus] do_auth not parsing config file

Matt Almgren matta at surveymonkey.com
Tue Aug 4 22:12:58 UTC 2015


Ok, I've taken the do_auth leap to try and secure our rancid logins.


I've added this line to the end of the rancid group within tac_plus.conf:


after authorization "/usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini"


And I have a simple/default do_auth.ini file:


rancid =
    fewcommands

[fewcommands]
host_allow =
.*
device_permit =
.*
command_permit =
show users
show int.*
show ip int.*
show controllers.*
show conf.*


But I seem to be getting these errors in the do_auth log. I checked, and the file exists and the permissions seem OK:


root at sjc-nettools01:~/tacacs-do_auth# more log.txt
2015-08-03 15:09:00,229 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
2015-08-03 15:16:18,673 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
2015-08-03 15:16:40,629 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
2015-08-04 14:57:49,990 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
root at sjc-nettools01:~/tacacs-do_auth# ls -lrt /root/tacacs-do_auth/do_auth.ini
-rw-r--r-- 1 root root 343 Aug  3 15:25 /root/tacacs-do_auth/do_auth.ini
root at sjc-nettools01:~/tacacs-do_auth#



tac_plus.log:


Tue Aug  4 15:10:36 2015 [2950]: After authorization call: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
Tue Aug  4 15:10:36 2015 [2950]: substitute: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
Tue Aug  4 15:10:36 2015 [2950]: Dollar substitution: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i 10.1.21.1 -u rancid -d 10.1.0.8 -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
Tue Aug  4 15:10:36 2015 [2950]: input service=junos-exec
Tue Aug  4 15:10:36 2015 [2950]: input local-user-name=remote-rancid
Tue Aug  4 15:10:36 2015 [2950]: pid 2951 child exited status 1
Tue Aug  4 15:10:36 2015 [2950]: cmd /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini returns 1 (unconditional deny)
Tue Aug  4 15:10:36 2015 [2950]: authorization query for 'rancid' unknown from 10.1.0.8 rejected
Tue Aug  4 15:10:36 2015 [2953]: connect from 10.1.0.8 [10.1.0.8]



I wish it would output more debugging information, but that's all I've got to go on.


Anybody see this before?
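The CRITICAL line above collapses "could not open" and "could not parse" into one message and drops the parser's own exception. The following check is an added example, not code from do_auth or tac_plus: it loads a do_auth.ini with Python 3's stdlib configparser, reports the underlying exception by name, and then verifies that the groups a user is mapped to are fully defined. It assumes the [users] section name and the three per-group keys from do_auth's documented ini layout; both sample ini texts are constructed for this example.

```python
import configparser

# Constructed sample in the shape of the ini from the post: the user map
# comes first and no section header precedes it.
BROKEN_INI = """\
rancid =
    fewcommands

[fewcommands]
host_allow =
    .*
device_permit =
    .*
command_permit =
    show users
    show int.*
"""

# Constructed: identical content with the user map under a [users] header.
FIXED_INI = "[users]\n" + BROKEN_INI

# Assumed per-group keys, taken from do_auth's documented ini layout.
REQUIRED_KEYS = ("host_allow", "device_permit", "command_permit")


def parse_ini(text):
    """Return (config, None), or (None, 'ExceptionType: detail') on failure."""
    cfg = configparser.ConfigParser()
    try:
        cfg.read_string(text)
    except configparser.Error as exc:  # the detail the CRITICAL log line drops
        return None, "%s: %s" % (type(exc).__name__, exc)
    return cfg, None


def diagnose(text, user):
    """List problems for one TACACS+ user; an empty list means the ini is usable."""
    cfg, err = parse_ini(text)
    if err:
        return ["parse failed: " + err]
    if not cfg.has_section("users") or not cfg.has_option("users", user):
        return ["user %r not mapped in [users]" % user]
    problems = []
    for group in cfg.get("users", user).split():  # one group per indented line
        if not cfg.has_section(group):
            problems.append("group section [%s] missing" % group)
            continue
        for key in REQUIRED_KEYS:
            if not cfg.has_option(group, key):
                problems.append("[%s] lacks %s" % (group, key))
    return problems
```

Run `diagnose(open(path).read(), "rancid")` against the real file as the same user tac_plus runs the hook as; an empty list means the parser accepted it and the mapped groups exist with all three keys.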

