[tac_plus] do_auth not parsing config file

Alan McKinnon alan.mckinnon at gmail.com
Wed Aug 5 06:53:42 UTC 2015


On 05/08/2015 00:12, Matt Almgren wrote:
> Ok, I've taken the do_auth leap to try and secure our rancid logins.
> 
> 
> I've added this line to the end of the rancid group within tac_plus.conf:
> 
> 
> after authorization "/usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini"
> 
> 
> And I have a simple/default do_auth.ini file:
> 
> 
> rancid =
> 
>     fewcommands
> 
> 
> [fewcommands]
> 
> host_allow =
> 
> .*
> 
> device_permit =
> 
> .*
> 
> command_permit =
> 
> show users
> 
> show int.*
> 
> show ip int.*
> 
> show controllers.*
> 
> show conf.*
> 
> 
> But I seem to be getting these errors in the do_auth.log.  I checked and the file exists and seems permissions are ok:
> 
> 
> root at sjc-nettools01:~/tacacs-do_auth# more log.txt
> 
> 2015-08-03 15:09:00,229 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
> 
> 2015-08-03 15:16:18,673 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
> 
> 2015-08-03 15:16:40,629 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
> 
> 2015-08-04 14:57:49,990 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
> 
> root at sjc-nettools01:~/tacacs-do_auth# ls -lrt /root/tacacs-do_auth/do_auth.ini
> 
> -rw-r--r-- 1 root root 343 Aug  3 15:25 /root/tacacs-do_auth/do_auth.ini
> 
> root at sjc-nettools01:~/tacacs-do_auth#
> 
> 
> 
> tac_plus.log:
> 
> 
> Tue Aug  4 15:10:36 2015 [2950]: After authorization call: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
> 
> Tue Aug  4 15:10:36 2015 [2950]: substitute: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
> 
> Tue Aug  4 15:10:36 2015 [2950]: Dollar substitution: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i 10.1.21.1 -u rancid -d 10.1.0.8 -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
> 
> Tue Aug  4 15:10:36 2015 [2950]: input service=junos-exec
> 
> Tue Aug  4 15:10:36 2015 [2950]: input local-user-name=remote-rancid
> 
> Tue Aug  4 15:10:36 2015 [2950]: pid 2951 child exited status 1
> 
> Tue Aug  4 15:10:36 2015 [2950]: cmd /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini returns 1 (unconditional deny)
> 
> Tue Aug  4 15:10:36 2015 [2950]: authorization query for 'rancid' unknown from 10.1.0.8 rejected
> 
> Tue Aug  4 15:10:36 2015 [2953]: connect from 10.1.0.8 [10.1.0.8]
> 
> 
> 
> I wish it would output more debugs, but that's all I got to go on.
> 
> 
> Anybody see this before?


do-auth is launched by tac_plus and so runs as that user.

Are you running tac_plus as root, or do you drop privs?


-- 
Alan McKinnon
alan.mckinnon at gmail.com
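The single "Can't open/parse config file" line in the thread above covers two different failure classes: the file could not be opened at all by the user the script actually runs as (Alan's point about tac_plus dropping privileges, which matters for a file under /root even when the file itself is mode 644), or it was opened but is not valid INI (in the quoted do_auth.ini, "rancid =" appears before any "[section]" header, which a ConfigParser-based loader rejects). The check below, an added example that is not part of this thread or of the do_auth project, separates the two cases. It assumes do_auth loads its .ini with Python's ConfigParser (labelled as an assumption here), is written for Python 3, and uses a "[users]" section name that is also an assumption; the sample INI bodies are constructed from the fragment quoted in the post.

```python
"""Distinguish 'cannot open' from 'cannot parse' for an INI file such as do_auth.ini.

Added example; not do_auth's own code. Assumes (unverified here) that
do_auth reads its config with ConfigParser, so the same error classes apply.
"""
import configparser
import os
import tempfile

# Constructed sample: the user-to-group mapping as quoted in the post,
# i.e. "rancid =" appears before any [section] header.
INI_NO_SECTION_HEADER = """\
rancid =
    fewcommands

[fewcommands]
host_allow =
    .*
device_permit =
    .*
command_permit =
    show users
    show int.*
"""

# Same content with the mapping placed under a section header.
# "[users]" is an assumption; check the do_auth documentation for the real name.
INI_WITH_SECTION_HEADER = "[users]\n" + INI_NO_SECTION_HEADER


def diagnose_config(path):
    """Return (ok, reason) for the INI file at `path`.

    Step 1 reproduces what the *current* uid can do: if tac_plus drops
    privileges, a file root can read may be unreadable to the daemon's user
    (anything below a mode-700 /root, for instance).  Step 2 checks syntax.
    """
    try:
        with open(path, "r") as fh:
            text = fh.read()
    except FileNotFoundError:
        return False, "open failed: no such file (uid %d)" % os.getuid()
    except PermissionError:
        return False, "open failed: permission denied for uid %d" % os.getuid()

    parser = configparser.ConfigParser()
    try:
        parser.read_string(text, source=path)
    except configparser.MissingSectionHeaderError as exc:
        # Must be caught before ParsingError, which it subclasses.
        return False, "parse failed: line %d is outside any [section]" % exc.lineno
    except configparser.ParsingError as exc:
        return False, "parse failed: %s" % exc
    return True, "sections: %s" % ", ".join(parser.sections())


def demo():
    """Run the check on the constructed samples; returns {name: (ok, reason)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in (("no_header", INI_NO_SECTION_HEADER),
                           ("with_header", INI_WITH_SECTION_HEADER)):
            path = os.path.join(tmp, name + ".ini")
            with open(path, "w") as fh:
                fh.write(body)
            results[name] = diagnose_config(path)
        # A path that does not exist exercises the "cannot open" branch.
        results["missing"] = diagnose_config(os.path.join(tmp, "absent.ini"))
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-12s %s  %s" % (name, "OK " if ok else "BAD", reason))
```

Running `diagnose_config` as the uid tac_plus actually uses (for example via `su` to that account) answers Alan's question directly: a "permission denied" result points at the privilege drop, while a "line 1 is outside any [section]" result points at the file's contents regardless of who runs it.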


