[tac_plus] do_auth not parsing config file

Alan McKinnon alan.mckinnon at gmail.com
Wed Aug 5 11:57:05 UTC 2015


Then it's the "parse" part of the error that is causing issues, not the
"open" part.

Python is very picky about the structure of .ini files, especially with
respect to indentation. Your post shows ".*" in the permit/allow sections to
be indented; I had assumed that was a mail-client pasting issue.

Make sure those are indented same as the commands higher up.

https://github.com/jathanism/do_auth#do_authini is a good template




On 05/08/2015 09:52, Matt Almgren wrote:
> Tac_plus is running as root on this particular server. 
> 
> The permissions on the ini file are that of root, so I'm not sure why it's not able to open it. 
> 
> I can open it as root and edit it.
> 
>  -- Matt
> 
> 
> ________________________________________
> From: tac_plus <tac_plus-bounces at shrubbery.net> on behalf of Alan McKinnon <alan.mckinnon at gmail.com>
> Sent: Tuesday, August 4, 2015 11:53 PM
> To: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] do_auth not parsing config file
> 
> On 05/08/2015 00:12, Matt Almgren wrote:
>> Ok, I've taken the do_auth leap to try and secure our rancid logins.
>>
>> I've added this line to the end of the rancid group within tac_plus.conf:
>>
>> after authorization "/usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini"
>>
>> And I have a simple/default do_auth.ini file:
>>
>> rancid =
>>     fewcommands
>>
>> [fewcommands]
>> host_allow =
>> .*
>> device_permit =
>> .*
>> command_permit =
>> show users
>> show int.*
>> show ip int.*
>> show controllers.*
>> show conf.*
>>
>> But I seem to be getting these errors in the do_auth log. I checked, and the file exists and its permissions seem OK:
>>
>> root at sjc-nettools01:~/tacacs-do_auth# more log.txt
>> 2015-08-03 15:09:00,229 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
>> 2015-08-03 15:16:18,673 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
>> 2015-08-03 15:16:40,629 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
>> 2015-08-04 14:57:49,990 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
>> root at sjc-nettools01:~/tacacs-do_auth# ls -lrt /root/tacacs-do_auth/do_auth.ini
>> -rw-r--r-- 1 root root 343 Aug  3 15:25 /root/tacacs-do_auth/do_auth.ini
>> root at sjc-nettools01:~/tacacs-do_auth#
>>
>> tac_plus.log:
>>
>> Tue Aug  4 15:10:36 2015 [2950]: After authorization call: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
>> Tue Aug  4 15:10:36 2015 [2950]: substitute: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
>> Tue Aug  4 15:10:36 2015 [2950]: Dollar substitution: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i 10.1.21.1 -u rancid -d 10.1.0.8 -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
>> Tue Aug  4 15:10:36 2015 [2950]: input service=junos-exec
>> Tue Aug  4 15:10:36 2015 [2950]: input local-user-name=remote-rancid
>> Tue Aug  4 15:10:36 2015 [2950]: pid 2951 child exited status 1
>> Tue Aug  4 15:10:36 2015 [2950]: cmd /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini returns 1 (unconditional deny)
>> Tue Aug  4 15:10:36 2015 [2950]: authorization query for 'rancid' unknown from 10.1.0.8 rejected
>> Tue Aug  4 15:10:36 2015 [2953]: connect from 10.1.0.8 [10.1.0.8]
>>
>> I wish it would output more debugs, but that's all I got to go on.
>>
>>
>> Anybody see this before?
> 
> 
> do_auth is launched by tac_plus and so runs as that user.
> 
> Are you running tac_plus as root, or do you drop privs?
> 
> 
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
> 
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
> 


-- 
Alan McKinnon
alan.mckinnon at gmail.com
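For anyone who wants to check a do_auth.ini before tac_plus starts rejecting logins, the script below is an added example; it is not part of this thread and not do_auth's own code. It loads INI text with Python's configparser, reports every offending line when parsing fails (the situation behind "returns 1 (unconditional deny)" in the quoted log: the indented line is a continuation of the previous option's value, a flush-left line must itself be a "key = value" option or a [section] header, so an unindented ".*" is a parse error), and then evaluates a request against the parsed rules. The continuation-line rule is the same in Python 2's ConfigParser and Python 3's configparser. Assumptions: the `[users]` section header is taken from the do_auth README (the posted file omits it); the order and anchoring of the host/device/command checks in `authorize()` are a simplified model, not verified against do_auth.py; and the two INI texts are constructed samples, one with the ".*" lines flush-left as posted and one with them indented.

```python
import configparser
import re

# Constructed sample 1: the posted do_auth.ini with the mail-client double
# spacing removed but the continuation lines still flush-left, as in the post.
# The [users] header is assumed from the do_auth README; the post omits it.
BROKEN_INI = """\
[users]
rancid =
    fewcommands

[fewcommands]
host_allow =
.*
device_permit =
.*
command_permit =
show users
show int.*
show conf.*
"""

# Constructed sample 2: the same rules with every continuation line indented,
# which is the layout ConfigParser (Python 2 and 3) requires.
FIXED_INI = BROKEN_INI.replace("\n.*", "\n    .*").replace("\nshow ", "\n    show ")


def _lines(value):
    """Non-empty lines of a multi-line value (ConfigParser joins continuation
    lines with '\\n' and keeps a leading newline after an empty 'key =')."""
    return [ln.strip() for ln in value.splitlines() if ln.strip()]


def load_rules(ini_text):
    """Parse do_auth-style INI text into
    ({"users": {user: [group]}, "groups": {group: {option: [pattern]}}}, [])
    or, on a syntax error, (None, [(lineno, line), ...]) listing every bad line."""
    cp = configparser.RawConfigParser()  # no %-interpolation inside regexes
    cp.optionxform = str                 # keep usernames case-sensitive
    try:
        cp.read_string(ini_text)
    except configparser.Error as exc:
        # ParsingError lists one (lineno, line) per bad line; the missing-header
        # and duplicate errors carry a single lineno/line instead.
        errors = getattr(exc, "errors", None) or [
            (getattr(exc, "lineno", None) or 0, getattr(exc, "line", None) or str(exc))]
        return None, [(int(n), str(line).strip()) for n, line in errors]
    users = {u: _lines(v) for u, v in cp.items("users")} if cp.has_section("users") else {}
    groups = {s: {k: _lines(v) for k, v in cp.items(s)} for s in cp.sections() if s != "users"}
    return {"users": users, "groups": groups}, []


def _any_match(patterns, text):
    # do_auth matches with regular expressions; anchoring at the start of the
    # string (re.match) is an assumption about its exact behaviour.
    return any(re.match(p, text) for p in patterns)


def authorize(rules, user, client_ip, device, command):
    """Simplified model of do_auth's decision (an assumption, not its code):
    the user must be in [users]; for each of their groups a *_deny match
    rejects that group, otherwise host_allow (the -i address), device_permit
    (the -d device) and command_permit must all match.  Anything missing or
    unmatched is a deny, which tac_plus reports as exit status 1."""
    for group in rules["users"].get(user, []):
        g = rules["groups"].get(group, {})
        denied = (_any_match(g.get("host_deny", []), client_ip)
                  or _any_match(g.get("device_deny", []), device)
                  or _any_match(g.get("command_deny", []), command))
        if not denied and (_any_match(g.get("host_allow", []), client_ip)
                           and _any_match(g.get("device_permit", []), device)
                           and _any_match(g.get("command_permit", []), command)):
            return True
    return False


if __name__ == "__main__":
    for label, text in (("as posted", BROKEN_INI), ("indented", FIXED_INI)):
        rules, errors = load_rules(text)
        if rules is None:  # the case behind "returns 1 (unconditional deny)"
            print("%s: cannot parse, every request would be denied" % label)
            for lineno, line in errors:
                print("  line %d: %s" % (lineno, line))
            continue
        # The request from the quoted tac_plus.log, plus a command outside the list.
        for cmd in ("show interfaces", "configure terminal"):
            ok = authorize(rules, "rancid", "10.1.21.1", "10.1.0.8", cmd)
            print("%s: rancid %r -> %s" % (label, cmd, "permit" if ok else "deny"))
```

To check a live file, pass `open(path).read()` to `load_rules()` and run it under the account tac_plus actually executes do_auth as (the privilege question raised earlier in the thread), before restarting tac_plus: a file that fails to parse does not produce a partial rule set, it denies every request for the group, exactly as the quoted log shows.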


