[tac_plus] do_auth not parsing config file

Matt Almgren matta at surveymonkey.com
Wed Aug 5 07:52:29 UTC 2015


Tac_plus is running as root on this particular server. 

The permissions on the ini file are that of root, so I'm not sure why it's not able to open it. 

I can open it as root and edit it.

 -- Matt


________________________________________
From: tac_plus <tac_plus-bounces at shrubbery.net> on behalf of Alan McKinnon <alan.mckinnon at gmail.com>
Sent: Tuesday, August 4, 2015 11:53 PM
To: tac_plus at shrubbery.net
Subject: Re: [tac_plus] do_auth not parsing config file

On 05/08/2015 00:12, Matt Almgren wrote:
> Ok, I've taken the do_auth leap to try and secure our rancid logins.
>
> I've added this line to the end of the rancid group within tac_plus.conf:
>
> after authorization "/usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini"
>
> And I have a simple/default do_auth.ini file:
>
> rancid =
>     fewcommands
>
> [fewcommands]
> host_allow =
> .*
> device_permit =
> .*
> command_permit =
> show users
> show int.*
> show ip int.*
> show controllers.*
> show conf.*
>
> But I seem to be getting these errors in the do_auth.log.  I checked and the file exists and it seems permissions are ok:
>
> root at sjc-nettools01:~/tacacs-do_auth# more log.txt
> 2015-08-03 15:09:00,229 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
> 2015-08-03 15:16:18,673 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
> 2015-08-03 15:16:40,629 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
> 2015-08-04 14:57:49,990 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
> root at sjc-nettools01:~/tacacs-do_auth# ls -lrt /root/tacacs-do_auth/do_auth.ini
> -rw-r--r-- 1 root root 343 Aug  3 15:25 /root/tacacs-do_auth/do_auth.ini
> root at sjc-nettools01:~/tacacs-do_auth#
>
> tac_plus.log:
>
> Tue Aug  4 15:10:36 2015 [2950]: After authorization call: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
> Tue Aug  4 15:10:36 2015 [2950]: substitute: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
> Tue Aug  4 15:10:36 2015 [2950]: Dollar substitution: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i 10.1.21.1 -u rancid -d 10.1.0.8 -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
> Tue Aug  4 15:10:36 2015 [2950]: input service=junos-exec
> Tue Aug  4 15:10:36 2015 [2950]: input local-user-name=remote-rancid
> Tue Aug  4 15:10:36 2015 [2950]: pid 2951 child exited status 1
> Tue Aug  4 15:10:36 2015 [2950]: cmd /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini returns 1 (unconditional deny)
> Tue Aug  4 15:10:36 2015 [2950]: authorization query for 'rancid' unknown from 10.1.0.8 rejected
> Tue Aug  4 15:10:36 2015 [2953]: connect from 10.1.0.8 [10.1.0.8]
>
> I wish it would output more debugs, but that's all I got to go on.
>
> Anybody see this before?


do-auth is launched by tac_plus and so runs as that user.

Are you running tac_plus as root, or do you drop privs?


--
Alan McKinnon
alan.mckinnon at gmail.com
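The "Can't open/parse config file" line in the thread lumps together two different failures: the file could not be opened (permissions, path, dropped privileges) and the file opened but is not valid ini. The check below is an added example, not part of do_auth or the list post; it assumes do_auth reads its ini with Python's ConfigParser and that the documented layout puts the user-to-group mapping inside a [users] section, and it runs the parser over the ini text exactly as posted (no section header above the first key) and over the same text with that header added.

```python
import configparser

# Constructed sample: the do_auth.ini as posted in the thread, with the
# user-to-group mapping placed before any [section] header.
POSTED_INI = """\
rancid =
    fewcommands

[fewcommands]
host_allow =
    .*
device_permit =
    .*
command_permit =
    show users
    show int.*
    show ip int.*
    show controllers.*
    show conf.*
"""

# Same content with the mapping inside a [users] section (assumed layout).
FIXED_INI = "[users]\n" + POSTED_INI


def check_do_auth_ini(text):
    """Parse ini text the way ConfigParser would (assumed to match do_auth).

    Returns ('ok', section_names) or ('parse-error', exception_class_name)."""
    parser = configparser.RawConfigParser()  # no % interpolation of regexes
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return ("parse-error", type(exc).__name__)
    return ("ok", parser.sections())


def check_do_auth_file(path):
    """Separate 'could not open' from 'could not parse' for a file on disk."""
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError as exc:  # PermissionError, FileNotFoundError, ...
        return ("open-error", type(exc).__name__)
    return check_do_auth_ini(text)


if __name__ == "__main__":
    print(check_do_auth_ini(POSTED_INI))  # ('parse-error', 'MissingSectionHeaderError')
    print(check_do_auth_ini(FIXED_INI))   # ('ok', ['users', 'fewcommands'])
```

Running it against the real path as the user tac_plus actually runs as (root here, per the thread) tells you which of the two failures the CRITICAL line is reporting.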

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/tac_plus
