[tac_plus] do_auth not parsing config file

John Fraizer john at op-sec.us
Wed Aug 5 21:39:56 UTC 2015


Matt,

You're missing some stuff...  Specifically, you're missing the [users]
section heading.

Try this:

[users]
rancid =
    rancid_group

[rancid_group]
host_deny =
host_allow =
        .*
device_deny =
device_permit =
        .*
command_deny =
        enable password.*
        enable secret.*
command_permit =
        show.*
        dir.*
        more.*
        copy .*
        terminal .*
        enable.*
        write t.*
        set length .*
        set logging session disable.*
        exit.*
av_pairs =
        priv-lvl=15
        shell:roles="network-admin vdc-admin"
        local-user-name = remote
        allow-commands = (.*copy .*)|(.*show .*)|(.*write .*)|(.*exit)
        deny-commands = .*
        allow-configuration =
        deny-configuration =

And for your rancid group in tac_plus.conf, try:

group = rancid_group {
        default service = permit

        service = exec {
                priv-lvl = 1
                optional idletime = 30
                optional acl = 2
                shell:roles="\"network-operator vdc-operator\""
                }

        service = junos-exec {
                bug-fix = "first pair is lost"
                local-user-name = "remote"
                allow-commands = "(.*exit)|(show cli auth.*)"
                deny-commands = ".*"
                allow-configuration = ""
                deny-configuration = ""
                }

        after authorization "/usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini"
}

I'm using this *exact* do_auth.ini config for RANCID in our network with
devices ranging the spectrum of Cisco CatOS, IOS, IOS-XR, NX-OS, Arista
EOS, and Juniper.

Note: My TAC_PLUS is patched to only send PASS_ADD and never send
PASS_REPL.  I posted my patch to this list a couple of weeks ago.  You may
or may not need that patch to successfully use do_auth.py with your network
devices.  The error you're seeing is based on the lack of the "[users]"
header in your do_auth.ini file though.


--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/


On Tue, Aug 4, 2015 at 3:12 PM, Matt Almgren <matta at surveymonkey.com> wrote:
> rancid =
>     fewcommands
>
> [fewcommands]
> host_allow =
> .*
> device_permit =
> .*
> command_permit =
> show users
> show int.*
> show ip int.*
> show controllers.*
> show conf.*
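As an added example, not part of this reply or of do_auth.py itself: a small Python checker that parses a do_auth.ini in the layout John posted (a constructed, shortened copy of the [users]/[rancid_group] file) with the standard-library configparser, reports the missing [users] heading the way configparser surfaces it, and evaluates a command against a group's command_deny/command_permit lists. The deny-before-permit order and whole-string regex matching are assumptions for illustration, not do_auth's own logic.

```python
import configparser
import re

# Constructed sample in the do_auth.ini layout from the reply above; the
# command lists are shortened to keep the example small.
GOOD_INI = """\
[users]
rancid =
    rancid_group

[rancid_group]
command_deny =
        enable password.*
        enable secret.*
command_permit =
        show.*
        enable.*
        write t.*
        exit.*
"""
# Matt's layout: the [users] heading is absent, so the first option has no section.
BAD_INI = GOOD_INI.replace("[users]\n", "", 1)


def _items(cp, section, option):
    """Split a multi-line option value into its non-empty, stripped lines."""
    raw = cp.get(section, option, fallback="")
    return [ln.strip() for ln in raw.splitlines() if ln.strip()]


def validate(text):
    """Return (parser, problems); an empty problem list means the file is usable."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.MissingSectionHeaderError as exc:
        return cp, [f"line {exc.lineno}: option outside any section (missing [users]?)"]
    if not cp.has_section("users"):
        return cp, ["missing [users] section"]
    problems = [f"user {u!r} names undefined group {g!r}"
                for u in cp["users"] for g in _items(cp, "users", u)
                if not cp.has_section(g)]
    return cp, problems


def command_allowed(cp, group, command):
    """Deny patterns are checked before permit patterns and unmatched commands are
    refused; that order and whole-string matching are assumptions, not do_auth code."""
    if any(re.fullmatch(p, command) for p in _items(cp, group, "command_deny")):
        return False
    return any(re.fullmatch(p, command) for p in _items(cp, group, "command_permit"))
```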