[tac_plus] restrict by time of the day

heasley heas at shrubbery.net
Mon Apr 10 17:38:12 UTC 2017


Sat, Apr 08, 2017 at 06:29:46PM -0400, Asif Iqbal:
> I meant like below per tac_plus.conf man page
> 
> cmd-match
>               Specify a command argument match.
> 
>                   <permission> <regex>
>                   <permission> <regex>
> 
> In the regex, maybe some expression that becomes NUL based on timestamp? I
> do not have any example.

The regex does not match a timestamp; there is in fact no timestamp
involved at all.

You can use do_auth.py or enforce the ToD via PAM.

> Thanks for your help!
> 
> 
> 
> On Sat, Apr 8, 2017 at 6:22 PM, John Fraizer <john at op-sec.us> wrote:
> 
> > That is not supported by tac_plus.
> >
> > On Sat, Apr 8, 2017 at 3:21 PM Asif Iqbal <vadud3 at gmail.com> wrote:
> >
> >> I am not using do_auth.py yet. I was wondering if the regex can be used
> >> to logic the time of the day permit will work until then?
> >>
> >> On Sat, Apr 8, 2017 at 4:42 PM, John Fraizer <john at op-sec.us> wrote:
> >>
> >> You could modify do_auth.py to do this.
> >>
> >> On Fri, Apr 7, 2017 at 4:15 PM Asif Iqbal <vadud3 at gmail.com> wrote:
> >>
> >> Hi
> >>
> >> Is there a way to restrict access to routers with tacacs config based on
> >> time?
> >>
> >> So not allow someone to make any change to the config during work hours?
> >>
> >> I will need to apply something like that short of doing some config swap
> >> with allow/deny as a cronjob.
> >>
> >> Thanks
> >>
> >> --
> >> Asif Iqbal
> >> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> >> A: Because it messes up the order in which people normally read text.
> >> Q: Why is top-posting such a bad thing?
> >> --
> >> --
> >> John Fraizer
> >> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
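A time-of-day authorization decision of the kind the reply above says could be built into do_auth.py, as an added example that is not from the thread and is not do_auth.py's own code. The freeze window, command pattern, break-glass account and function names are assumptions; how the decision is wired into tac_plus depends on the deployment and is not shown.

```python
import re
from datetime import datetime, time, timezone

# Assumed policy, not from the thread: no config changes Mon-Fri 09:00-17:00.
FREEZE_WINDOWS = [({0, 1, 2, 3, 4}, time(9, 0), time(17, 0))]
# Assumed set of commands that change device configuration.
CHANGE_CMD = re.compile(r"^\s*(configure|copy|write|erase|reload)\b", re.I)
BREAK_GLASS = {"oncall-emergency"}  # hypothetical account exempt from the freeze


def in_window(local, days, start, end):
    """True if `local` is inside the window; end <= start means it crosses midnight."""
    t, dow = local.time(), local.weekday()
    if start < end:
        return dow in days and start <= t < end
    if t >= start:                            # late part, belongs to the start day
        return dow in days
    return t < end and (dow - 1) % 7 in days  # early part, began the previous day


def authorize(user, command, now, tz=timezone.utc):
    """Return "permit" or "deny" for one command-authorization request."""
    if now.tzinfo is None:
        raise ValueError("need a timezone-aware timestamp")
    if not CHANGE_CMD.match(command):
        return "permit"                       # read-only commands are not time-gated
    if user in BREAK_GLASS:
        return "permit"
    local = now.astimezone(tz)                # pass zoneinfo.ZoneInfo(...) for site time
    frozen = any(in_window(local, *w) for w in FREEZE_WINDOWS)
    return "deny" if frozen else "permit"


if __name__ == "__main__":
    # Constructed sample requests; 2017-04-10 is a Monday, times are UTC.
    for user, cmd, hour in [("netops1", "configure terminal", 10),
                            ("netops1", "show running-config", 10),
                            ("netops1", "configure terminal", 18),
                            ("oncall-emergency", "configure terminal", 10)]:
        ts = datetime(2017, 4, 10, hour, 0, tzinfo=timezone.utc)
        print(ts.isoformat(), user, cmd, "->", authorize(user, cmd, ts))
```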