9 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
I want to configure and run sshd server on my unix box. I already have that installed.
# yum -y install openssh-server openssh-clients
Loaded plugins: fastestmirror, presto, refresh-packagekit
Loading mirror speeds from cached hostfile
* base: centos.mirror.constant.com
* epel:... (1 Reply)
Discussion started by: nitalchandel
1 Replies
2. IP Networking
I have customer who controls access to the internet via TACACS server, basically a PIX firewall uses authentication from the TACACS to say if traffic is allowed to pass out of the gateway. I can't find anything on how to configure a linux client of TACACS authentication only how to set up a linux... (1 Reply)
Discussion started by: metallica1973
1 Replies
3. Cybersecurity
Can someone please posts the steps needed to configure a UNIX server to authenticate with a TACACS+ server or point me in the right direction been googling for 2 days now. Thanks (1 Reply)
Discussion started by: supadee718
1 Replies
4. UNIX for Advanced & Expert Users
Can someone please posts the steps needed to configure a UNIX server to authenticate with a TACACS+ server or point me in the right direction been googling for 2 days now. Thanks (0 Replies)
Discussion started by: supadee718
0 Replies
5. UNIX for Dummies Questions & Answers
Seek help configuring Sendmail 8.14.4 Unix server.
Not sure if this is the correct place to post or the Unix/Linux Forums job board. Seeking help configuring sendmail 8.14.4 on my Unix server. It appears I have an open relay. I was advised I need to modify a etc/mail/dir , a command line entry... (0 Replies)
Discussion started by: raecampus
0 Replies
6. Shell Programming and Scripting
At times I find the need to test that the tacacs port 49 is open.
The code below works but is painfully slow because I have to wait on the timeouts.
Examples of possible responds
router1#telnet 10.11.20.14 49
Trying 206.112.204.140, 49 ... Open
route1#telnet 10.11.19.14 49
Trying... (1 Reply)
Discussion started by: popeye
1 Replies
7. Shell Programming and Scripting
Hi
I want to create a script that will authenticate user from a file and if both of them match then only the script is allowed to be executed...
Suppose I have a script say test.sh and a file config.txt
for users whose user ids exist in the text file should only be given permission to... (1 Reply)
Discussion started by: ultimatix
1 Replies
8. UNIX for Dummies Questions & Answers
Dear all
I want to redirect the logs of the syslog of a tru64 unix machine in a log and event monitoring tool installed in another server. In the syslog.conf i have appended *.*@<server_name> at the end, where <server_name> is the name of the machine on which the reporting tool is running. I... (0 Replies)
Discussion started by: adak2010
0 Replies
9. HP-UX
Hi all,
I have installed a software on a local machine running UNIX .
Using NetBatch utility, In the COMMUNICATION file on this Local UNIX machine I have added:
remote_machine_name:OS: Description:Type
so that I can use this remote machine running UNIX to complete jobs which are... (0 Replies)
Discussion started by: molly81
0 Replies
LIBTACPLUS(3) BSD Library Functions Manual LIBTACPLUS(3)
NAME
libtacplus -- TACACS+ client library
SYNOPSIS
#include <taclib.h>
int
tac_add_server(struct tac_handle *h, const char *host, int port, const char *secret, int timeout, int flags);
void
tac_clear_avs(struct tac_handle *h);
void
tac_close(struct tac_handle *h);
int
tac_config(struct tac_handle *h, const char *path);
int
tac_create_authen(struct tac_handle *h, int action, int type, int service);
int
tac_create_author(struct tac_handle *h, int method, int type, int service);
int
tac_create_acct(struct tac_handle *h, int acct, int action, int type, int service);
char *
tac_get_av(struct tac_handle *h, u_int index);
char *
tac_get_av_value(struct tac_handle *h, const char *attribute);
void *
tac_get_data(struct tac_handle *h, size_t *len);
char *
tac_get_msg(struct tac_handle *h);
struct tac_handle *
tac_open(void);
int
tac_send_authen(struct tac_handle *h);
int
tac_send_author(struct tac_handle *h);
int
tac_send_acct(struct tac_handle *h);
int
tac_set_av(struct tac_handle *h, u_int index, const char *av_pair);
int
tac_set_data(struct tac_handle *h, const void *data, size_t data_len);
int
tac_set_msg(struct tac_handle *h, const char *msg);
int
tac_set_port(struct tac_handle *h, const char *port);
int
tac_set_priv(struct tac_handle *h, int priv);
int
tac_set_rem_addr(struct tac_handle *h, const char *addr);
int
tac_set_user(struct tac_handle *h, const char *user);
const char *
tac_strerror(struct tac_handle *h);
DESCRIPTION
The libtacplus library implements the client side of the TACACS+ network access control protocol. TACACS+ allows clients to perform authen-
tication, authorization, and accounting by means of network requests to remote servers. This library currently supports only the authentica-
tion and authorization portion of the protocol.
INITIALIZATION
To use the library, an application must first call tac_open() to obtain a struct tac_handle *, which provides context for subsequent opera-
tions. Calls to tac_open() always succeed unless insufficient virtual memory is available. If the necessary memory cannot be allocated,
tac_open() returns NULL.
Before issuing any TACACS+ requests, the library must be made aware of the servers it can contact. The easiest way to configure the library
is to call tac_config(). tac_config() causes the library to read a configuration file whose format is described in tacplus.conf(5). The
pathname of the configuration file is passed as the file argument to tac_config(). This argument may also be given as NULL, in which case
the standard configuration file /etc/tacplus.conf is used. tac_config() returns 0 on success, or -1 if an error occurs.
The library can also be configured programmatically by calls to tac_add_server(). The host parameter specifies the server host, either as a
fully qualified domain name or as a dotted-quad IP address in text form. The port parameter specifies the TCP port to contact on the server.
If port is given as 0, the library uses port 49, the standard TACACS+ port. The shared secret for the server host is passed to the secret
parameter. It may be any null-terminated string of bytes. The timeout for receiving replies from the server is passed to the timeout param-
eter, in units of seconds. The flags parameter is a bit mask of flags to specify various characteristics of the server. It may contain:
TAC_SRVR_SINGLE_CONNECT
Causes the library to attempt to negotiate single connection mode when communicating with the server. In single connection mode,
the original TCP connection is held open for multiple TACACS+ sessions. Older servers do not support this mode, and some of them
become confused if the client attempts to negotiate it.
tac_add_server() returns 0 on success, or -1 if an error occurs.
tac_add_server() may be called multiple times, and it may be used together with tac_config(). At most 10 servers may be specified. When
multiple servers are given, they are tried in round-robin fashion until a working, accessible server is found. Once the library finds such a
server, it continues to use it as long as it works.
CREATING A TACACS+ AUTHENTICATION REQUEST
To begin constructing a new authentication request, call tac_create_authen(). The action, type, and service arguments must be set to appro-
priate values as defined in the TACACS+ protocol specification. The <taclib.h> header file contains symbolic constants for these values.
CREATING A TACACS+ AUTHORIZATION REQUEST
To begin constructing a new authorization request, call tac_create_author(). The method, type, and service arguments must be set to appro-
priate values as defined in the TACACS+ protocol specification. The <taclib.h> header file contains symbolic constants for these values.
CREATING A TACACS+ ACCOUNTING REQUEST
To begin constructing a new accounting request, call tac_create_acct(). The acct, action, type, and service arguments must be set to appro-
priate values as defined in the TACACS+ protocol specification. The <taclib.h> header file contains symbolic constants for these values.
SETTING OPTIONAL PARAMETERS ON A REQUEST
After creating a request, various optional parameters may be attached to it through calls to tac_set_av(), tac_set_data(), tac_set_port(),
tac_set_priv(), tac_set_rem_addr(), and tac_set_user(). The library creates its own copies of any strings provided to these functions, so
that it is not necessary for the caller to preserve them. By default, each of these parameters is empty except for the privilege level,
which defaults to 'USER' privilege.
tac_set_av() only applies to the context of an authorization request. The format for an attribute value pair is defined in the TACACS+ pro-
tocol specification. The index specified can be any value between 0 and 255 inclusive and indicates the position in the list to place the
attribute value pair. Calling tac_set_av() with same index twice effectively replaces the value at that position. Use tac_clear_avs() to
clear all attribute value pairs that may have been set.
SENDING THE AUTHENTICATION REQUEST AND RECEIVING THE RESPONSE
After the TACACS+ authentication request has been constructed, it is sent by means of tac_send_authen(). This function connects to a server
if not already connected, sends the request, and waits for a reply. On failure, tac_send_authen() returns -1. Otherwise, it returns the
TACACS+ status code and flags, packed into an integer value. The status can be extracted using the macro TAC_AUTHEN_STATUS(). Possible sta-
tus codes, defined in <taclib.h>, include:
TAC_AUTHEN_STATUS_PASS
TAC_AUTHEN_STATUS_FAIL
TAC_AUTHEN_STATUS_GETDATA
TAC_AUTHEN_STATUS_GETUSER
TAC_AUTHEN_STATUS_GETPASS
TAC_AUTHEN_STATUS_RESTART
TAC_AUTHEN_STATUS_ERROR
TAC_AUTHEN_STATUS_FOLLOW
The only flag is the no-echo flag, which can be tested using the macro TAC_AUTHEN_NOECHO().
EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE
An authentication response packet from the server may contain a server message, a data string, or both. After a successful call to
tac_send_authen(), this information may be retrieved from the response by calling tac_get_msg() and tac_get_data(). These functions return
dynamically-allocated copies of the information from the packet. The caller is responsible for freeing the copies when it no longer needs
them. The data returned from these functions is guaranteed to be terminated by a null byte.
In the case of tac_get_data(), the len argument points to a location into which the library will store the actual length of the received
data, not including the null terminator. This argument may be given as NULL if the caller is not interested in the length.
SENDING AUTHENTICATION CONTINUE PACKETS
If tac_send_authen() returns a value containing one of the status codes TAC_AUTHEN_STATUS_GETDATA, TAC_AUTHEN_STATUS_GETUSER, or
TAC_AUTHEN_STATUS_GETPASS, then the client must provide additional information to the server by means of a TACACS+ CONTINUE packet. To do
so, the application must first set the packet's user message and/or data fields using tac_set_msg() and tac_set_data(). The client then
sends the CONTINUE packet with tac_send_authen(). N.B., tac_create_authen() should not be called to construct a CONTINUE packet; it is used
only for the initial authentication request.
When it receives the CONTINUE packet, the server may again request more information by returning TAC_AUTHEN_STATUS_GETDATA,
TAC_AUTHEN_STATUS_GETUSER, or TAC_AUTHEN_STATUS_GETPASS. The application should send further CONTINUEs until some other status is received
from the server.
SENDING THE AUTHORIZATION REQUEST AND RECEIVING THE RESPONSE
After the TACACS+ authorization request has been constructed, it is sent by means of tac_send_author(). This function connects to a server
if not already connected, sends the request, and waits for a reply. On failure, tac_send_author() returns -1. Otherwise, it returns the
TACACS+ status code and number of attribute value (AV) pairs received packed into an integer value. The status can be extracted using the
macro TAC_AUTHOR_STATUS(). Possible status codes, defined in <taclib.h>, include:
TAC_AUTHOR_STATUS_PASS_ADD
TAC_AUTHOR_STATUS_PASS_REPL
TAC_AUTHOR_STATUS_FAIL
TAC_AUTHOR_STATUS_ERROR
The number of AV pairs received is obtained using TAC_AUTHEN_AV_COUNT().
SENDING THE ACCOUNTING REQUEST AND RECEIVING THE RESPONSE
After the TACACS+ authorization request has been constructed, it is sent by means of tac_send_acct(). This function connects to a server if
not already connected, sends the request, and waits for a reply. On failure, tac_send_acct() returns -1. Otherwise, it returns the TACACS+
status code. Possible status codes, defined in <taclib.h>, include:
TAC_ACCT_STATUS_SUCCESS
TAC_ACCT_STATUS_ERROR
TAC_ACCT_STATUS_FOLLOW
EXTRACTING INFORMATION FROM THE SERVER'S AUTHORIZATION RESPONSE
Like an authentication response packet, an authorization response packet from the server may contain a server message, a data string, or
both. Refer to EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE for instruction on extraction of those values.
An authorization response packet from the server may also contain attribute value (AV) pairs. To extract these, use tac_get_av() or
tac_get_av_value(). tac_get_av() takes the index of the AV pair as it is positioned in the list. The indexes start at 0 (use
TAC_AUTHEN_AV_COUNT() on the return value of tac_send_author() to get the total number of items in this list). Alternatively,
tac_get_av_value() can be used. tac_get_av_value() takes the attribute name and returns the corresponding value only, not the AV pair.
These functions return dynamically-allocated copies of the information from the packet. The caller is responsible for freeing the copies
when it no longer needs them. The data returned from these functions is guaranteed to be terminated by a null byte.
OBTAINING ERROR MESSAGES
Those functions which accept a struct tac_handle * argument record an error message if they fail. The error message can be retrieved by
calling tac_strerror(). The message text is overwritten on each new error for the given struct tac_handle *. Thus the message must be
copied if it is to be preserved through subsequent library calls using the same handle.
CLEANUP
To free the resources used by the TACACS+ library, call tac_close().
RETURN VALUES
The following functions return a non-negative value on success. If they detect an error, they return -1 and record an error message which
can be retrieved using tac_strerror().
tac_add_server()
tac_config()
tac_create_authen()
tac_create_author()
tac_create_acct()
tac_send_authen()
tac_send_author()
tac_send_acct()
tac_set_av()
tac_set_data()
tac_set_msg()
tac_set_port()
tac_set_priv()
tac_set_rem_addr()
tac_set_user()
The following functions return a non-NULL pointer on success. If they are unable to allocate sufficient virtual memory, they return NULL and
record an error message which can be retrieved using tac_strerror().
tac_get_av()
tac_get_av_value()
tac_get_data()
tac_get_msg()
The following functions return a non-NULL pointer on success. If they are unable to allocate sufficient virtual memory, they return NULL,
without recording an error message.
tac_open()
FILES
/etc/tacplus.conf
SEE ALSO
tacplus.conf(5)
D. Carrel and Lol Grant, The TACACS+ Protocol, Version 1.78, draft-grant-tacacs-02.txt (Internet Draft).
AUTHORS
This software was written by John Polstra and Paul Fraley, and donated to the FreeBSD project by Juniper Networks, Inc.
BSD
December 11, 2009 BSD