do_auth(8) [debian man page]

do_auth(8)						      System Manager's Manual							do_auth(8)

NAME
       do_auth - Program allowing more granular control than tac_plus.

SYNOPSIS
       do_auth -u user [-i Ip Address] [-d Device address] [-f Config filename] [-l Log file] [-D Debug mode]

DESCRIPTION
       do_auth is a python program written to work as an authorization script for tacacs to allow greater flexibility in tacacs authentication. It allows a user to be part of many predefined groups that can allow different access to different devices based on ip, user, and source address.

       Groups are assigned to users in the [users] section. A user must be assigned to one or more groups, one per line. Groups are defined in brackets, but can be any name. Each group can have up to 6 options as defined below.

       host_deny        Deny any user coming from this host. Optional.
       host_allow       Allow users from this range. Mandatory with -i.
       device_deny      Deny any device with this IP. Optional.
       device_permit    Allow this range. Mandatory if -d is specified.
       command_deny     Deny these commands. Optional.
       command_permit   Allow these commands. Mandatory.

       The options are parsed in order till a match is found. Obviously, for login, the commands section is not parsed. If a match is not found, or a deny is found, we move on to the next group. At the end, we have an implicit deny if no groups match.

       All tacacs keys passed on login to do_auth are returned (except cmd*). It is possible to modify them, but I haven't implemented this yet as I don't need it. Future versions may have an av_pair & append_av_pair option.

OPTIONS
       -u     Username. Mandatory. $user
       -i     Ip address of user. Optional. If not specified, all host_ entries are ignored and can be omitted. $address
       -d     Device address. Optional. If not specified, all device_ entries are ignored and can be omitted. $name
       -f     Config Filename. Default is do_auth.ini.
       -l     Logfile. Default is log.txt.
       -D     Activate debug mode.

EXAMPLES
       do_auth -i $address -u $user -d $name -l /var/log/do_auth.log -f /etc/tacacs+/do_auth.ini

EXIT STATUS
       do_auth returns 0 to allow, 1 to deny authorization.

AUTHOR
       Henry-Nicolas Tourneur from the do_auth file written by Dan Schmidt.

SEE ALSO
       tac_plus(8), tac_plus.conf(5)

version 1.2                                                      February 27, 2010                                                      do_auth(8)
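
The group evaluation order from DESCRIPTION (deny, then allow, per option pair; next group on a miss; implicit deny at the end), as an added example that is not do_auth's own code. The config sample, the user and group names, and the choice to match each value as a regular expression with re.match are assumptions; the man page only speaks of hosts and ranges.

```python
import configparser
import re

# Constructed sample (not shipped with do_auth). Assumption: values are regexes, one per line.
SAMPLE_INI = r"""
[users]
alice =
    noc_readonly
    lab_admin
[noc_readonly]
host_allow =
    10\.1\..*
device_permit =
    192\.168\.10\..*
command_deny =
    configure.*
command_permit =
    show.*
[lab_admin]
host_deny =
    10\.1\.9\.9$
host_allow =
    10\.1\..*
device_permit =
    172\.16\..*
command_permit =
    .*
"""
ALLOW, DENY = 0, 1  # exit status values given in the man page
CFG = configparser.RawConfigParser()
CFG.read_string(SAMPLE_INI)

def entries(cfg, section, option):
    raw = cfg.get(section, option, fallback="")
    return [line.strip() for line in raw.splitlines() if line.strip()]

def hit(cfg, group, option, value):
    return any(re.match(p, value) for p in entries(cfg, group, option))

def authorize(cfg, user, ip=None, device=None, command=None):
    for g in entries(cfg, "users", user):
        if ip is not None and (hit(cfg, g, "host_deny", ip) or not hit(cfg, g, "host_allow", ip)):
            continue  # a deny or a missing allow sends us to the next group
        if device is not None and (hit(cfg, g, "device_deny", device) or not hit(cfg, g, "device_permit", device)):
            continue
        # Login (no command) skips the command options entirely.
        if command is None or (not hit(cfg, g, "command_deny", command) and hit(cfg, g, "command_permit", command)):
            return ALLOW
    return DENY  # implicit deny when no group matches
```

Under this matching assumption a pattern is anchored only at its start, so the host_deny entry ends in `$`; without it, 10.1.9.90 would be denied along with 10.1.9.9.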

Check Out this Related Man Page

ftphosts(4)                                                        File Formats                                                        ftphosts(4)

NAME
       ftphosts - FTP Server individual user host access file

SYNOPSIS
       /etc/ftpd/ftphosts

DESCRIPTION
       The ftphosts file is used to allow or deny access to accounts from specified hosts. The following access capabilities are supported:

       allow username addrglob [addrglob...]
              Only allow users to login as username from host(s) that match addrglob.

       deny username addrglob [addrglob...]
              Do not allow users to login as username from host(s) that match addrglob.

       A username of * matches all users. A username of anonymous or ftp specifies the anonymous user.

       addrglob is a regular expression that is matched against hostnames or IP addresses. addrglob may also be in the form address:netmask or address/CIDR, or be the name of a file that starts with a slash ('/') and contains additional address globs. An exclamation mark (`!') placed before the addrglob negates the test.

       The first allow or deny entry in the ftphosts file that matches a username and host is used. If no entry exists for a username, then access is allowed. Otherwise, a matching allow entry is required to permit access.

EXAMPLES
       You can use the following ftphosts file to allow anonymous access from any host except those on the class A network 10, with the exception of 10.0.0.* IP addresses, which are allowed access:

              allow ftp 10.0.0.*
              deny ftp 10.*.*.*
              allow ftp *

       10.0.0.* can be written as 10.0.0.0:255.255.255.0 or 10.0.0.0/24.

FILES
       /etc/ftpd/ftphosts

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
       +-----------------------------+-----------------------------+
       |Availability                 |SUNWftpr                     |
       +-----------------------------+-----------------------------+
       |Interface Stability          |External                     |
       +-----------------------------+-----------------------------+

SEE ALSO
       in.ftpd(1M), ftpaccess(4), attributes(5)

SunOS 5.10                                                         1 May 2003                                                          ftphosts(4)