tac_plus.8.in
.\"
.hys 50
.TH tac_plus 8 "28 July 2009"
.\"
.SH NAME
tac_plus \- tacacs plus daemon
.\"
.SH SYNOPSIS
.B tac_plus
.BI \-C
<configfile>
[\fB\-GghiLPSstv\fP]
[\c
.BI \-B
<bind_address>]
[\c
.BI \-d
<level>]
[\c
.BI \-l
<logfile>]
[\c
.BI \-p
<tcp_port>]
[\c
.BI \-u
<wtmpfile>]
[\c
.BI \-w
<wholog>]
.\"
.SH DESCRIPTION
By default, tac_plus listens on tcp port
.B 49
and provides network devices (normally routers and access servers) with
authentication, authorization and accounting services.
.PP
A configuration file controls the details of authentication,
authorization and accounting.
.PP
.\"
.SH COMMAND-LINE OPTIONS
.TP
.B \-C <configfile>
.IP
Specify the configuration file name. The
.B \-C
option is
.B required.
.\"
.TP
.B \-B <bind address>
.IP
Specify the address on which the daemon should
.BR bind (2).
Successive instances of
.B \-B
override previous instances. By default, the daemon listens on all
addresses.
Note: this changes the name of the pid file created by the daemon.
.\"
.TP
.B \-G
Remain in the foreground, but neither single-threaded nor logging to the tty.
.\"
.TP
.B \-d <level>
Switch on debugging. By default the output will appear in the log file and
.BR syslog (3).
.sp
NOTE: The
.B \-g
flag will cause these messages to also appear on stdout. The
.B \-t
flag will cause these messages to also be written to /dev/console.
.sp
The value of level is as described below. These values represent bits
that can be logically OR'd together. The daemon logically ORs successive
occurrences of the
.B \-d
option.
.sp
.nf
Value Meaning
2 configuration parsing debugging
4 fork(2) debugging
8 authorization debugging
16 authentication debugging
32 password file processing debugging
64 accounting debugging
128 config file parsing & lookup
256 packet transmission/reception
512 encryption/decryption
1024 MD5 hash algorithm debugging
2048 very low level encryption/decryption
32768 max session debugging
65536 lock debugging
.fi
.\"
.TP
.B \-g
Single threaded mode. The daemon will only accept and service a single
connection at a time without forking and without closing file
descriptors. All log messages appear on standard output.
.sp
This is intended only for debugging and not for normal service.
.sp
This option does not work with single-connection sessions.
.\"
.TP
.B \-h
Display help message.
.\"
.TP
.B \-i
.B tac_plus
will be run from inetd(8). In inetd mode, the configuration file is
parsed every time
.B tac_plus
starts.
.sp
If the configuration is large or the frequency of connections is
high, this will negatively affect the responsiveness of the daemon.
.sp
If the config file is small, connections are infrequent, and authentication
is being done via passwd(5) files or SKEY (which are not cached), running
in inetd mode should be tolerable, but still is not recommended.
.sp
This option does not work with single-connection sessions.
.\"
.TP
.B \-l <logfile>
Specify an alternate log file location.
This file is only used when the
.B \-d
option is used.
The logs are still posted to syslog.
.\"
.TP
.B \-L
Look up the DNS PTR (Domain Name System PoinTeR) record of client addresses.
The resulting FQDN (Fully Qualified Domain Name), if it resolves, will be
used in log messages, libwrap (tcp_wrappers) checks, and for matching host
clauses of the configuration file. Also see
.BR tac_plus.conf (5).
.\"
.TP
.B \-P
Parse the configuration file, echo it to standard output while
parsing, and then exit.
.B tac_plus
will exit non-zero when a parser error occurs.
.sp
Useful for debugging configuration file syntax.
.\"
.TP
.B \-p <port>
Listen on the specified port number instead of the default port
.B 49
for incoming tcp connections. Note: this changes the name of the
pid file created by the daemon.
.\"
.TP
.B \-S
Enables or allows client single-connection mode, whereby the client will
create one connection and interleave queries.
.sp
Note: this is broken in IOS and IOS-XE.
.sp
Note: this is currently only partially supported in the daemon.
.\"
.TP
.B \-s
Causes the daemon to always reject authentication requests which contain
a minor version number of zero (SENDPASS). This enhances security in the
event that someone discovers your encryption key. SENDPASS requests
permit requesters to obtain CHAP, PAP and ARAP passwords from the daemon,
iff the encryption key is known.
.sp
Note: IOS versions preceding 11.2 will fail.
.\"
.TP
.B \-t
Log all informational, debugging or error messages to
.B /dev/console
in addition to logging to syslogd. Useful for debugging.
.\"
.TP
.B \-u <wtmpfile>
Write wtmp entries to the specified wtmp file.
.\"
.TP
.B \-v
Display version information and exit.
.\"
.TP
.B \-w <wholog>
Specify the location of the max session file.
.\"
.SH STARTING
.B tac_plus
is normally invoked by root, as follows:
.sp
# tac_plus -C <configfile>
.sp
where <configfile> is a full path to the configuration file. Tac_plus
will background itself and start listening on port 49 for incoming tcp
connections.
.sp
Tac_plus must be invoked as root to obtain privileged network socket
49 and to read the protected configuration file, which may contain
confidential information such as encryption keys and cleartext
passwords.
.sp
After the port is acquired and the config file is read, root
privileges are no longer required. You can arrange that tac_plus will
change its user and group IDs to a more innocuous user and group via the
configuration file.
.sp
NOTE: The new user and group still need permission to read any
passwd(5) (and shadow(5)) files and S/KEY database if these are being used.
.\"
.SH "TCP WRAPPERS"
If
.B tac_plus
was compiled with libwrap (a.k.a. tcp_wrappers) support, upon connection
the daemon will consult with tcp_wrappers on whether the client has
permission to connect. The daemon name used in a daemon list of the
access control file is the name of the executable, normally "tac_plus".
See
.BR hosts_access (5).
.\"
.SH PERMISSIONS
The configuration file should be unreadable and unwritable by anyone except
root, as it contains passwords and keys.
.\"
.SH SIGNALS
If the daemon receives a SIGHUP or SIGUSR1, it will reinitialize itself
and re-read its configuration file.
.sp
Note: if an error is encountered in the configuration file or the file
cannot be opened for reading, such as due to insufficient permissions resulting
from process ownership and file permissions, the daemon will exit.
.sp
Likewise, if the daemon is configured to send accounting records to a file
and that file cannot be opened for writing, such as due to insufficient
permissions resulting from process ownership and file permissions, the daemon
will exit.
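As an added example (not part of the tac_plus distribution or of this manual), a POSIX shell helper that applies the PERMISSIONS, \-P and SIGNALS guidance above before a reload: it refuses to send SIGHUP unless the configuration file has no group/other permission bits, is owned by the expected user (root by default) and parses cleanly with \-P, since a HUP into a broken or unreadable config makes the daemon exit. The tac_plus and pid file paths are placeholders, and the order in which the \-B and \-p suffixes are appended in pidfile_for when both are given is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the tac_plus distribution: check a config and its
# permissions, parse it with -P, and only then HUP the running daemon.
# TAC_PLUS is a placeholder path; @TACPLUS_PIDFILE@ is only known after the
# build substitutes it, so the pid file path is passed in by the caller.
TAC_PLUS="${TAC_PLUS:-/usr/sbin/tac_plus}"

# Accept only a regular file with no group/other permission bits and the
# expected owner (root by default), as the PERMISSIONS section requires.
config_perms_ok() {
    want="${2:-root}"
    [ -f "$1" ] || return 1
    set -- $(ls -ld "$1")                    # $1 = mode string, $3 = owner
    case "$1" in
        ?r??------|?r??------.) [ "$3" = "$want" ] ;;   # e.g. -rw------- root
        *) return 1 ;;
    esac
}

# Pid file name for a given -B address and -p port. The FILES section says
# ".bind_address" and ".port_number" are appended; the order used here when
# both are present is an assumption of this example.
pidfile_for() {
    pf="$1"
    [ -n "$2" ] && pf="$pf.$2"
    [ -n "$3" ] && pf="$pf.$3"
    printf '%s\n' "$pf"
}

# Check permissions, parse with -P (stdout discarded: -P echoes the config,
# keys included, so never tee it into a log), then HUP the recorded pid.
reload_tac_plus() {
    cfg="$1"; pidfile="$2"
    config_perms_ok "$cfg" || { echo "refusing: bad mode/owner on $cfg" >&2; return 2; }
    if ! "$TAC_PLUS" -P -C "$cfg" >/dev/null 2>&1; then
        echo "refusing: $cfg does not parse (tac_plus -P exited non-zero)" >&2
        return 3
    fi
    pid=$(cat "$pidfile") || return 4
    kill -HUP "$pid"
}

# Usage with placeholder paths, for a daemon started with -p 4949:
#   reload_tac_plus /etc/tac_plus.conf "$(pidfile_for /var/run/tac_plus.pid "" 4949)"
```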
.\"
.SH "LOG MESSAGES"
.B tac_plus
logs error and informational messages to syslog facility LOG_DAEMON.
.\"
.SH FILES
.TP 30
.B @TACPLUS_ACCTFILE@
Default accounting file.
.\"
.TP
.B @TACPLUS_LOGFILE@
Default log file used when the
.B \-d
option is used.
.\"
.TP
.B @TACPLUS_PIDFILE@
Pid file.
If the
.B \-B
option is used, ".bind_address" is appended.
If the
.B \-p
option is used, ".port_number" is appended.
.\"
.SH "SEE ALSO"
.BR tac_plus.conf (5),
.BR tac_pwd (8)
.PP
Also see the
.B tac_plus
User Guide (user_guide) that came with the distribution.
The user guide does not cover all the modifications to the original
Cisco version.
.\"
.SH HISTORY
There are at least 3 versions of the authentication protocol that people
commonly refer to as "TACACS".
.sp
The first is ordinary tacacs, which was the first one offered on Cisco
boxes and has been in use for many years. The second is an extension
to the first, commonly called Extended Tacacs or XTACACS, introduced
in 1990.
.sp
The third one is TACACS+ (or T+ or tac_plus) which is what is documented
here. TACACS+ is NOT COMPATIBLE with any previous versions of tacacs.
.\"
.SH AUTHOR
The tac_plus (tacacs+) developer's kit is a product of Cisco Systems,
written by Lol Grant. Made available at no cost and with no warranty
of any kind. See the file COPYING and source files that came with the
distribution for specifics.
.sp
Though heavily modified from the original Cisco manual pages, many of
the modifications are derived from the tacacs IETF draft and the
Cisco user guide.