This repository was archived by the owner on Oct 13, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathChangeLog
More file actions
33 lines (23 loc) · 1.21 KB
/
ChangeLog
File metadata and controls
33 lines (23 loc) · 1.21 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
2016-10-13 tacplus-auth v1.0.0 Dave Olson <olson@cumulusnetworks.com>
First revision:
This program does TACACS+ per-command authorization, using the libtac
interfaces.
It is expected to be symlink'ed or linked into a bin directory for
restricted shell users such as rbash. A link should exist
for every command the restricted user might run.
The real command is found by checking the directories in PATH from the
ENV_PATH variable in /etc/login.defs, and if that file is not found, by
looking for PATH in /etc/environment. This works for at least the major
Linux distributions, and also netbsd and freebsd.
tacplus-auth is installed setuid so it can get the list of
tacacs servers from /etc/tacplus_servers.
tacplus-auth sends the command and arguments (up to 250 characters)
to each tacacs server for authorization.
It tries each server in turn until it gets successful permission or there
are no more servers. All servers are tried in case they have different
databases.
If authorization is succesful, the real command is executed with the same
arguments.
debug can be enabled from /etc/tacplus_servers, and if enabled, debug
messages are printed on stderr.
See README for more details and limitations.