Poster of Linux kernelThe best gift for a Linux geek
do_auth

do_auth

Section: Maintenance Commands (8) Updated: February 27, 2010
Local index Up
 

NAME

do_auth - Program allowing more granular control than tac_plus.  

SYNOPSIS

do_auth -u user [-i Ip Address] [-d Device address] [-f Config filename] [-l Log file] [-D Debug mode]  

DESCRIPTION

do_auth is a python program written to work as an authorization script for tacacs to allow greater flexability in tacacs authentication. It allows a user to be part of many predefined groups that can allow different access to different devices based on ip, user, and source address.

Groups are assigned to users in the [users] section. A user must be assigned to one or more groups, one per line. Groups are defined in brackets, but can be any name. Each group can have up to 6 options as defined below.


 host_deny              Deny any user coming from this host.  Optional.

 host_allow             Allow users from this range. Mandatory with -i.

 device_deny            Deny any device with this IP.  Optional.

 device_permit          Allow this range. Mandatory if -d is specified.

 command_deny           Deny these commands.  Optional.

 command_permit Allow these commands.  Mandatory.

The options are parsed in order till a match is found. Obviously, for login, the commands section is not parsed. If a match is not found, or a deny is found, we move on to the next group. At the end, we have an implicit deny if no groups match. All tacacs keys passed on login to do_auth are returned. (except cmd*) It is possible to modify them, but I haven't implemented this yet as I don't need it. Future versions may have an av_pair & append_av_pair option.

 

OPTIONS

-u
Username. Mandatory. $user
-i
Ip address of user. Optional. If not specified, all host_ entries are ignored and can be omitted. $address
-d
Device address. Optional. If not specified, all device_ entries are ignored and can be omitted. $name
-f
Config Filename. Default is do_auth.ini.
-l
Logfile. Default is log.txt.
-D
Activate debug mode.
 

EXAMPLES

do_auth -i $address -u $user -d $name -l /var/log/do_auth.log -f /etc/tacacs+/do_auth.ini

 

EXIT STATUS

do_auth returns 0 to allow, 1 to deny authorization.  

AUTHOR

Henry-Nicolas Tourneur from the do_auth file written by Dan Schmidt.  

SEE ALSO

tac_plus(8), tac_plus.conf(5)


 

Index

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
EXAMPLES
EXIT STATUS
AUTHOR
SEE ALSO

This document was created by man2html, using the manual pages.
Time: 22:01:32 GMT, April 16, 2011