lib/libtacplus/tacplus.conf.5
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||||
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||||
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||||
.\" SUCH DAMAGE. | .\" SUCH DAMAGE. | ||||
.\" | .\" | ||||
.\" $FreeBSD$ | .\" $FreeBSD$ | ||||
.\" | .\" | ||||
.Dd July 29, 1998 | .Dd June 13, 2023 | ||||
.Dt TACPLUS.CONF 5 | .Dt TACPLUS.CONF 5 | ||||
.Os | .Os | ||||
.Sh NAME | .Sh NAME | ||||
.Nm tacplus.conf | .Nm tacplus.conf | ||||
.Nd TACACS+ client configuration file | .Nd TACACS+ client configuration file | ||||
.Sh SYNOPSIS | .Sh SYNOPSIS | ||||
.Pa /etc/tacplus.conf | .Pa /etc/tacplus.conf | ||||
.Sh DESCRIPTION | .Sh DESCRIPTION | ||||
.Nm | .Nm | ||||
contains the information necessary to configure the TACACS+ client | contains the information necessary to configure the TACACS+ client | ||||
library. | library. | ||||
It is parsed by | It is parsed by | ||||
.Fn tac_config | .Fn tac_config | ||||
(see | (see | ||||
.Xr libtacplus 3 ) . | .Xr libtacplus 3 ) . | ||||
The file contains one or more lines of text, each describing a | The file contains one or more lines of text, each describing a | ||||
single TACACS+ server which is to be used by the library. | single TACACS+ server which is to be used by the library. | ||||
Leading | Leading | ||||
white space is ignored, as are empty lines and lines containing | white space is ignored, as are empty lines and lines containing | ||||
only comments. | only comments. | ||||
.Pp | .Pp | ||||
A TACACS+ server is described by two to four fields on a line. | A TACACS+ server is described by a minimum of two fields on a line. | ||||
pauamma_gundo.com: This is saying that "#foobar" is a valid field but "foo#bar" isn't. Is that still true with the…
des: Thanks for catching that, I'll check.
des: OK so I think you misunderstood, it's not talking about the legality of a `#` character but about whether it will be seen as the start of a comment or as a regular character within a field. In both cases `#` starts a comment only if it is the first character on the line or is preceded by unescaped whitespace. In all other cases it is a regular character. This is unchanged. What has changed is mainly support for line continuations and improved quoting.
The | The fields are separated by whitespace and follow the same rules for | ||||
fields are separated by white space. | comments, quoting, escaping, and line continuation as the POSIX shell. | ||||
The | |||||
.Ql # | |||||
character at the beginning of a field begins a comment, which extends | |||||
to the end of the line. | |||||
A field may be enclosed in double quotes, | |||||
in which case it may contain white space and/or begin with the | |||||
.Ql # | |||||
character. | |||||
Within a quoted string, the double quote character can | |||||
be represented by | |||||
.Ql \e\&" , | |||||
and the backslash can be represented by | |||||
.Ql \e\e . | |||||
No other escape sequences are supported. | |||||
.Pp | .Pp | ||||
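Review bot: the new wording on the right of L41-42 ("the same rules for comments, quoting, escaping, and line continuation as the POSIX shell") is both broader and vaguer than the text it replaces, which spelled out exactly what was supported (only `\"` and `\\` inside double quotes, "No other escape sequences are supported"). A reader who takes "POSIX shell" literally will expect parameter expansion, globbing and command substitution, and the unchanged example `192.168.27.81 $X*#..38947ax-+=` keeps an unquoted `$` and `*`. Suggest either listing the subset that actually applies (whitespace-separated words, `#` starting a comment only at the beginning of a line or after unescaped whitespace, single and double quotes, backslash escapes, backslash-newline continuation) together with an explicit "no expansion of any kind is performed", or cross-referencing the tokenizer the inline discussion names (openpam_readword(3)). A compatibility sentence is also warranted: under the old rules a backslash or single quote in an unquoted secret was a literal character, under shell-style quoting it is not, so a secret that matched the server before the upgrade can silently change meaning; administrators should re-check any secret containing `\` or `'`.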
The first field specifies | The first field specifies | ||||
the server host, either as a fully qualified domain name or as a | the server host, either as a fully qualified domain name or as a | ||||
dotted-quad IP address. | dotted-quad IP address. | ||||
The host may optionally be followed by a | The host may optionally be followed by a | ||||
.Ql \&: | .Ql \&: | ||||
and a numeric port number, without intervening white space. | and a numeric port number, without intervening white space. | ||||
If the | If the | ||||
port specification is omitted, it defaults to 49, the standard TACACS+ | port specification is omitted, it defaults to 49, the standard TACACS+ | ||||
port. | port. | ||||
.Pp | .Pp | ||||
The second field contains the shared secret, which should be known | The second field contains the shared secret, which should be known | ||||
only to the client and server hosts. | only to the client and server hosts. | ||||
It is an arbitrary string | It is an arbitrary string | ||||
of characters, though it must be enclosed in double quotes if it | of characters, though it must be enclosed in double quotes if it | ||||
contains white space or is empty. | contains white space or is empty. | ||||
An empty secret disables the | An empty secret disables the | ||||
normal encryption mechanism, causing all data to cross the network in | normal encryption mechanism, causing all data to cross the network in | ||||
cleartext. | cleartext. | ||||
.Pp | .Pp | ||||
The third field contains a decimal integer specifying the timeout | The optional third field may contain a decimal integer specifying the | ||||
in seconds for communicating with the server. | timeout in seconds for communicating with the server. | ||||
The timeout applies | The timeout applies | ||||
separately to each connect, write, and read operation. | separately to each connect, write, and read operation. | ||||
If this field | If this field is omitted, it defaults to 3 seconds. | ||||
is omitted, it defaults to 3 seconds. | |||||
.Pp | .Pp | ||||
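Review bot: with the third field now optional (right side of L77-78) and the fourth field already optional, the text never says whether a field may be skipped: can `single-connection` or an `attribute=value` pair directly follow the secret, or must a timeout be present before them? A timeout is a decimal integer and the other fields are not, so the parser can tell them apart, but the man page should state the rule explicitly, e.g. "If the timeout is omitted, the remaining fields may follow the secret directly."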
The optional fourth field may contain the string | The optional fourth field may contain the string | ||||
.Ql single-connection . | .Ql single-connection . | ||||
If this option is included, the library will attempt to negotiate | If this option is included, the library will attempt to negotiate | ||||
with the server to keep the TCP connection open for multiple | with the server to keep the TCP connection open for multiple | ||||
sessions. | sessions. | ||||
Some older TACACS+ servers become confused if this option | Some older TACACS+ servers become confused if this option | ||||
is specified. | is specified. | ||||
.Pp | .Pp | ||||
Any subsequent fields must be of the form | |||||
.Ar attribute Ns = Ns Ar value | |||||
and will be appended to authorization responses as if they had been | |||||
sent by the server. | |||||
.Pp | |||||
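Review bot: "appended to authorization responses as if they had been sent by the server" (right of L92-95) leaves precedence undefined when the server returns the same attribute, say `shell=`: does the locally configured value replace the server's, duplicate it, or lose to it? The example comment on the right of L118-119 calls these "overrides", which contradicts "appended"; a consumer that takes the first matching attribute will behave differently from one that takes the last. Pick one behaviour and document it. It is also worth saying plainly that these fields let anyone who can edit the file inject uid, gid and shell values into authorization results, which is one more reason for the root-only requirement already stated at L107-108.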
Up to 10 TACACS+ servers may be specified. | Up to 10 TACACS+ servers may be specified. | ||||
The servers are tried in | The servers are tried in | ||||
order, until a valid response is received or the list is exhausted. | order, until a valid response is received or the list is exhausted. | ||||
.Pp | .Pp | ||||
The standard location for this file is | The standard location for this file is | ||||
.Pa /etc/tacplus.conf . | .Pa /etc/tacplus.conf . | ||||
An alternate pathname may be specified in the call to | An alternate pathname may be specified in the call to | ||||
.Fn tac_config | .Fn tac_config | ||||
(see | (see | ||||
.Xr libtacplus 3 ) . | .Xr libtacplus 3 ) . | ||||
Since the file contains sensitive information in the form of the | Since the file contains sensitive information in the form of the | ||||
shared secrets, it should not be readable except by root. | shared secrets, it should not be readable except by root. | ||||
.Sh FILES | .Sh FILES | ||||
.Bl -tag -width Pa | .Bl -tag -width Pa | ||||
.It Pa /etc/tacplus.conf | .It Pa /etc/tacplus.conf | ||||
.El | .El | ||||
.Sh EXAMPLES | .Sh EXAMPLES | ||||
.Bd -literal | .Bd -literal | ||||
# A simple entry using all the defaults: | # A simple entry using all the defaults: | ||||
tacserver.domain.com OurLittleSecret | tacserver.domain.com OurLittleSecret | ||||
# A server using a non-standard port, with an increased timeout and | # A server using a non-standard port, with an increased timeout and | ||||
# the "single-connection" option. | # the "single-connection" option, and overrides for the for uid, gid | ||||
auth.domain.com:4333 "Don't tell!!" 15 single-connection | # and shell attributes. | ||||
auth.domain.com:4333 "Don't tell!!" 15 single-connection \e | |||||
uid=1001 gid=20 shell="/usr/local/bin/zsh" | |||||
# A server specified by its IP address: | # A server specified by its IP address: | ||||
192.168.27.81 $X*#..38947ax-+= | 192.168.27.81 $X*#..38947ax-+= shell="/sbin/nologin" | ||||
.Ed | .Ed | ||||
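Review bot: the comment on the right of L118 reads "overrides for the for uid, gid" (doubled "for"). Since the examples now exist to demonstrate the shell-style tokenizer, consider adding one entry whose secret actually exercises it (a secret containing a single quote or a backslash, shown both quoted and escaped), so that the behaviour change in quoting is visible to someone skimming only the EXAMPLES section; the existing unquoted `$X*#..38947ax-+=` secret is the line most likely to raise the question of whether `$` and `*` are expanded.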
.Sh SEE ALSO | .Sh SEE ALSO | ||||
.Xr libtacplus 3 | .Xr libtacplus 3 | ||||
.Sh AUTHORS | .Sh AUTHORS | ||||
This documentation was written by | This documentation was written by | ||||
.An John Polstra , | .An John Polstra , | ||||
and donated to the | and donated to the | ||||
.Fx | .Fx | ||||
project by Juniper Networks, Inc. | project by Juniper Networks, Inc. |
This is saying that "#foobar" is a valid field but "foo#bar" isn't. Is that still true with the new tokenizer? openpam_readlinev(3) leads me to openpam_readword(3), which states
which I interpret as permitting "foo#bar".