Changeset View
Changeset View
Standalone View
Standalone View
lib/libtacplus/tacplus.conf.5
| Show All 18 Lines | |||||
| .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||||
| .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||||
| .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||||
| .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||||
| .\" SUCH DAMAGE. | .\" SUCH DAMAGE. | ||||
| .\" | .\" | ||||
| .\" $FreeBSD$ | .\" $FreeBSD$ | ||||
| .\" | .\" | ||||
| .Dd July 29, 1998 | .Dd June 13, 2023 | ||||
| .Dt TACPLUS.CONF 5 | .Dt TACPLUS.CONF 5 | ||||
| .Os | .Os | ||||
| .Sh NAME | .Sh NAME | ||||
| .Nm tacplus.conf | .Nm tacplus.conf | ||||
| .Nd TACACS+ client configuration file | .Nd TACACS+ client configuration file | ||||
| .Sh SYNOPSIS | .Sh SYNOPSIS | ||||
| .Pa /etc/tacplus.conf | .Pa /etc/tacplus.conf | ||||
| .Sh DESCRIPTION | .Sh DESCRIPTION | ||||
| .Nm | .Nm | ||||
| contains the information necessary to configure the TACACS+ client | contains the information necessary to configure the TACACS+ client | ||||
| library. | library. | ||||
| It is parsed by | It is parsed by | ||||
| .Fn tac_config | .Fn tac_config | ||||
| (see | (see | ||||
| .Xr libtacplus 3 ) . | .Xr libtacplus 3 ) . | ||||
| The file contains one or more lines of text, each describing a | The file contains one or more lines of text, each describing a | ||||
| single TACACS+ server which is to be used by the library. | single TACACS+ server which is to be used by the library. | ||||
| Leading | Leading | ||||
| white space is ignored, as are empty lines and lines containing | white space is ignored, as are empty lines and lines containing | ||||
| only comments. | only comments. | ||||
| .Pp | .Pp | ||||
| A TACACS+ server is described by two to four fields on a line. | A TACACS+ server is described by a minimum of two fields on a line. | ||||
pauamma_gundo.com: This is saying that "#foobar" is a valid field but "foo#bar" isn't. Is that still true with the… | |||||
Done Inline ActionsThanks for catching that, I'll check. des: Thanks for catching that, I'll check. | |||||
Done Inline ActionsOK so I think you misunderstood, it's not talking about the legality of a # character but about whether it will be seen as the start of a comment or as a regular character within a field. In both cases # starts a comment only if it is the first character on the line or is preceded by unescaped whitespace. In all other cases it is a regular character. This is unchanged. What has changed is mainly support for line continuations and improved quoting. des: OK so I think you misunderstood, it's not talking about the legality of a `#` character but… | |||||
| The | The fields are separated by whitespace and follow the same rules for | ||||
| fields are separated by white space. | comments, quoting, escaping, and line continuation as the POSIX shell. | ||||
| The | |||||
| .Ql # | |||||
| character at the beginning of a field begins a comment, which extends | |||||
| to the end of the line. | |||||
| A field may be enclosed in double quotes, | |||||
| in which case it may contain white space and/or begin with the | |||||
| .Ql # | |||||
| character. | |||||
| Within a quoted string, the double quote character can | |||||
| be represented by | |||||
| .Ql \e\&" , | |||||
| and the backslash can be represented by | |||||
| .Ql \e\e . | |||||
| No other escape sequences are supported. | |||||
| .Pp | .Pp | ||||
| The first field specifies | The first field specifies | ||||
| the server host, either as a fully qualified domain name or as a | the server host, either as a fully qualified domain name or as a | ||||
| dotted-quad IP address. | dotted-quad IP address. | ||||
| The host may optionally be followed by a | The host may optionally be followed by a | ||||
| .Ql \&: | .Ql \&: | ||||
| and a numeric port number, without intervening white space. | and a numeric port number, without intervening white space. | ||||
| If the | If the | ||||
| port specification is omitted, it defaults to 49, the standard TACACS+ | port specification is omitted, it defaults to 49, the standard TACACS+ | ||||
| port. | port. | ||||
| .Pp | .Pp | ||||
| The second field contains the shared secret, which should be known | The second field contains the shared secret, which should be known | ||||
| only to the client and server hosts. | only to the client and server hosts. | ||||
| It is an arbitrary string | It is an arbitrary string | ||||
| of characters, though it must be enclosed in double quotes if it | of characters, though it must be enclosed in double quotes if it | ||||
| contains white space or is empty. | contains white space or is empty. | ||||
| An empty secret disables the | An empty secret disables the | ||||
| normal encryption mechanism, causing all data to cross the network in | normal encryption mechanism, causing all data to cross the network in | ||||
| cleartext. | cleartext. | ||||
| .Pp | .Pp | ||||
| The third field contains a decimal integer specifying the timeout | The optional third field may contain a decimal integer specifying the | ||||
| in seconds for communicating with the server. | timeout in seconds for communicating with the server. | ||||
| The timeout applies | The timeout applies | ||||
| separately to each connect, write, and read operation. | separately to each connect, write, and read operation. | ||||
| If this field | If this field is omitted, it defaults to 3 seconds. | ||||
| is omitted, it defaults to 3 seconds. | |||||
| .Pp | .Pp | ||||
| The optional fourth field may contain the string | The optional fourth field may contain the string | ||||
| .Ql single-connection . | .Ql single-connection . | ||||
| If this option is included, the library will attempt to negotiate | If this option is included, the library will attempt to negotiate | ||||
| with the server to keep the TCP connection open for multiple | with the server to keep the TCP connection open for multiple | ||||
| sessions. | sessions. | ||||
| Some older TACACS+ servers become confused if this option | Some older TACACS+ servers become confused if this option | ||||
| is specified. | is specified. | ||||
| .Pp | .Pp | ||||
| Any subsequent fields must be of the form | |||||
| .Ar attribute Ns = Ns Ar value | |||||
| and will be appended to authorization responses as if they had been | |||||
| sent by the server. | |||||
| .Pp | |||||
| Up to 10 TACACS+ servers may be specified. | Up to 10 TACACS+ servers may be specified. | ||||
| The servers are tried in | The servers are tried in | ||||
| order, until a valid response is received or the list is exhausted. | order, until a valid response is received or the list is exhausted. | ||||
| .Pp | .Pp | ||||
| The standard location for this file is | The standard location for this file is | ||||
| .Pa /etc/tacplus.conf . | .Pa /etc/tacplus.conf . | ||||
| An alternate pathname may be specified in the call to | An alternate pathname may be specified in the call to | ||||
| .Fn tac_config | .Fn tac_config | ||||
| (see | (see | ||||
| .Xr libtacplus 3 ) . | .Xr libtacplus 3 ) . | ||||
| Since the file contains sensitive information in the form of the | Since the file contains sensitive information in the form of the | ||||
| shared secrets, it should not be readable except by root. | shared secrets, it should not be readable except by root. | ||||
| .Sh FILES | .Sh FILES | ||||
| .Bl -tag -width Pa | .Bl -tag -width Pa | ||||
| .It Pa /etc/tacplus.conf | .It Pa /etc/tacplus.conf | ||||
| .El | .El | ||||
| .Sh EXAMPLES | .Sh EXAMPLES | ||||
| .Bd -literal | .Bd -literal | ||||
| # A simple entry using all the defaults: | # A simple entry using all the defaults: | ||||
| tacserver.domain.com OurLittleSecret | tacserver.domain.com OurLittleSecret | ||||
| # A server using a non-standard port, with an increased timeout and | # A server using a non-standard port, with an increased timeout and | ||||
| # the "single-connection" option. | # the "single-connection" option, and overrides for the for uid, gid | ||||
| auth.domain.com:4333 "Don't tell!!" 15 single-connection | # and shell attributes. | ||||
| auth.domain.com:4333 "Don't tell!!" 15 single-connection \e | |||||
| uid=1001 gid=20 shell="/usr/local/bin/zsh" | |||||
| # A server specified by its IP address: | # A server specified by its IP address: | ||||
| 192.168.27.81 $X*#..38947ax-+= | 192.168.27.81 $X*#..38947ax-+= shell="/sbin/nologin" | ||||
| .Ed | .Ed | ||||
| .Sh SEE ALSO | .Sh SEE ALSO | ||||
| .Xr libtacplus 3 | .Xr libtacplus 3 | ||||
| .Sh AUTHORS | .Sh AUTHORS | ||||
| This documentation was written by | This documentation was written by | ||||
| .An John Polstra , | .An John Polstra , | ||||
| and donated to the | and donated to the | ||||
| .Fx | .Fx | ||||
| project by Juniper Networks, Inc. | project by Juniper Networks, Inc. | ||||
This is saying that "#foobar" is a valid field but "foo#bar" isn't. Is that still true with the new tokenizer? openpam_readlinev(3) leads me to openpam_readword(3), which states
which I interpret as permitting "foo#bar".