.\" Copyright 1998 Juniper Networks, Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd July 29, 1998
.Dt TACPLUS.CONF 5
.Os
.Sh NAME
.Nm tacplus.conf
.Nd TACACS+ client configuration file
.Sh SYNOPSIS
.Pa /etc/tacplus.conf
.Sh DESCRIPTION
.Nm
contains the information necessary to configure the TACACS+ client
library.
It is parsed by
.Fn tac_config
(see
.Xr libtacplus 3 ) .
The file contains one or more lines of text, each describing a
single TACACS+ server which is to be used by the library.
Leading white space is ignored, as are empty lines and lines containing
only comments.
.Pp
A TACACS+ server is described by two to four fields on a line.
The fields are separated by white space.
The
.Ql #
character at the beginning of a field begins a comment, which extends
to the end of the line.
A
.Ql #
that is not at the beginning of a field is ordinary data, as in the
third entry under
.Sx EXAMPLES .
A field may be enclosed in double quotes,
in which case it may contain white space and/or begin with the
.Ql #
character.
Within a quoted string, the double quote character can
be represented by
.Ql \e\&" ,
and the backslash can be represented by
.Ql \e\e .
No other escape sequences are supported.
.Pp
The first field specifies
the server host, either as a fully qualified domain name or as a
dotted-quad IPv4 address.
The host may optionally be followed by a
.Ql \&:
and a numeric port number, without intervening white space.
If the port specification is omitted, it defaults to 49, the standard
TACACS+ port.
.Pp
The second field contains the shared secret, which should be known
only to the client and server hosts.
It is an arbitrary string
of characters, though it must be enclosed in double quotes if it
contains white space or is empty.
An empty secret disables the
normal encryption mechanism, causing all data to cross the network in
cleartext.
Even with a secret set, the protection TACACS+ applies to packet bodies
is a keystream derived from the secret with MD5, not an authenticated
cipher, so the secret does not remove the need to keep the path to the
server on a trusted network.
.Pp
The third field contains a decimal integer specifying the timeout
in seconds for communicating with the server.
The timeout applies
separately to each connect, write, and read operation.
If this field is omitted, it defaults to 3 seconds.
.Pp
The optional fourth field may contain the string
.Ql single-connection .
If this option is included, the library will attempt to negotiate
with the server to keep the TCP connection open for multiple
sessions.
Some older TACACS+ servers become confused if this option
is specified.
.Pp
Up to 10 TACACS+ servers may be specified.
The servers are tried in
order, until a valid response is received or the list is exhausted.
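.Pp
The format rules above, exercised by a small parser and linter for one
line of the file.
This is an added example, not code from
.Xr libtacplus 3
or from the
.Fx
project: the function names
.Fn parse_tacplus_line
and
.Fn next_field ,
the upper bound of 65535 it places on the port and timeout fields, and
the sample lines in its main() are this example's own, and those sample
lines are constructed rather than taken from a real installation.
The parser rejects a line with only one field, with more than four, with
an unterminated quote, with text glued to a closing quote, with a
non-numeric port or timeout, or with an unknown fourth field; it fills
in the documented defaults (port 49, timeout 3 seconds), treats a
.Ql #
inside a field as data, and flags an empty secret because that switches
the body encryption off.

```c
/* Parser and linter for the tacplus.conf(5) line format described above.  Added
 * example, not libtacplus code: the function names are this example's own and
 * the sample lines in main() are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SERVERS     10  /* documented limit */
#define DEFAULT_PORT    49  /* standard TACACS+ port */
#define DEFAULT_TIMEOUT 3   /* seconds, applied to each connect, read and write */

struct tac_server { char host[256], secret[256]; int port, timeout, single_connection; };

/* Read one white-space separated field into out[n].  A quoted field may hold
 * white space or a leading '#'; only \" and \\ are escapes.  Returns 1 for a
 * field, 0 at end of line or at a '#' comment, -1 on a quoting error. */
static int next_field(const char **pp, char *out, size_t n)
{
    const char *p = *pp;
    size_t len = 0;

    while (*p == ' ' || *p == '\t') p++;
    if (*p == '\0' || *p == '#') { *pp = p; return 0; }     /* nothing more on this line */
    if (*p == '"') {
        for (p++; *p != '"'; p++) {
            if (*p == '\0') return -1;                       /* unterminated quote */
            if (*p == '\\' && (p[1] == '"' || p[1] == '\\')) p++;  /* drop the backslash */
            if (len + 1 < n) out[len++] = *p;
        }
        if (*++p != '\0' && *p != ' ' && *p != '\t') return -1;  /* text glued to quote */
    } else
        for (; *p != '\0' && *p != ' ' && *p != '\t'; p++)
            if (len + 1 < n) out[len++] = *p;                /* '#' here is data */
    out[len] = '\0';
    *pp = p;
    return 1;
}

static int parse_uint(const char *s, int *out)  /* digits only; the 65535 cap is ours */
{
    char *end = NULL;
    long v = isdigit((unsigned char)*s) ? strtol(s, &end, 10) : -1;

    if (v < 0 || v > 65535 || *end != '\0') return 0;
    *out = (int)v;
    return 1;
}

/* Returns 1 and fills *s for a server line, 0 for a blank or comment-only line,
 * -1 for a malformed one. */
int parse_tacplus_line(const char *line, struct tac_server *s)
{
    char f[5][256], *colon;
    int nf = 0, r = 0;

    while (nf < 5 && (r = next_field(&line, f[nf], sizeof f[nf])) == 1) nf++;
    if (r < 0 || nf == 5 || nf == 1) return -1;  /* bad quoting, >4 fields, no secret */
    if (nf == 0) return 0;
    memset(s, 0, sizeof *s);
    s->port = DEFAULT_PORT;
    s->timeout = DEFAULT_TIMEOUT;
    if ((colon = strchr(f[0], ':')) != NULL) {   /* host:port, no white space between */
        *colon = '\0';
        if (!parse_uint(colon + 1, &s->port) || s->port == 0) return -1;
    }
    if (f[0][0] == '\0' || (nf >= 3 && !parse_uint(f[2], &s->timeout))) return -1;
    if (nf == 4 && strcmp(f[3], "single-connection") != 0) return -1;
    strcpy(s->host, f[0]);
    strcpy(s->secret, f[1]);                     /* "" is legal but means cleartext */
    s->single_connection = (nf == 4);
    return 1;
}

int main(void)
{
    static const char *sample[] = {              /* constructed: page's entries plus two */
        "# A simple entry using all the defaults:",
        "tacserver.domain.com OurLittleSecret",
        "auth.domain.com:4333 \"Don't tell!!\" 15 single-connection",
        "192.168.27.81 $X*#..38947ax-+=",
        "lab.example.net \"\"      # empty secret: everything crosses the wire in cleartext",
        "bad.example.net \"unterminated",
    };
    struct tac_server s;
    int n = 0, r;
    size_t i;
    for (i = 0; i < sizeof sample / sizeof *sample; i++) {
        if ((r = parse_tacplus_line(sample[i], &s)) < 0)
            printf("line %zu: syntax error\n", i + 1);
        else if (r == 1 && ++n > MAX_SERVERS)
            printf("line %zu: more than %d servers, ignored\n", i + 1, MAX_SERVERS);
        else if (r == 1)
            printf("%-22s port=%-5d timeout=%-3d single-connection=%d%s\n", s.host,
                   s.port, s.timeout, s.single_connection,
                   s.secret[0] ? "" : "  WARNING: empty secret, cleartext");
    }
    return 0;
}
```

.Pp
Build with
.Ql cc -Wall -o tacplus_lint tacplus_lint.c
(the file name is this example's own); a checker for a live system would
read
.Pa /etc/tacplus.conf
line by line, pass each line to
.Fn parse_tacplus_line ,
and count the lines that return 1 so that the limit of 10 servers is
enforced the same way.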
.Pp
The standard location for this file is
.Pa /etc/tacplus.conf .
An alternate pathname may be specified in the call to
.Fn tac_config
(see
.Xr libtacplus 3 ) .
Since the file contains sensitive information in the form of the
shared secrets, it should not be readable except by root;
owner root with mode 0600 is the usual setting.
.Sh FILES
.Bl -tag -width Pa
.It Pa /etc/tacplus.conf
.El
.Sh EXAMPLES
.Bd -literal
# A simple entry using all the defaults:
tacserver.domain.com OurLittleSecret

# A server using a non-standard port, with an increased timeout and
# the "single-connection" option.
auth.domain.com:4333 "Don't tell!!" 15 single-connection

# A server specified by its IP address:
192.168.27.81 $X*#..38947ax-+=
.Ed
.Sh SEE ALSO
.Xr libtacplus 3
.Sh AUTHORS
This documentation was written by
.An John Polstra ,
and donated to the
.Fx
project by Juniper Networks, Inc.