Easier Tacacs Configurations with do_auth

26 09 2009

We’ve gone over how you can make your tacacs configuration really secure but complicated. Let’s show how do_auth can actually make configuration easier. It’s much easier to edit the do_auth.ini file than the tac_plus.conf file. In fact, we can make adding a default user as easy as typing “adduser”.

I would post the compiled code, but it’s too difficult to get a hold of John these days. (Something about a baby, I dunno.) It’s trivial to compile:

dan@dan-desktop:~$ python
Python 2.5.2 (r252:60911, Jul 22 2009, 15:35:03)
[GCC 4.2.4 (Ubuntu 4.2.4-1ubuntu3)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import py_compile
>>> py_compile.compile("do_auth.py")
>>> quit()

First, a starting tac_plus.conf file, which we’ll never have to edit again:

# My simple tac_plus config that never needs to change
key = my_key
accounting file = /var/log/tacplus.acct
default authentication = file /etc/passwd
user = DEFAULT {
     member = do_auth_access
}
group = do_auth_access {
     default service = permit
     service = exec { priv-lvl = 15
          idletime = 10 }
     enable = file /etc/passwd
     after authorization "/usr/bin/python /root/do_auth.pyc -i $address -u $user -d $name -l /root/log.txt -f /root/do_auth.ini"
}

Most important: the after authorization line is one line, not two, even if it wraps in the display.

Now, we add homer and give him access to some show commands. First, we do an adduser homer on Linux to add the user. This way, when the user wants to change his password, he can do so any time he wants with passwd. Next, we edit the do_auth.ini file:

[users]
homer =
     few_commands
[few_commands]
host_allow =
     .*
device_permit =
     .*
command_permit =
     show users
     show int.*
     show ip int.*
     show controllers.*

And, you’re done. Well, I’d add some tabs in front of each command that got stripped above (blogs/wikis can be annoying), but that’s about it.

Let’s compare that to the tac_plus.conf config:

user = homer {
     member = limited_access
}
group = limited_access {
     default service = deny
     acl = limited_acl
     service = exec {
          priv-lvl = 15
          idletime = 10
     }
     cmd = show {
          permit "running-config.*"
          permit "ip int*"
          permit "inter.*"
          permit "controllers.*"
     }
}

In my small do_auth python program, we have no permit keywords, no “”, and no {}. Much easier, and no need to restart the daemon. Adding an admin user is even easier. Run adduser admin in Linux, then add:

admin =
     admin_user
[admin_user]
host_allow =
     .*
device_permit =
     .*
command_permit =
     .*

So, our final config is very easy:

[users]
homer =
     few_commands
admin =
     admin_user
[few_commands]
host_allow =
     .*
device_permit =
     .*
command_permit =
     show users
     show int.*
     show ip int.*
     show controllers.*
[admin_user]
host_allow =
     .*
device_permit =
     .*
command_permit =
     .*

As if this weren’t easy enough, let’s say 99% of your users are these limited access users. Wouldn’t it be nice to just do an adduser and be done without any config modification? All we need is a default user. In our example above we would change to this:

[users]
default =
     few_commands
[few_commands]
host_allow =
     .*
device_permit =
     .*
command_permit =
     show users
     show int.*
     show ip int.*
     show controllers.*

Now, whenever we do an adduser, it automatically gets this level of access.
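To make the ini layout concrete, here is an added example (my own code, not do_auth itself) that parses a file laid out as above and answers the question do_auth is asked after authorization: may this user, from this address, on this device, run this command? It assumes the patterns are Python regexes matched against the whole string, that host_allow applies to the -i address and device_permit to the -d name, and that an unknown user falls back to the default entry; do_auth’s real matching rules are not stated here.

```python
import configparser
import re

# Constructed do_auth.ini in the layout the post describes, including a default user.
SAMPLE_INI = r"""
[users]
homer =
    few_commands
admin =
    admin_user
default =
    few_commands
[few_commands]
host_allow =
    .*
device_permit =
    10\.0\.0\..*
command_permit =
    show users
    show int.*
    show ip int.*
    show controllers.*
[admin_user]
host_allow =
    .*
device_permit =
    .*
command_permit =
    .*
"""

def load_policy(text):
    """Parse the ini text into {section: {key: [pattern, ...]}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    # Each value is the block of indented lines under "key ="; one pattern per line.
    return {s: {k: [p for p in v.splitlines() if p.strip()] for k, v in cp[s].items()}
            for s in cp.sections()}

def matches_any(patterns, value):
    # fullmatch (assumed) so "show users" cannot silently cover "show users | ..."
    return any(re.fullmatch(p, value) for p in patterns)

def authorize(policy, user, address, device, command):
    """True if a group of the user (or of the 'default' user) permits all three fields."""
    groups = policy["users"].get(user) or policy["users"].get("default", [])
    checks = (("host_allow", address), ("device_permit", device), ("command_permit", command))
    return any(all(matches_any(policy.get(g, {}).get(k, []), v) for k, v in checks)
               for g in groups)
```

The device_permit pattern in the sample is deliberately narrower than the post’s .* so the device check is visible; with .* any device name passes.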

From here, we can make it as simple or as complicated as we want: restrict them to certain devices, make them connect from certain IPs, etc. We can maybe even begin to work on a web front end. (Maybe someday when I get time...)

-Dan Schmidt