Easier Tacacs Configurations with do_auth

We've gone over how you can make your tacacs configuration really secure but complicated. Let's show how do_auth can actually make configuration easier. It's much easier to edit the do_auth.ini file than the tac_plus.conf file. In fact, we can make adding a default user as easy as typing "adduser". I would post the compiled code, but it's too difficult to get a hold of John these days. (Something about a baby, I dunno.) It's trivial to compile yourself; just do it with the same Python that /usr/bin/python runs, since a .pyc only loads on the interpreter version that built it:

dan@dan-desktop:~$ python
Python 2.5.2 (r252:60911, Jul 22 2009, 15:35:03)
[GCC 4.2.4 (Ubuntu 4.2.4-1ubuntu3)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import py_compile
>>> py_compile.compile("do_auth.py")
>>> quit()

First, a starting tac_plus.conf file, which we'll never have to edit again:

# My simple tac_plus config that never needs to change
key = my_key
accounting file = /var/log/tac_plus.acct
default authentication = file /etc/passwd
user = DEFAULT {
     member = do_auth_access
}
group = do_auth_access {
     default service = permit
     service = exec {
          priv-lvl = 15
          idletime = 10
     }
     enable = file /etc/passwd
     after authorization "/usr/bin/python /root/do_auth.pyc -i $address -u $user -d $name -l /root/log.txt -f /root/do_auth.ini"
}

Most important: the after authorization line is a single line in the file, not two. If it shows up as two here, that's just the blog wrapping it.

Now, we add homer and give him access to some show commands. First, we run adduser homer on Linux to create the account. This way, when homer wants to change his password, he can do it any time he wants with passwd. Next, we edit the do_auth.ini file:

[users]
homer =
     few_commands
[few_commands]
host_allow =
     .*
device_permit =
     .*
command_permit =
     show users
     show int.*
     show ip int.*
     show controllers.*

And you're done. Well, I'd put some tabs in front of each command, since they got stripped above (blogs/wikis can be annoying), but that's about it. One thing to keep in mind: the only thing holding homer to those four show commands is command authorization, so every device has to send its commands to tac_plus for authorization (aaa authorization commands 15 default group tacacs+ on IOS). A device that only does login authorization hands him the full priv-lvl 15 prompt from the exec service above.

Let's compare that to the tac\_plus.conf config:

user = homer {
     member = limited_access
}
group = limited_access {
     default service = deny
     acl = limited_acl
     service = exec {
          priv-lvl = 15
          idletime = 10
     }
     cmd = show {
          permit "users"
          permit "int.*"
          permit "ip int.*"
          permit "controllers.*"
     }
}

In my small do_auth python program, we have no permit keywords, no quotes and no braces. Much easier, and no need to restart the daemon: tac_plus runs the script on every authorization request, so the edited .ini is picked up the next time someone types a command. Adding an admin user is even easier. Run adduser admin in Linux, then add this line under [users] plus the new group:

admin =
     admin_user
[admin_user]
host_allow =
     .*
device_permit =
     .*
command_permit =
     .*

So, our final config is very easy:

[users]
homer =
     few_commands
admin =
     admin_user
[few_commands]
host_allow =
     .*
device_permit =
     .*
command_permit =
     show users
     show int.*
     show ip int.*
     show controllers.*
[admin_user]
host_allow =
     .*
device_permit =
     .*
command_permit =
     .*

As if this weren't easy enough, let's say 99% of your users are these limited access users. Wouldn't it be nice to just do an adduser and be done without any config modification? All we need is a default user. In our example above we would change to this:

[users]
default =
     few_commands
[few_commands]
host_allow =
     .*
device_permit =
     .*
command_permit =
     show users
     show int.*
     show ip int.*
     show controllers.*

Now, whenever we do an adduser, the new account automatically gets this level of access. The flip side is that default matches every account that isn't listed under [users], so anything that can authenticate against the server's /etc/passwd gets it too; keep an eye on what else lives in that file.
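Here is a small Python model of the decisions described above: the [users] lookup, the default fallback, and the host_allow/device_permit/command_permit regex lists, wired to the same -i/-u/-d/-f flags as the after authorization line. This is an added example, not do_auth's own code, and it assumes a few things do_auth may do differently: patterns are matched anchored with re.fullmatch, the first group that permits wins, the command is rebuilt from the cmd= and cmd-arg= pairs tac_plus passes on stdin, and exit code 2 means permit (keep the original AV pairs) while 1 means deny. The ini text is constructed from the post's final config plus a default entry.

```python
"""Toy version of the do_auth.ini decision logic described in this post.
Added example, not do_auth's own code. Assumptions (mine): patterns are anchored
with re.fullmatch, the first permitting group wins, and unlisted users fall back
to the 'default' entry of [users]."""
import argparse
import configparser
import re
import sys

# Constructed sample: the post's final do_auth.ini with a 'default' entry added.
SAMPLE_INI = """
[users]
homer =
    few_commands
admin =
    admin_user
default =
    few_commands
[few_commands]
host_allow =
    .*
device_permit =
    .*
command_permit =
    show users
    show int.*
    show ip int.*
    show controllers.*
[admin_user]
host_allow =
    .*
device_permit =
    .*
command_permit =
    .*
"""

def load_policy(text):
    """Parse do_auth.ini text; every indented line under a key is one regex."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep usernames case-sensitive
    cp.read_string(text)
    return cp

def _patterns(cp, section, key):
    if not cp.has_option(section, key):
        return []
    return [p.strip() for p in cp.get(section, key).splitlines() if p.strip()]

def _any_match(patterns, value):
    return any(re.fullmatch(p, value) for p in patterns)

def groups_for(cp, user):
    """Groups listed for the user, or the 'default' groups if the user is not listed."""
    key = user if cp.has_option("users", user) else "default"
    return _patterns(cp, "users", key)

def authorize(cp, user, client_ip, device, command):
    """True if some group of the user permits this (client_ip, device, command) triple."""
    for group in groups_for(cp, user):
        if not cp.has_section(group):
            continue  # a misspelled group name fails closed, not open
        if (_any_match(_patterns(cp, group, "host_allow"), client_ip)
                and _any_match(_patterns(cp, group, "device_permit"), device)
                and _any_match(_patterns(cp, group, "command_permit"), command)):
            return True
    return False

def parse_av_pairs(text):
    """Split the attr=value lines tac_plus feeds an 'after authorization' script on stdin."""
    pairs = [line.strip().partition("=") for line in text.splitlines() if line.strip()]
    return [(k, v) for k, _, v in pairs]

def command_from_av_pairs(pairs):
    """Rebuild e.g. 'show ip interface brief' from the cmd= and cmd-arg= pairs an IOS device sends."""
    words = [v for k, v in pairs if k == "cmd"]
    words += [v for k, v in pairs if k == "cmd-arg" and v != "<cr>"]
    return " ".join(words)

if __name__ == "__main__":
    # Same flags the post's after-authorization line passes: -i $address -u $user -d $name -f ini
    ap = argparse.ArgumentParser()
    for flag, dest in (("-i", "client_ip"), ("-u", "user"), ("-d", "device"), ("-f", "ini")):
        ap.add_argument(flag, dest=dest, required=True)
    args = ap.parse_args()
    with open(args.ini) as fh:
        policy = load_policy(fh.read())
    command = command_from_av_pairs(parse_av_pairs(sys.stdin.read()))
    # tac_plus exit codes (assumed here): 1 = deny, 2 = permit and keep the original AV pairs
    sys.exit(2 if authorize(policy, args.user, args.client_ip, args.device, command) else 1)
```

Run it the way the after authorization line would and it exits 2 for homer typing show ip interface brief, 1 for configure terminal, and 2 for an unlisted user like marge on any of the four show commands. Anchoring with fullmatch is deliberate: with a bare prefix match, the permit for show users would also cover anything starting with those words, and a misspelled group name in [users] denies rather than quietly opening everything up.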

From here, we can make it as simple or as complicated as we want: restrict them to certain devices, make them connect from certain IPs, etc. We can maybe even begin to work on a web front end. (Maybe someday when I get time.....)

-Dan Schmidt