Easier Tacacs Configurations with do_auth
26 09 2009We’ve gone over how you can make your tacacs configuration really secure but complicated. Let’s show how do_auth can actually make configuration easier. It’s much easier to edit the do_auth.ini file than the tac_plus.conf file. In fact, we can make adding a default user as easy as typing “adduser”.
First, the code has been updated:
I would post the compiled code, but it’s too difficult to get a hold of John these days. (Something about a baby, I dunno) It’s trivial to compile:
dan@dan-desktop:~$ python
Python 2.5.2 (r252:60911, Jul 22 2009, 15:35:03)
[GCC 4.2.4 (Ubuntu 4.2.4-1ubuntu3)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import py_compile
>>> py_compile.compile("do_auth.py")
>>> quit()
First, a starting tac_plus.conf file. Which, we’ll never have to edit again:
# My simple tac_plus config that never needs to change
key = my_key
accounting file = /var/log/tac_plus.acct
default authentication = file /etc/passwd
user = DEFAULT {
member = do_auth_access
}
group = do_auth_access {
default service = permit
service = exec { priv-lvl = 15
idletime = 10 }
enable = file /etc/passwd
after authorization "/usr/bin/python /root/do_auth.pyc -i $address -u $user -d $name -l /root/log.txt -f /root/do_auth.ini"
}
Hum… some extra returns & tabs in there would make it more readable, but it doesn’t look right when I post it. Also, most important – after authorizaion line is one line, not two.
Now, we add homer and give him access to some show commands. Fist, we do a adduser homer on linux to add the user. This way, when the user wants to change is password, he can any time he wants to with passwd. Next, we edit the do_auth.ini file
[users]
homer =
few_commands
[few_commands]
host_allow =
.*
device_permit =
.*
command_permit =
show users
show int.*
show ip int.*
show controllers.*
And, you’re done. Well, I’d add some tabs to each command that got stripped above(blogs/wiki’s can be annoying), but that’s about it.
Let’s compare that to the tac_plus.conf config:
user = homer {
member = limited_access
}
group = limited_access {
default service = deny
acl = limited_acl
service = exec {
priv-lvl = 15
idletime = 10
}
cmd = show {
permit "running-config.*"
permit "ip int*"
permit "inter.*"
permit "controllers.*"
}
In my small do_auth python program, we have no permits, no “”, and no {}. Much easier and the no need to restart the daemon. To add an admin user is even easier. Adduser admin in linux, then add:
admin =
admin_user
[admin_user]
host_allow =
.*
device_permit =
.*
command_permit =
.*
So, our final config is very easy:
[users]
homer =
few_commands
admin =
admin_user
[few_commands]
host_allow =
.*
device_permit =
.*
command_permit =
show users
show int.*
show ip int.*
show controllers.*
[admin_user]
host_allow =
.*
device_permit =
.*
command_permit =
.*
As if this weren’t easy enough, let’s say 99% of your users are these limited access users. Wouldn’t it be nice to just do an adduser and be done without any config modification? All we need is a default user. In our example above we would change to this:
[users]
default =
few_commands
[few_commands]
host_allow =
.*
device_permit =
.*
command_permit =
show users
show int.*
show ip int.*
show controllers.*
Now, whenever we do an adduser, it automatically gets this level of access.
From here, we can make it as simple or as complicated as we want. Restrict them to certain device, make them connect from connect from certain IP’s, ect. We can maybe even begin to work on a web front end. (Maybe someday when I get time…..)
-Dan Schmidt
Excellent guide Dan ! There’s one point that seems uncovered however. What if user Homer need access to specific commands not found on Level1 ?? Is there any way to handle that scenario ?
Level 1? The levels you authorize are set on the device it’s self, they are not set set on the tacacs server.
I really like this and it would make building a front end simple. My only issue is I use login = PAM and tie authentication back to our Active directory through pam_ldap. Can’t seem to get that working here, maybe i am missing something.
You can’t get login = PAM working or can’t get do_auth working? do_auth is pretty trivial, getting PAM to work with active directory is much more difficult and I can’t help you there. (Have often suggested somebody write a tutorial) Getting the two to work together should not be a problem as after authentication scripts are completely separate from the login process.
This doesn’t appear to work with ASA 8.21 for command authorization. It just spits out; 2010-02-17 16:20:29: Error: Option ‘default’ does not exist in section users in file /etc/tac_plus/do_auth.ini whenever trying to authorize commands.
Dan,
I would like to implement this but have a question first.
The way I would like to use it is, default user has no access and then set the privileged user according to their access level. Is there away to do that?
DanH – try ‘DEFAULT’ instead of ‘default’ in your tac_plus.conf
Skip – This code works by commands, not privilege levels. Not that it couldn’t be done, I just did not have a need at the time to modify the tac pairs. You could take priv-lvl = 15 out of the config and deny “enable” to the users you don’t want to enable. Or, put them in a different group in tac_plus.conf, but that means you now have to modify two configuration files instead of one.
The examples above were done in much haste, there might be errors; if other people are actually interested in this, I’ll try to fix it up a bit. My current employer doesn’t use tac_plus, so I don’t have a testing environment any more.
I have done each step as you have directed. However, I cannot log in to my router. However, using tac_plus.conf configuration works well. Anything I need to look out for.
I get the following
telnet 172.17.0.68
Trying 172.17.0.68…
Connected to 172.17.0.68.
Escape character is ‘^]’.
User Access Verification
Username: xxxx
Password:
% Authorization failed.
Connection closed by foreign host.
Post the log.txt & do_auth,ini
#This is my do_auth.ini
alex =
admin
[admin]
host_allow =
.*
device_permit =
.*
command_permit =
.*
# This is my tacacs cfg
key = xxxxx
accounting file = /var/log/tac_acc.log
default authentication = file /etc/passwd
user = DEFAULT {
member = do_auth_access
}
group = do_auth_access {
default service = permit
service = exec {
priv-lvl = 15
}
enable = file /etc/passwd
after authorization “/usr/bin/python /etc/tacacs/do_auth.pyc -i $address -u $user -d $name -l /var/log/log.txt -f /etc/tacacs/do_auth.ini”
}
#log.txt is empty
Well, you are missing [users] at the top. However, you should still get a log in /var/log/log.txt. Do you get output from “python do_auth.py”? (or .pyc)
Sorry about the [users] section. I actually do have it on the .ini file. I must have missed in during copy. I do get output from do_auth.pyc. It prints the content of the do_auth.py. What cat do_auth.py would do. Should that be the case?
Not exactly what cat would do – it only prints the help.
So, let’s debug with -D. (don’t run from command line without -D)
python do_auth.py -i 10.1.1.1 -u alex -d 192.168.1.1 -l log.txt -f do_auth.ini -D
We get errors:
Traceback (most recent call last):
File “do_auth.py”, line 375, in
main()
File “do_auth.py”, line 281, in main
if not (filename in config.read(filename)):
File “/usr/lib/python2.6/ConfigParser.py”, line 286, in read
self._read(fp, filename)
File “/usr/lib/python2.6/ConfigParser.py”, line 510, in _read
raise e
ConfigParser.ParsingError: File contains parsing errors: do_auth.ini
[line 3]: ‘admin\n’
….
I see the problem. No tabs! I can’t seem to print tabs on the wiki, but you need tabs everywhere I have a \t
[users]
alex =
\tadmin
[admin]
host_allow =
\t.*
device_permit =
\t.*
command_permit =
\t.*
After than, it’s a lot happier:
dan@dan-desktop:~$ python do_auth.py -i 10.1.1.1 -u alex -d 192.168.1.1 -l log.txt -f do_auth.ini -D
dan@dan-desktop:~$ cat log.txt
2010-03-25 18:16:06: User ‘alex’ allowed command ’show users wide’ to device ‘192.168.1.1′ in ‘admin’->’command_permit’
The debug command is hard coded to “show users wide.” I was going to change that to allow a variable, but I was finished with the program and nobody else had any interest in it.
Thanks helpdeskdan, it works fine now. I do appreciate the effort toward helping me resolve this.
Excellent guide, Dan! Does exist any bug about limiting configuration commands? In my do_auth.ini I’d restricted the following comands to the specified user:
[users]
integra =
restrito
rogerios =
admin
[restrito]
host_allow =
.*
device_permit =
192.168.0.2402
command_permit =
show .*
quit
command_deny =
show ver.*
conf.*
int.*
shutdown
But it didn’t work!
All other features are working (including deny “show version”), but “config ter”, “interface gi 0/1″ and “shutdown” were permited.
Can you help me?
Thanks in advance