1.\" Copyright (c) 1998, 2001, 2002, Juniper Networks, Inc. 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23.\" SUCH DAMAGE. 24.\" 25.Dd December 11, 2009 26.Dt LIBTACPLUS 3 27.Os 28.Sh NAME 29.Nm libtacplus 30.Nd TACACS+ client library 31.Sh SYNOPSIS 32.In taclib.h 33.Ft int 34.Fn tac_add_server "struct tac_handle *h" "const char *host" "int port" "const char *secret" "int timeout" "int flags" 35.Ft void 36.Fn tac_clear_avs "struct tac_handle *h" 37.Ft void 38.Fn tac_close "struct tac_handle *h" 39.Ft int 40.Fn tac_config "struct tac_handle *h" "const char *path" 41.Ft int 42.Fn tac_create_authen "struct tac_handle *h" "int action" "int type" "int service" 43.Ft int 44.Fn tac_create_author "struct tac_handle *h" "int method" "int type" "int service" 45.Ft int 46.Fn tac_create_acct "struct tac_handle *h" "int acct" "int action" "int type" "int service" 47.Ft char * 48.Fn tac_get_av "struct tac_handle *h" "u_int index" 49.Ft char * 50.Fn tac_get_av_value "struct tac_handle *h" "const char *attribute" 51.Ft void * 52.Fn tac_get_data "struct tac_handle *h" "size_t *len" 53.Ft char * 54.Fn tac_get_msg "struct tac_handle *h" 55.Ft struct tac_handle * 56.Fn tac_open "void" 57.Ft int 58.Fn tac_send_authen "struct tac_handle *h" 59.Ft int 60.Fn tac_send_author "struct tac_handle *h" 61.Ft int 62.Fn tac_send_acct "struct tac_handle *h" 63.Ft int 64.Fn tac_set_av "struct tac_handle *h" "u_int index" "const char *av_pair" 65.Ft int 66.Fn tac_set_data "struct tac_handle *h" "const void *data" "size_t data_len" 67.Ft int 68.Fn tac_set_msg "struct tac_handle *h" "const char *msg" 69.Ft int 70.Fn tac_set_port "struct tac_handle *h" "const char *port" 71.Ft int 72.Fn tac_set_priv "struct tac_handle *h" "int priv" 73.Ft int 74.Fn tac_set_rem_addr "struct tac_handle *h" "const char *addr" 75.Ft int 76.Fn tac_set_user "struct tac_handle *h" "const char *user" 77.Ft const char * 78.Fn tac_strerror "struct tac_handle *h" 79.Sh DESCRIPTION 80The 81.Nm 82library implements the client side of the TACACS+ network access 83control protocol. 84TACACS+ allows clients to perform authentication, 85authorization, and accounting by means of network requests to remote 86servers. 87This library currently supports only the authentication 88and authorization portion of the protocol. 89.Sh INITIALIZATION 90To use the library, an application must first call 91.Fn tac_open 92to obtain a 93.Va struct tac_handle * , 94which provides context for subsequent operations. 95Calls to 96.Fn tac_open 97always succeed unless insufficient virtual memory is available. 98If 99the necessary memory cannot be allocated, 100.Fn tac_open 101returns 102.Dv NULL . 103.Pp 104Before issuing any TACACS+ requests, the library must be made aware 105of the servers it can contact. 106The easiest way to configure the 107library is to call 108.Fn tac_config . 109.Fn tac_config 110causes the library to read a configuration file whose format is 111described in 112.Xr tacplus.conf 5 . 113The pathname of the configuration file is passed as the 114.Va file 115argument to 116.Fn tac_config . 117This argument may also be given as 118.Dv NULL , 119in which case the standard configuration file 120.Pa /etc/tacplus.conf 121is used. 122.Fn tac_config 123returns 0 on success, or \-1 if an error occurs. 124.Pp 125The library can also be configured programmatically by calls to 126.Fn tac_add_server . 127The 128.Va host 129parameter specifies the server host, either as a fully qualified 130domain name or as a dotted-quad IP address in text form. 131The 132.Va port 133parameter specifies the TCP port to contact on the server. 134If 135.Va port 136is given as 0, the library uses port 49, the standard TACACS+ port. 137The shared secret for the server host is passed to the 138.Va secret 139parameter. 140It may be any null-terminated string of bytes. 141The timeout for receiving replies from the server is passed to the 142.Va timeout 143parameter, in units of seconds. 144The 145.Va flags 146parameter is a bit mask of flags to specify various characteristics of 147the server. 148It may contain: 149.Bl -tag -width Fl 150.It Dv TAC_SRVR_SINGLE_CONNECT 151Causes the library to attempt to negotiate single connection mode 152when communicating with the server. 153In single connection mode, the 154original TCP connection is held open for multiple TACACS+ sessions. 155Older servers do not support this mode, and some of them become 156confused if the client attempts to negotiate it. 157.El 158.Pp 159.Fn tac_add_server 160returns 0 on success, or \-1 if an error occurs. 161.Pp 162.Fn tac_add_server 163may be called multiple times, and it may be used together with 164.Fn tac_config . 165At most 10 servers may be specified. 166When multiple servers are given, they are tried in round-robin 167fashion until a working, accessible server is found. 168Once the 169library finds such a server, it continues to use it as long as it 170works. 171.Sh CREATING A TACACS+ AUTHENTICATION REQUEST 172To begin constructing a new authentication request, call 173.Fn tac_create_authen . 174The 175.Va action , 176.Va type , 177and 178.Va service 179arguments must be set to appropriate values as defined in the 180TACACS+ protocol specification. 181The 182.In taclib.h 183header file contains symbolic constants for these values. 184.Sh CREATING A TACACS+ AUTHORIZATION REQUEST 185To begin constructing a new authorization request, call 186.Fn tac_create_author . 187The 188.Va method , 189.Va type , 190and 191.Va service 192arguments must be set to appropriate values as defined in the 193TACACS+ protocol specification. 194The 195.In taclib.h 196header file contains symbolic constants for these values. 197.Sh CREATING A TACACS+ ACCOUNTING REQUEST 198To begin constructing a new accounting request, call 199.Fn tac_create_acct . 200The 201.Va acct , 202.Va action , 203.Va type , 204and 205.Va service 206arguments must be set to appropriate values as defined in the 207TACACS+ protocol specification. 208The 209.In taclib.h 210header file contains symbolic constants for these values. 211.Sh SETTING OPTIONAL PARAMETERS ON A REQUEST 212After creating a request, 213various optional parameters may be attached to it through calls to 214.Fn tac_set_av , 215.Fn tac_set_data , 216.Fn tac_set_port , 217.Fn tac_set_priv , 218.Fn tac_set_rem_addr , 219and 220.Fn tac_set_user . 221The library creates its own copies of any strings provided to these 222functions, so that it is not necessary for the caller to preserve 223them. 224By default, each of these parameters is empty except for the 225privilege level, which defaults to 226.Ql USER 227privilege. 228.Pp 229.Fn tac_set_av 230only applies to the context of an authorization request. 231The format 232for an attribute value pair is defined in the TACACS+ protocol 233specification. 234The index specified can be any value between 0 and 235255 inclusive and indicates the position in the list to place the 236attribute value pair. 237Calling 238.Fn tac_set_av 239with same index twice effectively replaces the value at that position. 240Use 241.Fn tac_clear_avs 242to clear all attribute value pairs that may have been set. 243.Sh SENDING THE AUTHENTICATION REQUEST AND RECEIVING THE RESPONSE 244After the TACACS+ authentication request has been constructed, it is 245sent by means of 246.Fn tac_send_authen . 247This function connects to a server if not already connected, sends 248the request, and waits for a reply. 249On failure, 250.Fn tac_send_authen 251returns \-1. 252Otherwise, it returns the TACACS+ status code and flags, 253packed into an integer value. 254The status can be extracted using the 255macro 256.Fn TAC_AUTHEN_STATUS . 257Possible status codes, defined in 258.In taclib.h , 259include: 260.Pp 261.Bl -item -compact -offset indent 262.It 263.Dv TAC_AUTHEN_STATUS_PASS 264.It 265.Dv TAC_AUTHEN_STATUS_FAIL 266.It 267.Dv TAC_AUTHEN_STATUS_GETDATA 268.It 269.Dv TAC_AUTHEN_STATUS_GETUSER 270.It 271.Dv TAC_AUTHEN_STATUS_GETPASS 272.It 273.Dv TAC_AUTHEN_STATUS_RESTART 274.It 275.Dv TAC_AUTHEN_STATUS_ERROR 276.It 277.Dv TAC_AUTHEN_STATUS_FOLLOW 278.El 279.Pp 280The only flag is the no-echo flag, which can be tested using the 281macro 282.Fn TAC_AUTHEN_NOECHO . 283.Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE 284An authentication response packet from the server may contain a 285server message, a data string, or both. 286After a successful call to 287.Fn tac_send_authen , 288this information may be retrieved from the response by calling 289.Fn tac_get_msg 290and 291.Fn tac_get_data . 292These functions return dynamically-allocated copies of the 293information from the packet. 294The caller is responsible for freeing 295the copies when it no longer needs them. 296The data returned from 297these functions is guaranteed to be terminated by a null byte. 298.Pp 299In the case of 300.Fn tac_get_data , 301the 302.Va len 303argument points to a location into which the library will store the 304actual length of the received data, not including the null 305terminator. 306This argument may be given as 307.Dv NULL 308if the caller is not interested in the length. 309.Sh SENDING AUTHENTICATION CONTINUE PACKETS 310If 311.Fn tac_send_authen 312returns a value containing one of the status codes 313.Dv TAC_AUTHEN_STATUS_GETDATA , 314.Dv TAC_AUTHEN_STATUS_GETUSER , 315or 316.Dv TAC_AUTHEN_STATUS_GETPASS , 317then the client must provide additional information to the server by 318means of a TACACS+ CONTINUE packet. 319To do so, the application must 320first set the packet's user message and/or data fields using 321.Fn tac_set_msg 322and 323.Fn tac_set_data . 324The client then sends the CONTINUE packet with 325.Fn tac_send_authen . 326N.B., 327.Fn tac_create_authen 328should 329.Em not 330be called to construct a CONTINUE packet; it is used only for the 331initial authentication request. 332.Pp 333When it receives the CONTINUE packet, the server may again request 334more information by returning 335.Dv TAC_AUTHEN_STATUS_GETDATA , 336.Dv TAC_AUTHEN_STATUS_GETUSER , 337or 338.Dv TAC_AUTHEN_STATUS_GETPASS . 339The application should send further CONTINUEs until some other 340status is received from the server. 341.Sh SENDING THE AUTHORIZATION REQUEST AND RECEIVING THE RESPONSE 342After the TACACS+ authorization request has been constructed, it 343is sent by means of 344.Fn tac_send_author . 345This function connects to a server if not already connected, sends 346the request, and waits for a reply. 347On failure, 348.Fn tac_send_author 349returns \-1. 350Otherwise, it returns the TACACS+ status code and 351number of attribute value (AV) pairs received packed into an 352integer value. 353The status can be extracted using the macro 354.Fn TAC_AUTHOR_STATUS . 355Possible status codes, defined in 356.In taclib.h , 357include: 358.Pp 359.Bl -item -compact -offset indent 360.It 361.Dv TAC_AUTHOR_STATUS_PASS_ADD 362.It 363.Dv TAC_AUTHOR_STATUS_PASS_REPL 364.It 365.Dv TAC_AUTHOR_STATUS_FAIL 366.It 367.Dv TAC_AUTHOR_STATUS_ERROR 368.El 369.Pp 370The number of AV pairs received is obtained using 371.Fn TAC_AUTHEN_AV_COUNT . 372.Sh SENDING THE ACCOUNTING REQUEST AND RECEIVING THE RESPONSE 373After the TACACS+ authorization request has been constructed, it 374is sent by means of 375.Fn tac_send_acct . 376This function connects to a server if not already connected, sends 377the request, and waits for a reply. 378On failure, 379.Fn tac_send_acct 380returns \-1. 381Otherwise, it returns the TACACS+ status code. 382Possible status codes, defined in 383.In taclib.h , 384include: 385.Pp 386.Bl -item -compact -offset indent 387.It 388.Dv TAC_ACCT_STATUS_SUCCESS 389.It 390.Dv TAC_ACCT_STATUS_ERROR 391.It 392.Dv TAC_ACCT_STATUS_FOLLOW 393.El 394.Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHORIZATION RESPONSE 395Like an authentication response packet, an authorization 396response packet from the 397server may contain a server message, a data string, or both. 398Refer 399to EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE 400for instruction on extraction of those values. 401.Pp 402An authorization response packet from the server may also contain 403attribute value (AV) pairs. 404To extract these, use 405.Fn tac_get_av 406or 407.Fn tac_get_av_value . 408.Fn tac_get_av 409takes the index of the AV pair as it is positioned in the list. 410The indexes start at 0 (use 411.Fn TAC_AUTHEN_AV_COUNT 412on the return value of 413.Fn tac_send_author 414to get the total number of items in this list). 415Alternatively, 416.Fn tac_get_av_value 417can be used. 418.Fn tac_get_av_value 419takes the attribute name and returns the 420corresponding value only, not the AV pair. 421These functions return 422dynamically-allocated copies of the information from the packet. 423The caller is responsible for freeing the copies when it no longer 424needs them. 425The data returned from these functions is guaranteed 426to be terminated by a null byte. 427.Sh OBTAINING ERROR MESSAGES 428Those functions which accept a 429.Va struct tac_handle * 430argument record an error message if they fail. 431The error message 432can be retrieved by calling 433.Fn tac_strerror . 434The message text is overwritten on each new error for the given 435.Va struct tac_handle * . 436Thus the message must be copied if it is to be preserved through 437subsequent library calls using the same handle. 438.Sh CLEANUP 439To free the resources used by the TACACS+ library, call 440.Fn tac_close . 441.Sh RETURN VALUES 442The following functions return a non-negative value on success. 443If 444they detect an error, they return \-1 and record an error message 445which can be retrieved using 446.Fn tac_strerror . 447.Pp 448.Bl -item -offset indent -compact 449.It 450.Fn tac_add_server 451.It 452.Fn tac_config 453.It 454.Fn tac_create_authen 455.It 456.Fn tac_create_author 457.It 458.Fn tac_create_acct 459.It 460.Fn tac_send_authen 461.It 462.Fn tac_send_author 463.It 464.Fn tac_send_acct 465.It 466.Fn tac_set_av 467.It 468.Fn tac_set_data 469.It 470.Fn tac_set_msg 471.It 472.Fn tac_set_port 473.It 474.Fn tac_set_priv 475.It 476.Fn tac_set_rem_addr 477.It 478.Fn tac_set_user 479.El 480.Pp 481The following functions return a 482.No non- Ns Dv NULL 483pointer on success. 484If they are unable to allocate sufficient 485virtual memory, they return 486.Dv NULL 487and record an error message which can be retrieved using 488.Fn tac_strerror . 489.Pp 490.Bl -item -offset indent -compact 491.It 492.Fn tac_get_av 493.It 494.Fn tac_get_av_value 495.It 496.Fn tac_get_data 497.It 498.Fn tac_get_msg 499.El 500.Pp 501The following functions return a 502.No non- Ns Dv NULL 503pointer on success. 504If they are unable to allocate sufficient 505virtual memory, they return 506.Dv NULL , 507without recording an error message. 508.Pp 509.Bl -item -offset indent -compact 510.It 511.Fn tac_open 512.El 513.Sh FILES 514.Bl -tag -width Pa 515.It Pa /etc/tacplus.conf 516.El 517.Sh SEE ALSO 518.Xr tacplus.conf 5 519.Rs 520.%A D. Carrel 521.%A Lol Grant 522.%T The TACACS+ Protocol, Version 1.78 523.%O draft-grant-tacacs-02.txt (Internet Draft) 524.Re 525.Sh AUTHORS 526.An -nosplit 527This software was written by 528.An John Polstra 529and 530.An Paul Fraley , 531and donated to the 532.Fx 533project by Juniper Networks, Inc. 534