xref: /freebsd/lib/libtacplus/libtacplus.3 (revision 5c52a79884070364bfc920fb8e492cfac61ec72f)
1.\" Copyright (c) 1998, 2001, 2002, Juniper Networks, Inc.
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.\" $FreeBSD$
26.\"
27.Dd September 2, 1998
28.Dt LIBTACPLUS 3
29.Os
30.Sh NAME
31.Nm libtacplus
32.Nd TACACS+ client library
33.Sh SYNOPSIS
34.In taclib.h
35.Ft int
36.Fn tac_add_server "struct tac_handle *h" "const char *host" "int port" "const char *secret" "int timeout" "int flags"
37.Ft void
38.Fn tac_clear_avs "struct tac_handle *h"
39.Ft void
40.Fn tac_close "struct tac_handle *h"
41.Ft int
42.Fn tac_config "struct tac_handle *h" "const char *path"
43.Ft int
44.Fn tac_create_authen "struct tac_handle *h" "int action" "int type" "int service"
45.Ft int
46.Fn tac_create_author "struct tac_handle *h" "int method" "int type" "int service"
47.Ft char *
48.Fn tac_get_av "struct tac_handle *h" "u_int index"
49.Ft char *
50.Fn tac_get_av_value "struct tac_handle *h" "const char *attribute"
51.Ft void *
52.Fn tac_get_data "struct tac_handle *h" "size_t *len"
53.Ft char *
54.Fn tac_get_msg "struct tac_handle *h"
55.Ft struct tac_handle *
56.Fn tac_open "void"
57.Ft int
58.Fn tac_send_authen "struct tac_handle *h"
59.Ft int
60.Fn tac_send_author "struct tac_handle *h"
61.Ft int
62.Fn tac_set_av "struct tac_handle *h" "u_int index" "const char *av_pair"
63.Ft int
64.Fn tac_set_data "struct tac_handle *h" "const void *data" "size_t data_len"
65.Ft int
66.Fn tac_set_msg "struct tac_handle *h" "const char *msg"
67.Ft int
68.Fn tac_set_port "struct tac_handle *h" "const char *port"
69.Ft int
70.Fn tac_set_priv "struct tac_handle *h" "int priv"
71.Ft int
72.Fn tac_set_rem_addr "struct tac_handle *h" "const char *addr"
73.Ft int
74.Fn tac_set_user "struct tac_handle *h" "const char *user"
75.Ft const char *
76.Fn tac_strerror "struct tac_handle *h"
77.Sh DESCRIPTION
78The
79.Nm
80library implements the client side of the TACACS+ network access
81control protocol.
82TACACS+ allows clients to perform authentication,
83authorization, and accounting by means of network requests to remote
84servers.
85This library currently supports only the authentication
86and authorization portion of the protocol.
87.Sh INITIALIZATION
88To use the library, an application must first call
89.Fn tac_open
90to obtain a
91.Va struct tac_handle * ,
92which provides context for subsequent operations.
93Calls to
94.Fn tac_open
95always succeed unless insufficient virtual memory is available.
96If
97the necessary memory cannot be allocated,
98.Fn tac_open
99returns
100.Dv NULL .
101.Pp
102Before issuing any TACACS+ requests, the library must be made aware
103of the servers it can contact.
104The easiest way to configure the
105library is to call
106.Fn tac_config .
107.Fn tac_config
108causes the library to read a configuration file whose format is
109described in
110.Xr tacplus.conf 5 .
111The pathname of the configuration file is passed as the
112.Va file
113argument to
114.Fn tac_config .
115This argument may also be given as
116.Dv NULL ,
117in which case the standard configuration file
118.Pa /etc/tacplus.conf
119is used.
120.Fn tac_config
121returns 0 on success, or \-1 if an error occurs.
122.Pp
123The library can also be configured programmatically by calls to
124.Fn tac_add_server .
125The
126.Va host
127parameter specifies the server host, either as a fully qualified
128domain name or as a dotted-quad IP address in text form.
129The
130.Va port
131parameter specifies the TCP port to contact on the server.
132If
133.Va port
134is given as 0, the library uses port 49, the standard TACACS+ port.
135The shared secret for the server host is passed to the
136.Va secret
137parameter.
138It may be any null-terminated string of bytes.
139The timeout for receiving replies from the server is passed to the
140.Va timeout
141parameter, in units of seconds.
142The
143.Va flags
144parameter is a bit mask of flags to specify various characteristics of
145the server.
146It may contain:
147.Pp
148.Bl -tag -width Fl
149.It Dv TAC_SRVR_SINGLE_CONNECT
150Causes the library to attempt to negotiate single connection mode
151when communicating with the server.
152In single connection mode, the
153original TCP connection is held open for multiple TACACS+ sessions.
154Older servers do not support this mode, and some of them become
155confused if the client attempts to negotiate it.
156.El
157.Pp
158.Fn tac_add_server
159returns 0 on success, or \-1 if an error occurs.
160.Pp
161.Fn tac_add_server
162may be called multiple times, and it may be used together with
163.Fn tac_config .
164At most 10 servers may be specified.
165When multiple servers are given, they are tried in round-robin
166fashion until a working, accessible server is found.
167Once the
168library finds such a server, it continues to use it as long as it
169works.
170.Sh CREATING A TACACS+ AUTHENTICATION REQUEST
171To begin constructing a new authentication request, call
172.Fn tac_create_authen .
173The
174.Va action ,
175.Va type ,
176and
177.Va service
178arguments must be set to appropriate values as defined in the
179TACACS+ protocol specification.
180The
181.In taclib.h
182header file contains symbolic constants for these values.
183.Sh CREATING A TACACS+ AUTHORIZATION REQUEST
184To begin constructing a new authorization request, call
185.Fn tac_create_author .
186The
187.Va method ,
188.Va type ,
189and
190.Va service
191arguments must be set to appropriate values as defined in the
192TACACS+ protocol specification.
193The
194.In taclib.h
195header file contains symbolic constants for these values.
196.Sh SETTING OPTIONAL PARAMETERS ON A REQUEST
197After creating a request,
198various optional parameters may be attached to it through calls to
199.Fn tac_set_av ,
200.Fn tac_set_data ,
201.Fn tac_set_port ,
202.Fn tac_set_priv ,
203.Fn tac_set_rem_addr ,
204and
205.Fn tac_set_user .
206The library creates its own copies of any strings provided to these
207functions, so that it is not necessary for the caller to preserve
208them.
209By default, each of these parameters is empty except for the
210privilege level, which defaults to
211.Ql USER
212privilege.
213.Pp
214.Fn tac_set_av
215only applies to the context of an authorization request.
216The format
217for an attribute value pair is defined in the TACACS+ protocol
218specification.
219The index specified can be any value between 0 and
220255 inclusive and indicates the position in the list to place the
221attribute value pair.
222Calling
223.Fn tac_set_av
224with same index twice effectively replaces the value at that position.
225Use
226.Fn tac_clear_avs
227to clear all attribute value pairs that may have been set.
228.Sh SENDING THE AUTHENTICATION REQUEST AND RECEIVING THE RESPONSE
229After the TACACS+ authentication request has been constructed, it is
230sent by means of
231.Fn tac_send_authen .
232This function connects to a server if not already connected, sends
233the request, and waits for a reply.
234On failure,
235.Fn tac_send_authen
236returns \-1.
237Otherwise, it returns the TACACS+ status code and flags,
238packed into an integer value.
239The status can be extracted using the
240macro
241.Fn TAC_AUTHEN_STATUS .
242Possible status codes, defined in
243.In taclib.h ,
244include:
245.Pp
246.Bl -item -compact -offset indent
247.It
248.Dv TAC_AUTHEN_STATUS_PASS
249.It
250.Dv TAC_AUTHEN_STATUS_FAIL
251.It
252.Dv TAC_AUTHEN_STATUS_GETDATA
253.It
254.Dv TAC_AUTHEN_STATUS_GETUSER
255.It
256.Dv TAC_AUTHEN_STATUS_GETPASS
257.It
258.Dv TAC_AUTHEN_STATUS_RESTART
259.It
260.Dv TAC_AUTHEN_STATUS_ERROR
261.It
262.Dv TAC_AUTHEN_STATUS_FOLLOW
263.El
264.Pp
265The only flag is the no-echo flag, which can be tested using the
266macro
267.Fn TAC_AUTHEN_NOECHO .
268.Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE
269An authentication response packet from the server may contain a
270server message, a data string, or both.
271After a successful call to
272.Fn tac_send_authen ,
273this information may be retrieved from the response by calling
274.Fn tac_get_msg
275and
276.Fn tac_get_data .
277These functions return dynamically-allocated copies of the
278information from the packet.
279The caller is responsible for freeing
280the copies when it no longer needs them.
281The data returned from
282these functions is guaranteed to be terminated by a null byte.
283.Pp
284In the case of
285.Fn tac_get_data ,
286the
287.Va len
288argument points to a location into which the library will store the
289actual length of the received data, not including the null
290terminator.
291This argument may be given as
292.Dv NULL
293if the caller is not interested in the length.
294.Sh SENDING AUTHENTICATION CONTINUE PACKETS
295If
296.Fn tac_send_authen
297returns a value containing one of the status codes
298.Dv TAC_AUTHEN_STATUS_GETDATA ,
299.Dv TAC_AUTHEN_STATUS_GETUSER ,
300or
301.Dv TAC_AUTHEN_STATUS_GETPASS ,
302then the client must provide additional information to the server by
303means of a TACACS+ CONTINUE packet.
304To do so, the application must
305first set the packet's user message and/or data fields using
306.Fn tac_set_msg
307and
308.Fn tac_set_data .
309The client then sends the CONTINUE packet with
310.Fn tac_send_authen .
311N.B.,
312.Fn tac_create_authen
313should
314.Em not
315be called to construct a CONTINUE packet; it is used only for the
316initial authentication request.
317.Pp
318When it receives the CONTINUE packet, the server may again request
319more information by returning
320.Dv TAC_AUTHEN_STATUS_GETDATA ,
321.Dv TAC_AUTHEN_STATUS_GETUSER ,
322or
323.Dv TAC_AUTHEN_STATUS_GETPASS .
324The application should send further CONTINUEs until some other
325status is received from the server.
326.Sh SENDING THE AUTHORIZATION REQUEST AND RECEIVING THE RESPONSE
327After the TACACS+ authorization request has been constructed, it
328is sent by means of
329.Fn tac_send_author .
330This function connects to a server if not already connected, sends
331the request, and waits for a reply.
332On failure,
333.Fn tac_send_author
334returns \-1.
335Otherwise, it returns the TACACS+ status code and
336number of attribute value (AV) pairs received packed into an
337integer value.
338The status can be extracted using the macro
339.Fn TAC_AUTHOR_STATUS .
340Possible status codes, defined in
341.In taclib.h ,
342include:
343.Pp
344.Bl -item -compact -offset indent
345.It
346.Dv TAC_AUTHOR_STATUS_PASS_ADD
347.It
348.Dv TAC_AUTHOR_STATUS_PASS_REPL
349.It
350.Dv TAC_AUTHOR_STATUS_FAIL
351.It
352.Dv TAC_AUTHOR_STATUS_ERROR
353.El
354.Pp
355The number of AV pairs received is obtained using
356.Fn TAC_AUTHEN_AV_COUNT .
357.Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHORIZATION RESPONSE
358Like an authentication response packet, an authorization
359response packet from the
360server may contain a server message, a data string, or both.
361Refer
362to EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE
363for instruction on extraction of those values.
364.Pp
365An authorization response packet from the server may also contain
366attribute value (AV) pairs.
367To extract these, use
368.Fn tac_get_av
369or
370.Fn tac_get_av_value .
371.Fn tac_get_av
372takes the index of the AV pair as it is positioned in the list.
373The indexes start at 0 (use
374.Fn TAC_AUTHEN_AV_COUNT
375on the return value of
376.Fn tac_send_author
377to get the total number of items in this list).
378Alternatively,
379.Fn tac_get_av_value
380can be used.
381.Fn tac_get_av_value
382takes the attribute name and returns the
383corresponding value only, not the AV pair.
384These functions return
385dynamically-allocated copies of the information from the packet.
386The caller is responsible for freeing the copies when it no longer
387needs them.
388The data returned from these functions is guaranteed
389to be terminated by a null byte.
390.Sh OBTAINING ERROR MESSAGES
391Those functions which accept a
392.Va struct tac_handle *
393argument record an error message if they fail.
394The error message
395can be retrieved by calling
396.Fn tac_strerror .
397The message text is overwritten on each new error for the given
398.Va struct tac_handle * .
399Thus the message must be copied if it is to be preserved through
400subsequent library calls using the same handle.
401.Sh CLEANUP
402To free the resources used by the TACACS+ library, call
403.Fn tac_close .
404.Sh RETURN VALUES
405The following functions return a non-negative value on success.
406If
407they detect an error, they return \-1 and record an error message
408which can be retrieved using
409.Fn tac_strerror .
410.Pp
411.Bl -item -offset indent -compact
412.It
413.Fn tac_add_server
414.It
415.Fn tac_config
416.It
417.Fn tac_create_authen
418.It
419.Fn tac_create_author
420.It
421.Fn tac_send_authen
422.It
423.Fn tac_send_author
424.It
425.Fn tac_set_av
426.It
427.Fn tac_set_data
428.It
429.Fn tac_set_msg
430.It
431.Fn tac_set_port
432.It
433.Fn tac_set_priv
434.It
435.Fn tac_set_rem_addr
436.It
437.Fn tac_set_user
438.El
439.Pp
440The following functions return a
441.No non- Ns Dv NULL
442pointer on success.
443If they are unable to allocate sufficient
444virtual memory, they return
445.Dv NULL
446and record an error message which can be retrieved using
447.Fn tac_strerror .
448.Pp
449.Bl -item -offset indent -compact
450.It
451.Fn tac_get_av
452.It
453.Fn tac_get_av_value
454.It
455.Fn tac_get_data
456.It
457.Fn tac_get_msg
458.El
459.Pp
460The following functions return a
461.No non- Ns Dv NULL
462pointer on success.
463If they are unable to allocate sufficient
464virtual memory, they return
465.Dv NULL ,
466without recording an error message.
467.Pp
468.Bl -item -offset indent -compact
469.It
470.Fn tac_open
471.El
472.Sh FILES
473.Pa /etc/tacplus.conf
474.Sh SEE ALSO
475.Xr tacplus.conf 5
476.Rs
477.%A D. Carrel
478.%A Lol Grant
479.%T The TACACS+ Protocol, Version 1.78
480.%O draft-grant-tacacs-02.txt (Internet Draft)
481.Re
482.Sh AUTHORS
483.An -nosplit
484This software was written by
485.An John Polstra
486and
487.An Paul Fraley ,
488and donated to the
489.Fx
490project by Juniper Networks, Inc.
491