xref: /freebsd/lib/libtacplus/libtacplus.3 (revision 95eb4b873b6a8b527c5bd78d7191975dfca38998)
1.\" Copyright (c) 1998, 2001, 2002, Juniper Networks, Inc.
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.Dd December 11, 2009
26.Dt LIBTACPLUS 3
27.Os
28.Sh NAME
29.Nm libtacplus
30.Nd TACACS+ client library
31.Sh SYNOPSIS
32.In taclib.h
33.Ft int
34.Fn tac_add_server "struct tac_handle *h" "const char *host" "int port" "const char *secret" "int timeout" "int flags"
35.Ft void
36.Fn tac_clear_avs "struct tac_handle *h"
37.Ft void
38.Fn tac_close "struct tac_handle *h"
39.Ft int
40.Fn tac_config "struct tac_handle *h" "const char *path"
41.Ft int
42.Fn tac_create_authen "struct tac_handle *h" "int action" "int type" "int service"
43.Ft int
44.Fn tac_create_author "struct tac_handle *h" "int method" "int type" "int service"
45.Ft int
46.Fn tac_create_acct "struct tac_handle *h" "int acct" "int action" "int type" "int service"
47.Ft char *
48.Fn tac_get_av "struct tac_handle *h" "u_int index"
49.Ft char *
50.Fn tac_get_av_value "struct tac_handle *h" "const char *attribute"
51.Ft void *
52.Fn tac_get_data "struct tac_handle *h" "size_t *len"
53.Ft char *
54.Fn tac_get_msg "struct tac_handle *h"
55.Ft struct tac_handle *
56.Fn tac_open "void"
57.Ft int
58.Fn tac_send_authen "struct tac_handle *h"
59.Ft int
60.Fn tac_send_author "struct tac_handle *h"
61.Ft int
62.Fn tac_send_acct "struct tac_handle *h"
63.Ft int
64.Fn tac_set_av "struct tac_handle *h" "u_int index" "const char *av_pair"
65.Ft int
66.Fn tac_set_data "struct tac_handle *h" "const void *data" "size_t data_len"
67.Ft int
68.Fn tac_set_msg "struct tac_handle *h" "const char *msg"
69.Ft int
70.Fn tac_set_port "struct tac_handle *h" "const char *port"
71.Ft int
72.Fn tac_set_priv "struct tac_handle *h" "int priv"
73.Ft int
74.Fn tac_set_rem_addr "struct tac_handle *h" "const char *addr"
75.Ft int
76.Fn tac_set_user "struct tac_handle *h" "const char *user"
77.Ft const char *
78.Fn tac_strerror "struct tac_handle *h"
79.Sh DESCRIPTION
80The
81.Nm
82library implements the client side of the TACACS+ network access
83control protocol.
84TACACS+ allows clients to perform authentication,
85authorization, and accounting by means of network requests to remote
86servers.
87This library currently supports only the authentication
88and authorization portion of the protocol.
89.Sh INITIALIZATION
90To use the library, an application must first call
91.Fn tac_open
92to obtain a
93.Va struct tac_handle * ,
94which provides context for subsequent operations.
95Calls to
96.Fn tac_open
97always succeed unless insufficient virtual memory is available.
98If
99the necessary memory cannot be allocated,
100.Fn tac_open
101returns
102.Dv NULL .
103.Pp
104Before issuing any TACACS+ requests, the library must be made aware
105of the servers it can contact.
106The easiest way to configure the
107library is to call
108.Fn tac_config .
109.Fn tac_config
110causes the library to read a configuration file whose format is
111described in
112.Xr tacplus.conf 5 .
113The pathname of the configuration file is passed as the
114.Va file
115argument to
116.Fn tac_config .
117This argument may also be given as
118.Dv NULL ,
119in which case the standard configuration file
120.Pa /etc/tacplus.conf
121is used.
122.Fn tac_config
123returns 0 on success, or \-1 if an error occurs.
124.Pp
125The library can also be configured programmatically by calls to
126.Fn tac_add_server .
127The
128.Va host
129parameter specifies the server host, either as a fully qualified
130domain name or as a dotted-quad IP address in text form.
131The
132.Va port
133parameter specifies the TCP port to contact on the server.
134If
135.Va port
136is given as 0, the library uses port 49, the standard TACACS+ port.
137The shared secret for the server host is passed to the
138.Va secret
139parameter.
140It may be any null-terminated string of bytes.
141The timeout for receiving replies from the server is passed to the
142.Va timeout
143parameter, in units of seconds.
144The
145.Va flags
146parameter is a bit mask of flags to specify various characteristics of
147the server.
148It may contain:
149.Bl -tag -width Fl
150.It Dv TAC_SRVR_SINGLE_CONNECT
151Causes the library to attempt to negotiate single connection mode
152when communicating with the server.
153In single connection mode, the
154original TCP connection is held open for multiple TACACS+ sessions.
155Older servers do not support this mode, and some of them become
156confused if the client attempts to negotiate it.
157.El
158.Pp
159.Fn tac_add_server
160returns 0 on success, or \-1 if an error occurs.
161.Pp
162.Fn tac_add_server
163may be called multiple times, and it may be used together with
164.Fn tac_config .
165At most 10 servers may be specified.
166When multiple servers are given, they are tried in round-robin
167fashion until a working, accessible server is found.
168Once the
169library finds such a server, it continues to use it as long as it
170works.
171.Sh CREATING A TACACS+ AUTHENTICATION REQUEST
172To begin constructing a new authentication request, call
173.Fn tac_create_authen .
174The
175.Va action ,
176.Va type ,
177and
178.Va service
179arguments must be set to appropriate values as defined in the
180TACACS+ protocol specification.
181The
182.In taclib.h
183header file contains symbolic constants for these values.
184.Sh CREATING A TACACS+ AUTHORIZATION REQUEST
185To begin constructing a new authorization request, call
186.Fn tac_create_author .
187The
188.Va method ,
189.Va type ,
190and
191.Va service
192arguments must be set to appropriate values as defined in the
193TACACS+ protocol specification.
194The
195.In taclib.h
196header file contains symbolic constants for these values.
197.Sh CREATING A TACACS+ ACCOUNTING REQUEST
198To begin constructing a new accounting request, call
199.Fn tac_create_acct .
200The
201.Va acct ,
202.Va action ,
203.Va type ,
204and
205.Va service
206arguments must be set to appropriate values as defined in the
207TACACS+ protocol specification.
208The
209.In taclib.h
210header file contains symbolic constants for these values.
211.Sh SETTING OPTIONAL PARAMETERS ON A REQUEST
212After creating a request,
213various optional parameters may be attached to it through calls to
214.Fn tac_set_av ,
215.Fn tac_set_data ,
216.Fn tac_set_port ,
217.Fn tac_set_priv ,
218.Fn tac_set_rem_addr ,
219and
220.Fn tac_set_user .
221The library creates its own copies of any strings provided to these
222functions, so that it is not necessary for the caller to preserve
223them.
224By default, each of these parameters is empty except for the
225privilege level, which defaults to
226.Ql USER
227privilege.
228.Pp
229.Fn tac_set_av
230only applies to the context of an authorization request.
231The format
232for an attribute value pair is defined in the TACACS+ protocol
233specification.
234The index specified can be any value between 0 and
235255 inclusive and indicates the position in the list to place the
236attribute value pair.
237Calling
238.Fn tac_set_av
239with same index twice effectively replaces the value at that position.
240Use
241.Fn tac_clear_avs
242to clear all attribute value pairs that may have been set.
243.Sh SENDING THE AUTHENTICATION REQUEST AND RECEIVING THE RESPONSE
244After the TACACS+ authentication request has been constructed, it is
245sent by means of
246.Fn tac_send_authen .
247This function connects to a server if not already connected, sends
248the request, and waits for a reply.
249On failure,
250.Fn tac_send_authen
251returns \-1.
252Otherwise, it returns the TACACS+ status code and flags,
253packed into an integer value.
254The status can be extracted using the
255macro
256.Fn TAC_AUTHEN_STATUS .
257Possible status codes, defined in
258.In taclib.h ,
259include:
260.Pp
261.Bl -item -compact -offset indent
262.It
263.Dv TAC_AUTHEN_STATUS_PASS
264.It
265.Dv TAC_AUTHEN_STATUS_FAIL
266.It
267.Dv TAC_AUTHEN_STATUS_GETDATA
268.It
269.Dv TAC_AUTHEN_STATUS_GETUSER
270.It
271.Dv TAC_AUTHEN_STATUS_GETPASS
272.It
273.Dv TAC_AUTHEN_STATUS_RESTART
274.It
275.Dv TAC_AUTHEN_STATUS_ERROR
276.It
277.Dv TAC_AUTHEN_STATUS_FOLLOW
278.El
279.Pp
280The only flag is the no-echo flag, which can be tested using the
281macro
282.Fn TAC_AUTHEN_NOECHO .
283.Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE
284An authentication response packet from the server may contain a
285server message, a data string, or both.
286After a successful call to
287.Fn tac_send_authen ,
288this information may be retrieved from the response by calling
289.Fn tac_get_msg
290and
291.Fn tac_get_data .
292These functions return dynamically-allocated copies of the
293information from the packet.
294The caller is responsible for freeing
295the copies when it no longer needs them.
296The data returned from
297these functions is guaranteed to be terminated by a null byte.
298.Pp
299In the case of
300.Fn tac_get_data ,
301the
302.Va len
303argument points to a location into which the library will store the
304actual length of the received data, not including the null
305terminator.
306This argument may be given as
307.Dv NULL
308if the caller is not interested in the length.
309.Sh SENDING AUTHENTICATION CONTINUE PACKETS
310If
311.Fn tac_send_authen
312returns a value containing one of the status codes
313.Dv TAC_AUTHEN_STATUS_GETDATA ,
314.Dv TAC_AUTHEN_STATUS_GETUSER ,
315or
316.Dv TAC_AUTHEN_STATUS_GETPASS ,
317then the client must provide additional information to the server by
318means of a TACACS+ CONTINUE packet.
319To do so, the application must
320first set the packet's user message and/or data fields using
321.Fn tac_set_msg
322and
323.Fn tac_set_data .
324The client then sends the CONTINUE packet with
325.Fn tac_send_authen .
326N.B.,
327.Fn tac_create_authen
328should
329.Em not
330be called to construct a CONTINUE packet; it is used only for the
331initial authentication request.
332.Pp
333When it receives the CONTINUE packet, the server may again request
334more information by returning
335.Dv TAC_AUTHEN_STATUS_GETDATA ,
336.Dv TAC_AUTHEN_STATUS_GETUSER ,
337or
338.Dv TAC_AUTHEN_STATUS_GETPASS .
339The application should send further CONTINUEs until some other
340status is received from the server.
341.Sh SENDING THE AUTHORIZATION REQUEST AND RECEIVING THE RESPONSE
342After the TACACS+ authorization request has been constructed, it
343is sent by means of
344.Fn tac_send_author .
345This function connects to a server if not already connected, sends
346the request, and waits for a reply.
347On failure,
348.Fn tac_send_author
349returns \-1.
350Otherwise, it returns the TACACS+ status code and
351number of attribute value (AV) pairs received packed into an
352integer value.
353The status can be extracted using the macro
354.Fn TAC_AUTHOR_STATUS .
355Possible status codes, defined in
356.In taclib.h ,
357include:
358.Pp
359.Bl -item -compact -offset indent
360.It
361.Dv TAC_AUTHOR_STATUS_PASS_ADD
362.It
363.Dv TAC_AUTHOR_STATUS_PASS_REPL
364.It
365.Dv TAC_AUTHOR_STATUS_FAIL
366.It
367.Dv TAC_AUTHOR_STATUS_ERROR
368.El
369.Pp
370The number of AV pairs received is obtained using
371.Fn TAC_AUTHEN_AV_COUNT .
372.Sh SENDING THE ACCOUNTING REQUEST AND RECEIVING THE RESPONSE
373After the TACACS+ authorization request has been constructed, it
374is sent by means of
375.Fn tac_send_acct .
376This function connects to a server if not already connected, sends
377the request, and waits for a reply.
378On failure,
379.Fn tac_send_acct
380returns \-1.
381Otherwise, it returns the TACACS+ status code.
382Possible status codes, defined in
383.In taclib.h ,
384include:
385.Pp
386.Bl -item -compact -offset indent
387.It
388.Dv TAC_ACCT_STATUS_SUCCESS
389.It
390.Dv TAC_ACCT_STATUS_ERROR
391.It
392.Dv TAC_ACCT_STATUS_FOLLOW
393.El
394.Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHORIZATION RESPONSE
395Like an authentication response packet, an authorization
396response packet from the
397server may contain a server message, a data string, or both.
398Refer
399to EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE
400for instruction on extraction of those values.
401.Pp
402An authorization response packet from the server may also contain
403attribute value (AV) pairs.
404To extract these, use
405.Fn tac_get_av
406or
407.Fn tac_get_av_value .
408.Fn tac_get_av
409takes the index of the AV pair as it is positioned in the list.
410The indexes start at 0 (use
411.Fn TAC_AUTHEN_AV_COUNT
412on the return value of
413.Fn tac_send_author
414to get the total number of items in this list).
415Alternatively,
416.Fn tac_get_av_value
417can be used.
418.Fn tac_get_av_value
419takes the attribute name and returns the
420corresponding value only, not the AV pair.
421These functions return
422dynamically-allocated copies of the information from the packet.
423The caller is responsible for freeing the copies when it no longer
424needs them.
425The data returned from these functions is guaranteed
426to be terminated by a null byte.
427.Sh OBTAINING ERROR MESSAGES
428Those functions which accept a
429.Va struct tac_handle *
430argument record an error message if they fail.
431The error message
432can be retrieved by calling
433.Fn tac_strerror .
434The message text is overwritten on each new error for the given
435.Va struct tac_handle * .
436Thus the message must be copied if it is to be preserved through
437subsequent library calls using the same handle.
438.Sh CLEANUP
439To free the resources used by the TACACS+ library, call
440.Fn tac_close .
441.Sh RETURN VALUES
442The following functions return a non-negative value on success.
443If
444they detect an error, they return \-1 and record an error message
445which can be retrieved using
446.Fn tac_strerror .
447.Pp
448.Bl -item -offset indent -compact
449.It
450.Fn tac_add_server
451.It
452.Fn tac_config
453.It
454.Fn tac_create_authen
455.It
456.Fn tac_create_author
457.It
458.Fn tac_create_acct
459.It
460.Fn tac_send_authen
461.It
462.Fn tac_send_author
463.It
464.Fn tac_send_acct
465.It
466.Fn tac_set_av
467.It
468.Fn tac_set_data
469.It
470.Fn tac_set_msg
471.It
472.Fn tac_set_port
473.It
474.Fn tac_set_priv
475.It
476.Fn tac_set_rem_addr
477.It
478.Fn tac_set_user
479.El
480.Pp
481The following functions return a
482.No non- Ns Dv NULL
483pointer on success.
484If they are unable to allocate sufficient
485virtual memory, they return
486.Dv NULL
487and record an error message which can be retrieved using
488.Fn tac_strerror .
489.Pp
490.Bl -item -offset indent -compact
491.It
492.Fn tac_get_av
493.It
494.Fn tac_get_av_value
495.It
496.Fn tac_get_data
497.It
498.Fn tac_get_msg
499.El
500.Pp
501The following functions return a
502.No non- Ns Dv NULL
503pointer on success.
504If they are unable to allocate sufficient
505virtual memory, they return
506.Dv NULL ,
507without recording an error message.
508.Pp
509.Bl -item -offset indent -compact
510.It
511.Fn tac_open
512.El
513.Sh FILES
514.Bl -tag -width Pa
515.It Pa /etc/tacplus.conf
516.El
517.Sh SEE ALSO
518.Xr tacplus.conf 5
519.Rs
520.%A D. Carrel
521.%A Lol Grant
522.%T The TACACS+ Protocol, Version 1.78
523.%O draft-grant-tacacs-02.txt (Internet Draft)
524.Re
525.Sh AUTHORS
526.An -nosplit
527This software was written by
528.An John Polstra
529and
530.An Paul Fraley ,
531and donated to the
532.Fx
533project by Juniper Networks, Inc.
534