1.\" Copyright (c) 1998, 2001, 2002, Juniper Networks, Inc. 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23.\" SUCH DAMAGE. 24.\" 25.\" $FreeBSD$ 26.\" 27.Dd September 2, 1998 28.Dt LIBTACPLUS 3 29.Os 30.Sh NAME 31.Nm libtacplus 32.Nd TACACS+ client library 33.Sh SYNOPSIS 34.In taclib.h 35.Ft int 36.Fn tac_add_server "struct tac_handle *h" "const char *host" "int port" "const char *secret" "int timeout" "int flags" 37.Ft void 38.Fn tac_clear_avs "struct tac_handle *h" 39.Ft void 40.Fn tac_close "struct tac_handle *h" 41.Ft int 42.Fn tac_config "struct tac_handle *h" "const char *path" 43.Ft int 44.Fn tac_create_authen "struct tac_handle *h" "int action" "int type" "int service" 45.Ft int 46.Fn tac_create_author "struct tac_handle *h" "int method" "int type" "int service" 47.Ft char * 48.Fn tac_get_av "struct tac_handle *h" "u_int index" 49.Ft char * 50.Fn tac_get_av_value "struct tac_handle *h" "const char *attribute" 51.Ft void * 52.Fn tac_get_data "struct tac_handle *h" "size_t *len" 53.Ft char * 54.Fn tac_get_msg "struct tac_handle *h" 55.Ft struct tac_handle * 56.Fn tac_open "void" 57.Ft int 58.Fn tac_send_authen "struct tac_handle *h" 59.Ft int 60.Fn tac_send_author "struct tac_handle *h" 61.Ft int 62.Fn tac_set_av "struct tac_handle *h" "u_int index" "const char *av_pair" 63.Ft int 64.Fn tac_set_data "struct tac_handle *h" "const void *data" "size_t data_len" 65.Ft int 66.Fn tac_set_msg "struct tac_handle *h" "const char *msg" 67.Ft int 68.Fn tac_set_port "struct tac_handle *h" "const char *port" 69.Ft int 70.Fn tac_set_priv "struct tac_handle *h" "int priv" 71.Ft int 72.Fn tac_set_rem_addr "struct tac_handle *h" "const char *addr" 73.Ft int 74.Fn tac_set_user "struct tac_handle *h" "const char *user" 75.Ft const char * 76.Fn tac_strerror "struct tac_handle *h" 77.Sh DESCRIPTION 78The 79.Nm 80library implements the client side of the TACACS+ network access 81control protocol. 82TACACS+ allows clients to perform authentication, 83authorization, and accounting by means of network requests to remote 84servers. 85This library currently supports only the authentication 86and authorization portion of the protocol. 87.Sh INITIALIZATION 88To use the library, an application must first call 89.Fn tac_open 90to obtain a 91.Va struct tac_handle * , 92which provides context for subsequent operations. 93Calls to 94.Fn tac_open 95always succeed unless insufficient virtual memory is available. 96If 97the necessary memory cannot be allocated, 98.Fn tac_open 99returns 100.Dv NULL . 101.Pp 102Before issuing any TACACS+ requests, the library must be made aware 103of the servers it can contact. 104The easiest way to configure the 105library is to call 106.Fn tac_config . 107.Fn tac_config 108causes the library to read a configuration file whose format is 109described in 110.Xr tacplus.conf 5 . 111The pathname of the configuration file is passed as the 112.Va file 113argument to 114.Fn tac_config . 115This argument may also be given as 116.Dv NULL , 117in which case the standard configuration file 118.Pa /etc/tacplus.conf 119is used. 120.Fn tac_config 121returns 0 on success, or \-1 if an error occurs. 122.Pp 123The library can also be configured programmatically by calls to 124.Fn tac_add_server . 125The 126.Va host 127parameter specifies the server host, either as a fully qualified 128domain name or as a dotted-quad IP address in text form. 129The 130.Va port 131parameter specifies the TCP port to contact on the server. 132If 133.Va port 134is given as 0, the library uses port 49, the standard TACACS+ port. 135The shared secret for the server host is passed to the 136.Va secret 137parameter. 138It may be any null-terminated string of bytes. 139The timeout for receiving replies from the server is passed to the 140.Va timeout 141parameter, in units of seconds. 142The 143.Va flags 144parameter is a bit mask of flags to specify various characteristics of 145the server. 146It may contain: 147.Pp 148.Bl -tag -width Fl 149.It Dv TAC_SRVR_SINGLE_CONNECT 150Causes the library to attempt to negotiate single connection mode 151when communicating with the server. 152In single connection mode, the 153original TCP connection is held open for multiple TACACS+ sessions. 154Older servers do not support this mode, and some of them become 155confused if the client attempts to negotiate it. 156.El 157.Pp 158.Fn tac_add_server 159returns 0 on success, or \-1 if an error occurs. 160.Pp 161.Fn tac_add_server 162may be called multiple times, and it may be used together with 163.Fn tac_config . 164At most 10 servers may be specified. 165When multiple servers are given, they are tried in round-robin 166fashion until a working, accessible server is found. 167Once the 168library finds such a server, it continues to use it as long as it 169works. 170.Sh CREATING A TACACS+ AUTHENTICATION REQUEST 171To begin constructing a new authentication request, call 172.Fn tac_create_authen . 173The 174.Va action , 175.Va type , 176and 177.Va service 178arguments must be set to appropriate values as defined in the 179TACACS+ protocol specification. 180The 181.In taclib.h 182header file contains symbolic constants for these values. 183.Sh CREATING A TACACS+ AUTHORIZATION REQUEST 184To begin constructing a new authorization request, call 185.Fn tac_create_author . 186The 187.Va method , 188.Va type , 189and 190.Va service 191arguments must be set to appropriate values as defined in the 192TACACS+ protocol specification. 193The 194.In taclib.h 195header file contains symbolic constants for these values. 196.Sh SETTING OPTIONAL PARAMETERS ON A REQUEST 197After creating a request, 198various optional parameters may be attached to it through calls to 199.Fn tac_set_av , 200.Fn tac_set_data , 201.Fn tac_set_port , 202.Fn tac_set_priv , 203.Fn tac_set_rem_addr , 204and 205.Fn tac_set_user . 206The library creates its own copies of any strings provided to these 207functions, so that it is not necessary for the caller to preserve 208them. 209By default, each of these parameters is empty except for the 210privilege level, which defaults to 211.Ql USER 212privilege. 213.Pp 214.Fn tac_set_av 215only applies to the context of an authorization request. 216The format 217for an attribute value pair is defined in the TACACS+ protocol 218specification. 219The index specified can be any value between 0 and 220255 inclusive and indicates the position in the list to place the 221attribute value pair. 222Calling 223.Fn tac_set_av 224with same index twice effectively replaces the value at that position. 225Use 226.Fn tac_clear_avs 227to clear all attribute value pairs that may have been set. 228.Sh SENDING THE AUTHENTICATION REQUEST AND RECEIVING THE RESPONSE 229After the TACACS+ authentication request has been constructed, it is 230sent by means of 231.Fn tac_send_authen . 232This function connects to a server if not already connected, sends 233the request, and waits for a reply. 234On failure, 235.Fn tac_send_authen 236returns \-1. 237Otherwise, it returns the TACACS+ status code and flags, 238packed into an integer value. 239The status can be extracted using the 240macro 241.Fn TAC_AUTHEN_STATUS . 242Possible status codes, defined in 243.In taclib.h , 244include: 245.Pp 246.Bl -item -compact -offset indent 247.It 248.Dv TAC_AUTHEN_STATUS_PASS 249.It 250.Dv TAC_AUTHEN_STATUS_FAIL 251.It 252.Dv TAC_AUTHEN_STATUS_GETDATA 253.It 254.Dv TAC_AUTHEN_STATUS_GETUSER 255.It 256.Dv TAC_AUTHEN_STATUS_GETPASS 257.It 258.Dv TAC_AUTHEN_STATUS_RESTART 259.It 260.Dv TAC_AUTHEN_STATUS_ERROR 261.It 262.Dv TAC_AUTHEN_STATUS_FOLLOW 263.El 264.Pp 265The only flag is the no-echo flag, which can be tested using the 266macro 267.Fn TAC_AUTHEN_NOECHO . 268.Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE 269An authentication response packet from the server may contain a 270server message, a data string, or both. 271After a successful call to 272.Fn tac_send_authen , 273this information may be retrieved from the response by calling 274.Fn tac_get_msg 275and 276.Fn tac_get_data . 277These functions return dynamically-allocated copies of the 278information from the packet. 279The caller is responsible for freeing 280the copies when it no longer needs them. 281The data returned from 282these functions is guaranteed to be terminated by a null byte. 283.Pp 284In the case of 285.Fn tac_get_data , 286the 287.Va len 288argument points to a location into which the library will store the 289actual length of the received data, not including the null 290terminator. 291This argument may be given as 292.Dv NULL 293if the caller is not interested in the length. 294.Sh SENDING AUTHENTICATION CONTINUE PACKETS 295If 296.Fn tac_send_authen 297returns a value containing one of the status codes 298.Dv TAC_AUTHEN_STATUS_GETDATA , 299.Dv TAC_AUTHEN_STATUS_GETUSER , 300or 301.Dv TAC_AUTHEN_STATUS_GETPASS , 302then the client must provide additional information to the server by 303means of a TACACS+ CONTINUE packet. 304To do so, the application must 305first set the packet's user message and/or data fields using 306.Fn tac_set_msg 307and 308.Fn tac_set_data . 309The client then sends the CONTINUE packet with 310.Fn tac_send_authen . 311N.B., 312.Fn tac_create_authen 313should 314.Em not 315be called to construct a CONTINUE packet; it is used only for the 316initial authentication request. 317.Pp 318When it receives the CONTINUE packet, the server may again request 319more information by returning 320.Dv TAC_AUTHEN_STATUS_GETDATA , 321.Dv TAC_AUTHEN_STATUS_GETUSER , 322or 323.Dv TAC_AUTHEN_STATUS_GETPASS . 324The application should send further CONTINUEs until some other 325status is received from the server. 326.Sh SENDING THE AUTHORIZATION REQUEST AND RECEIVING THE RESPONSE 327After the TACACS+ authorization request has been constructed, it 328is sent by means of 329.Fn tac_send_author . 330This function connects to a server if not already connected, sends 331the request, and waits for a reply. 332On failure, 333.Fn tac_send_author 334returns \-1. 335Otherwise, it returns the TACACS+ status code and 336number of attribute value (AV) pairs received packed into an 337integer value. 338The status can be extracted using the macro 339.Fn TAC_AUTHOR_STATUS . 340Possible status codes, defined in 341.In taclib.h , 342include: 343.Pp 344.Bl -item -compact -offset indent 345.It 346.Dv TAC_AUTHOR_STATUS_PASS_ADD 347.It 348.Dv TAC_AUTHOR_STATUS_PASS_REPL 349.It 350.Dv TAC_AUTHOR_STATUS_FAIL 351.It 352.Dv TAC_AUTHOR_STATUS_ERROR 353.El 354.Pp 355The number of AV pairs received is obtained using 356.Fn TAC_AUTHEN_AV_COUNT . 357.Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHORIZATION RESPONSE 358Like an authentication response packet, an authorization 359response packet from the 360server may contain a server message, a data string, or both. 361Refer 362to EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE 363for instruction on extraction of those values. 364.Pp 365An authorization response packet from the server may also contain 366attribute value (AV) pairs. 367To extract these, use 368.Fn tac_get_av 369or 370.Fn tac_get_av_value . 371.Fn tac_get_av 372takes the index of the AV pair as it is positioned in the list. 373The indexes start at 0 (use 374.Fn TAC_AUTHEN_AV_COUNT 375on the return value of 376.Fn tac_send_author 377to get the total number of items in this list). 378Alternatively, 379.Fn tac_get_av_value 380can be used. 381.Fn tac_get_av_value 382takes the attribute name and returns the 383corresponding value only, not the AV pair. 384These functions return 385dynamically-allocated copies of the information from the packet. 386The caller is responsible for freeing the copies when it no longer 387needs them. 388The data returned from these functions is guaranteed 389to be terminated by a null byte. 390.Sh OBTAINING ERROR MESSAGES 391Those functions which accept a 392.Va struct tac_handle * 393argument record an error message if they fail. 394The error message 395can be retrieved by calling 396.Fn tac_strerror . 397The message text is overwritten on each new error for the given 398.Va struct tac_handle * . 399Thus the message must be copied if it is to be preserved through 400subsequent library calls using the same handle. 401.Sh CLEANUP 402To free the resources used by the TACACS+ library, call 403.Fn tac_close . 404.Sh RETURN VALUES 405The following functions return a non-negative value on success. 406If 407they detect an error, they return \-1 and record an error message 408which can be retrieved using 409.Fn tac_strerror . 410.Pp 411.Bl -item -offset indent -compact 412.It 413.Fn tac_add_server 414.It 415.Fn tac_config 416.It 417.Fn tac_create_authen 418.It 419.Fn tac_create_author 420.It 421.Fn tac_send_authen 422.It 423.Fn tac_send_author 424.It 425.Fn tac_set_av 426.It 427.Fn tac_set_data 428.It 429.Fn tac_set_msg 430.It 431.Fn tac_set_port 432.It 433.Fn tac_set_priv 434.It 435.Fn tac_set_rem_addr 436.It 437.Fn tac_set_user 438.El 439.Pp 440The following functions return a 441.No non- Ns Dv NULL 442pointer on success. 443If they are unable to allocate sufficient 444virtual memory, they return 445.Dv NULL 446and record an error message which can be retrieved using 447.Fn tac_strerror . 448.Pp 449.Bl -item -offset indent -compact 450.It 451.Fn tac_get_av 452.It 453.Fn tac_get_av_pair 454.It 455.Fn tac_get_data 456.It 457.Fn tac_get_msg 458.El 459.Pp 460The following functions return a 461.No non- Ns Dv NULL 462pointer on success. 463If they are unable to allocate sufficient 464virtual memory, they return 465.Dv NULL , 466without recording an error message. 467.Pp 468.Bl -item -offset indent -compact 469.It 470.Fn tac_open 471.El 472.Sh FILES 473.Pa /etc/tacplus.conf 474.Sh SEE ALSO 475.Xr tacplus.conf 5 476.Rs 477.%A D. Carrel 478.%A Lol Grant 479.%T The TACACS+ Protocol, Version 1.78 480.%O draft-grant-tacacs-02.txt (Internet Draft) 481.Re 482.Sh AUTHORS 483.An -nosplit 484This software was written by 485.An John Polstra 486and 487.An Paul Fraley , 488and donated to the 489.Fx 490project by Juniper Networks, Inc. 491