.\" Copyright 1998 Juniper Networks, Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd June 13, 2023
.Dt TACPLUS.CONF 5
.Os
.Sh NAME
.Nm tacplus.conf
.Nd TACACS+ client configuration file
.Sh SYNOPSIS
.Pa /etc/tacplus.conf
.Sh DESCRIPTION
.Nm
contains the information necessary to configure the TACACS+ client
library.
It is parsed by
.Fn tac_config
(see
.Xr libtacplus 3 ) .
The file contains one or more entries, each describing a
single TACACS+ server which is to be used by the library.
An entry normally occupies one line, but may be continued onto the
next line with a trailing backslash.
Leading
white space is ignored, as are empty lines and lines containing
only comments.
.Pp
A TACACS+ server is described by a minimum of two fields on a line.
The fields are separated by whitespace and follow the same rules for
comments, quoting, escaping, and line continuation as the POSIX shell.
.Pp
The first field specifies
the server host, either as a fully qualified domain name or as a
dotted-quad IPv4 address.
The host may optionally be followed by a
.Ql \&:
and a numeric port number, without intervening white space.
If the
port specification is omitted, it defaults to 49, the standard TACACS+
port.
.Pp
The second field contains the shared secret, which should be known
only to the client and server hosts.
It is an arbitrary string
of characters, though it must be enclosed in double quotes if it
contains white space or is empty.
Because the fields follow POSIX shell rules, a secret containing
quote characters or backslashes must likewise be quoted or escaped,
and a secret beginning with
.Ql #
must be quoted so that it is not taken as a comment.
An empty secret disables the
normal encryption mechanism, causing all data, including user
passwords, to cross the network in cleartext.
.Pp
The optional third field may contain a decimal integer specifying the
timeout in seconds for communicating with the server.
The timeout applies
separately to each connect, write, and read operation.
If this field is omitted, it defaults to 3 seconds.
.Pp
The optional fourth field may contain the string
.Ql single-connection .
If this option is included, the library will attempt to negotiate
with the server to keep the TCP connection open for multiple
sessions.
Some older TACACS+ servers become confused if this option
is specified.
.Pp
Any subsequent fields must be of the form
.Ar attribute Ns = Ns Ar value
and will be appended to authorization responses as if they had been
sent by the server.
.Pp
Up to 10 TACACS+ servers may be specified.
The servers are tried in
order, until a valid response is received or the list is exhausted.
.Pp
The standard location for this file is
.Pa /etc/tacplus.conf .
An alternate pathname may be specified in the call to
.Fn tac_config
(see
.Xr libtacplus 3 ) .
Since the file contains sensitive information in the form of the
shared secrets, it should be owned by root and not be readable by
anyone else (for example, mode 0600).
.Sh FILES
.Bl -tag -width Pa
.It Pa /etc/tacplus.conf
.El
.Sh EXAMPLES
.Bd -literal
# A simple entry using all the defaults:
tacserver.domain.com OurLittleSecret

# A server using a non-standard port, with an increased timeout and
# the "single-connection" option, and overrides for the uid, gid
# and shell attributes.
auth.domain.com:4333 "Don't tell!!" 15 single-connection \e
    uid=1001 gid=20 shell="/usr/local/bin/zsh"

# A server specified by its IP address:
192.168.27.81 $X*#..38947ax-+= shell="/sbin/nologin"
.Ed
.Sh SEE ALSO
.Xr libtacplus 3
.Sh AUTHORS
This documentation was written by
.An John Polstra ,
and donated to the
.Fx
project by Juniper Networks, Inc.
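The following is an added example written for this page; it is not part of the manual page and not libtacplus code. It implements the field rules given in the DESCRIPTION section (POSIX-shell style comments, quoting, escaping and backslash-newline continuation; host[:port]; secret; optional timeout; optional single-connection; attribute=value overrides; the defaults of port 49 and 3 seconds; the limit of 10 servers) and then audits the result for the two things a practitioner checks first: an empty secret, which the page says puts all traffic on the wire in cleartext, and a file that is not root-only. The function names split_fields, parse_tacplus_conf and audit are this example's own. Two points are assumptions rather than statements from the page: the third field is taken as the timeout only when it is all digits, so that single-connection may appear without a preceding timeout; and "readable only by root" is checked as owner uid 0 with no group or other permission bits. IPv6 literals are not handled, since the page specifies only host names and dotted-quad addresses. The sample configuration inside the block is constructed from the EXAMPLES section plus one deliberately weak entry.

```python
"""tacplus.conf parser and audit: added example for this page, not libtacplus."""
import stat
DEFAULT_PORT, DEFAULT_TIMEOUT, MAX_SERVERS = 49, 3, 10   # values from the page


def split_fields(text):
    """Tokenise with POSIX-shell rules; return [(first_lineno, fields)].  '#'
    comments only at word start; backslash-newline joins lines except in '...'."""
    entries, fields, tok = [], [], []
    have_tok, quote = False, None        # quote is None, "'" or '"'
    i, lineno, start = 0, 1, 1
    text += "\n"                         # so the last line always terminates
    while i < len(text):
        c = text[i]
        if c == "\\" and quote != "'":   # escape; single quotes are literal
            i += 1
            c = text[i]
            if c == "\n":
                lineno += 1              # continuation: drop both characters
            elif quote == '"' and c not in '"\\$`':
                tok.append("\\" + c)     # backslash stays literal inside "..."
            else:
                tok.append(c)
        elif quote:
            if c == quote:
                quote = None
            else:
                tok.append(c)
        elif c in "'\"":
            quote, have_tok = c, True    # "" and '' yield an empty field
        elif c == "#" and not have_tok:  # comment runs to end of line
            i = text.find("\n", i)
            continue
        elif c in " \t\n":
            if have_tok:
                fields.append("".join(tok))
            tok, have_tok = [], False
            if c == "\n":
                if fields:
                    entries.append((start, fields))
                fields, lineno = [], lineno + 1
                start = lineno
        else:
            tok.append(c)
            have_tok = True
        i += 1
    if quote:
        raise ValueError("line %d: unterminated quote" % lineno)
    return entries


def parse_tacplus_conf(text):
    """One dict per server, with the page's defaults applied."""
    servers = []
    for lineno, f in split_fields(text):
        if len(f) < 2:
            raise ValueError("line %d: host and secret are required" % lineno)
        host, _, port = f[0].partition(":")  # FQDN or dotted quad, not IPv6
        if not host or (port and not port.isdigit()):
            raise ValueError("line %d: bad host[:port] %r" % (lineno, f[0]))
        s = {"line": lineno, "host": host, "secret": f[1], "attrs": {},
             "port": int(port) if port else DEFAULT_PORT,
             "timeout": DEFAULT_TIMEOUT, "single_connection": False}
        rest = f[2:]
        if rest and rest[0].isdigit():               # optional third field
            s["timeout"] = int(rest.pop(0))
        if rest and rest[0] == "single-connection":  # optional fourth field
            s["single_connection"] = rest.pop(0) == "single-connection"
        for item in rest:                            # then attribute=value
            attr, eq, value = item.partition("=")
            if not (attr and eq):
                raise ValueError("line %d: unexpected field %r" % (lineno, item))
            s["attrs"][attr] = value
        servers.append(s)
    return servers


def audit(servers, st_mode=None, st_uid=None):
    """Warnings to fix before deployment; st_mode/st_uid come from os.stat()."""
    warn = []
    if len(servers) > MAX_SERVERS:
        warn.append("%d servers listed, limit is %d" % (len(servers), MAX_SERVERS))
    for s in servers:
        if s["secret"] == "":                # the page: empty secret => cleartext
            warn.append("line %d: empty secret, traffic to %s is cleartext"
                        % (s["line"], s["host"]))
    if st_mode is not None and st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        warn.append("mode %o is group/world accessible, use 0600" % stat.S_IMODE(st_mode))
    if st_uid not in (None, 0):
        warn.append("owned by uid %d, not root" % st_uid)
    return warn


# Constructed sample: the page's EXAMPLES entries plus one deliberately weak one.
SAMPLE = r'''# comment line, then the three entries from the EXAMPLES section
tacserver.domain.com OurLittleSecret
auth.domain.com:4333 "Don't tell!!" 15 single-connection \
    uid=1001 gid=20 shell="/usr/local/bin/zsh"
192.168.27.81 $X*#..38947ax-+= shell="/sbin/nologin"
backup.domain.com ""   # empty secret: everything crosses the wire in cleartext
'''
```

To audit a live file, read its contents into parse_tacplus_conf and pass the st_mode and st_uid fields of os.stat() for that path to audit. The tokenizer is written by hand rather than with shlex because shlex treats a `#` in the middle of a word as a comment and turns backslash-newline into a literal newline, both of which would break the page's own example secret `$X*#..38947ax-+=` and its continued line.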