1.\" Copyright (c) 1998, 2001, 2002, Juniper Networks, Inc.
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\" notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\" notice, this list of conditions and the following disclaimer in the
11.\" documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
|
25.\" $FreeBSD: head/lib/libtacplus/libtacplus.3 119893 2003-09-08 19:57:22Z ru $
|
| 25.\" $FreeBSD: head/lib/libtacplus/libtacplus.3 131504 2004-07-02 23:52:20Z ru $ |
26.\"
27.Dd September 2, 1998
28.Dt LIBTACPLUS 3
29.Os
30.Sh NAME
31.Nm libtacplus
32.Nd TACACS+ client library
33.Sh SYNOPSIS
34.In taclib.h
35.Ft int
36.Fn tac_add_server "struct tac_handle *h" "const char *host" "int port" "const char *secret" "int timeout" "int flags"
37.Ft void
38.Fn tac_clear_avs "struct tac_handle *h"
39.Ft void
40.Fn tac_close "struct tac_handle *h"
41.Ft int
42.Fn tac_config "struct tac_handle *h" "const char *path"
43.Ft int
44.Fn tac_create_authen "struct tac_handle *h" "int action" "int type" "int service"
45.Ft int
46.Fn tac_create_author "struct tac_handle *h" "int method" "int type" "int service"
47.Ft char *
48.Fn tac_get_av "struct tac_handle *h" "u_int index"
49.Ft char *
50.Fn tac_get_av_value "struct tac_handle *h" "const char *attribute"
51.Ft void *
52.Fn tac_get_data "struct tac_handle *h" "size_t *len"
53.Ft char *
54.Fn tac_get_msg "struct tac_handle *h"
55.Ft struct tac_handle *
56.Fn tac_open "void"
57.Ft int
58.Fn tac_send_authen "struct tac_handle *h"
59.Ft int
60.Fn tac_send_author "struct tac_handle *h"
61.Ft int
62.Fn tac_set_av "struct tac_handle *h" "u_int index" "const char *av_pair"
63.Ft int
64.Fn tac_set_data "struct tac_handle *h" "const void *data" "size_t data_len"
65.Ft int
66.Fn tac_set_msg "struct tac_handle *h" "const char *msg"
67.Ft int
68.Fn tac_set_port "struct tac_handle *h" "const char *port"
69.Ft int
70.Fn tac_set_priv "struct tac_handle *h" "int priv"
71.Ft int
72.Fn tac_set_rem_addr "struct tac_handle *h" "const char *addr"
73.Ft int
74.Fn tac_set_user "struct tac_handle *h" "const char *user"
75.Ft const char *
76.Fn tac_strerror "struct tac_handle *h"
77.Sh DESCRIPTION
78The
79.Nm
80library implements the client side of the TACACS+ network access
|
81control protocol. TACACS+ allows clients to perform authentication,
|
81control protocol.
82TACACS+ allows clients to perform authentication, |
83authorization, and accounting by means of network requests to remote
|
83servers. This library currently supports only the authentication
|
84servers.
85This library currently supports only the authentication |
86and authorization portion of the protocol.
87.Sh INITIALIZATION
88To use the library, an application must first call
89.Fn tac_open
90to obtain a
91.Va struct tac_handle * ,
92which provides context for subsequent operations.
93Calls to
94.Fn tac_open
|
93always succeed unless insufficient virtual memory is available. If
|
95always succeed unless insufficient virtual memory is available.
96If |
97the necessary memory cannot be allocated,
98.Fn tac_open
99returns
100.Dv NULL .
101.Pp
102Before issuing any TACACS+ requests, the library must be made aware
|
100of the servers it can contact. The easiest way to configure the
|
103of the servers it can contact.
104The easiest way to configure the |
105library is to call
106.Fn tac_config .
107.Fn tac_config
108causes the library to read a configuration file whose format is
109described in
110.Xr tacplus.conf 5 .
111The pathname of the configuration file is passed as the
112.Va file
113argument to
114.Fn tac_config .
115This argument may also be given as
116.Dv NULL ,
117in which case the standard configuration file
118.Pa /etc/tacplus.conf
119is used.
120.Fn tac_config
121returns 0 on success, or \-1 if an error occurs.
122.Pp
123The library can also be configured programmatically by calls to
124.Fn tac_add_server .
125The
126.Va host
127parameter specifies the server host, either as a fully qualified
128domain name or as a dotted-quad IP address in text form.
129The
130.Va port
|
127parameter specifies the TCP port to contact on the server. If
|
131parameter specifies the TCP port to contact on the server.
132If |
133.Va port
134is given as 0, the library uses port 49, the standard TACACS+ port.
135The shared secret for the server host is passed to the
136.Va secret
|
132parameter. It may be any null-terminated string of bytes.
|
137parameter.
138It may be any null-terminated string of bytes. |
139The timeout for receiving replies from the server is passed to the
140.Va timeout
141parameter, in units of seconds.
142The
143.Va flags
144parameter is a bit mask of flags to specify various characteristics of
|
139the server. It may contain:
|
145the server.
146It may contain: |
147.Pp
148.Bl -tag -width Fl
149.It Dv TAC_SRVR_SINGLE_CONNECT
150Causes the library to attempt to negotiate single connection mode
|
144when communicating with the server. In single connection mode, the
|
151when communicating with the server.
152In single connection mode, the |
153original TCP connection is held open for multiple TACACS+ sessions.
154Older servers do not support this mode, and some of them become
155confused if the client attempts to negotiate it.
156.El
157.Pp
158.Fn tac_add_server
159returns 0 on success, or \-1 if an error occurs.
160.Pp
161.Fn tac_add_server
162may be called multiple times, and it may be used together with
163.Fn tac_config .
164At most 10 servers may be specified.
165When multiple servers are given, they are tried in round-robin
|
158fashion until a working, accessible server is found. Once the
|
166fashion until a working, accessible server is found.
167Once the |
168library finds such a server, it continues to use it as long as it
169works.
170.Sh CREATING A TACACS+ AUTHENTICATION REQUEST
171To begin constructing a new authentication request, call
172.Fn tac_create_authen .
173The
174.Va action ,
175.Va type ,
176and
177.Va service
178arguments must be set to appropriate values as defined in the
|
170TACACS+ protocol specification. The
|
179TACACS+ protocol specification.
180The |
181.In taclib.h
182header file contains symbolic constants for these values.
183.Sh CREATING A TACACS+ AUTHORIZATION REQUEST
184To begin constructing a new authorization request, call
185.Fn tac_create_author .
186The
187.Va method ,
188.Va type ,
189and
190.Va service
191arguments must be set to appropriate values as defined in the
|
182TACACS+ protocol specification. The
|
192TACACS+ protocol specification.
193The |
194.In taclib.h
195header file contains symbolic constants for these values.
196.Sh SETTING OPTIONAL PARAMETERS ON A REQUEST
197After creating a request,
198various optional parameters may be attached to it through calls to
199.Fn tac_set_av ,
200.Fn tac_set_data ,
201.Fn tac_set_port ,
202.Fn tac_set_priv ,
203.Fn tac_set_rem_addr ,
204and
205.Fn tac_set_user .
206The library creates its own copies of any strings provided to these
207functions, so that it is not necessary for the caller to preserve
|
197them. By default, each of these parameters is empty except for the
|
208them.
209By default, each of these parameters is empty except for the |
210privilege level, which defaults to
211.Ql USER
212privilege.
213.Pp
214.Fn tac_set_av
|
203only applies to the context of an authorization request. The format
|
215only applies to the context of an authorization request.
216The format |
217for an attribute value pair is defined in the TACACS+ protocol
|
205specification. The index specified can be any value between 0 and
|
218specification.
219The index specified can be any value between 0 and |
220255 inclusive and indicates the position in the list to place the
|
207attribute value pair. Calling
|
221attribute value pair.
222Calling |
223.Fn tac_set_av
224with same index twice effectively replaces the value at that position.
225Use
226.Fn tac_clear_avs
227to clear all attribute value pairs that may have been set.
228.Sh SENDING THE AUTHENTICATION REQUEST AND RECEIVING THE RESPONSE
229After the TACACS+ authentication request has been constructed, it is
230sent by means of
231.Fn tac_send_authen .
232This function connects to a server if not already connected, sends
|
218the request, and waits for a reply. On failure,
|
233the request, and waits for a reply.
234On failure, |
235.Fn tac_send_authen
|
220returns \-1. Otherwise, it returns the TACACS+ status code and flags,
221packed into an integer value. The status can be extracted using the
|
236returns \-1.
237Otherwise, it returns the TACACS+ status code and flags,
238packed into an integer value.
239The status can be extracted using the |
240macro
241.Fn TAC_AUTHEN_STATUS .
242Possible status codes, defined in
243.In taclib.h ,
244include:
245.Pp
246.Bl -item -compact -offset indent
247.It
248.Dv TAC_AUTHEN_STATUS_PASS
249.It
250.Dv TAC_AUTHEN_STATUS_FAIL
251.It
252.Dv TAC_AUTHEN_STATUS_GETDATA
253.It
254.Dv TAC_AUTHEN_STATUS_GETUSER
255.It
256.Dv TAC_AUTHEN_STATUS_GETPASS
257.It
258.Dv TAC_AUTHEN_STATUS_RESTART
259.It
260.Dv TAC_AUTHEN_STATUS_ERROR
261.It
262.Dv TAC_AUTHEN_STATUS_FOLLOW
263.El
264.Pp
265The only flag is the no-echo flag, which can be tested using the
266macro
267.Fn TAC_AUTHEN_NOECHO .
268.Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE
269An authentication response packet from the server may contain a
|
252server message, a data string, or both. After a successful call to
|
270server message, a data string, or both.
271After a successful call to |
272.Fn tac_send_authen ,
273this information may be retrieved from the response by calling
274.Fn tac_get_msg
275and
276.Fn tac_get_data .
277These functions return dynamically-allocated copies of the
|
259information from the packet. The caller is responsible for freeing
260the copies when it no longer needs them. The data returned from
|
278information from the packet.
279The caller is responsible for freeing
280the copies when it no longer needs them.
281The data returned from |
282these functions is guaranteed to be terminated by a null byte.
283.Pp
284In the case of
285.Fn tac_get_data ,
286the
287.Va len
288argument points to a location into which the library will store the
289actual length of the received data, not including the null
|
269terminator. This argument may be given as
|
290terminator.
291This argument may be given as |
292.Dv NULL
293if the caller is not interested in the length.
294.Sh SENDING AUTHENTICATION CONTINUE PACKETS
295If
296.Fn tac_send_authen
297returns a value containing one of the status codes
298.Dv TAC_AUTHEN_STATUS_GETDATA ,
299.Dv TAC_AUTHEN_STATUS_GETUSER ,
300or
301.Dv TAC_AUTHEN_STATUS_GETPASS ,
302then the client must provide additional information to the server by
|
281means of a TACACS+ CONTINUE packet. To do so, the application must
|
303means of a TACACS+ CONTINUE packet.
304To do so, the application must |
305first set the packet's user message and/or data fields using
306.Fn tac_set_msg
307and
308.Fn tac_set_data .
309The client then sends the CONTINUE packet with
310.Fn tac_send_authen .
311N.B.,
312.Fn tac_create_authen
313should
314.Em not
315be called to construct a CONTINUE packet; it is used only for the
316initial authentication request.
317.Pp
318When it receives the CONTINUE packet, the server may again request
319more information by returning
320.Dv TAC_AUTHEN_STATUS_GETDATA ,
321.Dv TAC_AUTHEN_STATUS_GETUSER ,
322or
323.Dv TAC_AUTHEN_STATUS_GETPASS .
324The application should send further CONTINUEs until some other
325status is received from the server.
326.Sh SENDING THE AUTHORIZATION REQUEST AND RECEIVING THE RESPONSE
327After the TACACS+ authorization request has been constructed, it
328is sent by means of
329.Fn tac_send_author .
330This function connects to a server if not already connected, sends
|
308the request, and waits for a reply. On failure,
|
331the request, and waits for a reply.
332On failure, |
333.Fn tac_send_author
|
310returns \-1. Otherwise, it returns the TACACS+ status code and
|
334returns \-1.
335Otherwise, it returns the TACACS+ status code and |
336number of attribute value (AV) pairs received packed into an
|
312integer value. The status can be extracted using the macro
|
337integer value.
338The status can be extracted using the macro |
339.Fn TAC_AUTHOR_STATUS .
340Possible status codes, defined in
341.In taclib.h ,
342include:
343.Pp
344.Bl -item -compact -offset indent
345.It
346.Dv TAC_AUTHOR_STATUS_PASS_ADD
347.It
348.Dv TAC_AUTHOR_STATUS_PASS_REPL
349.It
350.Dv TAC_AUTHOR_STATUS_FAIL
351.It
352.Dv TAC_AUTHOR_STATUS_ERROR
353.El
354.Pp
355The number of AV pairs received is obtained using
356.Fn TAC_AUTHEN_AV_COUNT .
357.Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHORIZATION RESPONSE
358Like an authentication response packet, an authorization
359response packet from the
|
334server may contain a server message, a data string, or both. Refer
|
360server may contain a server message, a data string, or both.
361Refer |
362to EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE
363for instruction on extraction of those values.
364.Pp
365An authorization response packet from the server may also contain
|
339attribute value (AV) pairs. To extract these, use
|
366attribute value (AV) pairs.
367To extract these, use |
368.Fn tac_get_av
369or
370.Fn tac_get_av_value .
371.Fn tac_get_av
372takes the index of the AV pair as it is positioned in the list.
373The indexes start at 0 (use
374.Fn TAC_AUTHEN_AV_COUNT
375on the return value of
376.Fn tac_send_author
377to get the total number of items in this list).
378Alternatively,
379.Fn tac_get_av_value
380can be used.
381.Fn tac_get_av_value
382takes the attribute name and returns the
|
355corresponding value only, not the AV pair. These functions return
|
383corresponding value only, not the AV pair.
384These functions return |
385dynamically-allocated copies of the information from the packet.
386The caller is responsible for freeing the copies when it no longer
|
358needs them. The data returned from these functions is guaranteed
|
387needs them.
388The data returned from these functions is guaranteed |
389to be terminated by a null byte.
390.Sh OBTAINING ERROR MESSAGES
391Those functions which accept a
392.Va struct tac_handle *
|
363argument record an error message if they fail. The error message
|
393argument record an error message if they fail.
394The error message |
395can be retrieved by calling
396.Fn tac_strerror .
397The message text is overwritten on each new error for the given
398.Va struct tac_handle * .
399Thus the message must be copied if it is to be preserved through
400subsequent library calls using the same handle.
401.Sh CLEANUP
402To free the resources used by the TACACS+ library, call
403.Fn tac_close .
404.Sh RETURN VALUES
|
374The following functions return a non-negative value on success. If
|
405The following functions return a non-negative value on success.
406If |
407they detect an error, they return \-1 and record an error message
408which can be retrieved using
409.Fn tac_strerror .
410.Pp
411.Bl -item -offset indent -compact
412.It
413.Fn tac_add_server
414.It
415.Fn tac_config
416.It
417.Fn tac_create_authen
418.It
419.Fn tac_create_author
420.It
421.Fn tac_send_authen
422.It
423.Fn tac_send_author
424.It
425.Fn tac_set_av
426.It
427.Fn tac_set_data
428.It
429.Fn tac_set_msg
430.It
431.Fn tac_set_port
432.It
433.Fn tac_set_priv
434.It
435.Fn tac_set_rem_addr
436.It
437.Fn tac_set_user
438.El
439.Pp
440The following functions return a
441.No non- Ns Dv NULL
|
410pointer on success. If they are unable to allocate sufficient
|
442pointer on success.
443If they are unable to allocate sufficient |
444virtual memory, they return
445.Dv NULL
446and record an error message which can be retrieved using
447.Fn tac_strerror .
448.Pp
449.Bl -item -offset indent -compact
450.It
451.Fn tac_get_av
452.It
453.Fn tac_get_av_pair
454.It
455.Fn tac_get_data
456.It
457.Fn tac_get_msg
458.El
459.Pp
460The following functions return a
461.No non- Ns Dv NULL
|
429pointer on success. If they are unable to allocate sufficient
|
462pointer on success.
463If they are unable to allocate sufficient |
464virtual memory, they return
465.Dv NULL ,
466without recording an error message.
467.Pp
468.Bl -item -offset indent -compact
469.It
470.Fn tac_open
471.El
472.Sh FILES
473.Pa /etc/tacplus.conf
474.Sh SEE ALSO
475.Xr tacplus.conf 5
476.Rs
477.%A D. Carrel
478.%A Lol Grant
479.%T The TACACS+ Protocol, Version 1.78
480.%O draft-grant-tacacs-02.txt (Internet Draft)
481.Re
482.Sh AUTHORS
483.An -nosplit
484This software was written by
485.An John Polstra
486and
487.An Paul Fraley ,
488and donated to the
489.Fx
490project by Juniper Networks, Inc.
|