1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
|
.\" Copyright 1998 Juniper Networks, Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd September 2, 1998
.Dt LIBTACPLUS 3
.Os
.Sh NAME
.Nm libtacplus
.Nd TACACS+ client library
.Sh SYNOPSIS
.In taclib.h
.Ft int
.Fn tac_add_server "struct tac_handle *h" "const char *host" "int port" "const char *secret" "int timeout" "int flags"
.Ft void
.Fn tac_close "struct tac_handle *h"
.Ft int
.Fn tac_config "struct tac_handle *h" "const char *path"
.Ft int
.Fn tac_create_authen "struct tac_handle *h" "int action" "int type" "int service"
.Ft void *
.Fn tac_get_data "struct tac_handle *h" "size_t *len"
.Ft char *
.Fn tac_get_msg "struct tac_handle *h"
.Ft struct tac_handle *
.Fn tac_open "void"
.Ft int
.Fn tac_send_authen "struct tac_handle *h"
.Ft int
.Fn tac_set_data "struct tac_handle *h" "const void *data" "size_t data_len"
.Ft int
.Fn tac_set_msg "struct tac_handle *h" "const char *msg"
.Ft int
.Fn tac_set_port "struct tac_handle *h" "const char *port"
.Ft int
.Fn tac_set_priv "struct tac_handle *h" "int priv"
.Ft int
.Fn tac_set_rem_addr "struct tac_handle *h" "const char *addr"
.Ft int
.Fn tac_set_user "struct tac_handle *h" "const char *user"
.Ft const char *
.Fn tac_strerror "struct tac_handle *h"
.Sh DESCRIPTION
The
.Nm
library implements the client side of the TACACS+ network access
control protocol. TACACS+ allows clients to perform authentication,
authorization, and accounting by means of network requests to remote
servers. This library currently supports only the authentication
portion of the protocol.
.Sh INITIALIZATION
To use the library, an application must first call
.Fn tac_open
to obtain a
.Va struct tac_handle * ,
which provides context for subsequent operations.
Calls to
.Fn tac_open
always succeed unless insufficient virtual memory is available. If
the necessary memory cannot be allocated,
.Fn tac_open
returns
.Dv NULL .
.Pp
Before issuing any TACACS+ requests, the library must be made aware
of the servers it can contact. The easiest way to configure the
library is to call
.Fn tac_config .
.Fn tac_config
causes the library to read a configuration file whose format is
described in
.Xr tacplus.conf 5 .
The pathname of the configuration file is passed as the
.Va file
argument to
.Fn tac_config .
This argument may also be given as
.Dv NULL ,
in which case the standard configuration file
.Pa /etc/tacplus.conf
is used.
.Fn tac_config
returns 0 on success, or -1 if an error occurs.
.Pp
The library can also be configured programmatically by calls to
.Fn tac_add_server .
The
.Va host
parameter specifies the server host, either as a fully qualified
domain name or as a dotted-quad IP address in text form.
The
.Va port
parameter specifies the TCP port to contact on the server. If
.Va port
is given as 0, the library uses port 49, the standard TACACS+ port.
The shared secret for the server host is passed to the
.Va secret
parameter. It may be any null-terminated string of bytes.
The timeout for receiving replies from the server is passed to the
.Va timeout
parameter, in units of seconds.
The
.Va flags
parameter is a bit mask of flags to specify various characteristics of
the server. It may contain:
.Pp
.Bl -tag -width Fl
.It Dv TAC_SRVR_SINGLE_CONNECT
Causes the library to attempt to negotiate single connection mode
when communicating with the server. In single connection mode, the
original TCP connection is held open for multiple TACACS+ sessions.
Older servers do not support this mode, and some of them become
confused if the client attempts to negotiate it.
.El
.Pp
.Fn tac_add_server
returns 0 on success, or -1 if an error occurs.
.Pp
.Fn tac_add_server
may be called multiple times, and it may be used together with
.Fn tac_config .
At most 10 servers may be specified.
When multiple servers are given, they are tried in round-robin
fashion until a working, accessible server is found. Once the
library finds such a server, it continues to use it as long as it
works.
.Sh CREATING A TACACS+ AUTHENTICATION REQUEST
To begin constructing a new authentication request, call
.Fn tac_create_authen .
The
.Va action ,
.Va type ,
and
.Va service
arguments must be set to appropriate values as defined in the
TACACS+ protocol specification. The
.Aq taclib.h
header file contains symbolic constants for these values.
.Pp
After creating a request with
.Fn tac_create_authen ,
various optional parameters may be attached to it through calls to
.Fn tac_set_data ,
.Fn tac_set_port ,
.Fn tac_set_priv ,
.Fn tac_set_rem_addr ,
and
.Fn tac_set_user .
The library creates its own copies of any strings provided to these
functions, so that it is not necessary for the caller to preserve
them. By default, each of these parameters is empty except for the
privilege level, which defaults to
.Ql USER
privilege.
.Sh SENDING THE AUTHENTICATION REQUEST AND RECEIVING THE RESPONSE
After the TACACS+ request has been constructed, it is sent by means
of
.Fn tac_send_authen .
This function connects to a server if not already connected, sends
the request, and waits for a reply. On failure,
.Fn tac_send_authen
returns -1. Otherwise, it returns the TACACS+ status code and flags,
packed into an integer value. The status can be extracted using the
macro
.Fn TAC_AUTHEN_STATUS .
Possible status codes, defined in
.Aq taclib.h ,
include:
.Pp
.Bl -item -compact -offset indent
.It
.Dv TAC_AUTHEN_STATUS_PASS
.It
.Dv TAC_AUTHEN_STATUS_FAIL
.It
.Dv TAC_AUTHEN_STATUS_GETDATA
.It
.Dv TAC_AUTHEN_STATUS_GETUSER
.It
.Dv TAC_AUTHEN_STATUS_GETPASS
.It
.Dv TAC_AUTHEN_STATUS_RESTART
.It
.Dv TAC_AUTHEN_STATUS_ERROR
.It
.Dv TAC_AUTHEN_STATUS_FOLLOW
.El
.Pp
The only flag is the no-echo flag, which can be tested using the
macro
.Fn TAC_AUTHEN_NOECHO .
.Sh EXTRACTING INFORMATION FROM THE SERVER'S RESPONSE
An authentication response packet from the server may contain a
server message, a data string, or both. After a successful call to
.Fn tac_send_authen ,
this information may be retrieved from the response by calling
.Fn tac_get_msg
and
.Fn tac_get_data .
These functions return dynamically-allocated copies of the
information from the packet. The caller is responsible for freeing
the copies when it no longer needs them. The data returned from
these functions is guaranteed to be terminated by a null byte.
.Pp
In the case of
.Fn tac_get_data ,
the
.Va len
argument points to a location into which the library will store the
actual length of the received data, not including the null
terminator. This argument may be given as
.Dv NULL
if the caller is not interested in the length.
.Sh SENDING AUTHENTICATION CONTINUE PACKETS
If
.Fn tac_send_authen
returns a value containing one of the status codes
.Dv TAC_AUTHEN_STATUS_GETDATA ,
.Dv TAC_AUTHEN_STATUS_GETUSER ,
or
.Dv TAC_AUTHEN_STATUS_GETPASS ,
then the client must provide additional information to the server by
means of a TACACS+ CONTINUE packet. To do so, the application must
first set the packet's user message and/or data fields using
.Fn tac_set_msg
and
.Fn tac_set_data .
The client then sends the CONTINUE packet with
.Fn tac_send_authen .
N.B.,
.Fn tac_create_authen
should
.Em not
be called to construct a CONTINUE packet; it is used only for the
initial authentication request.
.Pp
When it receives the CONTINUE packet, the server may again request
more information by returning
.Dv TAC_AUTHEN_STATUS_GETDATA ,
.Dv TAC_AUTHEN_STATUS_GETUSER ,
or
.Dv TAC_AUTHEN_STATUS_GETPASS .
The application should send further CONTINUEs until some other
status is received from the server.
.Sh OBTAINING ERROR MESSAGES
Those functions which accept a
.Va struct tac_handle *
argument record an error message if they fail. The error message
can be retrieved by calling
.Fn tac_strerror .
The message text is overwritten on each new error for the given
.Va struct tac_handle * .
Thus the message must be copied if it is to be preserved through
subsequent library calls using the same handle.
.Sh CLEANUP
To free the resources used by the TACACS+ library, call
.Fn tac_close .
.Sh RETURN VALUES
The following functions return a non-negative value on success. If
they detect an error, they return -1 and record an error message
which can be retrieved using
.Fn tac_strerror .
.Pp
.Bl -item -offset indent -compact
.It
.Fn tac_add_server
.It
.Fn tac_config
.It
.Fn tac_create_authen
.It
.Fn tac_send_authen
.It
.Fn tac_set_data
.It
.Fn tac_set_msg
.It
.Fn tac_set_port
.It
.Fn tac_set_priv
.It
.Fn tac_set_rem_addr
.It
.Fn tac_set_user
.El
.Pp
The following functions return a
.No non- Ns Dv NULL
pointer on success. If they are unable to allocate sufficient
virtual memory, they return
.Dv NULL
and record an error message which can be retrieved using
.Fn tac_strerror .
.Pp
.Bl -item -offset indent -compact
.It
.Fn tac_get_data
.It
.Fn tac_get_msg
.El
.Pp
The following functions return a
.No non- Ns Dv NULL
pointer on success. If they are unable to allocate sufficient
virtual memory, they return
.Dv NULL ,
without recording an error message.
.Pp
.Bl -item -offset indent -compact
.It
.Fn tac_open
.El
.Sh FILES
.Pa /etc/tacplus.conf
.Sh SEE ALSO
.Xr tacplus.conf 5
.Rs
.%A D. Carrel
.%A Lol Grant
.%T The TACACS+ Protocol, Version 1.78
.%O draft-grant-tacacs-02.txt (Internet Draft)
.Re
.Sh AUTHORS
This software was written by
.An John Polstra ,
and donated to the
.Fx
project by Juniper Networks, Inc.
|