## xtacacs config file. Use with xtacacsd v2.x
#
# All entries are processed in the order they are read.
# The first permit or deny match will stop searching any further.
# ACL entries do not set permit or deny. However, most other
# entries will set permit or deny, and will cause an immediate
# return if they explicitly set permit or deny.

# Boolean options
BLANKPASSWORD
#NONAMESERVER
IGNORECASE
#HostWTMP
LOGGING

# To behave in quiet mode only if user does not exist, set QUIETNOUSER.
QUIETNOUSER
# To never send back a DENY response, set QUIET
#QUIET

DEBUGLEVEL 2

## If processing a request takes longer than ABORTSECS, the process will
# exit if this is set. A crude way to flush any pending requests in the
# system queue. Use only under inetd. Added on special request...
#ABORTSECS 15

# Specify alternate wtmp and utmp files if different from compile time
WTMP /var/xtacacs/wtmp
UTMP /var/xtacacs/utmp

# Up to 5 password files. Command line arguments will precede this list.
# Specify DEFAULT if you want to search the default password file (which
# can use NIS). However, this default system password file will be
# searched in a case-sensitive manner since the getpwnam() call does not
# permit case-insensitive searching.
# All the other password files listed here will be searched using the
# Getpw() routines (which do not support YP style entries). You can
# create DBM style databases for fast access using Getpw -c
PASSWD DEFAULT
PASSWD /usr/local/tacacs/passwd
PASSWD /etc/passwd.local

##
# For password authentication using Enigma Logic or SDI cards, use the
# 'AUTHTOKEN' config lines. The password string is case sensitive and
# the program to exec must exist and be executable. It should exit with
# 1 to permit access, and 0 to deny access.
#    AUTHTOKEN <password-string> <program>
AUTHTOKEN ENIGMA /usr/local/xtacacs/bin/enigma
AUTHTOKEN SDI /usr/local/xtacacs/bin/sdcheck

##
## For the CSO QI Name server support, make sure that you define
## QI while compiling the software (see Makefile). The following fields
## if uncommented must match the field names in your QI records.
# QI_host1 qi.abc.com
# QI_host2 qi-backup.abc.com
# QI_timeout 10
# QI_type dialup
# QI_uid pw_uid
# QI_gid pw_gid
# QI_shell pw_shell
# QI_gecos pw_gecos

##
## To put restrictions on the connections...
##
#
# While doing an 'exec', it adds on the username, host & line number
# at the end as an argument.
#
# <keyword> <name> \
#     HOST {hostname} [MASK <mask>] [LINE <line>,<line>] \
#     <request-type>|ALL <action> [<argument>]
#
# where
#   <keyword> is one of:
#     USER GROUP or GECO
#   <request-type> is one of:
#     arap chap login connect enable slip slipaddr old any/all
#   <action> is one of:
#     acl permit deny getok norouting numlogin execpermit execdeny
#
# The list can further be tailored using HOST to specify the terminal
# server that is sending the tacacs request and LINE to specify the
# tty line number (the LINEs are optional). A HOST can be an IP
# address in dotted notation and have a corresponding MASK. The mask
# is in the traditional 'Cisco' syntax (ignore all 1 bits).
#
# For the user-list, the <name> is the username, for the group-list
# it is the gid (NOT group-name) and for the geco-list it is a geco
# string match (the last portion of the geco string if it has fields
# separated by commas).
#
# The first explicit 'permit' or 'deny' match will return. Hence, put
# 'acl' entries first.
#
# In the following example, the user 'admin' will have an ACL of '0' (no
# access-list) and a permit for *all* types of requests. SLIP requests
# will have the program 'mail_download' run on the server host.
# Users in group 10 will be okay-ed against the program 'daytime_logins'
# (which will automatically be run with the username, gid, host & port
# as args). This check is done AFTER the password has been verified.
# User 'bin' is denied all access.
# Users with the keyword 'dialback' as the last string in the geco field
# will be denied access (execdeny) and the program 'dialback.csh' will be run.
# Users with 'slip' as the last string in the geco field will be
# permitted access (subject to the fact that no previous line has denied
# them access; order is important).
# All remaining users will have an ACL of '8' on all connections. SLIP
# requests will have an inbound ACL of 101, outbound ACL of 202 and a limit
# of 5 on the number of logins.
#
##
#
#
USER admin HOST all all acl 0
USER admin HOST all slip execpermit /usr/bin/mail_download
USER admin HOST all LINE 1,2,5-9 all permit
GROUP 10 HOST noontime login getok /bin/daytime_logins
GROUP 20 HOST noontime login getok /usr/local/bin/getok.pl
USER bin HOST all all deny
GROUP all HOST all all numlogin 2
GECO dialback HOST cs500 login execdeny /bin/dialback.csh
# Use the mask of 0.0.0.255 for the entire class C
GROUP all HOST 198.138.178.0 MASK 0.0.0.255 all acl 8
GROUP all HOST all slip acl 101-202
## since slipaddr requests are all authenticated anyway
GROUP all HOST all slipaddr permit
## permit doing a slip default on the following lines
GECO slip HOST all LINE 5,6,10-12,15 slip permit
## Cisco v10.3 allows users to specify the enable level using 'enable N'
GROUP cisco HOST all enable LEVEL 8 permit
GROUP admin HOST all enable LEVEL 15 permit
USER all HOST all enable deny
# all queries not matched are denied access by default
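The ordering rules in the comments above (acl entries fall through, the first explicit permit or deny returns, anything unmatched is denied) are easy to get wrong when editing the restriction list. The following Python evaluator is an added example, not part of xtacacsd, that parses a constructed subset of the entries above and walks them with those first-match semantics, including Cisco wildcard MASK matching and LINE ranges. It assumes that numlogin records a limit and keeps searching, that LEVEL must match the requested enable level exactly, and it does not model getok (which defers to an external program) or IGNORECASE; the Request fields and Decision type are the example's own.

```python
"""Evaluate xtacacsd-style restriction entries with first-match semantics.

Added example (not xtacacsd code). Models acl, numlogin, permit, deny,
execpermit and execdeny; getok entries are deliberately not supported.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: a subset of the restriction entries from the config
# above, with the getok entries omitted.
SAMPLE_RULES = """
USER admin HOST all all acl 0
USER admin HOST all slip execpermit /usr/bin/mail_download
USER admin HOST all LINE 1,2,5-9 all permit
USER bin HOST all all deny
GROUP all HOST all all numlogin 2
GECO dialback HOST cs500 login execdeny /bin/dialback.csh
GROUP all HOST 198.138.178.0 MASK 0.0.0.255 all acl 8
GROUP all HOST all slip acl 101-202
GROUP all HOST all slipaddr permit
GECO slip HOST all LINE 5,6,10-12,15 slip permit
GROUP cisco HOST all enable LEVEL 8 permit
USER all HOST all enable deny
"""


@dataclass
class Request:
    user: str
    gid: str            # compared as a string, since entries carry the gid
    geco: str           # full gecos field; last comma-separated part is matched
    host: str           # hostname or dotted IP of the terminal server
    line: int
    rtype: str          # login, slip, slipaddr, enable, ...
    level: Optional[int] = None   # only meaningful for enable requests


@dataclass
class Rule:
    keyword: str
    name: str
    host: str
    mask: Optional[str]
    lines: Optional[Set[int]]
    rtype: str
    level: Optional[int]
    action: str
    args: List[str]
    text: str


@dataclass
class Decision:
    verdict: str                         # "permit" or "deny"
    acl: Optional[str] = None
    numlogin: Optional[int] = None
    exec_program: Optional[str] = None
    matched: Optional[str] = None        # entry that produced the verdict


def parse_lines(spec: str) -> Set[int]:
    """Expand a LINE list such as '1,2,5-9' into a set of tty numbers."""
    out: Set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            out.update(range(int(lo), int(hi) + 1))
        else:
            out.add(int(part))
    return out


def parse_rule(text: str) -> Rule:
    tok = text.split()
    keyword, name = tok[0].upper(), tok[1]
    if keyword not in ("USER", "GROUP", "GECO") or tok[2].upper() != "HOST":
        raise ValueError("unsupported entry: " + text)
    host, i, mask, lines = tok[3], 4, None, None
    if tok[i].upper() == "MASK":
        mask, i = tok[i + 1], i + 2
    if tok[i].upper() == "LINE":
        lines, i = parse_lines(tok[i + 1]), i + 2
    rtype, i, level = tok[i].lower(), i + 1, None
    if tok[i].upper() == "LEVEL":
        level, i = int(tok[i + 1]), i + 2
    return Rule(keyword, name, host, mask, lines, rtype, level,
                tok[i].lower(), tok[i + 1:], text.strip())


def parse_config(text: str) -> List[Rule]:
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def host_matches(rule: Rule, host: str) -> bool:
    """HOST all matches anything; dotted IPs honour a Cisco wildcard MASK
    (bits set to 1 in the mask are ignored); otherwise compare names."""
    if rule.host.lower() == "all":
        return True
    try:
        want = int(ipaddress.IPv4Address(rule.host))
        got = int(ipaddress.IPv4Address(host))
    except ipaddress.AddressValueError:
        return rule.host.lower() == host.lower()
    wild = int(ipaddress.IPv4Address(rule.mask)) if rule.mask else 0
    return (got | wild) == (want | wild)


def rule_matches(rule: Rule, r: Request) -> bool:
    if rule.name.lower() != "all":
        if rule.keyword == "USER" and rule.name != r.user:
            return False
        if rule.keyword == "GROUP" and rule.name != r.gid:
            return False
        if rule.keyword == "GECO" and rule.name != r.geco.split(",")[-1].strip():
            return False
    return (host_matches(rule, r.host)
            and (rule.lines is None or r.line in rule.lines)
            and (rule.rtype in ("all", "any") or rule.rtype == r.rtype.lower())
            and (rule.level is None or rule.level == r.level))


def evaluate(rules: List[Rule], r: Request) -> Decision:
    d = Decision("deny")   # unmatched queries are denied by default
    for rule in rules:
        if not rule_matches(rule, r):
            continue
        if rule.action == "acl":             # acl never returns; keep going
            d.acl = rule.args[0]
        elif rule.action == "numlogin":      # assumption: records limit, continues
            d.numlogin = int(rule.args[0])
        elif rule.action in ("permit", "execpermit", "deny", "execdeny"):
            d.verdict = "permit" if rule.action.endswith("permit") else "deny"
            if rule.action.startswith("exec"):
                d.exec_program = rule.args[0]
            d.matched = rule.text
            return d                          # first explicit permit/deny wins
        else:
            raise NotImplementedError("action not modelled: " + rule.action)
    return d


if __name__ == "__main__":
    rules = parse_config(SAMPLE_RULES)
    print(evaluate(rules, Request("admin", "0", "Admin,,,", "cs500", 3, "login")))
```

Running the block shows the ordering pitfall the comments warn about: 'admin' on tty 3 is denied for a login, because the permit entry only covers lines 1,2,5-9 and no later entry permits the request, even though the acl 0 entry matched and the evaluator carried that ACL along.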