xtacacsd Feature List

This page describes the features available in the version of xtacacsd maintained by Vikas Aggarwal at this Web location.

These features are NOT the same as in the Cisco xtacacsd daemon.

DBM Password files
Can create and use DBM format database files for extracting user entries from the Unix password files (use Getpw -c).
QI/PH Name server support
Support for the QI/PH name server database from ftp.cso.uiuc.edu
DEC SIA Authentication
Support for DEC SIA routines and Solaris shadow passwords
ASCII Wtmp file
As of v4.1, the binary wtmp file has been replaced with an ASCII wtmp file (wtmp.ascii), and taclast has been updated to handle these ASCII files.
Special Password Keywords
Supports calling an external password verification program if the password entry for a user matches a special keyword. This allows support for TokenCard software such as the Enigma Logic SafeWord system, Security Dynamics SecurID card, etc.
External authorization Program
Allows calling an external program AFTER the password verification for finer control over permitting or denying a user. The program is run with the username, terminal server and line number as arguments (it can be used to deny access to certain users dialing in on restricted ports at certain times, etc.).
Case Insensitive username matches
Almost necessary for SLIP/PPP username matching since the Cisco converts the username in PPP queries into all uppercase.
Separate UTMP and WTMP files
Updates and maintains its own UTMP file (as well as its WTMP file). The UTMP file indicates which users are currently logged into all network devices on your network.
Configuration file
Optionally reads a configuration file on startup containing commands that allow extensive control of responses based on username, group-id or gecos string matches. Allows permitting or denying a request based on its type, originating host and line numbers, and setting access control lists.
Run external program on login
Executes a program on the Unix server (not on the client) on getting a request from a specified user & host (can be used to initiate dialback).
Inactivity timer under inetd
When run under inetd, it has an inactivity timer of 15 minutes before exiting. This provides the speed of a standalone process while preserving system resources when idle.
Can send back a SLIP ACL in/out list in the TACACS response (requires Cisco software v9.21(5.2) or higher).
Separate WTMP file per host
Can update a separate WTMP file for each host sending the TACACS query; this is needed so that the system's last program can parse the WTMP sensibly (it's back by `popular' request). Note, however, that this is no longer required since xtacacsd comes with its own taclast utility.
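
A sketch of a program for the "External authorization Program" feature above, added here as an example (it is not code shipped with xtacacsd). The page only says the program receives the username, terminal server and line number; the argument order, the exit-status convention (0 permits, non-zero denies), the optional fourth hour argument and the policy table are assumptions made for illustration.

```sh
#!/bin/sh
# Added example hook, not part of xtacacsd.
# Assumed interface: $1 username, $2 terminal server, $3 line number;
# exit status 0 = permit, non-zero = deny. A 4th argument (hour, 0-23)
# is a hypothetical extra used to make the time check testable.
#
# Constructed policy: user-glob server-glob first-line last-line from-hour to-hour action
# First matching rule wins; anything that matches no rule is denied.
POLICY='
admin*  *                0 999  0 24 permit
*       ts2.example.net 10  15  8 18 permit
*       ts2.example.net 10  15  0 24 deny
*       *                0 999  0 24 permit
'

# authorize USER SERVER LINE [HOUR]: prints permit or deny, returns 0 or 1.
authorize() {
    [ $# -ge 3 ] || { echo deny; return 1; }
    # Lowercase the name: the page notes Cisco uppercases PPP usernames.
    user=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    server=$2
    line=$3
    hour=${4:-$(date +%H)}
    # Fail closed on anything that is not a plain decimal number.
    case $line in ''|*[!0-9]*) echo deny; return 1 ;; esac
    case $hour in ''|*[!0-9]*) echo deny; return 1 ;; esac
    verdict=deny
    while read -r u s lo hi from to action; do
        case $u in ''|'#'*) continue ;; esac
        # The rule fields are the patterns; request data is only ever the subject.
        case $user in $u) ;; *) continue ;; esac
        case $server in $s) ;; *) continue ;; esac
        [ "$line" -ge "$lo" ] && [ "$line" -le "$hi" ] || continue
        [ "$hour" -ge "$from" ] && [ "$hour" -lt "$to" ] || continue
        verdict=$action
        break
    done <<EOF
$POLICY
EOF
    echo "$verdict"
    [ "$verdict" = permit ]
}

# When called with arguments, act as the hook itself.
if [ $# -gt 0 ]; then authorize "$@"; exit; fi
```

With the constructed table, lines 10-15 on ts2.example.net are usable by ordinary users only between 08:00 and 18:00, while names matching admin* are permitted everywhere.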

Other `standard' tacacs features are:

Multiple password files
Can process multiple password files (up to 5 files).
Inetd or standalone
Can run under inetd or in standalone mode as a daemon.
Backward compatible
Can process either the old tacacs queries or the new extended tacacs format queries.
Disable Nameservers
Optionally disables the use of nameservers for faster response times or to avoid depending on the nameservers.
Quiet Mode
Optionally does not send DENY type responses so that the client can query multiple tacacs servers.

Old features deleted in this version are:

GID Usage
Does not use the gid as the access list number. Now specify the access-list using the config file. Also does not use the group gid to permit/deny access.


Copyright © 1994-1997 Vikas Aggarwal