
Copyright (c) 1995-1998 by Cisco systems, Inc.

Permission to use, copy, modify, and distribute this software for
any purpose and without fee is hereby granted, provided that this
copyright and permission notice appear on all copies of the
software and supporting documentation, the name of Cisco Systems,
Inc. not be used in advertising or publicity pertaining to
distribution of the program without specific prior permission, and
notice be given in supporting documentation that modification,
copying and distribution is by permission of Cisco Systems, Inc.

Cisco Systems, Inc. makes no representations about the suitability
of this software for any purpose.  THIS SOFTWARE IS PROVIDED ``AS
IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE.

------------------------------------------------------------------------------

Copyright (c) 1989, 1993
The Regents of the University of California.  All rights reserved.

This product includes software developed by the University of
California, Berkeley and its contributors.

------------------------------------------------------------------------------

Copyright 1988,1990,1993,1994 by Paul Vixie
All rights reserved

Distribute freely, except: don't remove my name from the source or
documentation (don't take credit for my work), mark your changes (don't
get me blamed for your possible bugs), don't alter or remove this
notice.  May be sold if buildable source is provided to buyer.  No
warrantee of any kind, express or implied, is included with this
software; use at your own risk, responsibility for damages (if any) to
anyone resulting from the use of this software rests entirely with the
user.

------------------------------------------------------------------------------

Portion copyright (c) 1996 by Middle Volga Communications, Ltd.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
   notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.

------------------------------------------------------------------------------

Copyright (c) 1994
	The Regents of the University of California.  All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
   notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software
   must display the following acknowledgement:
	This product includes software developed by the University of
	California, Berkeley and its contributors.
4. Neither the name of the University nor the names of its contributors
   may be used to endorse or promote products derived from this software
   without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.

------------------------------------------------------------------------------



===================== 1.   tac+ia

    ,   ұ :


- ,  ,      tacacs+
        .    :

      -  libutil,     ,
              
        ,      
         -  utmp(5)  wtmp(5).     
             -   who(1) 
        last(1), -     "/"
        .

      -  libpasswd,       
            
        (passwd(5)/pwd_mkdb(8)).       
          -   pwd_mkdb(8), passwd(1), vipw(8).

-      tac_plus  Cisco
  Systems, Inc.,      
    -    
   .    
    " ".     ı 
  ,        ,
        NAS' (   
     ).

-     acctd  
     macct,  
   ""     .

-     ip  dynipd.

-  ,      tac_plus.   
  :

       - pppd  FreeBSD.

     (Vladimir Barmin, <bwm@simtel.ru>).
     .

   tac+bwm+pasa.      
,     ,    
  (Pavel Vladimirov, <pasa@queen.ru>).

       ,   
 tac+ia,   tacacs+inet-admins -    ,
   .

    ,   ,  
  ,    ,  
 (   ):

  (Paul Antonov <apg@demos.net>)
  (Vladimir Barmin <bwm@simtel.ru>)
  (Igor Valiaev <iv@vsu.ru>)
  (Serge Werner <eff@icomm.ru>)
  (Pavel Vladimirov <pasa@queen.ru>)
  (Vladimir Volovich <vvv@vsu.ru>)
  (Dmitriy Yermakov <dyer@sut.ru>)
  (Andy Igoshin <ai@vsu.ru>)
  (Dmitry Kartashoff <dima@cg.ukrtel.net>)
  (Alexander Kolesnik <sasha@lanck.net>)
  (Ivan V. Sidorenko <ivs@tomsknet.ru>)
  (Vyacheslav Silakov <seal@inar.ru>)
  (Aleksey Fedorov <alexf@vsi.ru>)
  (Denis Shaposhnikov <wizard@vlink.ru>)
  (Mike Shoyher <msh@corbina.net>)

  (0.96)  Andy Igoshin <ai@vsu.ru>,
Vladimir Volovich <vvv@vsu.ru>.

    :
AIX 4.2.1
BSD/OS 2.1, 3.0
FreeBSD 3.0
Linux Slackware/RedHat
Solaris 7

      ftp://ftp.vsu.ru/pub/hardware/cisco/tacacs/.

     .



===================== 2. 


-------------- 2.1.  libutil

          tacacs+
  ,    
   ,     
 ,       (2.1)   
    (2.2).

         
        
    wtmp(5)  utmp(5)  
(       ttys).  ,
         - whotac  lasttac
-    who(1)  last(1).

        
     BSD/OS 2.1  Berkeley Software Design Inc.
(BSDI).           FreeBSD
 Linux.

------ 2.1.1. ,  

 libutil   :

ttys -  .     ttys(5) -   
 ,     , -  
 -    .

   ,   ()  NAS'. 
   , ̱   . , 
ı   '#'    .  
 ,    , .   
  256 .

      (  ű 
),  -  ,      .
      ttys(5)    
,   ,      , 
̱, ,  ̱.

       
   flag=value ( !).   
,      ( ). 
          
 .       
  .          
 ,      . ,
     .

   (      '#') 
   ,     
,        ,  .
,         
,   .    ( 
):

tty1     pool-1    Async1   # line 1

     NAS' pool-1   tty1 ( 
 )        ()   
NAS'   Async1. ,      ,  
  IOS      tac+    .
   ,   ""     
 ,    ,  
 ,   .  :

2345678     pool-1  utmp=no   tty1 Async1   # line 1, phone number 2345678

     ,    ű    ű
 ,       .  ,
          
 ( utmp=no).

       (  ͱ) -  
UT_LINESIZE  ( 8,   . /usr/include/utmp.h).
    - UT_HOSTSIZE.

   .     
    tac+,    
,      .
     (*).

    :

check=(yes|no)             -     ,   
                             alias ( )   
                                 ,   
                                (,  CRON).

pcheck=(yes|no)            -     /,   ű
                             alias     
                               ,     
                              (,  CRON).

utmp=(no|asis|true|alias)  -      
(*)                                
                                :

                                no -    

                                asis -  ,     ttys
                                       (    ,
                                          
                                       ,     )

                                alias - alias,  , 
                                          

                                true -    

wtmp=(no|asis|true|alias)  -   
(*)

acct=(no|asis|true|alias)  -      
                             tac+      
                                .  
                                 
                             utmp.

putmp=(true|alias)         -      
(*)                                
                                :

                                true -    /

                                alias - alias, ..    ttys

pwtmp=(true|alias)         -   
(*)

pacct=(true|alias)         -       
                             tac+      
                                .  
                                 
                             putmp.

        
  tac+ -  3.   ,  
ı       
  - ,  "" , 
 .

      ttys.

utmp, wtmp -  utmp(5), wtmp(5).    
.

   ttys   ,    
  (t_ttyslot() - .  2.1.3)   ,
 ̱   ̱ NAS',   
 ,     ,     
utmp(5), wtmp(5).   ,      
  ,   ۱   -, 
     ttys.       
   (logintac(), login()  loginal() - .
 2.1.3).

   ,   wtmp   
          ı.  
   ,    wtmp 
.

 configure:

--enable-utmpfile=PATH [/DATAPATH/utmp]
--enable-wtmpfile=PATH [/DATAPATH/wtmp]
--enable-ttysfile=PATH [/DATAPATH/ttys]

------ 2.1.2. ,  

     :

 - whotac -   who(1)

 - lasttac -   last(1).  ,   '-s',
          
    - ,   (02:14),   (02:14:25).

 - logtac - , ""     
     - - ..    
   utmp(5)      wtmp(5). :

   logtac <terminal> <NAS> <user>

            
   "".     login() 
      (.  2.1.3)

 - unlogtac - , ""    
   - - ..     utmp(5) 
       wtmp(5). :

   unlogtac <terminal> <NAS>

            
   "".     login() 
      (.  2.1.3)

------ 2.1.3.  

         
,         (2.1)  
      (2.2).

--- 2.1.3.1

int init_utmp(char *reason)

      .  utmp(5) 
  wtmp(5)  

reason       ~                             Mon Nov  3 16:27

   /  .

reason - ,   wtmp(5)

 0    ,    1.

:

init_utmp("reboot");

init_utmp("shutdown");

--- 2.1.3.2

void logwtmp(char *line, char *name, char *host)

   wtmp(5) ,     name 
 line   host.   ( ..  ttys)  .

:

logwtmp("tty1", "guest", "pool-2.provider.com");

--- 2.1.3.3

int t_ttyslot(char *name, char *host, char *alias,
                         char **palias, int *status)

  ttys   ,   host (
alias) - name (  /).    (name
      ttys,     ͱ  
)      utmp,  - 0.

  ,   (   ,  
!) status      ttys   .

alias    host.      alias,  
status   A_FLAG_FOUND_AL.

 alias  ( NULL)       
A_FLAG_TTYS,   alias  ttys  ,    
(host).

 palias      UT_LINESIZE  
( )  (   ,   
name).    strncpy, ..    
   -.

       "own_wtmp.h".

:

char s[UT_LINESIZE];
char *palias = s;
int status = A_FLAG_TTYS;
int slot = t_ttyslot("tty1", "pool-1.provider.com", "pool-1", &palias, &status);

--- 2.1.3.4

void logintac(char *name, long time, char *host, char *alias, char *port,
              char *palias, int slot, int status)

  wtmp(5)  utmp(5)     time 
   name   host ( alias) - port ( palias). 
  utmp   slot.

   host  alias    status:

A_FLAG_UTMP_TR - host

A_FLAG_UTMP_AL - alias

A_FLAG_UTMP_AS -    A_FLAG_FOUND_AL,  alias,  host

       ,    .

   port  palias    status:

A_FLAG_PUTMP_AL -  ,  palias,  port

       "own_wtmp.h".

:

logintac("john", 902089500, "pool-1.provider.com", "pool-1", "tty1", "PORT1",
                                         1, A_FLAG_UTMP_AL | A_FLAG_PUTMP_AL);

--- 2.1.3.5

void login(struct utmp *ut)

front-end  t_ttyslot()  logintac().     ut (.
utmp(5))     ttys,    ,  
wtmp(5)  utmp(5)     
ut->ut_user   ut->ut_time   ut->ut_host   ut->ut_line.

      t_ttyslot  
A_FLAG_UTMP_TR | A_FLAG_PUTMP_AL (      
alias  - ű  ),      ttys
  .

:

 :

    struct utmp u;
    bzero(&u, sizeof(u));   /* zero the record so unset fields do not carry stack garbage into utmp/wtmp */
    u.ut_time = time(NULL);
    strncpy(u.ut_host, "pool-2.provider.com", UT_HOSTSIZE);
    strncpy(u.ut_line, "tty1", UT_LINESIZE);
    strncpy(u.ut_user, "guest", UT_NAMESIZE);
    login(&u);

  ( ):

    struct utmp u;
    bzero(&u, sizeof(u));
    u.ut_time = time(NULL);
    strncpy(u.ut_host, "pool-2.provider.com", UT_HOSTSIZE);
    strncpy(u.ut_line, "tty1", UT_LINESIZE);
    login(&u);

--- 2.1.3.6

void loginal(struct utmp *ut, char *alias, int logmode)

front-end  t_ttyslot()  logintac().   login().
  ű ,       ttys 
  ut->ut_host,  ݱ  alias ( ) -  
t_ttyslot()  A_FLAG_TTYS .     wtmp(5) 
utmp(5) ,     .  ,  
      ,    
logmode,      (  
 ):

UTMP_LOG_ASIS  (A_FLAG_UTMP_AS) -        ttys
UTMP_LOG_ALIAS (A_FLAG_UTMP_AL) -  alias
UTMP_LOG_TRUE  (A_FLAG_UTMP_TR) -  ut->ut_host
0              (A_FLAG_NO)      -    

    status   t_ttyslot ( 
A_FLAG_TTYS  A_FLAG_PUTMP_AL -    alias  - ű 
). , status     ttys 
 .

       "own_wtmp.h".

:

    struct utmp u;
    bzero(&u, sizeof(u));   /* zero the record so unset fields do not carry stack garbage into utmp/wtmp */
    u.ut_time = time(NULL);
    strncpy(u.ut_host, "pool-2.provider.com", UT_HOSTSIZE);
    strncpy(u.ut_line, "tty1", UT_LINESIZE);
    strncpy(u.ut_user, "guest", UT_NAMESIZE);
    loginal(&u, "pool-2", UTMP_LOG_ASIS);

------ 2.1.4.  

  ,       ,
 :

#include <utmp.h>
#include "own_wtmp.h"

   

-I<_>

  

-L<_> -lsystem

     ,     
 GNU C.


-------------- 2.2.  libpasswd

          tacacs+
     ,  
    (2.2)       
(3).

         
       ,
      passwd(5)/pwd_mkdb(8).
 ,          -
pwd_mkdbtac, passwdtac, vipwtac -    pwd_mkdb(8),
passwd(1), vipw(8).

        
    FreeBSD 2.2.7.    source/binary license 
 BSD/OS 2.1  Berkeley Software Design Inc. (BSDI),   
 <pasa@queen.ru>,       , 
    (        
    ). ,    
-  ,   ,   BSD/OS, 
  pwd_mkdbtac        
BSD/OS'.

 configure:

--enable-pwddb={ bsd | bsdi }

------ 2.2.1. ,  

 libpasswd  ұ-  ұ   
.        pwd_mkdb(8).

     ,     
 ֱ  ,   ,    
   ,      
  .    .    

/etc/_basename_

:

/etc/master._basename_             - secure plain 
/etc/s_basename_.db                - secure db 
/etc/_basename_.db                 - insecure db 
/etc/_basename_                    - insecure plain   Version 7
                                     (   )

------ 2.2.2. ,  

     :

 - pwd_mkdbtac -  pwd_mkdb(8).   ű  
          (  
   ,    ,   ). 
       :

   pwd_mkdbtac [-c] [-p] [-d <dest dir>] [-u <local username>] file [pwdfile]

 ,    BSD/OS:

   pwd_mkdbtac [-c cachesize] [-d] [-l] [-p] [-r] file [pwdfile]

 - passwdtac -  passwd(1).   ű  
         (    -l),
     (  -f  )   
   (   ,    ,  
   ),       (
              
           ,  passwdtac  
    passwd(1)    ,   -
     "" ,         suid').
        :

       passwdtac [-l] [-f pwdfile] user

  - vipwtac -  vipw(8).   ű   
        (  , 
     ,   ).   
     :

       vipwtac [pwdfile]

------ 2.2.3.  

         
,      (2.2.3),   
 (2.2.4),       (2.2.5).

  ,  "" getpwent(3)  
user_from_uid(3),   setpwfilet().    :

struct passwd *getpwentt(void);
struct passwd *getpwnamt(const char *login);
struct passwd *getpwuidt(uid_t uid);
int setpassentt(int stayopen);
int setpwentt(void);
void endpwentt(void);
char *user_from_uidt(uid_t uid, int nouser);
void setpwfilet(const char *pwdfile);

   setpwfilet()    ,   
 ( NULL    , 
 ).         
 .       
endpwentt().

:

struct passwd *p1, *p2, *p3, *q1, *q2;

// password file 1 ("/etc/tac1")
setpwfilet("/etc/tac1");
p1 = getpwnamt("user1");
p2 = getpwnamt("user2");
p3 = getpwnamt("user3");
endpwentt();

// password file 2 ("/etc/tac2")
setpwfilet("/etc/tac2");
q1 = getpwnamt("user1");
q2 = getpwnamt("user2");
endpwentt();

------ 2.2.4.  

  ,       ,
 :

#include "pwdt.h"

   

-I<_>

  

-L<_> -lpasswd

     ,     
 GNU C.

------ 2.2.5.  

 Makefile    ,  
 .

TAC_PLUS_USERID
TAC_PLUS_GROUPID

     .  ,  secure 
     root'. ,   
 tac_plus   TAC_PLUS_USERID  TAC_PLUS_GROUPID, 
        .  
 passwdtac, vipwtac  pwd_mkdbtac    root' 
  effective uid  effective gid,    
       secure .
, passwdtac  vipwtac      
    .

_PATH_DEFAULTT

   '/CONFPATH/tac_passwd'.    
,      ,  
   .

_PATH_PWD_MKDBT

   '/SBINDIR/pwd_mkdbtac'.    
pwd_mkdbtac,      (  
   pwd_mkdbtac   ;  
 make install).

PASSWD_PW_FIELDS

  .   passwd (. getpwent(3)) 
    pw_fields (  FreeBSD),   ,  
,   .   pw_fields 
struct passwd    configure.

LONGPWD

    1.     
 passwdtac  .  '-l'    ű
    (8-) .    0
  .



===================== 3.  tac_plus

      tac_plus 3.0.12 alpha  Cisco
Systems Inc.   ı  ,    
        NAS', 
     NAS'    
 libtac_plus,     .


-------------- 3.1.      

------ 3.1.1.       

         
    ()  ̱ NAS' 
    .     
--enable-cron[=PATH] configure (  ).

    ,     
  tac_plus   ݱ   
      ű .

   ı  ,    
 --enable-cron[=PATH] (TAC_PLUS_CRONDIR) (/DATAPATH/tabs  , 
 α  configure).       ,
    ,    .
    ,      
 tac_plus,      ,  
  (  ), ,    , 
,    ,      , 
  .   ,     
,     .   
,         , 
  .

     crontab(5),     
.         
  crontab(5) -   , -    ,  
۱ .      ,   
   .    

<terminal>@<host>

         
 Unix shell (sh(1)/fnmatch(3)),    regexp(3). 
     --enable-cronregexp
configure.    sh(1)/fnmatch(3).  --enable-cronregexp
configure    regexp(3).

 "    "    

*@*

  

*

(        sh(1)/fnmatch(3)).

         
    .   , 
  .    ,     
     (, , ),  
    .

 ,       :

* * * * *	     tty1@pool-1.provider.com
* 22-23,0-4 * * *    tty[2-4]@pool-2.provider.com tty[25]@pool-1.provider.com

  ,         
tty1  NAS' pool-1.provider.com,   22:00  4:59 () 
    tty2, tty3, tty4  NAS' pool-1.provider.com 
 tty2, tty5  NAS' pool-1.provider.com.

 ,        


* 11-15 * * *  tty[12]@pool-2.provider.com

 ,    ۱    tty1, tty2 
NAS' pool-2.provider.com   11:00  15:59 .   
11:00  15:00,       .
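As an added illustration (not tac_plus code), the following Python matcher evaluates an access table in the format described above: five crontab(5) time fields followed by `<terminal>@<host>` patterns matched with sh(1)/fnmatch(3) wildcards, a bare `*` standing for `*@*`, and an hour range such as `11-15` covering 11:00 through 15:59. The sample table is constructed from the README's own example lines, and every time field is treated as independently required (no special dom/dow handling).

```python
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed sample table in the README's format: five crontab(5) time fields,
# then one or more <terminal>@<host> patterns (sh(1)/fnmatch(3) wildcards).
SAMPLE_TABLE = """
# min hour dom mon dow   patterns...
* * * * *            tty1@pool-1.provider.com
* 22-23,0-4 * * *    tty[2-4]@pool-2.provider.com tty[25]@pool-1.provider.com
* 11-15 * * *        tty[12]@pool-2.provider.com
"""


def parse_field(field, lo, hi):
    """Expand one cron time field ('*', '5', '1-5', '22-23,0-4', '*/15') into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi):
            raise ValueError("cron field %r out of range %d-%d" % (field, lo, hi))
        values.update(range(start, end + 1, step))
    return values


def parse_table(text):
    """Parse the table into a list of (minutes, hours, doms, months, dows, patterns).

    Blank lines and '#' comments are skipped; a bare '*' pattern means '*@*'.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError("line %d: need 5 time fields and a pattern" % lineno)
        times = (
            parse_field(fields[0], 0, 59),   # minute
            parse_field(fields[1], 0, 23),   # hour
            parse_field(fields[2], 1, 31),   # day of month
            parse_field(fields[3], 1, 12),   # month
            parse_field(fields[4], 0, 7),    # day of week, 0 or 7 = Sunday
        )
        patterns = ["*@*" if p == "*" else p for p in fields[5:]]
        rules.append(times + (patterns,))
    return rules


def is_allowed(rules, terminal, host, when):
    """True if at least one rule covers both the moment `when` and the line terminal@host.

    A rule is in effect for every minute of every hour it names, so '11-15'
    spans 11:00 through 15:59, not 11:00 through 15:00.
    """
    line = "%s@%s" % (terminal, host)
    cron_dow = (when.weekday() + 1) % 7  # Python: Monday=0; cron: Sunday=0
    for minutes, hours, doms, months, dows, patterns in rules:
        time_ok = (when.minute in minutes and when.hour in hours
                   and when.day in doms and when.month in months
                   and (cron_dow in dows or (cron_dow == 0 and 7 in dows)))
        if time_ok and any(fnmatchcase(line, p) for p in patterns):
            return True
    return False


def check(rules, terminal, host, stamp):
    """Convenience wrapper taking the time as 'YYYY-MM-DD HH:MM'."""
    return is_allowed(rules, terminal, host, datetime.strptime(stamp, "%Y-%m-%d %H:%M"))


RULES = parse_table(SAMPLE_TABLE)

if __name__ == "__main__":
    for term, host, stamp in [("tty3", "pool-2.provider.com", "1998-11-11 23:30"),
                              ("tty3", "pool-2.provider.com", "1998-11-11 05:00"),
                              ("tty2", "pool-2.provider.com", "1998-11-11 15:59"),
                              ("tty2", "pool-2.provider.com", "1998-11-11 16:00")]:
        verdict = "allowed" if check(RULES, term, host, stamp) else "denied (crondeny)"
        print("%s@%s at %s: %s" % (term, host, stamp, verdict))
```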

  crontab   .

   ,        
   / -   .

       cron(8)   BSD/OS 2.1
 Berkeley Software Design Inc. (BSDI).

,    ,     
/ (   -    
 ,    ,    )
   crondeny.   ,  
, ̱   crondeny,    
,   .   
--enable-cronmsg='MESSAGE' configure.    

"\nSorry, you are not allowed to log in at this time on this line"

 "\n"        
,  "\\n"  "\n".

      (. 
3.1.18)      .

:

crondeny = "\nSorry, this line is for internal use only"

user = fedor {
 crondeny = "\n\n\nFedya, call later, please"
}

------ 3.1.2.  / 

        
/      . 
     --enable-deny[=deny] configure
(  ).

    ,     
  tac_plus (   /,  
 )   ݱ    
     ű .

      ,   
  --enable-denydir=PATH (TAC_PLUS_DENYDIR)  --enable-allowdir=PATH
(TAC_PLUS_ALLOWDIR) (/DATAPATH/deny  /DATAPATH/allow  , 
  configure).          ,
    ,   
.     ,    
   tac_plus,      ,
    (  ), ,   
,  ,    ,      ,
   .   ,     
,     .   
,     ,     , 
  (  allow-)    ( 
deny-).

 ,     deny-,     0,  
  , tac_plus     
 .

    0      ,  
,    / ( 
 -      ,   
,    )    admdeny. 
 ,   , ̱ 
 admdeny,     ,   .
   --enable-denymsg='MESSAGE' configure.
   

"\nSorry, this account has been blocked by administrator"

 "\n"        
,  "\\n"  "\n".

      (. 
3.1.18)      .

:

admdeny = "\nSorry, you're not our customer now"

user = fedor {
 admdeny = "\n\n\nYou fired, jerk!!!"
}

   -     
/ -    --enable-deny=deny (DENY_THEN_ALLOW).
    (  configure)    allow,
 deny -     allow-     
deny-.    ,     deny,
 allow.

   ,      deny   
      allow  / -
  .

------ 3.1.3.     

         
   .     
--enable-db[=old] configure (  ).

    ,     
  tac_plus (    /  
 ,    )  
ݱ          ű .

    db- --enable-db-file=PATH (TAC_PLUS_DBFILE)
(  /DATAPATH/user.db).
       acctd (.  5).
   db2,  db   configure.

    DBF_1 (     ),  
     ( .  5.1).

  ,    . 
,     ( ),  tac_plus 
  :

*** User <_>: time limit EXCEEDED!

     ,     
,    :

*** User <_>: total time limit EXCEEDED!

 

*** User <_>: daily time limit EXCEEDED!

     .

     (  0), ,   
,     ,    , 
 :

*** User <_>: time left <> minutes.

      

*** User <_>: total time left <> minutes, left for today <> minutes.

    <>   unlimited.

     .

      (   ), 
  :

*** User <_>: time is unlimited.

     (   configure
--enable-db-silent,   ,    ).

      .

------ 3.1.3.1.   ,   
                  user.db

         
  , ,     , 
   .      --enable-db-strict
configure (  ).

------ 3.1.4.      

         
  ttys.        
2.1.1.

   ttys     ,
   configure,   ,    alias'
(.  3.1.5).

 configure  (   )   
,     ,     
 alias'  ttys.

--disable-pcheck (  )
--disable-putmp  (  )
--enable-pacct

                        
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PALIAS_CHECK                              *           pcheck=yes
                                                    pcheck=no

PALIAS_UTMP                               *           putmp=alias
                                                    putmp=true

PALIAS_ACCT                                           pacct=alias
                                        *           pacct=true

       3.1.5.

   ttys      
      - 
utmp(5)  wtmp(5).       --enable-utmp
configure (  ).

     ,    
(login),   PPP   -,    ttys 
    wtmp  utmp -    wtmp(5)
 utmp(5).

   -  ttys   
       (, ,  
-   wtmp=no   ).

  ,    IOS   
,          
       wtmp -  
  .

      IOS   . 
         .
,   --enable-logempty[=NAME] (LOG_EMPTY) ( 
),      .    ,
    ,   EMPTY_NAME ( 
"unknown",    configure).

           
   2.1.

 ,       , 
 ,       "   ", ,
     

tty0  pool-1 Async0
...
tty15 pool-1 Async15

   $palias,     
-   .    alias' ,
,   $port,      ttys.

------ 3.1.5. 

         
         
.  ,       
 ,        
 .      
--enable-aliases configure (  ).

    ,      --enable-aliasesfile=PATH
(TAC_PLUS_ALIAS_FILE) (  /DATAFILE/aliases,   
configure)        / ͱ
NAS'  alias   .

    ,  alias   .  
  , ̱   . ,  ı 
 '#'    .    ,
   , .    
 1024 .

    alias'.

     alias'   
 flag=value ( !).    , 
    ( ).   
         
.         
.            , 
    . ,   
  .

   (      '#') 
 / ,     alias'.

   (  ):

pool-1         pool-1.provider.com 192.0.0.1

     NAS',     
     ,   IP-.

    alias      
/    :

pool           wtmp=true pool-1.provider.com
pool           wtmp=asis pool-2.provider.com

    alias'      /
    .

  alias'    ,    
2.1.1,   :

ttys=(yes|no)              -     ,   
                             alias ( )    
                             ttys (.  3.1.4)

          -
,  "ޱ" ,  
.

   ttys     
 (.  3.1.4).

  aliases   .

 configure  (   )   
,     ,     
 alias'  ttys.

--enable-alias-ttys
--enable-alias-check
--enable-acct-log-mode=MODE
--enable-utmp-log-mode=MODE

                        
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ALIAS_TTYS                                *           ttys=yes
                                                    ttys=no

ALIAS_CHECK                               *           check=yes
                                                    check=no


ACCT_LOG_MODE    A_FLAG_NO                                  acct=no
                 A_FLAG_ACCT_AS                             acct=asis
                 A_FLAG_ACCT_TR                 *           acct=true
                 A_FLAG_ACCT_AL                             acct=alias

UTMP_LOG_MODE    A_FLAG_NO      (0)                         utmp=no
                 A_FLAG_UTMP_AS (UTMP_LOG_ASIS) *           utmp=asis
                 A_FLAG_UTMP_TR (UTMP_LOG_TRUE)             utmp=true
                 A_FLAG_UTMP_AL (UTMP_LOG_ALIAS)            utmp=alias

  ,    utmp   , 
        
NAS' -        ttys (. 
3.1.4),         
NAS'.

       3.1.4.

   $alias,     
-   .     
 / NAS' (..  ,     $name)
alias',         
 $name.

------ 3.1.6.   log facility

       log facility.   
  --enable-syslog-facility=FACILITY configure ( 
 LOG_LOCAL6).

------ 3.1.7.     DNS

         DNS 
NAS'   .      
--enable-lookup-names configure (.. --disable-lookup-names; 
 ).

    DNS      
ttys (.  3.1.4)       
(.  3.1.1)   IP- NAS',   alias' (.
 3.1.5)

 ,    ޱ --enable-lookup-names (LOOKUP_NAMES)
  tac_plus    DNS ,   
 standalone  ( - inetd).  ,     
  ,      -L.  ,
 --disable-lookup-names,  -L, , .

------ 3.1.8.        

         
   ,    ,  
  ,   ,  
 .  ,       - 
  ,      
    / ( 
).

      --enable-unix-login configure
(  ; : --disable-unix-login). 
   --enable-unix-prompt='STRING',  
   --enable-unix-reject='STRING'.

     

"\nUser Access Verification\n\nlogin: "



"Login incorrect"

       " " 
     - prompt  reject .
 "\n"        
,  "\\n"  "\n".

      (. 
3.1.18)      .

:

prompt = "\nCISCO router\n\nlogin: "
reject = "Authentication failed"

user = fedor {
 reject = "Login incorrect"
}

------ 3.1.9.      

         
  (   ).   
  --enable-bwm-date configure (  ).

  - :

YYYY/MM/DD HH:MM:SS     <seconds from epoch>

:

1997/11/06 14:20:09     878815209      pool-2.provider.com       pasa    tty18
      111.11.11.10    stop    task_id=14     start_time=878805339
      timezone=MSK      service=shell     elapsed_time=9869

   :

Wed Nov  5 17:56:21 1997 pool-2.provider.com      pasa      tty18
      111.11.11.10    stop    task_id=13      start_time=878735683
      timezone=MSK      service=shell     elapsed_time=6098

------ 3.1.10.        

         
    LOG_INFO.

:

Nov 12 17:01:38 tacserver tac_plus[23011]: login query for 'hacker' tty1 from
                pool-2.provider.com rejected
Nov 15 18:31:11 tacserver tac_plus[12457]: enable query for 'lamer' tty18 from
                pool-2.provider.com rejected

------ 3.1.11.     

      -C.     
  ,    --enable-taccfgfile=PATH
configure (  /CONFPATH/tac_plus.conf).

------ 3.1.12.      

         (accounting
file),   .    --enable-acctfile=PATH
configure (  /DATAPATH/acctfile).

------ 3.1.13.      
               

--- 3.1.13.1.     

    ޱ  --enable-name-regexp configure
(  ),     
 ,   user,  .
       ,
   ,  ,    
  (   ).

      - Unix shell
(sh(1)/fnmatch(3))  regexp(3).    
--enable-name-regexp[=literal] (  ,  
regexp(3)).

       
,  ,   ,       
ı :

!*?[                             -  sh(1)/fnmatch(3)

^$.[()|?+*\                      -  regexp(3)

       
-    ,   . 
      (   
      ,  
 ,    ).

 ,         
,        
 .

 ,  ,   
ݱ    ,      
  ,  --enable-name-regexp=literal.

:

user = who[0-9] {
 member = group1
}

user = who* {
 member = group2
}

user = who5 {
 member = group3
}

  'who[0-9]'  'who*'   (
 sh(1)/fnmatch(3)),   ,      
 , 
         
  'group1'  'group2'.

who1 who2   -> who[0-9] (   ) ... group1
whois       -> who* ... group2

 'who5', ر      ,    
    ,   .

    'who[0-9]'    
      --enable-name-regexp=literal,  
     'who*',  ı   .
    'who*'     
     --enable-name-regexp=literal,   
         .

    regexp(3)   '$enable$'
 '$enab%d$'     ,    
(    -   sh(1)/fnmatch(3)   -)
 '$'  α    ,  
--enable-name-regexp-prefix=VALUE configure (   "__" (
ޱ),       '__enable__'  '__enab%d__').
ݱ   ,     sh(1)/fnmatch(3) 
    .

--- 3.1.13.2. Auto membering

         auto membering'. 
    --enable-auto-members configure ( 
).

    ,      
       users  .
   ( ), ,
        
(   ).

      - Unix shell
(sh(1)/fnmatch(3))  regexp(3).    
--enable-auto-regexp configure (  ,  
sh(1)/fnmatch(3)).

         
    ,     auto membering.

       , 
     ,   auto membering   
     --enable-auto-infile (  ).
     --enable-name-regexp (. 
3.1.13.1) ,     , 
 auto membering    --enable-name-regexp=literal.

  auto membering  .

 ,         ,
         
.

:

group = admin {
}

group = who {
 users = who*
}

user = whotinenko {
 member = admin
}

user = whoall {
}

     who,     
 ,      'who*' (
 sh(1)/fnmatch(3)).

,     'who1' -   who.

    'whotinenko' -   admin, 
    .

    'whoall'    who  
     --enable-auto-infile.

--- 3.1.13.3.    

  ,      , 
        
 :

1.      

     ,  .2.

    ,       --enable-name-regexp
    .2.

       ,    --enable-auto-members 
   --enable-auto-infile, 
   {

         auto membering'    .

       ,     .

   }

    ().

2.    --disable-name-regexp,  .3.

             .

     ,  .3.

       ,    --enable-auto-members,
   --enable-auto-infile  --enable-name-regexp=literal, 
   {

         auto membering'     
     .

       ,     .

   }

    ().

3.    --disable-auto-members,  .4.

        auto membering'    .

      ,     , 
   .4.

    ()

4.    --disable-defuser-always,  .5.

       --enable-default-username='STRING'  .

     ,  .6.

       ,    --enable-auto-members 
   --enable-auto-infile, 
   {

         auto membering'    .

       ,     .

   }

    ()

5.     ,  .6.

     == --enable-default-username='STRING',  .6.

    = --enable-default-username='STRING'

     .1

6.  ( )


 .4-5       3.1.24
.

------ 3.1.14.    enable-

    (--enable-cron, --enable-deny, --enable-db
- .  3.1.1 - 3.1.3)     
,      enable (  tac_plus
enable-       
 $enable*$,   -       
,    ,      
  ,        
enable-).

         enable-. 
         
$enable*$.     --enable-cronenable,
--enable-denyenable  --enable-db-enable configure (  ).

------ 3.1.15.    login

        
  login     -   ű
   ݱ  "permit", "deny", "none"  "nopassword".

    --enable-none-login configure ( 
).

   :

permit     -    Password:    
                . (==nopassword).

deny       -    Password:    
                 .

none       -    Password:   
              (  )      
             .    .

:

group g1 {
 login = none
}

user u1 {
 login = permit
}

     enable-  , 
     $enable*$ (  
,      ).

------ 3.1.16.    

     message 
/.       
,   .      
,    enable-  , 
 emessage,     --enable-emessage
configure (  ).    
  ,    enable-.   
.

 "\n"       
  ,  "\\n"  "\n".

      (. 
3.1.18)      .

------ 3.1.17. enable-  per user 

        
enable-  per user .   
 --enable-peruser-enable configure (  ).

          enable,
  :

   enable   = <enable_spec>


   <enable_spec>    := file <filename> |
		       cleartext <password> |
                       des <password> |
                       permit |
                       deny |
                       none |
                       login

   .     /
(  ű    ),   
enable-  ,       (..
 enable-),         
.    :

file <filename>
cleartext <password>
des <password>
         -       ,  
           (   -    ,  
           enable-)      
            ,   ,  
            (-    ) 
             ޱ  XXXX_FOR_ENABLE (. 
           3.1.14),   ,   message,
            ,   emessage (. 
           3.1.16).    .

none   -       :     
           .  .

login    -     : /  
                .   
                 ,  
           /   login = none, deny  permit, 
              ı   login, global,  
               ..  .

permit   -    Password:    
              

deny     -    Password:    
              

:

group g1 {
 enable = none
}

user u1 {
 login = cleartext "noproblem"
 enable = login
}

------ 3.1.18.     

        
     /- ,   
,   prompt, reject, message, emessage, crondeny,
admdeny,    .    
--enable-more-subst configure (  ; :
--disable-more-subst).

  ,      
prompt, reject, message, emessage, crondeny  admdeny   
 .      ,  
 , NAS',   ..,   .
     programs.c    lookup() 
lookup2().

------ 3.1.19.   finger'  MAXSESS

           
     (MAXSESS)  
finger'.    tac_plus      
  ,     
          .
       --disable-finger
configure (  --enable-finger).

------ 3.1.20.     NAS   Unix-boxes

        NAS  
Unix-boxes,        
 libtac_plus (.  3.2),      
     (3.1.21)

--- 3.1.20.1.  

NAS,    ,     
   --enable-resolvfile=PATH (TAC_RESOLV_FILE) ( 
/CONFPATH/tac_plus.conf).

        3.2.

--- 3.1.20.2.  -

NAS,    ,   
  tac_plus   ,  --enable-connect-timeout[=VALUE]
 (  10),      .

        3.2.

--- 3.1.20.3.  uid, gid, home, shell  ,
                 passwd

 tac_plus   NAS',   
,     (.  3.2),
   uid, gid,    shell.     
passwd- tac_plus.        , 
ı     tac_plus,    uid, gid,
   shell'    --enable-nopuid=UID,
--enable-nopgid=GID, --enable-nophome=PATH  --enable-nopshell=PATH
 (  32767, 32766, ""  "" ).

------ 3.1.21.    PAP/CHAP-

    (--enable-cron, --enable-deny, --enable-db
- .  3.1.1 - 3.1.3)     
   login,      
PAP/CHAP.

         PAP/CHAP-.
    --enable-cronppp, --enable-denyppp 
--enable-db-ppp (  ).

------ 3.1.22.     MAXSESS

  ,       
,     ۱ 
   --enable-wlogfile=PATH configure
(  /DATAPATH/tac_who.log),      
    

wholog file <string>

:

wholog file /tmp/tacwho

------ 3.1.23.      socket'

         
  socket'   --enable-somaxconn=VALUE configure (  5).
 . listen(2).

------ 3.1.24.  --  

       
--  ,   ,  
,      ,   
     ,   .
 configure --enable-default-username='STRING'
(  - DEFAULT).

 ,   --     
    ,      
          auto
membering.      configure 
--enable-defuser-always (  ).

------ 3.1.25.     passwd(5)/pwd_mkdb(8)

          
 passwd(5)/pwd_mkdb(8)   .    
  --enable-pwddb={ bsd | bsdi } configure ( 
).

   expire     .    
    shell' -     
 (  )  expire.

:     ,   
  (        /etc/passwd),
      (3.1.26).

        
 2.2.1.

         ( 
   pwd_mkdbtac    libpasswd (.
 2.2.2)):

,    /etc/tac_passwd

mv /etc/tac_passwd /etc/tac_passwd.backup
awk -F ':' '{print $1 ":" $2 ":" $3 ":" $4 "::0:0:" $5 ":" $6 ":" $7 }' \
                        /etc/tac_passwd.backup > /etc/tac_passwd.xxx
cp /dev/null /etc/master.tac_passwd
pwd_mkdbtac -p /etc/tac_passwd.xxx /etc/tac_passwd

     /etc/tac_passwd.backup

       uid/gid, 
      uid/gid  , 
        (
   /   ,    
). [  configure   ]

------ 3.1.26.  expires

    expires   ϱ  (MON DD YYYY),  
  ,         GMT.
,   - ,  
,      ű    
 .      expires 
 ,       shell'  .

  ,       
 (        /etc/passwd) 
    expire (     shell'),
  configure --enable-exp-sys (  ).

        
      configure
--enable-exp-warn=VALUE ( ) (  1209600  (14 )).

    ()   (
--enable-exp-warn=VALUE)    .     
  tac+      GMT,   
        GMT    
     GMT.       ,
      ݱ .

      expiring' 
 shadow- Solaris',    
  (  ?).   ,    
   ,    configure 
--enable-exp-shadow (  ).

  ,  /   
  ޱ / (    ),  
 configure  --enable-exp-local (  ).

  , ,  MSK:

,     expires:

Nov 11 1998

,   :

910786163

    

Nov 11 15:09:23 MSK 1998

  - 

Nov 11 1998

    --enable-exp-warn

282656

   

259200 (   )

    

Nov 12 00:00:00 MSK 1998

    α  

Nov 9 00:00:00 MSK 1998

    ,   configure 
--enable-exp-fine (  ).    
,   ,    ,     tac+
 -     GMT   
(  --enable-exp-local)  .      
      ,     
. --enable-exp-warn     , 
,    .

           
.



Nov 11 1998

  

Nov 11 00:00:00 MSK 1998

   

910731600

       .   
 α  

910731600 - 282656 = 910448944

 

Nov  7 17:29:04 MSK 1998

   :

910786163

Nov 11 15:09:23 MSK 1998

-    .

910786163 - 282656 = 910503507

Nov  8 08:38:27 MSK 1998

-   .

        ,
 ,     / , 
     .

 ,  ,  :

  / --enable-exp-local:      
  GMT ( ),   -    
/ .

  / --enable-exp-fine:   expiring  
 ,     ,   -   
.

------ 3.1.27.   

  tac_plus      SIGUSR1,  finger
     NAS'    
  utmp/wtmp.     --enable-regnas
configure (  ).

 ,   dynipd,  regnas   
rsh  NAS IP   ,   
 dynipd.

  ,  NAS'   regnas, tacacs  
 ,   nas (3.1.37),   NAS'
    tac_plus.conf.

------ 3.1.28.  tac_plus.conf allow-from

 tac_plus.conf allow-from     
ip .     allow-from.    
 ,      . 
 :

allow-from = <hostip>

------ 3.1.29.  tac_plus.conf listen-on

 tac_plus.conf listen-on  tac_plus   bind(3)
  ip .    ,   bind(3)
INADDR_ANY.   :

listen-on = <hostip>

------ 3.1.30.    SMB

 tac_plus      SMB
  Samba  Windows NT.    
--enable-auth-smb[=crypt|plain] (  crypt) configure ( 
).    ,   login/pap
tac_plus.conf  :

  < login | pap > = smb
    {
	primary = <SMB-SRV1>		# primary domain controller name
	backup  = <SMB-SRV2>		# backup  domain controller name
	domain  = <SMB-DOMAIN>		# domain name
    }

------ 3.1.31.    LDAP

 tac_plus      LDAP.
    --enable-auth-ldap[=(v2|v3|sasl|ns-ssl)]
configure (  ).     
 LDAP toolkit.    , 
 login/pap tac_plus.conf  :

  < login | pap > = ldap
    {
	basedn      = <ldap info>	# for example: "o=JOFA,c=UK"

	server      = <ip-addr[:port]>	# ip address of LDAP server
					# for example:
					# "host.domain.com" or
					# "host1.dom.com host2.dom.com:380"

	binddn      = <ldap info>	# for authenticated access on
					# LDAP server
					# for example: "cn=root,o=JOFA,c=UK",
					# "" - for anonymous access

	bindpw      = <password>	# password for authenticated access on
					# LDAP server
					# for example: "qwerty",
					# "" - for anonymous access

	saslmech    = <mechanism>	# SASL mechanism for authentication on
					# LDAP server, server must be supported
					# specifying mechanism
					# for example:
					# "CRAM-MD5"

	saslcred    = <cred>		# SASL credentials for authentication on
					# LDAP server
					# for example:
					# "qwerty"

	sslpath     = <path to cert>	# path to cert .db file (for Netscape
					# ldap ssl)
					# for example:
					# "/u/mozilla/.netscape/cert7.db"
    }

 -  ,     "" (
).

------ 3.1.32.   PPP/PAP

 tac_plus   ppp  pap   
  tac_plus.conf.   :

    pap = des <des-hash>

------ 3.1.33.    

       
--enable-maxuserlen=LENGTH configure (  16).

------ 3.1.34.    DCE

 tac_plus      DCE.
    --enable-auth-dce configure ( 
).       DCE toolkit. 
  ,   login/pap tac_plus.conf
 :

  < login | pap > = dce

------ 3.1.35.   regexp

 configure --with-regexp[=(system|pcre|rx)]   
regexp,    tacacs+.    
  (system).     PCRE -
Perl-compatible regular expressions  RX.

------ 3.1.36.   before/after authorization 

 configure --enable-assemble-msg   
 ,   before / after authorization .
 ,        
 'msg=' ( ).  :

#!/usr/local/bin/perl

$user = $ARGV[0];

if ($user eq "seal") {
    print "msg=Hello seal!\n";
    print "msg=How are you?\n";
    exit 0;
} elsif ($user eq "dust") {
    print "msg=Come closer... closer...\n";
    exit 0;
} else {
    print "msg=Goodbye cruel world...\n";
    exit 1;
}

------ 3.1.37.   NAS

  NAS  tac_plus.conf:

nas = <nas-name> {                       #  
                                         # 

    nasaddr        = <ip-addr>           #  NAS

    key            = <key-value>         # ,   
                                         #     
					 # NAS

    snmp-community = <community-name>    # SNMP community name NAS 
                                         #   --enable-snmp
                                         # README-3.1.38

    rsh-user       = <user>              #     rsh
                                         # ( , dxs1)
}

 ,  NAS     key  
snmp-community.

------ 3.1.38.    SNMP

         
     (MAXSESS)  
SNMP.    tac_plus      
  ,     
          .
 configure --enable-snmp (  ),  
 SNMP: ftp://ftp.net.cmu.edu/pub/snmp/cmu-snmp-*.tar.gz. 
mib.txt     /etc,  ,     .
  . README-3.1.37.

------ 3.1.39.   regexp

  users  group    regexp, 
   .      9
. ,   pptest 

users = ^pp(.+)

   $1  'test' ( ).   ,
     9 - $1 ... $9.   $0 
  .     ױ 
 group.  configure --enable-auto-members, --enable-auto-regexp.

------ 3.1.40.  new-user  db-user

  group    

new-user = <user-name>	#     
			# 

    ,    ۱,  ,
       .
   .    ,
,   (README-3.3)    
     .  configure
--enable-auto-members, --enable-auto-regexp.

    

db-user = <user-name>	#     
			#  $0 ... $9

          
     %0 .. %9.  
, .,       
-,   :

group = ppp_plain {
  users = "^pp(.+)"
  db = "/path/to/tacacs.db"
  db-user = $1
  chap = cleartext %0
  ... [   %1 .. %9 ] ...
}

group = ppp_callback {
  users = "^pc(.+)"
  db = "/path/to/tacacs.db"
  db-user = $1
  chap = cleartext %0
  ... [   %1 .. %9 ] ...
}

           ,
 .     ,  ,
 ,    / .

db-user  ,     configure:
--enable-db-passwd
--enable-auto-regexp
--enable-more-subst (  )
--enable-auto-members (  )

------ 3.1.41.     

 tac_plus      
.     --enable-auth-extern configure
(  ).    , 
 tac_plus.conf  :

    < login |
      pap   |
      chap  |
      ms-chap > = extern "/some/path/passcheck $user $type"

 stdin    .   login  pap -
cleartext,   chap -     
.          
( 0 ).       dollar
variables.        0,  
 ,  - .   
         
 tac_plus  ,    .
  : contrib/misc/passcheck

------ 3.1.42.      BSD-style db.

      
,   BSD-style   ( configure
--enable-db-passwd). :

	user = ol.* {
	      login      = "db /noc/tac/db/online.db"

	      service = exec {
		      autocommand = "rlogin %1 /user %2"
	      }
	      . . .
	}

  `%'      
 .     `1';  
`0'   (DES/MD5)   ( 
,     -- chap, mschap,
arap, opap) . [[     __ 
  (  )]].

 %-    :
 -   ,   AV 
 -   "member = "   user
 -   "access-group"   user

      username-value,    `value'
  `|'.       
:

	user1     uK28sm3kdkdf8|dream.demos.su|otheruser

(,  oluser1    dream.demos.su  
otheruser).

------ 3.1.43.  db-  .

default authentication = db "dbname"

:       
  . [[    
   default-group,      
 ,      exec
]].

------ 3.1.44.  access-control (ACL).

   (access-control) ( configure --enable-acl)
   "access-group"   
(     ):

	access-group = <access_group_name> {
		[ default authentication = (deny|permit) ]
		[ deny message = "your text" ]
		(deny|permit) {
			[ access-group = <access_group_name> ]
			[ nas-group    = <nas_group_name> ]
			[ dxs1         = "<dxs1_regexp>" ]
			[ from         = "<from_regexp>" ]
			[ group        = "<group_regexp>" ]
			[ time         = "<time_grade>" ]
			[ tty          = "<tty_regexp>" ]
			[ user         = "<user_regexp>" ]
		}
	}
	nas-group = <nas_name> {
		<ip_address>[/<ip_wildcardmask>]
		...
	}

    __  
permit/deny.     permit/deny  , 
 default  (. 3.1.43).   -- DENY.
 permit/deny     __ ̱
.

    access-groups   permit/deny 
   .

   permit/deny   , 
    (nas-group, access-group 
timegrades).      
 `from':

	async           - user coming from async line
	<ip address>    - user coming from some host via vty
	Serial          - user coming via sync serial line

  nas-group    IP   NAS  
 NAS'.

 `timegrade'    
Taylor-UUCP-style;    ,  
 `,':

	!       - negate meaning of next token
	su      - Sunday
	mo      - Monday
	tu      - Tuesday
	we      - Wednesday
	th      - Thursday
	fr      - Friday
	sa      - Saturday
	any     - (any day)
	wk      - Any weekday (!su,!sa)
	never   - Never
	none    - -/-

:		!wk0900-2200,!sa1000-1500
        09:00 
   10:00-15:00  .

:      
crontab-like    tac+ia.

 `dxs1'      
    (., -  
).       rsh ( MIB'
 , -, ).  ,  ,
  rsh-user   nas,   . 3.1.37
(,     ).

: show line X :

[skip]
Modem state: Ready
  modem(slot/port)=1/9, state=CONNECTED
  dsx1(slot/unit/channel)=0/3/23,
status=VDEV_STATUS_ACTIVE_CALL.VDEV_STATUS_ALLOCATED.
Modem hardware state: CTS DSR  DTR RTS
Line is running PPP for address 195.170.60.110.
[skip]

  'dsx1(slot/unit/channel)=0/3/23'.


slot - ,     ( as5300  ,  0),
unit -  ( E1,  0-4, 0-8 -   ),
channel -     ( E1 0-30).

,   E1    (dxs1 = "0/0/.*"),  E1 
-   (dxs1 = "0/1/.*").

    (),     ().
,        
.      .

 dxs1  ACL    . 
dxs1    configure --enable-dxs1.

   access-group,  'access-group = <name>' 
 user  group.

------ 3.1.45. - SVC-DEFAULT.

  "aaa authorize network"    
PPP,     - SVC-DEFAULT (
,   __  
ACL).  :

	access-group = PPP-DEFAULT {
		permit  { tty = "^(Serial|Hssi|Async).*$" }
	}
	user = SVC-DEFAULT {
		access-group = PPP-DEFAULT
		service = ppp protocol = ip { }
		service = slip {}
	}

------ 3.1.46.  cleartext       .

  ,    cleartext 
(chap, mschap, arap, opap),    
    passwd-like    . .., ,


	chap = cleartext "top_secret"

(  )  

	chap = file "/path/to/passwd-chap"

(   ) 

	chap = db "/path/to/passwd-chap.db"

      chap- 
 .

   -       cleartext
     ,   
 ,   . 3.1.42,    group
( user) - 

  db = "/path/to/passwd-login.db"
  login = cleartext %0

------ 3.1.47.     parrot.

 "time limit", "day limit", "parrot limit" 
   , ..  
 , ̱  (  macct,  
),     .   
     .  
 (.. time limit    ,  parrot
limit  ).    acctd   .

------ 3.1.48.      accounting-.

  user  group     (),
      NAS accounting-.
 3  : start, stop, update. 
:

  acct_start "/path/to/program [arguments]"
  acct_stop "/path/to/program [arguments]"
  acct_update "/path/to/program [arguments]"

   user  group      
,    accounting-   
  .     
:

username
NAS name
NAS port
NAC address

    AV-  accounting-.


-------------- 3.2.  libtac_plus

        NAS  
Unix-boxes,        
 libtac_plus,         
     (4).

------ 3.2.1.  

NAS,    ,     
 tac_plus.conf,   :    
  -    , ̱  /
.       server  key,
     - IP- (  !)  tac_plus 
MD5-     .   
  .

  tac_plus.conf   .

           
    3.1.20.1.

------ 3.2.2.  

 ,    tac_plus,     
,      stderr.    :

  -          
         ,   :

	*** ERROR: UNABLE TO AUTHENTICATE: <>

    ,       tac_plus,  :

	*** ERROR: UNABLE TO AUTHENTICATE: connection refused

  -        (,
          Ethernet),  
       :

	*** ERROR: TACACS+ SERVER NOT RESPONDING!
	*** ERROR: UNABLE TO AUTHENTICATE: interrupted system call

              
      3.1.20.2.

  -       ,
     ,      ,
         :

	*** ERROR: TOO LONG ARGUMENT
	*** ERROR: UNABLE TO AUTHENTICATE: unknown error

------ 3.2.2.1

struct passwd *tacacs_plus_auth(char *user, char *password, char *tty)

      (user), 
(password)    (tty).

       
  passwd (. getpwent(3))    :

pw_name		-  
pw_uid		- uid 
pw_gid		- gid 
pw_dir		-   
pw_shell	- shell 

 pw_name, pw_dir, pw_shell   ,   
       
.

     0  NULL,    .

    NULL.

       3.1.20.3.

------ 3.2.2.2

int tacacs_plus_auth_pap(char *user, char *password, char *tty)

 PAP-     (user), 
(password)    (tty).

     1,  - 0.

------ 3.2.2.3

int tacacs_plus_acct(char *user, char *tty, int action, ...)

     tac_plus   user 
 tty.

action    :

TAC_PLUS_ACCT_FLAG_MORE		-      :) (c) .   :)
TAC_PLUS_ACCT_FLAG_START	-    
TAC_PLUS_ACCT_FLAG_STOP		-    

   -     (char *) -   
 .     NULL.

:

tacacs_plus_acct("gog", "ttye8", TAC_PLUS_ACCT_FLAG_START,
	 "task_id=6484", "start_time=845156684", "service=exec", NULL);

1996/10/13 01:44:45     845156685       pool-2.provider.com  gog     ttye8
 111.11.11.1    start   task_id=6484    start_time=845156684    service=exec

tacacs_plus_acct("gog", "ttye8", TAC_PLUS_ACCT_FLAG_START,
	 "task_id=6496", "start_time=845156685", "service=slip", NULL);

1996/10/13 01:44:45     845156685       pool-2.provider.com  gog     ttye8
 111.11.11.1    start   task_id=6496    start_time=845156685    service=slip

tacacs_plus_acct("gog", "ttye8", TAC_PLUS_ACCT_FLAG_STOP,
	"task_id=6484", "start_time=845156684", "service=exec",
	"elapsed_time=2066", NULL);

1996/10/13 02:19:10     845158750       pool-2.provider.com  gog     ttye8
 111.11.11.1    stop    task_id=6484    start_time=845156684    service=exec
 elapsed_time=2066

tacacs_plus_acct("gog", "ttye8", TAC_PLUS_ACCT_FLAG_STOP,
	"task_id=6496", "start_time=845156685", "service=slip",
	"elapsed_time=2098", NULL);

1996/10/13 02:19:43     845158783       pool-2.provider.com    gog    ttye8
 111.11.11.1    stop    task_id=6496    start_time=845156685    service=slip
 elapsed_time=2098

------ 3.2.2.4

int tacacs_plus_author (char* user, char* port, AVpair** av)

      (user),
  (port)   - (av).

av -       :

typedef struct pair {
       char * attr;		/*  		*/
       char * val;		/*  	*/
       char data[256];		/* ???			*/
} AVpair;

     NULL.

     1,  - 0.

------ 3.2.3.  

  ,       ,
 :

#include "tac_lib.h"

   

-I<_>

  

-L<_> -ltac_plus

     ,     
 GNU C.


-------------- 3.3. 

    :
 a)  tac_plus     ;
 b)      wildcard/regex 
     , tac_plus  ,   NAS,  
           ;
 c)   ̱   ;
 d) ̱   .

------ 3.3.1.  tacacs-tacacs

 tacacs-tacacs   configure --enable-roaming-tacacs.
   ,   login/pap
tac_plus.conf  :

   < login | pap > = tacacs+
     {
	tacaddr = <ip-addr>       #  tacacs+ , 
	                          #     

	key     = <key-value>     # ,    
	                          #     tacacs+
				  # 
     }

 tac_plus.conf ̱ tacacs+   tacacs+  
   nas (. README-3.1.37), , ,  
     .   . README-3.1.39, 3.1.40.

------ 3.3.2.  tacacs-radius

 tacacs-radius   configure --enable-roaming-radius.
   ,   login/pap
tac_plus.conf  :

   < login | pap > = radius
     {
	authhost1 = <ip-addr>		#  radius ,  
					#    

	authhost2 = <ip-addr>		#  radius  (backup),  
					#    

	accthost1 = <ip-addr>		#  radius ,  
					#   .

	accthost2 = <ip-addr>		#  radius  (backup),  
					#   .

	secret    = <secret>		# secret key
     }

     ݱ  ,  
  RADIUS .
  . README-3.1.39, 3.1.40.



===================== 4.  

     ,   
 tacacs+.       contrib. 
 ı      ,     
   .


-------------- 4.1. rluucpd

rluucpd -- rlogin-uucp proxy (contrib/rluucpd).  configure
--enable-rluucpd (  )  --enable-rluucpd-uucico - 
   uucico (  /usr/local/lib/uucp/uucico).
        UUCP   cisco  
  UUCP.    uucico,
  ,     
  /etc/passwd.

  inetd.conf rluucpd    :

login   stream  tcp     nowait  root    /usr/local/sbin/rluucpd rluucpd

  tac_plus.conf   , , :

group = uucp
{
    login = none
    maxsess = 1
    users = uu*
    service = exec
    {
	noescape = true
	autocmd = "rlogin <ip address> /user $user"
    }
}

 <ip address> -  UUCP .



===================== 5.  acctd

          tacacs+
   ,      (5)
      (6).


-------------- 5.1.  

    tacacs+     
      (Ա 
 DB, .  3.1.3).    tac_plus  
      .

,         
    tac_plus,    acctd.  , 
 macct,     
(db-  db2-).

-------------- 5.1.1  

     user.db.

------ 5.1.1.1  0

-  
- ,     

,         
    ( acctd       
 ).

------ 5.1.1.2.  1

-  
-    ,  
-  ,    
-    ,  
-  ,    
-  ޱ ,  

     ,    
 ,    . 
  ޱ   (  
   ).

        
  . ޱ ""   
   ı -   .   acctd
      .

------ 5.1.1.3.  2

-  
-    ,  
-  ,    
-    ,  
-  ,    
-  ޱ ,  
- ,    
- ,     

     ,    
 ,    . 
  ޱ   (  
   ).

        
  . ޱ ""   
   ı -   .   acctd
      .

,       , 
  ,       
   .     ̱ 
PARROT_OFF,  ,     ޱ parrot
 .

,       
  ,  .  ,  , 
      ,    
 .  ,      
   .


-------------- 5.2.   acctd

------ 5.2.1.  

 configure   ,    
acctd:

--enable-db-file=PATH -     ( 
/DATAPATH/user.db).         -u.

--enable-scantime=VALUE -      
 " "  (    
  ) (  - 60 ).      
  -t.      utmp(5),   tac_plus
    ޱ    
(.  3.1.4). --enable-scantime=VALUE  ,  
ı .

--enable-denydir=PATH -       
       , 
     (  /DATAPATH/deny).
        -r.

--enable-actprog=PATH -    ,    
   "" ,   
(  /usr/local/sbin/killuser).      
  -k.
     :

  -  
  - ,    
  -  ( alias)  (NAS'),    

    utmp(5),     
ALIASES  UTMP_LOG_xxxx,    tac_plus (.  3.1.5),
          
NAS'.

   -  killuser -    acctd.
  killuser ,   cisco   
:
ip rcmd rsh-enable
ip rcmd remote-host <cisco user> <unix host> <unix user> enable

--enable-reinit=VALUE -    ,   
       "" (  0,
,     ).     
   -a. "" .

--enable-syslog-facility=FACILITY - log facility (  LOG_LOCAL6).

--enable-db -      ,   
   (  ).

     ,   ""  
 .  ,    db  db2  
  :

db_dump185 user.db | db_load new_user.db

--enable-strict-time-check -      ,  
acctd      ,   
  /DATAPATH/tabs. ,   pptest  
/DATAPATH/tabs   pptest:

* 14-15 * * *	*

 ,     --enable-strict-time-check,  acctd
  pptest   (   --enable-actprog=PATH),
    16:00,    ,   
     (  ). 
    /. (.  3.1.1, 3.1.3).

--enable-parrot[=PATH] -      ,  
acctd    (, ),     
 cron   /DATAPATH/parrot (  ). 
    / (.  3.1.1).  
      ,  
configure --enable-parrot-interval. ,   pptest 
 /DATAPATH/parrot   pptest:

* 14-15 * * *   2.1
* 16-18 * * *   3.3

 ,    ,   configure
--enable-parrot-interval,     user.db parrot  
 ,     14:00-15:59   2.1,
    16:00-18:59   3.3. !!! 
         pptest
(for example!),    parrot    ,  
   .    ,   
       , :

* 14-15 * * *   2.1
* 16-18 * * *   3.3
* * * * *       3.0

        
/DATAPATH/parrot,    parrot   user.db  ,
     .

 ,   parrot   -parrot_credit ( ),
 tac_plus       :

*** User <_>: parrot limit EXCEEDED!

     .

 configure --enable-parrot     --enable-db.

--enable-parrot-interval[=SECONDS] -      ,
  acctd,     (, ), 
     (  60 ), 
       cron  
/DATAPATH/parrot.

--enable-acctd-notify -      ,  
acctd    ,     .
   WinPopup,    
 smbclient  Samba.   notifyuser ( --
 killuser),    . ,
   ( Windows-)     Cisco.


------ 5.2.2. ,   

-d

  - acctd        
  .

-w <file>

   --enable-utmpfile=PATH  utmp(5).

-u <file>

   ( --enable-db-file=PATH) 
.

-r [<dir>]

      <dir> (,   <dir>
,   ,   --enable-denydir=PATH)  
 ,       -
,   :

*** Sorry, your time limit is exceeded at <time>

 time -        
ctime(3).

       ,   
.      acctd  .

    ,  tac_plus  - 
   --enable-db[=old] (.  3.1.3),   
--enable-deny[=deny]  (.  3.1.2).

-t <time>

        
          ,
 <time> -  ̱   --enable-scantime=VALUE.

-a <time>

    ,     
 ,    "",  <time>, 
̱   --enable-reinit=VALUE. ,  0, ,
    .

-k <path>

   ( --enable-actprog=PATH)
 ""    .

-n <path>

   (NOTIFYPROG  acctd-config.h)
     .  
  ,  ޱ --enable-acctd-notify.

-o <time>

      <time> ,  
  (  NOTIFYTIME  acctd-config.h 
2 ).     ,  ޱ
--enable-acctd-notify.

-------------- 5.3.  macct

    ""     - 
     ,      
. .  macct(1).

 ,     ,  
.

------ 5.3.1.      0

     :

---
-h|--help

   ,   .

---
-c|--create <user> --tl <time>

 ,     <user>,   ű
    ,  <time>.    
  ,     
   .

---
-m|--modify <user> --tl <time>

 ,     <user>,   
,   ,  <time>.   
  <time>.      
,     .

---
-d|--delete <user>

   ,     <user>. 
  ,      .

---
-l|--list <user>

  ,     <user>
 

*** User `<user>', time left <time> minutes

     <user>  ,  

*** Time limit not set for user `<user>'

       <user>   '-'
( ).        (
  ):

user1           0
user2         -57

,   ,     "-l -".


------ 5.3.2.      1

     :

-c|s|m|d|l|t <user|-|c> [--tl <time_lim>]  [--tll <time_lim_left>]
[--dl <day_lim>] [--dll <day_lim_left>] [--tu <tot_used|c>] [-f <format>]


--tl|--total-lim
    .
      ,   
 ,   "nolimit".   
  ̱  TIME_LIMIT_NO.   
       
 ,    "off".
     ̱
 TIME_LIMIT_OFF       
 .

--tll|--total-lim-left
    .

--dl|--day-lim
    .
      ,   
 ,   "nolimit".   
  ̱  TIME_LIMIT_NO.   
       
 ,    "off".
     ̱
 TIME_LIMIT_OFF       
 .

--dll|--day-lim-left
    .

--tu|--total-used
   ޱ ,  .
  , tu = tl - tll,      
 .      tl  tll  ,
 macct     tu, 
`c`   .  tu   , 
 tl    `nolimit`  `off`.

---
-h|--help

   ,   .

---
-c|--create

      .     
 ,      
  .     
  .

---
-s|--set

        . 
    .   
 .       , 
    .

---
-m|--modify

 ,     <user>, 
     .   
  .      .
      ,  
   .

---
-d|--delete

   ,     <user>. 
  ,      .

---
-l|--list

  ,     <user>
(   ,    <user>  '-' (
))

     .    
-f|--format    "tl,tll,dl".     
  -  ,     -.
  (   ):

tl      .
tll     .
dl      .
dll     .
tu     ޱ ,  .

+      2
pl     "".
pc       "".

       / .

 ,     FORMAT   
    (   ):

   user            t-limit   t-left  d-limit   d-left   t-used
 user1                -100       20        5        5      -20
 user2                 -85       80       20       20       10
Last modify 'day limits' table: 2000/04/08 12:12:12

     <user>  ,  
*** Time limit not set for user `<user>'

,   ,     "l -".

---
-t|--time <time>

         
  .     (  
       'l')   <time>,
    'c'|'current' -   .

 <time>    (    
!):

YYYY/MM/DD HH:MM:SS

:

2000/03/08 12:34:56

<time> -   ,       shell' 
     .


------ 5.3.3.      2

    1   :

---
[--pl|--parrot-lim <parrot_lim|off>]

    <parrot_lim>,  
,   ,  .
      ,  100.5. 
 <parrot_lim>  off,     user.db,  
parrot   ̱  PARROT_OFF, 
,     ޱ parrot  .
    parrot  ,  
      /DATAPATH/parrot.

---
[--pc|--parrot-credit <parrot_credit>]

  <parrot_credit>     
 <user>  ,     
<parrot_lim>.  ,  ,     
  ,      . 
,          .

    user.db     <user>  
.       -c,  
README-5.3.2.  ,      parrot ̱
 PARROT_OFF,  ,     ޱ
parrot           ;
  parrot_credit   0.0,   
   ,       
,   .


===================== 6.   

      --enable-dyna configure
(  ).


-------------- 6.1.  dynipd

      tac_plus ip   ı  
<> = <ip >.      
 ip ,        .
,        .
   ip     ,  -
 ߱      , ,
        
,      .
   ,     
    .

------ 6.1.1.      dynipd

  dynipd ,    
/CONFPATH/dynipd.conf.       
   --enable-dyncfgfile=PATH configure  
 dynipd  -c (   
dynipd . ).

  dynipd.conf:

    update  <secs>          - number of seconds for external
                              IP database update. 30 secs default.
    db      <dbname>        - full pathname of cache database
                              (  /DATAPATH/ipaddr.db, 
                                 
                              --enable-cdbfile=PATH configure
                                  -D)
    pool <name> x.x.x.x y.y.y.y
                            - define pool name and range of IP numbers
                              for allocation. You can specify multiple
                              ranges for each pool name.
    range x.x.x.x y.y.y.y   - synonym for "pool default x.x.x.x y.y.y.y"
    port <portnum>          - use alternate TCP port
    allow-from <hostip>     - allow connections _only_ from given
                              IP number. You can specify multiple
                              allow-from instances. If no such
                              instances specified, connections are
                              permitted from everywhere - be careful!
    logfile <name>            log IP space allocations to file
                              (  /LOGPATH/dynipd.log, 
                                 
                              --enable-dynlogfile=PATH configure)

  :

        ,  
    ip    ,  
   IP.  ,   
 IP   ,    
 .      :

frog	time=42356	addr=10.10.10.193

frog -  
time -  ,     dynipd
       since creation of ipaddr.db.  ,  
        .
addr -  ,  .

       
  static.    .

  :

    -g              - debug mode. Don't go background.
    -c confname     - take configuration file from specified location
    -D dbname       - specify other cache database location
    -p port         - use alternate TCP port.

      ,  
 .


-------------- 6.2.  tdb     dynipd

        
  dynipd,     ,   
     dynipd.

   ip    dynipd, tdb  
   -i.

   ,      
  ip ,    , etc.
..  dynipd      ,    
   tdb,    dynipd.

  :
    -C      - create new database. Warning: this option will
	      OVERWRITE old database. With this option, tdb reads
	      standard input for (tab|blank)-separated key-data pairs.
    -a      - append standard input to database
    -e name - edit a particular entry. It calls dbappend after
	      editing, so if you change the key field you will
	      just add a new entry to the db.

    -d keylist ...
	    - delete all specified keys from database
    -g keylist ...
	    - fetch all specified keys from database

    -p name [des-password]
	    - change password for user 'name'. This is a special
	      case because it modifies only the first field in '|'-
	      separated data. The second argument applies if you want
	      to explicitly set a DES password; otherwise tdb will
	      prompt you to type it in. (*)
    -P name [cleartext_password]
	    - similar to -p, but you can specify a cleartext
	      password - tdb will encrypt it. (*)

    -L      - dumps whole file in a format acceptable for tdb -C

    -v      - turn on verbose mode.

    -i	    - specific for dynipd databases

(*) -       dynipd

 -i ,        
    ip .    , 
      ip .

 :
    gendialups | tdb dialups -C
    tdb adm -p apg
    tdb dialups -g slap dark


-------------- 6.3. tac_plus  dynipd

     ,  
     tac_plus:

    user = xxx {
        [ address-pool = mypool ]
        service = exec {
	    autocommand = "ppp $dyna"
        }
    }

  $dyna    dynipd ip .
   ;    
'default'. ̱      - 'static'.
 , tac_plus     ip  (dynipd)
 localhost (127.0.0.1),    dynipd    ,
 -     tac_plus 

    dynip-server = "hostname"



===================== 7.   

    ,    .

./configure ...
make
make install



===================== 8.  ݱ?

     ݱ   ,   
:

 - dialup shell  NAS'   Unix-boxes
   (<http://www.mv.ru/~bwm/soft/dsh.tar.gz>)

       
          
 .  ,      
        .

