summaryrefslogtreecommitdiff
path: root/tacc.1
blob: 7847d2cb8845e429d3c9802247a1c4af7b13c66c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
.TH TACC 1
.SH NAME
tacc \- simple TACACS+ client and login program
.SH SYNOPSIS
.B tacc
[-TRAVh] [-qwn] [-u \fIusername\fR] [-p \fIpassword\fR] [-s \fIserver\fR]
[-k \fIsecret\fR] [-c \fI'command'\fR] [--username=\fIusername\fR]
[--password=\fIpassword\fR] [--server=\fIserver\fR] [--secret=\fIsecret\fR]
[--sourceip=\fI'IPv4_address'\fR]
[--command=\fI'command'\fR | --exec=\fI'command'\fR] [--quiet | --silent]
[--no-wtmp] [--no-encrypt]
.PP
.B tacc
\fIusername\fR
.SH DESCRIPTION
.B tacc
is simple TACACS+ client, designed mainly for two purposes:
.TP
.B command line mode
sending arbitrary TACACS+ requests from command line
.TP
.B login mode
sending authentication and authorization requests for username
supplied in command line and password read from standard input;
in this case \fBtacc\fR is working in "dumb" mode and compiled-in
defaults are used
.PP
\fBtacc\fR will run in either command line mode or login mode depending
on parameters passed from command line. When there's only one non-option
(i.e. not starting with "\-") parameter, \fBtacc\fR will run in login mode.
Otherwise, it will parse other parameters described below. Any data not
explicitly set from command line will be set to default, compiled in
value.
.SH "COMMAND LINE OPTIONS"
Options specifying action to be performed. At least one is required.
.TP
.I "\-T, \-\-authenticate"
perform authentication of username and password supplied with
\-u and \-p options
.TP
.I "\-R, \-\-authorize"
request authorization for particular service (in current version
this is limited to service \fBppp\fR and protocol \fBip\fR)
.TP
.I "\-A, \-\-account"
send accounting requests on session beginning and end
.IP "Data\ options"
.TP
.I "\-h, \-\-help"
display brief listing of options and exit
.TP
.I "\-V, \-\-version"
display program name, program version and exit

.PP
Options for passing various data to the program. Only \fB\-u\fR is required.
If any of other options is not specified, the compiled-in defaul is used.

.TP
.I "\-u, \-\-username"
username for authentication, authorization and accounting
.TP
.I "\-p, \-\-password"
password for authentication; if not specified from command line,
prompt is displayed and password is read from standard input
.TP
.I "\-s, \-\-server"
TACACS+ server address, either IP address or host name; this option
can be given up to two times, specifying primary and secondary servers
.TP
.I "\-k, \-\-secret"
shared secret used to encrypt and decrypt packets exchanged with
TACACS+ server
.TP
.I "\-i, \-\-sourceip"
Set the IPv4 address used as the source IP address when communicating with
the TACACS+ server.  IPv6 addresses are not supported, nor are hostnames.
The address must work when passsed to the
.BR bind ()
system call, that is, it must be valid for interface being used.
.TP
.I "\-c, \-\-command, \-\-exec"
command to execute after successful performing all specified actions;
this usually starts PPP or SLIP driver

.PP
Options modifying program's behaviour.

.TP
.I "\-q, \-\-quiet, \-\-silent"
supresses displaying informational and error messages to standard
output, but still report errors to syslog(3)
.TP
.I "\-w, \-\-no\-wtmp"
supresses writing accounting records to local wtmp(5) files
.TP
.I "\-n, \-\-no\-encrypt"
disables encryption of packets sent to TACACS+ server

.SH "LOGIN MODE"
In this mode \fBtacc\fR will accept only one parameter, the \fIusername\fR,
as passed from \fIgetty\fR style programs. It is intended for use as
replacement for \fIlogin\fR program in \fIgetty\fR configuration file.
In login mode \fBtacc\fR will use compiled in defaults for server address,
secret key and command to run after successful authentication and
authorization. It will also prompt for password and read it from standard
input, like the \fIlogin\fR program.

.SH LIMITATIONS
In current version there is no other way to change login mode parameters
than changing them in the source file and recompiling \fBtacc\fR. It also
does not implement the full TACACS+ specification, only the subset of
TACACS+ required to perform PAP authentication, IP authorization
and start/stop accounting.
.PP
There are also some limitations in information sent in accounting packets,
caused by the fact that \fBtacc\fR doesn't perform PPP connection itself,
but only spawns \fIpppd\fR to handle the PPP protocol. Because of this
\fBtacc\fR has no idea on how many data was exchanged with the peer.

.SH "EXIT CODE"
\fBtacc\fR returns the following codes at exit:
.TP
.B 0
to indicate success
.TP
.B 1
to indicate authentication failure or remote server error
.TP
.B 2
to indicate local error

.SH "SEE ALSO"
.TP
.I ftp://ftp-eng.cisco.com/tacplus/
CISCO archive with latest versions of TACACS+ specification, API and
server source code
.TP
.I TAC_PLUS Developer's Kit
distributed with TACACS+ server source code
.TP
.I http://ceti.com.pl/~kravietz/progs/tacacs.html
more information on \fBtacc\fR and TACACS+ support for \fIpppd\fR

.SH AUTHOR
Pawel Krawczyk <kravietz@ceti.com.pl>