From 7d2e07fd4502aed3b841484855031ca8a48aebba Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 2 May 2021 19:07:13 +0200 Subject: Initial import of libtacplus-map (1.0.1-cl3u3) --- README | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 README diff --git a/README b/README new file mode 100644 index 0000000..4d0be82 --- /dev/null +++ b/README 
@@ -0,0 +1,51 @@ + +libtacplus_map v1.0.0 +June 22, 2016 + +This library supports local mapping of users authenticated via TACACS with +the pam_tacplus module. + +The TACACS+ users do not need entries in /etc/passwd to supply home directory, uid, +and gid information. + +This is done by creating local users called tacacs0 ... tacacs15 (at least +one, but up to all 16). The tacacs user's privilege level is used to select +the local tacacsN user, starting with an exact match, and working down to 0. + +A new libtacplus_map library (map_tacplus_user.c) writes the mappings into +a local file in /run, and cleans up on exit (for unexpected exits without +cleanups, the file is validated and cleaned up whenever a new entry is added +or an old entry removed). + +audit_[gs]etloginuid() is used to set a stable uid identifier as well as +triggering the /proc/$$/sessionid in the process. These are both recorded +in the mapping file, along with tty, rhost, etc. + +Also see the comments about immutable loginuid in Pam.d.common-example +in the libpam-tacplus package. + +A separate package libnss_tacplus uses the mapping library to do lookups by +both name and uid. uid lookups are only possible while a tacacs user is +logged in. + +If multiple tacacs users at the same privilege level are logged in, the +current behavior is that is that if a call is done from within the login +session, the correct (login) name will be returned. If from outside the +session (audit uid and/or session don't match in the mapping file), the name +from first map entry is used, much like normal systems where multiple users +have the same UID. + +Enabled -Werror to catch errors early (and fixed a few related items). + +This code is based in the pam_tacplus plugin, written by +Pawel Krawczyk and Jeroen Nijhof +, as well as others. It is based +on version pam_tacplus version 1.3.9. It uses the libtac +as found in pam_tacplus. A few minor changes have been made, +and libtac is built as a static archive library. 
+ + +Author: +~~~~~~~ + +Dave Olson
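Review bot: the README header in this hunk ("libtacplus_map v1.0.0", dated June 22, 2016) does not match the package version in the commit subject (1.0.1-cl3u3); update the header so the imported README tracks the release actually being packaged. Two wording slips in the same hunk should be fixed before import: "the current behavior is that is that if a call is done" repeats "is that", and "This code is based in the pam_tacplus plugin ... version pam_tacplus version 1.3.9" should read "based on" with the duplicated "version" dropped. Because the mapping file written to /run is what libnss_tacplus consults for name and uid lookups, the README should also state the file's expected ownership and permissions and what "validated" means when a stale entry is cleaned up after an unexpected exit; as written, a reader cannot tell which local users may write the file that NSS resolution depends on. The paragraph on multiple tacacs users at the same privilege level would be clearer if it said outright that, outside the login session, a shared tacacsN uid cannot be attributed to one TACACS+ user, so uid-based accounting and file ownership are only as precise as the number of tacacsN accounts provisioned. Lastly, since libtac is built into this library as a static archive, note in the README that fixes to libtac in pam_tacplus require rebuilding libtacplus_map rather than arriving through a shared-library update.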