diff options
| author | Christian Breunig <christian@breunig.cc> | 2023-06-21 22:11:44 +0200 |
|---|---|---|
| committer | Christian Breunig <christian@breunig.cc> | 2023-06-22 22:37:41 +0200 |
| commit | 3ec727670de02cac06321719a0323650046d54a1 (patch) | |
| tree | c1a2932dbec7dc3e498ad5bd9db2831249c4b1fa /data/templates/login/tacplus_servers.j2 | |
| parent | 69ce448cbb02be5c29f6420dc91618639ec30301 (diff) | |
| download | vyos-1x-3ec727670de02cac06321719a0323650046d54a1.tar.gz vyos-1x-3ec727670de02cac06321719a0323650046d54a1.zip | |
tacacs: T141: initial implementation
Diffstat (limited to 'data/templates/login/tacplus_servers.j2')
| -rw-r--r-- | data/templates/login/tacplus_servers.j2 | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/data/templates/login/tacplus_servers.j2 b/data/templates/login/tacplus_servers.j2 new file mode 100644 index 000000000..5a65d6e68 --- /dev/null +++ b/data/templates/login/tacplus_servers.j2 @@ -0,0 +1,59 @@ +# Automatically generated by system-login.py +# TACACS+ configuration file + +# This is a common file used by audisp-tacplus, libpam_tacplus, and +# libtacplus_map config files as shipped. +# +# Any tac_plus client config can go here that is common to all users of this +# file, but typically it's just the TACACS+ server IP address(es) and shared +# secret(s) +# +# This file should normally be mode 600, if you care about the security of your +# secret key. When set to mode 600 NSS lookups for TACACS users will only work +# for tacacs users that are logged in, via the local mapping. For root, lookups +# will work for any tacacs users, logged in or not. + +# Set a per-connection timeout of 10 seconds, and enable the use of poll() when +# trying to read from tacacs servers. Otherwise standard TCP timeouts apply. +# Not set or set to a negative value disables use of poll(). There are usually +# multiple connection attempts per login. +timeout={{ tacacs.timeout }} + +{% if tacacs.server is vyos_defined %} +{% for server, server_config in tacacs.server.items() %} +secret={{ server_config.key }} +server={{ server }}:{{ server_config.port }} +{% endfor %} +{% endif %} + +# If set, login/logout accounting records are sent to all servers in +# the list, otherwise only to the first responding server +# Also used by audisp-tacplus per-command accounting, if it sources this file. +acct_all=1 + +{% if tacacs.vrf is vyos_defined %} +# If the management network is in a vrf, set this variable to the vrf name. +# This would usually be "mgmt". When this variable is set, the connection to the +# TACACS+ accounting servers will be made through the named vrf. +vrf={{ tacacs.vrf }} +{% endif %} + +{% if tacacs.source_address is vyos_defined %} +# Sets the IPv4 address used as the source IP address when communicating with +# the TACACS+ server. IPv6 addresses are not supported, nor are hostnames. +# The address must work when passsed to the bind() system call, that is, it must +# be valid for the interface being used. +source_ip={{ tacacs.source_address }} +{% endif %} + +# If user_homedir=1, then tacacs users will be set to have a home directory +# based on their login name, rather than the mapped tacacsN home directory. +# mkhomedir_helper is used to create the directory if it does not exist (similar +# to use of pam_mkhomedir.so). This flag is ignored for users with restricted +# shells, e.g., users mapped to a tacacs privilege level that has enforced +# per-command authorization (see the tacplus-restrict man page). +user_homedir=1 + +service=shell +protocol=ssh + |