# Automatically generated by system-login.py
# TACACS+ configuration file

# This is a common file used by audisp-tacplus, libpam_tacplus, and
# libtacplus_map config files as shipped.
#
# Any tac_plus client config can go here that is common to all users of this
# file, but typically it's just the TACACS+ server IP address(es) and shared
# secret(s)
#
# Because the shared secret(s) appear in this file in cleartext, it should
# normally be mode 600 if you care about the security of your secret key. When
# the file is mode 600, NSS lookups for TACACS+ users will only work for TACACS+
# users that are already logged in (via the local mapping). For root, lookups
# will work for any TACACS+ user, logged in or not.

# Set a per-connection timeout (in seconds, the value below), and enable the use
# of poll() when trying to read from TACACS+ servers. Otherwise standard TCP
# timeouts apply. Leaving it unset, or setting a negative value, disables use of
# poll(). There are usually multiple connection attempts per login.
timeout={{ tacacs.timeout }}

{% if tacacs.server is vyos_defined %}
{%     for server, server_config in tacacs.server.items() %}
secret={{ server_config.key }}
server={{ server }}:{{ server_config.port }}
{%     endfor %}
{% endif %}

# If set, login/logout accounting records are sent to all servers in
# the list, otherwise only to the first responding server
# Also used by audisp-tacplus per-command accounting, if it sources this file.
acct_all=1

{% if tacacs.vrf is vyos_defined %}
# If the management network is in a vrf, set this variable to the vrf name.
# This would usually be "mgmt". When this variable is set, the connection to the
# TACACS+ accounting servers will be made through the named vrf.
vrf={{ tacacs.vrf }}
{% endif %}

{% if tacacs.source_address is vyos_defined %}
# Sets the IPv4 address used as the source IP address when communicating with
# the TACACS+ server. IPv6 addresses are not supported, nor are hostnames.
# The address must work when passed to the bind() system call, that is, it must
# be valid for the interface being used.
source_ip={{ tacacs.source_address }}
{% endif %}

# If user_homedir=1, then tacacs users will be set to have a home directory
# based on their login name, rather than the mapped tacacsN home directory.
# mkhomedir_helper is used to create the directory if it does not exist (similar
# to use of pam_mkhomedir.so). This flag is ignored for users with restricted
# shells, e.g., users mapped to a tacacs privilege level that has enforced
# per-command authorization (see the tacplus-restrict man page).
user_homedir=1

service=shell
protocol=ssh