#include <taclib.h> int
tac_add_server (struct tac_handle *h const char *host int port const char *secret int timeout int flags); void
tac_clear_avs (struct tac_handle *h); void
tac_close (struct tac_handle *h); int
tac_config (struct tac_handle *h const char *path); int
tac_create_authen (struct tac_handle *h int action int type int service); int
tac_create_author (struct tac_handle *h int method int type int service); char *
tac_get_av (struct tac_handle *h u_int index); char *
tac_get_av_value (struct tac_handle *h const char *attribute); void *
tac_get_data (struct tac_handle *h size_t *len); char *
tac_get_msg (struct tac_handle *h); struct tac_handle *
tac_open (void); int
tac_send_authen (struct tac_handle *h); int
tac_send_author (struct tac_handle *h); int
tac_set_av (struct tac_handle *h u_int index const char *av_pair); int
tac_set_data (struct tac_handle *h const void *data size_t data_len); int
tac_set_msg (struct tac_handle *h const char *msg); int
tac_set_port (struct tac_handle *h const char *port); int
tac_set_priv (struct tac_handle *h int priv); int
tac_set_rem_addr (struct tac_handle *h const char *addr); int
tac_set_user (struct tac_handle *h const char *user); const char *
tac_strerror (struct tac_handle *h);
DESCRIPTION
The
library implements the client side of the TACACS+ network access
control protocol.
TACACS+ allows clients to perform authentication,
authorization, and accounting by means of network requests to remote
servers.
This library currently supports only the authentication
and authorization portion of the protocol.
INITIALIZATION
To use the library, an application must first call
tac_open ();
to obtain a
struct tac_handle *
which provides context for subsequent operations.
Calls to
tac_open ();
always succeed unless insufficient virtual memory is available.
If
the necessary memory cannot be allocated,
tac_open ();
returns
NULL
Before issuing any TACACS+ requests, the library must be made aware
of the servers it can contact.
The easiest way to configure the
library is to call
tac_config (.);
tac_config ();
causes the library to read a configuration file whose format is
described in
tacplus.conf5.
The pathname of the configuration file is passed as the
file
argument to
tac_config (.);
This argument may also be given as
NULL
in which case the standard configuration file
/etc/tacplus.conf
is used.
tac_config ();
returns 0 on success, or -1 if an error occurs.
The library can also be configured programmatically by calls to
tac_add_server (.);
The
host
parameter specifies the server host, either as a fully qualified
domain name or as a dotted-quad IP address in text form.
The
port
parameter specifies the TCP port to contact on the server.
If
port
is given as 0, the library uses port 49, the standard TACACS+ port.
The shared secret for the server host is passed to the
secret
parameter.
It may be any null-terminated string of bytes.
The timeout for receiving replies from the server is passed to the
timeout
parameter, in units of seconds.
The
flags
parameter is a bit mask of flags to specify various characteristics of
the server.
It may contain:
TAC_SRVR_SINGLE_CONNECT
Causes the library to attempt to negotiate single connection mode
when communicating with the server.
In single connection mode, the
original TCP connection is held open for multiple TACACS+ sessions.
Older servers do not support this mode, and some of them become
confused if the client attempts to negotiate it.
tac_add_server ();
returns 0 on success, or -1 if an error occurs.
tac_add_server ();
may be called multiple times, and it may be used together with
tac_config (.);
At most 10 servers may be specified.
When multiple servers are given, they are tried in round-robin
fashion until a working, accessible server is found.
Once the
library finds such a server, it continues to use it as long as it
works.
CREATING A TACACS+ AUTHENTICATION REQUEST
To begin constructing a new authentication request, call
tac_create_authen (.);
The
actiontype
and
service
arguments must be set to appropriate values as defined in the
TACACS+ protocol specification.
The
#include <taclib.h>
header file contains symbolic constants for these values.
CREATING A TACACS+ AUTHORIZATION REQUEST
To begin constructing a new authorization request, call
tac_create_author (.);
The
methodtype
and
service
arguments must be set to appropriate values as defined in the
TACACS+ protocol specification.
The
#include <taclib.h>
header file contains symbolic constants for these values.
SETTING OPTIONAL PARAMETERS ON A REQUEST
After creating a request,
various optional parameters may be attached to it through calls to
tac_set_av (,);
tac_set_data (,);
tac_set_port (,);
tac_set_priv (,);
tac_set_rem_addr (,);
and
tac_set_user (.);
The library creates its own copies of any strings provided to these
functions, so that it is not necessary for the caller to preserve
them.
By default, each of these parameters is empty except for the
privilege level, which defaults to
`USER'
privilege.
tac_set_av ();
only applies to the context of an authorization request.
The format
for an attribute value pair is defined in the TACACS+ protocol
specification.
The index specified can be any value between 0 and
255 inclusive and indicates the position in the list to place the
attribute value pair.
Calling
tac_set_av ();
with same index twice effectively replaces the value at that position.
Use
tac_clear_avs ();
to clear all attribute value pairs that may have been set.
SENDING THE AUTHENTICATION REQUEST AND RECEIVING THE RESPONSE
After the TACACS+ authentication request has been constructed, it is
sent by means of
tac_send_authen (.);
This function connects to a server if not already connected, sends
the request, and waits for a reply.
On failure,
tac_send_authen ();
returns -1.
Otherwise, it returns the TACACS+ status code and flags,
packed into an integer value.
The status can be extracted using the
macro
TAC_AUTHEN_STATUS (.);
Possible status codes, defined in
In taclib.h ,
include:
TAC_AUTHEN_STATUS_PASS
TAC_AUTHEN_STATUS_FAIL
TAC_AUTHEN_STATUS_GETDATA
TAC_AUTHEN_STATUS_GETUSER
TAC_AUTHEN_STATUS_GETPASS
TAC_AUTHEN_STATUS_RESTART
TAC_AUTHEN_STATUS_ERROR
TAC_AUTHEN_STATUS_FOLLOW
The only flag is the no-echo flag, which can be tested using the
macro
TAC_AUTHEN_NOECHO (.);
EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE
An authentication response packet from the server may contain a
server message, a data string, or both.
After a successful call to
tac_send_authen (,);
this information may be retrieved from the response by calling
tac_get_msg ();
and
tac_get_data (.);
These functions return dynamically-allocated copies of the
information from the packet.
The caller is responsible for freeing
the copies when it no longer needs them.
The data returned from
these functions is guaranteed to be terminated by a null byte.
In the case of
tac_get_data (,);
the
len
argument points to a location into which the library will store the
actual length of the received data, not including the null
terminator.
This argument may be given as
NULL
if the caller is not interested in the length.
SENDING AUTHENTICATION CONTINUE PACKETS
If
tac_send_authen ();
returns a value containing one of the status codes
TAC_AUTHEN_STATUS_GETDATATAC_AUTHEN_STATUS_GETUSER
or
TAC_AUTHEN_STATUS_GETPASS
then the client must provide additional information to the server by
means of a TACACS+ CONTINUE packet.
To do so, the application must
first set the packet's user message and/or data fields using
tac_set_msg ();
and
tac_set_data (.);
The client then sends the CONTINUE packet with
tac_send_authen (.);
N.B.,
tac_create_authen ();
should
not
be called to construct a CONTINUE packet; it is used only for the
initial authentication request.
When it receives the CONTINUE packet, the server may again request
more information by returning
TAC_AUTHEN_STATUS_GETDATATAC_AUTHEN_STATUS_GETUSER
or
TAC_AUTHEN_STATUS_GETPASS
The application should send further CONTINUEs until some other
status is received from the server.
SENDING THE AUTHORIZATION REQUEST AND RECEIVING THE RESPONSE
After the TACACS+ authorization request has been constructed, it
is sent by means of
tac_send_author (.);
This function connects to a server if not already connected, sends
the request, and waits for a reply.
On failure,
tac_send_author ();
returns -1.
Otherwise, it returns the TACACS+ status code and
number of attribute value (AV) pairs received packed into an
integer value.
The status can be extracted using the macro
TAC_AUTHOR_STATUS (.);
Possible status codes, defined in
In taclib.h ,
include:
TAC_AUTHOR_STATUS_PASS_ADD
TAC_AUTHOR_STATUS_PASS_REPL
TAC_AUTHOR_STATUS_FAIL
TAC_AUTHOR_STATUS_ERROR
The number of AV pairs received is obtained using
TAC_AUTHEN_AV_COUNT (.);
EXTRACTING INFORMATION FROM THE SERVER'S AUTHORIZATION RESPONSE
Like an authentication response packet, an authorization
response packet from the
server may contain a server message, a data string, or both.
Refer
to EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE
for instruction on extraction of those values.
An authorization response packet from the server may also contain
attribute value (AV) pairs.
To extract these, use
tac_get_av ();
or
tac_get_av_value (.);
tac_get_av ();
takes the index of the AV pair as it is positioned in the list.
The indexes start at 0 (use
TAC_AUTHEN_AV_COUNT ();
on the return value of
tac_send_author ();
to get the total number of items in this list).
Alternatively,
tac_get_av_value ();
can be used.
tac_get_av_value ();
takes the attribute name and returns the
corresponding value only, not the AV pair.
These functions return
dynamically-allocated copies of the information from the packet.
The caller is responsible for freeing the copies when it no longer
needs them.
The data returned from these functions is guaranteed
to be terminated by a null byte.
OBTAINING ERROR MESSAGES
Those functions which accept a
struct tac_handle
argument record an error message if they fail.
The error message
can be retrieved by calling
tac_strerror (.);
The message text is overwritten on each new error for the given
struct tac_handle *
Thus the message must be copied if it is to be preserved through
subsequent library calls using the same handle.
CLEANUP
To free the resources used by the TACACS+ library, call
tac_close (.);
RETURN VALUES
The following functions return a non-negative value on success.
If
they detect an error, they return -1 and record an error message
which can be retrieved using
tac_strerror (.);
Fn tac_add_server
Fn tac_config
Fn tac_create_authen
Fn tac_create_author
Fn tac_send_authen
Fn tac_send_author
Fn tac_set_av
Fn tac_set_data
Fn tac_set_msg
Fn tac_set_port
Fn tac_set_priv
Fn tac_set_rem_addr
Fn tac_set_user
The following functions return a
non- NULL
pointer on success.
If they are unable to allocate sufficient
virtual memory, they return
NULL
and record an error message which can be retrieved using
tac_strerror (.);
Fn tac_get_av
Fn tac_get_av_value
Fn tac_get_data
Fn tac_get_msg
The following functions return a
non- NULL
pointer on success.
If they are unable to allocate sufficient
virtual memory, they return
NULL
without recording an error message.
Fn tac_open
FILES
/etc/tacplus.conf
SEE ALSO
tacplus.conf5
D. Carrel
Lol Grant
The TACACS+ Protocol, Version 1.78
draft-grant-tacacs-02.txt (Internet Draft)
AUTHORS
An -nosplit
This software was written by
An John Polstra
and
An Paul Fraley ,
and donated to the
Fx project by Juniper Networks, Inc.
