Use markup for README
jeroennijhof committed Apr 22, 2014
1 parent e02d06d commit 379a665
Showing 2 changed files with 35 additions and 57 deletions.
11 changes: 3 additions & 8 deletions INSTALL
@@ -11,14 +11,9 @@ without warranty of any kind.

Basic Installation
==================
$ aclocal
$ autoconf
$ autoheader
$ libtoolize
$ automake --add-missing

Briefly, the shell commands `./configure; make; make install' should
configure, build, and install this package. The following

Briefly, the shell command `./configure && make && make install'
should configure, build, and install this package. The following
more-detailed instructions are generic; see the `README' file for
instructions specific to this package. Some packages provide this
`INSTALL' file but do not implement all of the features documented
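Review bot: dropping the `aclocal`, `autoconf`, `autoheader`, `libtoolize` and `automake --add-missing` steps from "Basic Installation" leaves the remaining text assuming a generated `./configure` already exists, which holds for a release tarball but not for a checkout of the repository; either keep those commands under a short "building from git" note (or point at an `autoreconf -i` / autogen script if one is shipped) so the instructions stay complete. Changing `./configure; make; make install` to `./configure && make && make install` is a good fix, since `make install` no longer runs after a failed configure or build.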
81 changes: 32 additions & 49 deletions README
@@ -1,6 +1,4 @@

pam_tacplus v1.3.8
Jul 1 2013
# pam_tacplus

This PAM module support the following functions:

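Review bot: replacing the two header lines with `# pam_tacplus` drops the `v1.3.8` version and `Jul 1 2013` date that the old README carried, so a reader of the rendered page can no longer tell which release it documents; if the version now lives only in the build system, consider a one-line pointer (or the version itself) directly under the heading. Unchanged context line `This PAM module support the following functions:` should read `supports` while this file is being touched.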
@@ -17,66 +15,64 @@ encrypted. This module is an attempt to provide most useful part of
TACACS+ functionality to applications using the PAM interface on Linux.


Recognized options:
~~~~~~~~~~~~~~~~~~~
## Recognized options:

Option Management group Description
--------------- ----------------------- ----------------------------------
debug ALL output debugging information via
syslog(3); note, that the debugging
is heavy, including passwords!
| Option | Management group | Description |
|------------------- | ---------------- | ----------- |
| debug | ALL | output debugging information via
syslog(3); note, that the debugging
is heavy, including passwords! |

secret=STRING ALL can be specified more than once;
| secret=STRING | ALL | can be specified more than once;
secret key used to encrypt/decrypt
packets sent/received from the server
packets sent/received from the server |

server=HOSTNAME auth, session can be specified more than once;
server=IP_ADDR adds a TACACS+ server to the servers
server=HOSTNAME:PORT list
server=IP_ADDR:PORT
| server=HOSTNAME | auth, session | can be specified more than once;
server=IP_ADDR adds a TACACS+ server to the servers
server=HOSTNAME:PORT list |
server=IP_ADDR:PORT

timeout=INT ALL connection timeout in seconds
default is 5 seconds
| timeout=INT | ALL | connection timeout in seconds
default is 5 seconds |

login=STRING auth TACACS+ authentication service,
| login=STRING | auth | TACACS+ authentication service,
this can be "pap", "chap" or "login"
at the moment. Default is pap.
at the moment. Default is pap. |

prompt=STRING auth Custom password prompt. If you want
| prompt=STRING | auth | Custom password prompt. If you want
to use a space use '_' character
instead.
instead. |

acct_all session if multiple servers are supplied,
| acct_all | session | if multiple servers are supplied,
pam_tacplus will send accounting
start/stop packets to all servers
on the list
on the list |

service account, session TACACS+ service for authorization
and accounting
| service | account, session | TACACS+ service for authorization
and accounting |

protocol account, session TACACS+ protocol for authorization
and accounting
| protocol | account, session | TACACS+ protocol for authorization
and accounting |

The last two items are widely described in TACACS+ draft [1]. They are
required by the server, but it will work if they don't match the real
service authorized :)
During PAM account the AV pairs returned by the TACACS+ servers are made available to the
PAM environment, so you can use i.e. pam_exec.so to do something with these AV pairs.

Example configuration:
~~~~~~~~~~~~~~~~~~~~~~
## Example configuration:

```
#%PAM-1.0
auth required /lib/security/pam_tacplus.so debug server=1.1.1.1 secret=SECRET-1
account required /lib/security/pam_tacplus.so debug secret=SECRET-1 service=ppp protocol=lcp
account sufficient /lib/security/pam_exec.so /usr/local/bin/showenv.sh
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow use_authtok
session required /lib/security/pam_tacplus.so debug server=1.1.1.1 server=2.2.2.2 secret=SECRET-1 secret=SECRET-2 service=ppp protocol=lcp
```


More on server lists:
~~~~~~~~~~~~~~~~~~~~~
## More on server lists:

1. Having more that one TACACS+ server defined for given management group
has following effects on authentication:
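Review bot: the converted option table will not render as intended, because Markdown tables require each row on a single line: the continuation lines under `debug`, `secret=STRING`, `server=HOSTNAME`, `timeout=INT`, `login=STRING`, `prompt=STRING`, `acct_all`, `service` and `protocol` (for example `syslog(3); note, that the debugging` and `is heavy, including passwords! |`) fall outside the table and become stray paragraphs, and the alternative forms `server=IP_ADDR`, `server=HOSTNAME:PORT` and `server=IP_ADDR:PORT` lose their cell entirely. Join each description onto its row (joining the `server=` variants with `<br>` in one cell) or switch the options to a definition-style list. Related: the `debug` row itself warns that debug output to `syslog(3)` includes passwords, yet the example configuration in this hunk enables `debug` on every `pam_tacplus.so` line; the example should omit `debug` or carry a note that it is for troubleshooting only, so that copying it verbatim does not leave user credentials in the system log. Minor style point: the new `##` headings keep the trailing colons from the old underlined style (`## Recognized options:`, `## Example configuration:`), which reads oddly in Markdown.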
@@ -116,8 +112,7 @@ authorization.
on all of them at the same time


Short introduction to PAM via TACACS+:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Short introduction to PAM via TACACS+:

This diagram should show general idea of how the whole process looks:

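Review bot: `## Short introduction to PAM via TACACS+:` is followed by `This diagram should show general idea of how the whole process looks:`; in Markdown an ASCII diagram has to sit in a fenced or indented code block, as was done for the example configuration above, otherwise the renderer collapses its whitespace and line breaks. Please confirm the diagram lines just after this hunk are fenced.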
@@ -155,8 +150,7 @@ Consider `login' application:
7. When user logs out, pam_sm_close_session() sends STOP packet to the
server. The whole session is closed.

Limitations:
~~~~~~~~~~~~
## Limitations:

Many of them for now :)

@@ -165,18 +159,7 @@ Many of them for now :)
* utilize PAM_SERVICE item obtained from PAM for TACACS+ services
* clean options and configuration code

References:
~~~~~~~~~~~

TACACS+
1. ftp://ftpeng.cisco.com/pub/tacplus/tac_plus.rfc.1.76.txt
2. ftp://ftpeng.cisco.com/pub/tacplus/tac_plus.3.0.12.alpha.tar.Z

PAM
3. http://parc.power.net/morgan/Linux-PAM/index.html

Authors:
~~~~~~~
## Authors:

Pawel Krawczyk <[email protected]>
http://ipsec.pl
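Review bot: removing the `References:` section leaves a dangling citation: the options section still states that `service` and `protocol` are "widely described in TACACS+ draft [1]", but `[1]` (`ftp://ftpeng.cisco.com/pub/tacplus/tac_plus.rfc.1.76.txt`) no longer exists anywhere in the file. Either keep the references as a Markdown list under `## References` or replace `[1]` with an inline link to the draft; the Linux-PAM link (`http://parc.power.net/morgan/Linux-PAM/index.html`) is likewise dropped without a replacement.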