TACPLUS.CONF(5)               File Formats Manual              TACPLUS.CONF(5)

NAME
       tacplus.conf -- TACACS+ client configuration file

SYNOPSIS
       /etc/tacplus.conf

DESCRIPTION
       tacplus.conf contains the information necessary to configure the
       TACACS+ client library.  It is parsed by tac_config() (see
       libtacplus(3)).  The file contains one or more lines of text, each
       describing a single TACACS+ server which is to be used by the library.
       Leading white space is ignored, as are empty lines and lines containing
       only comments.

       A TACACS+ server is described by a minimum of two fields on a line.
       The fields are separated by whitespace and follow the same rules for
       comments, quoting, escaping, and line continuation as the POSIX shell.

       The first field specifies the server host, either as a fully qualified
       domain name or as a dotted-quad IP address.  The host may optionally be
       followed by a `:' and a numeric port number, without intervening white
       space.  If the port specification is omitted, it defaults to 49, the
       standard TACACS+ port.

       The second field contains the shared secret, which should be known only
       to the client and server hosts.  It is an arbitrary string of
       characters, though it must be enclosed in double quotes if it contains
       white space or is empty.  An empty secret disables the normal
       encryption mechanism, causing all data to cross the network in
       cleartext.

       The optional third field may contain a decimal integer specifying the
       timeout in seconds for communicating with the server.  The timeout
       applies separately to each connect, write, and read operation.  If
       this field is omitted, it defaults to 3 seconds.

       The optional fourth field may contain the string `single-connection'.
       If this option is included, the library will attempt to negotiate with
       the server to keep the TCP connection open for multiple sessions.  Some
       older TACACS+ servers become confused if this option is specified.

       Any subsequent fields must be of the form attribute=value and will be
       appended to authorization responses as if they had been sent by the
       server.

       Up to 10 TACACS+ servers may be specified.  The servers are tried in
       order, until a valid response is received or the list is exhausted.

       The standard location for this file is /etc/tacplus.conf.  An
       alternate pathname may be specified in the call to tac_config() (see
       libtacplus(3)).  Since the file contains sensitive information in the
       form of the shared secrets, it should not be readable except by root.

FILES
       /etc/tacplus.conf

EXAMPLES
       # A simple entry using all the defaults:
       tacserver.domain.com    OurLittleSecret

       # A server using a non-standard port, with an increased timeout and
       # the "single-connection" option, and overrides for the uid, gid
       # and shell attributes.
       auth.domain.com:4333    "Don't tell!!"  15      single-connection \
           uid=1001 gid=20 shell="/usr/local/bin/zsh"

       # A server specified by its IP address:
       192.168.27.81          $X*#..38947ax-+=        shell="/sbin/nologin"
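The field rules from DESCRIPTION and the entries in EXAMPLES, as an added example that is not libtacplus code: a Python parser that applies this page's rules (shell-style quoting, a literal `#` inside a word, backslash continuation, the ten-server limit) and reports an entry whose empty secret would put every session on the wire in cleartext. The function names and the `plain.example.com` entry are constructed for the example.

```python
import re
import shlex

# One word (plain, backslash-escaped or quoted runs) or a comment that starts where a word would.
TOKEN = re.compile(r"""\s*(#.*|(?:[^\s"'\\]|\\.|"(?:[^"\\]|\\.)*"|'[^']*')+)""")

def tokenize(line):
    """Split one logical line into fields using POSIX-shell quoting; '#' mid-word is literal."""
    fields, pos = [], 0
    while (m := TOKEN.match(line, pos)) and not m.group(1).startswith('#'):
        fields.append(shlex.split(m.group(1))[0])   # strip quotes and escapes
        pos = m.end()
    if not m and line[pos:].strip():
        raise ValueError("unterminated quote in %r" % line)
    return fields

def parse_tacplus_conf(text):
    """Return (servers, warnings); raise ValueError on a malformed entry."""
    servers, warnings = [], []
    for lineno, line in enumerate(text.replace('\\\n', ' ').split('\n'), 1):  # join \-continued lines
        fields = tokenize(line)
        if not fields:                    # blank or comment-only line
            continue
        if len(fields) < 2:
            raise ValueError("line %d: host and secret are required" % lineno)
        host, _, port = fields[0].partition(':')
        entry = {'host': host, 'port': int(port) if port else 49,   # 49: standard TACACS+ port
                 'secret': fields[1], 'timeout': 3, 'single_connection': False, 'attrs': {}}
        rest = fields[2:]
        if rest and rest[0].isdigit():    # optional third field: timeout (default 3 s)
            entry['timeout'] = int(rest.pop(0))
        if rest and rest[0] == 'single-connection':           # optional fourth field
            entry['single_connection'] = rest.pop(0) == 'single-connection'
        for field in rest:                # anything further must be attribute=value
            key, eq, value = field.partition('=')
            if not key or not eq:
                raise ValueError("line %d: expected attribute=value, got %r" % (lineno, field))
            entry['attrs'][key] = value
        if not entry['secret']:           # empty secret: the library sends everything in cleartext
            warnings.append("line %d: empty secret for %s" % (lineno, host))
        servers.append(entry)
    if len(servers) > 10:                 # libtacplus accepts at most ten servers
        raise ValueError("more than 10 servers listed")
    return servers, warnings

# Constructed sample: the three EXAMPLES entries above plus one empty-secret entry.
SAMPLE = r'''tacserver.domain.com    OurLittleSecret
auth.domain.com:4333    "Don't tell!!"  15      single-connection \
   uid=1001 gid=20 shell="/usr/local/bin/zsh"
192.168.27.81          $X*#..38947ax-+=        shell="/sbin/nologin"
plain.example.com ""   # secret may be empty, but then nothing is encrypted'''
```

Line numbers in errors and warnings count logical lines, so an entry that follows a backslash continuation is reported one line earlier than it appears in the file.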

SEE ALSO
       libtacplus(3)

AUTHORS
       This documentation was written by John Polstra, and donated to the
       FreeBSD project by Juniper Networks, Inc.

FreeBSD 14.3                     June 13, 2023                 TACPLUS.CONF(5)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=tacplus.conf&sektion=5&manpath=FreeBSD+14.3-RELEASE+and+Ports>