tac_plus(8)		    System Manager's Manual		   tac_plus(8)

NAME
       tac_plus	- tacacs plus daemon

SYNOPSIS
       tac_plus	-C <configfile>	[-GghiLPSstv] [-B <bind_address>] [-d <level>]
       [-l  <logfile>]	[-m  <max_listen_queue>] [-p <tcp_port>] [-Q <setgid>]
       [-U <setuid>] [-u <wtmpfile>] [-w <wholog>]

DESCRIPTION
       By default, tac_plus listens  on	 tcp  port  49	and  provides  network
       devices	(normally  routers  and	 access	 servers) with authentication,
       authorization and accounting services.

       A  configuration	 file  controls	  the	details	  of   authentication,
       authorization and accounting.

COMMAND-LINE OPTIONS
       -C <configfile>

	      Specify the configuration	file name.  The	-C option is required.

       -B <bind	address>

	      Specify	the  address  on  which	 the  daemon  should  bind(2).
	      Successive instances of  -B  override  previous  instances.   By
	      default,	the  daemon  listens  on  all  addresses.   Note: this
	      changes the name of the pid file created by the daemon.

       -G     Remain in the foreground, but neither single-threaded nor logging
	      to the tty (compare -g).

       -d <level>
	      Switch on	debugging.  By default the output will appear  in  the
	      log file and syslog(3).

	      NOTE:  The  -g  flag will	cause these messages to	also appear on
	      stdout.  The -t flag  will  cause	 these	messages  to  also  be
	      written to /dev/console.

	      The  value  of  level  is	 as  described	below.	 These	values
	      represent	bits that can be logically OR'd	together.  The	daemon
	      logically	ORs successive occurrences of the -d option.

	      Value   Meaning
	      2	      configuration parsing debugging
	      4	      fork(2) debugging
	      8	      authorization debugging
	      16      authentication debugging
	      32      password file processing debugging
	      64      accounting debugging
	      128     config file parsing & lookup
	      256     packet transmission/reception
	      512     encryption/decryption
	      1024    MD5 hash algorithm debugging
	      2048    very low level encryption/decryption
	      32768   max session debugging
	      65536   lock debugging

       -g     Single threaded mode.  The daemon	will only accept and service a
	      single  connection at a time without forking and without closing
	      file descriptors.	 All log messages appear on standard output.

	      This is intended only for	debugging and not for normal service.

	      This option does not work	with single-connection sessions.

       -h     Display help message.

       -i     tac_plus	will  be  run  from  inetd(8).	 In  inetd  mode,  the
	      configuration file is parsed every time tac_plus starts.

	      If the configuration is large or the frequency of connections is
	      high, this will negatively affect the responsiveness of the
	      daemon.

	      If the config file is small,  connections	 are  infrequent,  and
	      authentication  is being done via	passwd(5) files	or SKEY	(which
	      are not cached), running in inetd	mode should be tolerable,  but
	      still is not recommended.

	      This option does not work	with single-connection sessions.

       -l <logfile>
	      Specify  an alternate log	file location.	This file is only used
	      when the -d option is  used.   The  logs	are  still  posted  to
	      syslog.

       -m <max_listen_queue>
	      Specify  an  alternative client listen queue limit.  The default
	      is SOMAXCONN or 64, if your O/S does not specify one.

       -L     Look up the DNS PTR (Domain Name System PoinTeR) record of client
	      addresses.  The resulting FQDN (Fully Qualified Domain Name), if
	      it   resolves,   will   be   used	  in   log  messages,  libwrap
	      (tcp_wrappers) checks, and for  matching	host  clauses  of  the
	      configuration file.  Also	see tac_plus.conf(5).

       -P     Parse  the  configuration	file, echo it to standard output while
	      parsing, and then	exit.  tac_plus	 will  exit  non-zero  when  a
	      parser error occurs.

	      Useful for debugging configuration file syntax.

       -p <port>
	      Listen  on the specified port number instead of the default port
	      49 for incoming tcp connections.	Note: this changes the name of
	      the pid file created by the daemon.

       -Q <setgid groupname>
	      Specify the groupname or GID to setgid(2).  If  the  daemon  was
	      compiled	with a specific	GID, this option overrides that	value.
	      By default, the daemon inherits the GID from its parent process.

       -S     Enables or allows client single-connection mode, whereby the
	      client will create one connection and interleave queries.

	      Note: this is broken in IOS and IOS-XE.

	      Note: this is currently only partially supported in the daemon.

       -s     Causes the daemon	to always reject authentication	requests which
	      contain  a  minor	 version  number  of  zero  (SENDPASS).	  This
	      enhances security	in  the	 event	that  someone  discovers  your
	      encryption  key.	 SENDPASS requests permit requesters to	obtain
	      CHAP, PAP	and ARAP passwords from	the daemon, iff	the encryption
	      key is known.

	      Note: IOS	versions preceding 11.2	will fail.

       -t     Log  all	informational,	debugging   or	 error	 messages   to
	      /dev/console  in	addition  to  logging  to  syslogd. Useful for
	      debugging.

       -U <setuid username>
	      Specify the username or UID to setuid(2).	  If  the  daemon  was
	      compiled	with a specific	UID, this option overrides that	value.
	      The daemon must be started by root to open the privileged port.
	      By default, it does not change its UID and therefore remains
	      root.

       -u <wtmpfile>
	      Write wtmp entries to the	specified wtmp file.

       -v     Display version information and exit.

       -w <wholog>
	      Specify the location of the max session file.

STARTING
       tac_plus	is normally invoked by root, as	follows:

	   # tac_plus -C <configfile>

       where <configfile> is a full path to the	configuration file.   Tac_plus
       will  background	itself and start listening on port 49 for incoming tcp
       connections.

       Tac_plus	must be	invoked	as root	to obtain privileged network socket 49
       and to  read  the  protected  configuration  file,  which  may  contain
       confidential   information   such  as  encryption  keys	and  cleartext
       passwords.

       After the port is acquired and the config file is read, root privileges
       are no longer required.	You can	arrange	that tac_plus will change  its
       user  and  group	 IDs  to  a  more  innocuous  user  and	 group via the
       configuration file.

       NOTE: The new user  and	group  still  needs  permission	 to  read  any
       passwd(5)  (and	shadow(5)) files and S/KEY database if these are being
       used.

TCP WRAPPERS
       If tac_plus was compiled	with libwrap (aka. tcp_wrappers) support, upon
       connection the daemon will consult with	tcp_wrappers  on  whether  the
       client  has  permission	to  connect.  The daemon name used in a	daemon
       list of the access control file is the name of the executable, normally
       "tac_plus".  See	hosts_access(5).

PERMISSIONS
       The configuration file should be unreadable and unwritable by anyone
       except root, as it contains passwords and keys.

SIGNALS
       If the daemon receives a SIGHUP or SIGUSR1, it will reinitialize
       itself and re-read its configuration file.

       Note: if an error is encountered in the configuration file or the file
       cannot be opened for reading, such as due to insufficient permissions
       resulting from process ownership and file permissions, the daemon will
       exit.

       Likewise, if the daemon is configured to send accounting records to a
       file and that file cannot be opened for writing, such as due to
       insufficient permissions resulting from process ownership and file
       permissions, the daemon will exit.
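       The following pre-flight script is an added example, not part of the
       tac_plus distribution.  It ties together the PERMISSIONS and SIGNALS
       sections above: it refuses to start or reload the daemon unless the
       configuration file is root-owned with no group/other bits, and it runs
       the parse-only -P mode before sending SIGHUP, since a reload with an
       unparseable or unreadable configuration makes the daemon exit.  The
       TAC_PLUS, CONF and PIDFILE paths are placeholders; if you start the
       daemon with -B or -p, set PIDFILE to the suffixed name listed in FILES.

```shell
#!/bin/sh
# Added example (not from the tac_plus distribution).  Placeholder paths:
TAC_PLUS=${TAC_PLUS:-/usr/local/sbin/tac_plus}
CONF=${CONF:-/usr/local/etc/tac_plus.conf}
PIDFILE=${PIDFILE:-/var/run/tac_plus.pid}   # add .bind_address/.port_number if -B/-p are used

# check_conf_perms FILE OWNER
# Succeeds only if FILE is a regular file owned by OWNER whose group and other
# permission bits are all clear (i.e. 0600 or 0400), as PERMISSIONS requires
# for a file holding keys and cleartext passwords.  ls(1) output is parsed
# rather than stat(1) because stat's flags differ between FreeBSD and Linux.
check_conf_perms() {
    f=$1; want_owner=$2
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    mode=$(ls -ld "$f" | awk '{print $1}')    # e.g. -rw------- (maybe with trailing + or @)
    owner=$(ls -ld "$f" | awk '{print $3}')
    if [ "$owner" != "$want_owner" ]; then
        echo "$f: owned by $owner, expected $want_owner" >&2; return 1
    fi
    # Drop the type character and the owner triplet; the rest must be ------.
    case "${mode#????}" in
        ------*) return 0 ;;
        *) echo "$f: group/other permission bits set ($mode)" >&2; return 1 ;;
    esac
}

# validate_conf: parse-only run.  -P echoes the configuration (keys included)
# to stdout, so discard it; only the exit status matters here.
validate_conf() {
    "$TAC_PLUS" -P -C "$CONF" >/dev/null 2>&1
}

# reload_daemon: signal SIGHUP only once the configuration is known to parse,
# so a typo in the file cannot take the running daemon down.
reload_daemon() {
    validate_conf || { echo "refusing to reload: $CONF does not parse" >&2; return 1; }
    [ -r "$PIDFILE" ] || { echo "no readable pid file at $PIDFILE" >&2; return 1; }
    kill -HUP "$(cat "$PIDFILE")"
}

# Usage: sh preflight.sh start | reload   (no argument: only define functions)
case "${1:-}" in
    start)  check_conf_perms "$CONF" root && validate_conf && "$TAC_PLUS" -C "$CONF" ;;
    reload) check_conf_perms "$CONF" root && reload_daemon ;;
esac
```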

LOG MESSAGES
       tac_plus	logs error  and	 informational	messages  to  syslog  facility
       LOG_DAEMON.

FILES
       /var/log/tac_plus.acct	     Default accounting	file.

       /var/log/tac_plus.log	     Default  log file used when the -d	option
				     is	used.

       /var/run/tac_plus.pid	     Pid file.	If  the	 -B  option  is	 used,
				     ".bind_address"  is  appended.  If	the -p
				     option   is   used,   ".port_number"   is
				     appended.

SEE ALSO
       tac_plus.conf(5), tac_pwd(8)

       Also  see  the  tac_plus	 User  Guide  (user_guide)  that came with the
       distribution.  The user guide does not cover all	the  modifications  to
       the original Cisco version.

HISTORY
       There  are  at  least  3	 versions  of the authentication protocol that
       people commonly refer to	as "TACACS".

       The first is ordinary tacacs, which was the first one offered on	 Cisco
       boxes  and  has been in use for many years.  The	second is an extension
       to the first, commonly called Extended Tacacs or	XTACACS, introduced in
       1990.

       The third one  is  TACACS+  (or	T+  or	tac_plus)  which  is  what  is
       documented  here.  TACACS+ is NOT COMPATIBLE with any previous versions
       of tacacs.

AUTHOR
       The tac_plus (tacacs+) developer's kit is a product of  Cisco  Systems,
       written	by  Lol	Grant.	Made available at no cost and with no warranty
       of any kind.  See the file COPYING and source files that	came with  the
       distribution for	specifics.

       Though heavily modified from the original Cisco manual pages, many of
       the modifications are derived from the tacacs IETF draft and the Cisco
       user guide.

			       29 December 2014			   tac_plus(8)
