tac_plus(8) System Manager's Manual tac_plus(8)


tac_plus - tacacs plus daemon

tac_plus -C <configfile> [-GghiLPSstv] [-B <bind_address>] [-d <level>]
[-l <logfile>] [-m <max_listen_queue>] [-p <tcp_port>] [-Q <setgid>]
[-U <setuid>] [-u <wtmpfile>] [-w <wholog>]

By default, tac_plus listens on tcp port 49 and provides network
devices (normally routers and access servers) with authentication,
authorization and accounting services.

A configuration file controls the details of authentication,
authorization and accounting.

-C <configfile>
Specify the configuration file name. The -C option is required.

-B <bind address>
Specify the address on which the daemon should bind(2).
Successive instances of -B override previous instances. By
default, the daemon listens on all addresses. Note: this
changes the name of the pid file created by the daemon.

-G Remain in the foreground, but neither single-threaded nor logging to
the tty.

-d <level>
Switch on debugging. By default the output will appear in the
log file and syslog(3).

NOTE: The -g flag will cause these messages to also appear on
stdout. The -t flag will cause these messages to also be
written to /dev/console.

The value of level is as described below. These values
represent bits that can be logically OR'd together. The daemon
logically ORs successive occurrences of the -d option.

Value  Meaning
2      configuration parsing debugging
4      fork(1) debugging
8      authorization debugging
16     authentication debugging
32     password file processing debugging
64     accounting debugging
128    config file parsing & lookup
256    packet transmission/reception
512    encryption/decryption
1024   MD5 hash algorithm debugging
2048   very low level encryption/decryption
32768  max session debugging
65536  lock debugging

-g Single threaded mode. The daemon will only accept and service a
single connection at a time without forking and without closing
file descriptors. All log messages appear on standard output.

This is intended only for debugging and not for normal service.

This option does not work with single-connection sessions.

-h Display help message.

-i tac_plus will be run from inetd(8). In inetd mode, the
configuration file is parsed every time tac_plus starts.

If the configuration is large or the frequency of connections is
high, this will negatively affect the responsiveness of the
daemon.

If the config file is small, connections are infrequent, and
authentication is being done via passwd(5) files or SKEY (which
are not cached), running in inetd mode should be tolerable, but
still is not recommended.

This option does not work with single-connection sessions.

-l <logfile>
Specify an alternate log file location. This file is only used
when the -d option is used. The logs are still posted to
syslog.

-m <max_listen_queue>
Specify an alternative client listen queue limit. The default
is SOMAXCONN or 64, if your O/S does not specify one.

-L Lookup DNS PTR (Domain Name System PoinTeR) record of client
addresses. The resulting FQDN (Fully Qualified Domain Name), if
it resolves, will be used in log messages, libwrap
(tcp_wrappers) checks, and for matching host clauses of the
configuration file. Also see tac_plus.conf(5).

-P Parse the configuration file, echo it to standard output while
parsing, and then exit. tac_plus will exit non-zero when a
parser error occurs.

Useful for debugging configuration file syntax.

-p <port>
Listen on the specified port number instead of the default port
49 for incoming tcp connections. Note: this changes the name of
the pid file created by the daemon.

-Q <setgid groupname>
Specify the groupname or GID to setgid(2). If the daemon was
compiled with a specific GID, this option overrides that value.
By default, the daemon inherits the GID from its parent process.

-S Enables or allows client single-connection mode, whereby the
client will create one connection and interleave queries.

Note: this is broken in IOS and IOS-XE.

Note: this is currently only partially supported in the daemon.

-s Causes the daemon to always reject authentication requests which
contain a minor version number of zero (SENDPASS). This
enhances security in the event that someone discovers your
encryption key. SENDPASS requests permit requesters to obtain
CHAP, PAP and ARAP passwords from the daemon, iff the encryption
key is known.

Note: IOS versions preceding 11.2 will fail.

-t Log all informational, debugging or error messages to
/dev/console in addition to logging to syslogd. Useful for
debugging.

-U <setuid username>
Specify the username or UID to setuid(2). If the daemon was
compiled with a specific UID, this option overrides that value.
The daemon must be started by root to open the privileged port.
By default, it does not change its UID and therefore remains root.

-u <wtmpfile>
Write wtmp entries to the specified wtmp file.

-v Display version information and exit.

-w <wholog>
Specify the location of the max session file.

tac_plus is normally invoked by root, as follows:


# tac_plus -C <configfile>


where <configfile> is a full path to the configuration file. Tac_plus
will background itself and start listening on port 49 for incoming tcp
connections.

Tac_plus must be invoked as root to obtain privileged network socket 49
and to read the protected configuration file, which may contain
confidential information such as encryption keys and cleartext
passwords.

After the port is acquired and the config file is read, root privileges
are no longer required. You can arrange that tac_plus will change its
user and group IDs to a more innocuous user and group via the
configuration file.

NOTE: The new user and group still need permission to read any
passwd(5) (and shadow(5)) files and the S/KEY database if these are being
used.

If tac_plus was compiled with libwrap (aka. tcp_wrappers) support, upon
connection the daemon will consult tcp_wrappers on whether the
client has permission to connect. The daemon name used in a daemon
list of the access control file is the name of the executable, normally
"tac_plus". See hosts_access(5).

The configuration file should be unreadable and unwritable by anyone
except root, as it contains passwords and keys.

If the daemon receives a SIGHUP or SIGUSR1, it will reinitialize
itself and re-read its configuration file.

Note: if an error is encountered in the configuration file or the file
cannot be opened for reading, such as due to insufficient permissions
resulting from process ownership and file permissions, the daemon will
exit.

Likewise, if the daemon is configured to send accounting records to a
file and that file cannot be opened for writing, such as due to
insufficient permissions resulting from process ownership and file
permissions, the daemon will exit.

tac_plus logs error and informational messages to syslog facility
LOG_DAEMON.

/var/log/tac_plus.acct   Default accounting file.

/var/log/tac_plus.log    Default log file used when the -d option
                         is used.

/var/run/tac_plus.pid    Pid file. If the -B option is used,
                         ".bind_address" is appended. If the -p
                         option is used, ".port_number" is
                         appended.
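Because a SIGHUP reload makes the daemon exit on a broken or unreadable
configuration, an operator wants to validate with -P and check the file's
permissions before signalling. The script below is an added example, not
part of the tac_plus distribution: it assumes the binary is on PATH (or
named in TAC_PLUS), that pid files live under /var/run as listed above,
and that when both -B and -p are used the bind address suffix precedes the
port suffix (an assumption; the man page does not state the order).

```shell
#!/bin/sh
# Added example, not part of tac_plus. Assumes tac_plus is on PATH
# (override with TAC_PLUS) and the pid file layout from the FILES section.
TAC_PLUS="${TAC_PLUS:-tac_plus}"

# Pid file path for a daemon started with optional -B <bind> and -p <port>.
# Suffix order (bind before port) is an assumption, not stated by the page.
tac_plus_pidfile() {
    bind="$1"; port="$2"
    pidfile=/var/run/tac_plus.pid
    if [ -n "$bind" ]; then pidfile="$pidfile.$bind"; fi
    if [ -n "$port" ]; then pidfile="$pidfile.$port"; fi
    printf '%s\n' "$pidfile"
}

# Returns 0 when the config file has no group/other permission bits set
# (it holds encryption keys and cleartext passwords), otherwise 1.
tac_plus_config_perms_ok() {
    cfg="$1"
    [ -f "$cfg" ] || return 1
    leaked=$(find "$cfg" -prune \( -perm -g+r -o -perm -g+w -o -perm -g+x \
             -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
    [ -z "$leaked" ]
}

# Safe reload: refuse if the config is exposed or fails to parse (-P),
# since the daemon would exit rather than keep its old configuration.
tac_plus_reload() {
    cfg="$1"; bind="$2"; port="$3"
    tac_plus_config_perms_ok "$cfg" || {
        echo "refusing: $cfg is readable or writable by group/other" >&2
        return 1
    }
    "$TAC_PLUS" -C "$cfg" -P >/dev/null 2>&1 || {
        echo "refusing: $cfg does not parse (tac_plus -P failed)" >&2
        return 1
    }
    pidfile=$(tac_plus_pidfile "$bind" "$port")
    [ -r "$pidfile" ] || { echo "no pid file at $pidfile" >&2; return 1; }
    kill -HUP "$(cat "$pidfile")"
}
```

Usage: tac_plus_reload /etc/tac_plus.conf "" "" for a daemon started with
defaults, or tac_plus_reload /etc/tac_plus.conf 192.0.2.10 4949 for one
started with -B 192.0.2.10 -p 4949.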

tac_plus.conf(5), tac_pwd(8)

Also see the tac_plus User Guide (user_guide) that came with the
distribution. The user guide does not cover all the modifications to
the original Cisco version.

There are at least 3 versions of the authentication protocol that
people commonly refer to as "TACACS".

The first is ordinary tacacs, which was the first one offered on Cisco
boxes and has been in use for many years. The second is an extension
to the first, commonly called Extended Tacacs or XTACACS, introduced in
1990.

The third one is TACACS+ (or T+ or tac_plus) which is what is
documented here. TACACS+ is NOT COMPATIBLE with any previous versions
of tacacs.

The tac_plus (tacacs+) developer's kit is a product of Cisco Systems,
written by Lol Grant. Made available at no cost and with no warranty
of any kind. See the file COPYING and source files that came with the
distribution for specifics.

Though heavily modified from the original Cisco manual pages, many of
the modifications are derived from the tacacs IETF draft and the Cisco
user guide.



29 December 2014 tac_plus(8)