1 .\" Copyright (c) 1998, 2001, 2002, Juniper Networks, Inc.
2 .\" All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
13 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 .Nd TACACS+ client library
36 .Fn tac_add_server "struct tac_handle *h" "const char *host" "int port" "const char *secret" "int timeout" "int flags"
38 .Fn tac_clear_avs "struct tac_handle *h"
40 .Fn tac_close "struct tac_handle *h"
42 .Fn tac_config "struct tac_handle *h" "const char *path"
44 .Fn tac_create_authen "struct tac_handle *h" "int action" "int type" "int service"
46 .Fn tac_create_author "struct tac_handle *h" "int method" "int type" "int service"
48 .Fn tac_create_acct "struct tac_handle *h" "int acct" "int action" "int type" "int service"
50 .Fn tac_get_av "struct tac_handle *h" "u_int index"
52 .Fn tac_get_av_value "struct tac_handle *h" "const char *attribute"
54 .Fn tac_get_data "struct tac_handle *h" "size_t *len"
56 .Fn tac_get_msg "struct tac_handle *h"
57 .Ft struct tac_handle *
60 .Fn tac_send_authen "struct tac_handle *h"
62 .Fn tac_send_author "struct tac_handle *h"
64 .Fn tac_send_acct "struct tac_handle *h"
66 .Fn tac_set_av "struct tac_handle *h" "u_int index" "const char *av_pair"
68 .Fn tac_set_data "struct tac_handle *h" "const void *data" "size_t data_len"
70 .Fn tac_set_msg "struct tac_handle *h" "const char *msg"
72 .Fn tac_set_port "struct tac_handle *h" "const char *port"
74 .Fn tac_set_priv "struct tac_handle *h" "int priv"
76 .Fn tac_set_rem_addr "struct tac_handle *h" "const char *addr"
78 .Fn tac_set_user "struct tac_handle *h" "const char *user"
80 .Fn tac_strerror "struct tac_handle *h"
84 library implements the client side of the TACACS+ network access
86 TACACS+ allows clients to perform authentication,
87 authorization, and accounting by means of network requests to remote
89 This library currently supports only the authentication
90 and authorization portion of the protocol.
92 To use the library, an application must first call
95 .Va struct tac_handle * ,
96 which provides context for subsequent operations.
99 always succeed unless insufficient virtual memory is available.
101 the necessary memory cannot be allocated,
106 Before issuing any TACACS+ requests, the library must be made aware
107 of the servers it can contact.
108 The easiest way to configure the
112 causes the library to read a configuration file whose format is
115 The pathname of the configuration file is passed as the
119 This argument may also be given as
121 in which case the standard configuration file
122 .Pa /etc/tacplus.conf
125 returns 0 on success, or \-1 if an error occurs.
127 The library can also be configured programmatically by calls to
131 parameter specifies the server host, either as a fully qualified
132 domain name or as a dotted-quad IP address in text form.
135 parameter specifies the TCP port to contact on the server.
138 is given as 0, the library uses port 49, the standard TACACS+ port.
139 The shared secret for the server host is passed to the
142 It may be any null-terminated string of bytes.
143 The timeout for receiving replies from the server is passed to the
145 parameter, in units of seconds.
148 parameter is a bit mask of flags to specify various characteristics of
152 .It Dv TAC_SRVR_SINGLE_CONNECT
153 Causes the library to attempt to negotiate single connection mode
154 when communicating with the server.
155 In single connection mode, the
156 original TCP connection is held open for multiple TACACS+ sessions.
157 Older servers do not support this mode, and some of them become
158 confused if the client attempts to negotiate it.
162 returns 0 on success, or \-1 if an error occurs.
165 may be called multiple times, and it may be used together with
167 At most 10 servers may be specified.
168 When multiple servers are given, they are tried in round-robin
169 fashion until a working, accessible server is found.
171 library finds such a server, it continues to use it as long as it
173 .Sh CREATING A TACACS+ AUTHENTICATION REQUEST
174 To begin constructing a new authentication request, call
175 .Fn tac_create_authen .
181 arguments must be set to appropriate values as defined in the
182 TACACS+ protocol specification.
185 header file contains symbolic constants for these values.
186 .Sh CREATING A TACACS+ AUTHORIZATION REQUEST
187 To begin constructing a new authorization request, call
188 .Fn tac_create_author .
194 arguments must be set to appropriate values as defined in the
195 TACACS+ protocol specification.
198 header file contains symbolic constants for these values.
199 .Sh CREATING A TACACS+ ACCOUNTING REQUEST
200 To begin constructing a new accounting request, call
201 .Fn tac_create_acct .
208 arguments must be set to appropriate values as defined in the
209 TACACS+ protocol specification.
212 header file contains symbolic constants for these values.
213 .Sh SETTING OPTIONAL PARAMETERS ON A REQUEST
214 After creating a request,
215 various optional parameters may be attached to it through calls to
220 .Fn tac_set_rem_addr ,
223 The library creates its own copies of any strings provided to these
224 functions, so that it is not necessary for the caller to preserve
226 By default, each of these parameters is empty except for the
227 privilege level, which defaults to
232 only applies to the context of an authorization request.
234 for an attribute value pair is defined in the TACACS+ protocol
236 The index specified can be any value between 0 and
237 255 inclusive and indicates the position in the list to place the
238 attribute value pair.
241 with same index twice effectively replaces the value at that position.
244 to clear all attribute value pairs that may have been set.
245 .Sh SENDING THE AUTHENTICATION REQUEST AND RECEIVING THE RESPONSE
246 After the TACACS+ authentication request has been constructed, it is
248 .Fn tac_send_authen .
249 This function connects to a server if not already connected, sends
250 the request, and waits for a reply.
254 Otherwise, it returns the TACACS+ status code and flags,
255 packed into an integer value.
256 The status can be extracted using the
258 .Fn TAC_AUTHEN_STATUS .
259 Possible status codes, defined in
263 .Bl -item -compact -offset indent
265 .Dv TAC_AUTHEN_STATUS_PASS
267 .Dv TAC_AUTHEN_STATUS_FAIL
269 .Dv TAC_AUTHEN_STATUS_GETDATA
271 .Dv TAC_AUTHEN_STATUS_GETUSER
273 .Dv TAC_AUTHEN_STATUS_GETPASS
275 .Dv TAC_AUTHEN_STATUS_RESTART
277 .Dv TAC_AUTHEN_STATUS_ERROR
279 .Dv TAC_AUTHEN_STATUS_FOLLOW
282 The only flag is the no-echo flag, which can be tested using the
284 .Fn TAC_AUTHEN_NOECHO .
285 .Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE
286 An authentication response packet from the server may contain a
287 server message, a data string, or both.
288 After a successful call to
289 .Fn tac_send_authen ,
290 this information may be retrieved from the response by calling
294 These functions return dynamically-allocated copies of the
295 information from the packet.
296 The caller is responsible for freeing
297 the copies when it no longer needs them.
298 The data returned from
299 these functions is guaranteed to be terminated by a null byte.
305 argument points to a location into which the library will store the
306 actual length of the received data, not including the null
308 This argument may be given as
310 if the caller is not interested in the length.
311 .Sh SENDING AUTHENTICATION CONTINUE PACKETS
314 returns a value containing one of the status codes
315 .Dv TAC_AUTHEN_STATUS_GETDATA ,
316 .Dv TAC_AUTHEN_STATUS_GETUSER ,
318 .Dv TAC_AUTHEN_STATUS_GETPASS ,
319 then the client must provide additional information to the server by
320 means of a TACACS+ CONTINUE packet.
321 To do so, the application must
322 first set the packet's user message and/or data fields using
326 The client then sends the CONTINUE packet with
327 .Fn tac_send_authen .
329 .Fn tac_create_authen
332 be called to construct a CONTINUE packet; it is used only for the
333 initial authentication request.
335 When it receives the CONTINUE packet, the server may again request
336 more information by returning
337 .Dv TAC_AUTHEN_STATUS_GETDATA ,
338 .Dv TAC_AUTHEN_STATUS_GETUSER ,
340 .Dv TAC_AUTHEN_STATUS_GETPASS .
341 The application should send further CONTINUEs until some other
342 status is received from the server.
343 .Sh SENDING THE AUTHORIZATION REQUEST AND RECEIVING THE RESPONSE
344 After the TACACS+ authorization request has been constructed, it
346 .Fn tac_send_author .
347 This function connects to a server if not already connected, sends
348 the request, and waits for a reply.
352 Otherwise, it returns the TACACS+ status code and
353 number of attribute value (AV) pairs received packed into an
355 The status can be extracted using the macro
356 .Fn TAC_AUTHOR_STATUS .
357 Possible status codes, defined in
361 .Bl -item -compact -offset indent
363 .Dv TAC_AUTHOR_STATUS_PASS_ADD
365 .Dv TAC_AUTHOR_STATUS_PASS_REPL
367 .Dv TAC_AUTHOR_STATUS_FAIL
369 .Dv TAC_AUTHOR_STATUS_ERROR
372 The number of AV pairs received is obtained using
373 .Fn TAC_AUTHEN_AV_COUNT .
374 .Sh SENDING THE ACCOUNTING REQUEST AND RECEIVING THE RESPONSE
375 After the TACACS+ authorization request has been constructed, it
378 This function connects to a server if not already connected, sends
379 the request, and waits for a reply.
383 Otherwise, it returns the TACACS+ status code.
384 Possible status codes, defined in
388 .Bl -item -compact -offset indent
390 .Dv TAC_ACCT_STATUS_SUCCESS
392 .Dv TAC_ACCT_STATUS_ERROR
394 .Dv TAC_ACCT_STATUS_FOLLOW
396 .Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHORIZATION RESPONSE
397 Like an authentication response packet, an authorization
398 response packet from the
399 server may contain a server message, a data string, or both.
401 to EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE
402 for instruction on extraction of those values.
404 An authorization response packet from the server may also contain
405 attribute value (AV) pairs.
406 To extract these, use
409 .Fn tac_get_av_value .
411 takes the index of the AV pair as it is positioned in the list.
412 The indexes start at 0 (use
413 .Fn TAC_AUTHEN_AV_COUNT
414 on the return value of
416 to get the total number of items in this list).
421 takes the attribute name and returns the
422 corresponding value only, not the AV pair.
423 These functions return
424 dynamically-allocated copies of the information from the packet.
425 The caller is responsible for freeing the copies when it no longer
427 The data returned from these functions is guaranteed
428 to be terminated by a null byte.
429 .Sh OBTAINING ERROR MESSAGES
430 Those functions which accept a
431 .Va struct tac_handle *
432 argument record an error message if they fail.
434 can be retrieved by calling
436 The message text is overwritten on each new error for the given
437 .Va struct tac_handle * .
438 Thus the message must be copied if it is to be preserved through
439 subsequent library calls using the same handle.
441 To free the resources used by the TACACS+ library, call
444 The following functions return a non-negative value on success.
446 they detect an error, they return \-1 and record an error message
447 which can be retrieved using
450 .Bl -item -offset indent -compact
456 .Fn tac_create_authen
458 .Fn tac_create_author
483 The following functions return a
486 If they are unable to allocate sufficient
487 virtual memory, they return
489 and record an error message which can be retrieved using
492 .Bl -item -offset indent -compact
503 The following functions return a
506 If they are unable to allocate sufficient
507 virtual memory, they return
509 without recording an error message.
511 .Bl -item -offset indent -compact
517 .It Pa /etc/tacplus.conf
524 .%T The TACACS+ Protocol, Version 1.78
525 .%O draft-grant-tacacs-02.txt (Internet Draft)
529 This software was written by
535 project by Juniper Networks, Inc.