1 .\" Copyright (c) 1998, 2001, 2002, Juniper Networks, Inc.
2 .\" All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
13 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 .Nd TACACS+ client library
36 .Fn tac_add_server "struct tac_handle *h" "const char *host" "int port" "const char *secret" "int timeout" "int flags"
38 .Fn tac_clear_avs "struct tac_handle *h"
40 .Fn tac_close "struct tac_handle *h"
42 .Fn tac_config "struct tac_handle *h" "const char *path"
44 .Fn tac_create_authen "struct tac_handle *h" "int action" "int type" "int service"
46 .Fn tac_create_author "struct tac_handle *h" "int method" "int type" "int service"
48 .Fn tac_get_av "struct tac_handle *h" "u_int index"
50 .Fn tac_get_av_value "struct tac_handle *h" "const char *attribute"
52 .Fn tac_get_data "struct tac_handle *h" "size_t *len"
54 .Fn tac_get_msg "struct tac_handle *h"
55 .Ft struct tac_handle *
58 .Fn tac_send_authen "struct tac_handle *h"
60 .Fn tac_send_author "struct tac_handle *h"
62 .Fn tac_set_av "struct tac_handle *h" "u_int index" "const char *av_pair"
64 .Fn tac_set_data "struct tac_handle *h" "const void *data" "size_t data_len"
66 .Fn tac_set_msg "struct tac_handle *h" "const char *msg"
68 .Fn tac_set_port "struct tac_handle *h" "const char *port"
70 .Fn tac_set_priv "struct tac_handle *h" "int priv"
72 .Fn tac_set_rem_addr "struct tac_handle *h" "const char *addr"
74 .Fn tac_set_user "struct tac_handle *h" "const char *user"
76 .Fn tac_strerror "struct tac_handle *h"
80 library implements the client side of the TACACS+ network access
82 TACACS+ allows clients to perform authentication,
83 authorization, and accounting by means of network requests to remote
85 This library currently supports only the authentication
86 and authorization portion of the protocol.
88 To use the library, an application must first call
91 .Va struct tac_handle * ,
92 which provides context for subsequent operations.
95 always succeed unless insufficient virtual memory is available.
97 the necessary memory cannot be allocated,
102 Before issuing any TACACS+ requests, the library must be made aware
103 of the servers it can contact.
104 The easiest way to configure the
108 causes the library to read a configuration file whose format is
111 The pathname of the configuration file is passed as the
115 This argument may also be given as
117 in which case the standard configuration file
118 .Pa /etc/tacplus.conf
121 returns 0 on success, or \-1 if an error occurs.
123 The library can also be configured programmatically by calls to
127 parameter specifies the server host, either as a fully qualified
128 domain name or as a dotted-quad IP address in text form.
131 parameter specifies the TCP port to contact on the server.
134 is given as 0, the library uses port 49, the standard TACACS+ port.
135 The shared secret for the server host is passed to the
138 It may be any null-terminated string of bytes.
139 The timeout for receiving replies from the server is passed to the
141 parameter, in units of seconds.
144 parameter is a bit mask of flags to specify various characteristics of
149 .It Dv TAC_SRVR_SINGLE_CONNECT
150 Causes the library to attempt to negotiate single connection mode
151 when communicating with the server.
152 In single connection mode, the
153 original TCP connection is held open for multiple TACACS+ sessions.
154 Older servers do not support this mode, and some of them become
155 confused if the client attempts to negotiate it.
159 returns 0 on success, or \-1 if an error occurs.
162 may be called multiple times, and it may be used together with
164 At most 10 servers may be specified.
165 When multiple servers are given, they are tried in round-robin
166 fashion until a working, accessible server is found.
168 library finds such a server, it continues to use it as long as it
170 .Sh CREATING A TACACS+ AUTHENTICATION REQUEST
171 To begin constructing a new authentication request, call
172 .Fn tac_create_authen .
178 arguments must be set to appropriate values as defined in the
179 TACACS+ protocol specification.
182 header file contains symbolic constants for these values.
183 .Sh CREATING A TACACS+ AUTHORIZATION REQUEST
184 To begin constructing a new authorization request, call
185 .Fn tac_create_author .
191 arguments must be set to appropriate values as defined in the
192 TACACS+ protocol specification.
195 header file contains symbolic constants for these values.
196 .Sh SETTING OPTIONAL PARAMETERS ON A REQUEST
197 After creating a request,
198 various optional parameters may be attached to it through calls to
203 .Fn tac_set_rem_addr ,
206 The library creates its own copies of any strings provided to these
207 functions, so that it is not necessary for the caller to preserve
209 By default, each of these parameters is empty except for the
210 privilege level, which defaults to
215 only applies to the context of an authorization request.
217 for an attribute value pair is defined in the TACACS+ protocol
219 The index specified can be any value between 0 and
220 255 inclusive and indicates the position in the list to place the
221 attribute value pair.
224 with same index twice effectively replaces the value at that position.
227 to clear all attribute value pairs that may have been set.
228 .Sh SENDING THE AUTHENTICATION REQUEST AND RECEIVING THE RESPONSE
229 After the TACACS+ authentication request has been constructed, it is
231 .Fn tac_send_authen .
232 This function connects to a server if not already connected, sends
233 the request, and waits for a reply.
237 Otherwise, it returns the TACACS+ status code and flags,
238 packed into an integer value.
239 The status can be extracted using the
241 .Fn TAC_AUTHEN_STATUS .
242 Possible status codes, defined in
246 .Bl -item -compact -offset indent
248 .Dv TAC_AUTHEN_STATUS_PASS
250 .Dv TAC_AUTHEN_STATUS_FAIL
252 .Dv TAC_AUTHEN_STATUS_GETDATA
254 .Dv TAC_AUTHEN_STATUS_GETUSER
256 .Dv TAC_AUTHEN_STATUS_GETPASS
258 .Dv TAC_AUTHEN_STATUS_RESTART
260 .Dv TAC_AUTHEN_STATUS_ERROR
262 .Dv TAC_AUTHEN_STATUS_FOLLOW
265 The only flag is the no-echo flag, which can be tested using the
267 .Fn TAC_AUTHEN_NOECHO .
268 .Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE
269 An authentication response packet from the server may contain a
270 server message, a data string, or both.
271 After a successful call to
272 .Fn tac_send_authen ,
273 this information may be retrieved from the response by calling
277 These functions return dynamically-allocated copies of the
278 information from the packet.
279 The caller is responsible for freeing
280 the copies when it no longer needs them.
281 The data returned from
282 these functions is guaranteed to be terminated by a null byte.
288 argument points to a location into which the library will store the
289 actual length of the received data, not including the null
291 This argument may be given as
293 if the caller is not interested in the length.
294 .Sh SENDING AUTHENTICATION CONTINUE PACKETS
297 returns a value containing one of the status codes
298 .Dv TAC_AUTHEN_STATUS_GETDATA ,
299 .Dv TAC_AUTHEN_STATUS_GETUSER ,
301 .Dv TAC_AUTHEN_STATUS_GETPASS ,
302 then the client must provide additional information to the server by
303 means of a TACACS+ CONTINUE packet.
304 To do so, the application must
305 first set the packet's user message and/or data fields using
309 The client then sends the CONTINUE packet with
310 .Fn tac_send_authen .
312 .Fn tac_create_authen
315 be called to construct a CONTINUE packet; it is used only for the
316 initial authentication request.
318 When it receives the CONTINUE packet, the server may again request
319 more information by returning
320 .Dv TAC_AUTHEN_STATUS_GETDATA ,
321 .Dv TAC_AUTHEN_STATUS_GETUSER ,
323 .Dv TAC_AUTHEN_STATUS_GETPASS .
324 The application should send further CONTINUEs until some other
325 status is received from the server.
326 .Sh SENDING THE AUTHORIZATION REQUEST AND RECEIVING THE RESPONSE
327 After the TACACS+ authorization request has been constructed, it
329 .Fn tac_send_author .
330 This function connects to a server if not already connected, sends
331 the request, and waits for a reply.
335 Otherwise, it returns the TACACS+ status code and
336 number of attribute value (AV) pairs received packed into an
338 The status can be extracted using the macro
339 .Fn TAC_AUTHOR_STATUS .
340 Possible status codes, defined in
344 .Bl -item -compact -offset indent
346 .Dv TAC_AUTHOR_STATUS_PASS_ADD
348 .Dv TAC_AUTHOR_STATUS_PASS_REPL
350 .Dv TAC_AUTHOR_STATUS_FAIL
352 .Dv TAC_AUTHOR_STATUS_ERROR
355 The number of AV pairs received is obtained using
356 .Fn TAC_AUTHEN_AV_COUNT .
357 .Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHORIZATION RESPONSE
358 Like an authentication response packet, an authorization
359 response packet from the
360 server may contain a server message, a data string, or both.
362 to EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE
363 for instruction on extraction of those values.
365 An authorization response packet from the server may also contain
366 attribute value (AV) pairs.
367 To extract these, use
370 .Fn tac_get_av_value .
372 takes the index of the AV pair as it is positioned in the list.
373 The indexes start at 0 (use
374 .Fn TAC_AUTHEN_AV_COUNT
375 on the return value of
377 to get the total number of items in this list).
382 takes the attribute name and returns the
383 corresponding value only, not the AV pair.
384 These functions return
385 dynamically-allocated copies of the information from the packet.
386 The caller is responsible for freeing the copies when it no longer
388 The data returned from these functions is guaranteed
389 to be terminated by a null byte.
390 .Sh OBTAINING ERROR MESSAGES
391 Those functions which accept a
392 .Va struct tac_handle *
393 argument record an error message if they fail.
395 can be retrieved by calling
397 The message text is overwritten on each new error for the given
398 .Va struct tac_handle * .
399 Thus the message must be copied if it is to be preserved through
400 subsequent library calls using the same handle.
402 To free the resources used by the TACACS+ library, call
405 The following functions return a non-negative value on success.
407 they detect an error, they return \-1 and record an error message
408 which can be retrieved using
411 .Bl -item -offset indent -compact
417 .Fn tac_create_authen
419 .Fn tac_create_author
440 The following functions return a
443 If they are unable to allocate sufficient
444 virtual memory, they return
446 and record an error message which can be retrieved using
449 .Bl -item -offset indent -compact
460 The following functions return a
463 If they are unable to allocate sufficient
464 virtual memory, they return
466 without recording an error message.
468 .Bl -item -offset indent -compact
473 .Pa /etc/tacplus.conf
479 .%T The TACACS+ Protocol, Version 1.78
480 .%O draft-grant-tacacs-02.txt (Internet Draft)
484 This software was written by
490 project by Juniper Networks, Inc.