libtacplus(3)

NAME

libtacplus - TACACS+ client library

SYNOPSIS

#include <taclib.h>
int
tac_add_server(struct tac_handle *h, const char  *host,  int
port,
        const char *secret, int timeout, int flags);
void
tac_clear_avs(struct tac_handle *h);
void
tac_close(struct tac_handle *h);
int
tac_config(struct tac_handle *h, const char *path);
int
tac_create_authen(struct  tac_handle  *h,  int  action,  int
type,
        int service);
int
tac_create_author(struct  tac_handle  *h,  int  method,  int
type,
        int service);
char *
tac_get_av(struct tac_handle *h, u_int index);
char *
tac_get_av_value(struct    tac_handle    *h,    const   char
*attribute);
void *
tac_get_data(struct tac_handle *h, size_t *len);
char *
tac_get_msg(struct tac_handle *h);
struct tac_handle *
tac_open(void);
int
tac_send_authen(struct tac_handle *h);
int
tac_send_author(struct tac_handle *h);
int
tac_set_av(struct tac_handle *h,  u_int  index,  const  char
*av_pair);
int
tac_set_data(struct  tac_handle *h, const void *data, size_t
data_len);
int
tac_set_msg(struct tac_handle *h, const char *msg);
int
tac_set_port(struct tac_handle *h, const char *port);
int
tac_set_priv(struct tac_handle *h, int priv);
int
tac_set_rem_addr(struct tac_handle *h, const char *addr);
int
tac_set_user(struct tac_handle *h, const char *user);
const char *
tac_strerror(struct tac_handle *h);

DESCRIPTION

The libtacplus library implements the client side of the

TACACS+ network
access control protocol. TACACS+ allows clients to perform

authentication, authorization, and accounting by means of network re

quests to
remote servers. This library currently supports only the

authentication
and authorization portion of the protocol.

INITIALIZATION

To use the library, an application must first call

tac_open() to obtain a
struct tac_handle *, which provides context for subsequent

operations.
Calls to tac_open() always succeed unless insufficient vir

tual memory is
available. If the necessary memory cannot be allocated,

tac_open()
returns NULL.

Before issuing any TACACS+ requests, the library must be

made aware of
the servers it can contact. The easiest way to configure

the library is
to call tac_config(). tac_config() causes the library to

read a configuration file whose format is described in tacplus.conf(5).

The pathname
of the configuration file is passed as the file argument to

tac_config().
This argument may also be given as NULL, in which case the

standard configuration file /etc/tacplus.conf is used. tac_config() re

turns 0 on
success, or -1 if an error occurs.

The library can also be configured programmatically by calls

to
tac_add_server(). The host parameter specifies the server

host, either
as a fully qualified domain name or as a dotted-quad IP ad

dress in text
form. The port parameter specifies the TCP port to contact

on the
server. If port is given as 0, the library uses port 49,

the standard
TACACS+ port. The shared secret for the server host is

passed to the
secret parameter. It may be any null-terminated string of

bytes. The
timeout for receiving replies from the server is passed to

the timeout
parameter, in units of seconds. The flags parameter is a

bit mask of
flags to specify various characteristics of the server. It

may contain:

TAC_SRVR_SINGLE_CONNECT

Causes the library to attempt to negotiate sin

gle connection
mode when communicating with the server. In

single connection mode, the original TCP connection is held

open for multiple TACACS+ sessions. Older servers do not

support this
mode, and some of them become confused if the

client attempts
to negotiate it.

tac_add_server() returns 0 on success, or -1 if an error oc

curs.

tac_add_server() may be called multiple times, and it may be

used
together with tac_config(). At most 10 servers may be spec

ified. When
multiple servers are given, they are tried in round-robin

fashion until a
working, accessible server is found. Once the library finds

such a
server, it continues to use it as long as it works.

CREATING A TACACS+ AUTHENTICATION REQUEST

To begin constructing a new authentication request, call
tac_create_authen(). The action, type, and service argu

ments must be set
to appropriate values as defined in the TACACS+ protocol

specification.
The #include <taclib.h>
header file contains symbolic constants for these values.

CREATING A TACACS+ AUTHORIZATION REQUEST

To begin constructing a new authorization request, call
tac_create_author(). The method, type, and service argu

ments must be set
to appropriate values as defined in the TACACS+ protocol

specification.
The #include <taclib.h>
header file contains symbolic constants for these values.

SETTING OPTIONAL PARAMETERS ON A REQUEST

After creating a request, various optional parameters may be

attached to
it through calls to tac_set_av(), tac_set_data(),

tac_set_port(),
tac_set_priv(), tac_set_rem_addr(), and tac_set_user(). The

library creates its own copies of any strings provided to these func

tions, so that
it is not necessary for the caller to preserve them. By de

fault, each of
these parameters is empty except for the privilege level,

which defaults
to `USER' privilege.

tac_set_av() only applies to the context of an authorization

request.
The format for an attribute value pair is defined in the

TACACS+ protocol
specification. The index specified can be any value between

0 and 255
inclusive and indicates the position in the list to place

the attribute
value pair. Calling tac_set_av() with same index twice ef

fectively
replaces the value at that position. Use tac_clear_avs() to

clear all
attribute value pairs that may have been set.

SENDING THE AUTHENTICATION REQUEST AND RECEIVING THE RESPONSE

After the TACACS+ authentication request has been construct

ed, it is sent
by means of tac_send_authen(). This function connects to a

server if not
already connected, sends the request, and waits for a reply.

On failure,
tac_send_authen() returns -1. Otherwise, it returns the

TACACS+ status
code and flags, packed into an integer value. The status

can be
extracted using the macro TAC_AUTHEN_STATUS(). Possible

status codes,
defined in include:

TAC_AUTHEN_STATUS_PASS
TAC_AUTHEN_STATUS_FAIL
TAC_AUTHEN_STATUS_GETDATA
TAC_AUTHEN_STATUS_GETUSER
TAC_AUTHEN_STATUS_GETPASS
TAC_AUTHEN_STATUS_RESTART
TAC_AUTHEN_STATUS_ERROR
TAC_AUTHEN_STATUS_FOLLOW

The only flag is the no-echo flag, which can be tested using

the macro
TAC_AUTHEN_NOECHO().

EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE

An authentication response packet from the server may con

tain a server
message, a data string, or both. After a successful call to
tac_send_authen(), this information may be retrieved from

the response by
calling tac_get_msg() and tac_get_data(). These functions

return dynamically-allocated copies of the information from the packet.

The caller is
responsible for freeing the copies when it no longer needs

them. The
data returned from these functions is guaranteed to be ter

minated by a
null byte.

In the case of tac_get_data(), the len argument points to a

location into
which the library will store the actual length of the re

ceived data, not
including the null terminator. This argument may be given

as NULL if the
caller is not interested in the length.

SENDING AUTHENTICATION CONTINUE PACKETS

If tac_send_authen() returns a value containing one of the

status codes
TAC_AUTHEN_STATUS_GETDATA, TAC_AUTHEN_STATUS_GETUSER, or
TAC_AUTHEN_STATUS_GETPASS, then the client must provide ad

ditional information to the server by means of a TACACS+ CONTINUE packet.

To do so,
the application must first set the packet's user message

and/or data
fields using tac_set_msg() and tac_set_data(). The client

then sends the
CONTINUE packet with tac_send_authen(). N.B.,

tac_create_authen() should
not be called to construct a CONTINUE packet; it is used on

ly for the
initial authentication request.

When it receives the CONTINUE packet, the server may again

request more
information by returning TAC_AUTHEN_STATUS_GETDATA,
TAC_AUTHEN_STATUS_GETUSER, or TAC_AUTHEN_STATUS_GETPASS.

The application
should send further CONTINUEs until some other status is re

ceived from
the server.

SENDING THE AUTHORIZATION REQUEST AND RECEIVING THE RESPONSE

After the TACACS+ authorization request has been construct

ed, it is sent
by means of tac_send_author(). This function connects to a

server if not
already connected, sends the request, and waits for a reply.

On failure,
tac_send_author() returns -1. Otherwise, it returns the

TACACS+ status
code and number of attribute value (AV) pairs received

packed into an
integer value. The status can be extracted using the macro
TAC_AUTHOR_STATUS(). Possible status codes, defined in in

clude:

TAC_AUTHOR_STATUS_PASS_ADD
TAC_AUTHOR_STATUS_PASS_REPL
TAC_AUTHOR_STATUS_FAIL
TAC_AUTHOR_STATUS_ERROR

The number of AV pairs received is obtained using

TAC_AUTHEN_AV_COUNT

EXTRACTING INFORMATION FROM THE SERVER'S AUTHORIZATION RESPONSE

Like an authentication response packet, an authorization re

sponse packet
from the server may contain a server message, a data string,

or both.
Refer to EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTI

CATION RESPONSE
for instruction on extraction of those values.

An authorization response packet from the server may also

contain
attribute value (AV) pairs. To extract these, use

tac_get_av() or
tac_get_av_value(). tac_get_av() takes the index of the AV

pair as it is
positioned in the list. The indexes start at 0 (use
TAC_AUTHEN_AV_COUNT() on the return value of

tac_send_author() to get the
total number of items in this list). Alternatively,

tac_get_av_value()
can be used. tac_get_av_value() takes the attribute name

and returns the
corresponding value only, not the AV pair. These functions

return dynamically-allocated copies of the information from the packet.

The caller
is responsible for freeing the copies when it no longer

needs them. The
data returned from these functions is guaranteed to be ter

minated by a
null byte.

OBTAINING ERROR MESSAGES

Those functions which accept a struct tac_handle * argument

record an
error message if they fail. The error message can be re

trieved by calling tac_strerror(). The message text is overwritten on each

new error
for the given struct tac_handle *. Thus the message must be

copied if it
is to be preserved through subsequent library calls using

the same handle.

CLEANUP

To free the resources used by the TACACS+ library, call

tac_close().

RETURN VALUES

The following functions return a non-negative value on suc

cess. If they
detect an error, they return -1 and record an error message

which can be
retrieved using tac_strerror().

tac_add_server()
tac_config()
tac_create_authen()
tac_create_author()
tac_send_authen()
tac_send_author()
tac_set_av()
tac_set_data()
tac_set_msg()
tac_set_port()
tac_set_priv()
tac_set_rem_addr()
tac_set_user()

The following functions return a non-NULL pointer on suc

cess. If they
are unable to allocate sufficient virtual memory, they re

turn NULL and
record an error message which can be retrieved using

tac_strerror().

tac_get_av()
tac_get_av_pair()
tac_get_data()
tac_get_msg()

The following functions return a non-NULL pointer on suc

cess. If they
are unable to allocate sufficient virtual memory, they re

turn NULL, without recording an error message.

tac_open()

FILES

/etc/tacplus.conf

SEE ALSO

tacplus.conf(5)

D. Carrel and Lol Grant, The TACACS+ Protocol, Version 1.78,

draft-granttacacs-02.txt (Internet Draft).

AUTHORS

This software was written by John Polstra and Paul Fraley,

and donated to
the FreeBSD project by Juniper Networks, Inc.

BSD September 2, 1998

BSD