IN.TACACSD

Section: Maintenance Commands (8)
Updated: 19 October 1990
 

NAME

in.tacacsd - TAC Access Control server  

SYNOPSIS

in.tacacsd [ -dlqs ] [ -f filename... ]  

DESCRIPTION

in.tacacsd is a server that authenticates users logging onto a terminal server (or any host that cares to query the server). By default it uses the standard password file (/etc/passwd), or else the list of files named on the command line. These files must be in the same format as the passwd file, so that the getpwent() Unix routines can read the entries.

The program expects a username and password in the query packet received from the terminal server, and it searches all the access files for a match for the query. Only after it has failed to find a match in every supplied access file does it return an 'authentication failure' reply to the query.

This program can be used to authenticate users when they try to access a terminal server (cisco terminal servers support this option). The server can log information about all queries it receives using syslog. It is meant to be invoked by inetd, but can be run from a terminal in standalone mode if desired. Note that when running from a terminal, the standalone option has to be specified, since otherwise the program expects its data to be read from the TACACS port (port 49) as handed over by inetd.

The program can be compiled with the -DDEBUG option so that it logs extensive debugging information. Note that this output includes the user's password, so it is a security problem if the log file is publicly readable.

The server always returns an authentication failure for any query that names a user with a uid of 0 (the root uid), or a user who has no password in the password files. It also verifies that the account is current and not expired, if the last password-file field (pw_shell) supports this feature.

There is no provision for sending back a reply that says "no such user". If there are two sets of TACACS servers with different access files and one of them responds with a DENIED packet, the client host may never query the second server. A quiet mode is therefore available in which the server never sends a negative reply to a query, so that the client times out and moves on to the next server.

If UPPER_GID and LOWER_GID are defined at compile time, the user's group-id in the passwd file is used as a measure of allowed logins: the low 7 bits of the GID give the number of permitted logins, and /etc/utmp is searched for the user's present number of logins. (Note that this assumes that all users connecting to the server log into the system.) If the number of current logins exceeds the number allowed by the GID, a negative response is sent.

In "SLIP" mode the query arrives in all uppercase, which would require two accounts to be created per SLIP user on a case-sensitive Unix system. To avoid this, if the program is compiled with TOLOWER defined, all usernames are converted to lowercase before lookup.  
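The decision rules described above (search of several passwd-format files, refusal of uid 0 and of empty passwords, the TOLOWER conversion, the quiet mode, and the GID login limit) are modelled in the following added example. It is not the daemon's own source: the password hash is a constructed stand-in for crypt(3), the sample access files and utmp contents are made up, and two details the page leaves open are assumptions marked in the code, namely that the limit applies only to GIDs between LOWER_GID and UPPER_GID and that a user who already holds the permitted number of sessions is refused because the session being authenticated would exceed it.

```python
"""Model of the in.tacacsd authentication decision (added example, not the
daemon's source).  Hashing is a stand-in for crypt(3); sample data is constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

ROOT_UID = 0


def hashpw(password: str, salt: str) -> str:
    """Stand-in for crypt(3) (assumption): salt$sha256(salt+password)."""
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


def check_password(stored: str, supplied: str) -> bool:
    """Compare a stored hash with a supplied cleartext password in constant time."""
    salt = stored.partition("$")[0]
    return hmac.compare_digest(stored, hashpw(supplied, salt))


@dataclass
class Entry:
    name: str
    passwd: str
    uid: int
    gid: int


def parse_passwd(text: str) -> List[Entry]:
    """Parse /etc/passwd-format lines: name:passwd:uid:gid:gecos:dir:shell."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[0]:
            continue                          # blank or malformed line
        entries.append(Entry(fields[0], fields[1], int(fields[2]), int(fields[3])))
    return entries


@dataclass
class Config:
    files: List[str]                          # access files, searched in order (-f)
    quiet: bool = False                       # -q: never send a negative reply
    tolower: bool = False                     # compiled with -DTOLOWER
    gid_range: Optional[Tuple[int, int]] = None  # (LOWER_GID, UPPER_GID) if compiled in


def count_logins(utmp: Sequence[str], user: str) -> int:
    """Current sessions for user, given utmp as a list of logged-in names."""
    return sum(1 for name in utmp if name == user)


def authenticate(cfg: Config, username: str, password: str,
                 utmp: Sequence[str] = ()) -> Optional[str]:
    """Return "ACCEPT", "DENY", or None when quiet mode suppresses the denial."""
    deny = None if cfg.quiet else "DENY"
    if cfg.tolower:
        username = username.lower()           # SLIP queries arrive in uppercase
    for text in cfg.files:
        for e in parse_passwd(text):
            if e.name != username:
                continue
            if e.uid == ROOT_UID:
                return deny                   # never authenticate uid 0
            if e.passwd == "" or not check_password(e.passwd, password):
                continue                      # no match here; keep searching the other files (assumption)
            if cfg.gid_range is not None and cfg.gid_range[0] <= e.gid <= cfg.gid_range[1]:
                limit = e.gid & 0x7F          # low 7 bits of the GID = allowed logins
                if count_logins(utmp, e.name) >= limit:
                    return deny               # this session would exceed the limit (assumption)
            return "ACCEPT"
    return deny                               # no match in any access file


# Constructed sample access files (not real system data).
PRIMARY = "\n".join([
    "root:" + hashpw("toor", "r1") + ":0:0:root:/:/bin/sh",
    "alice:" + hashpw("wonder", "a1") + ":1001:1027:Alice:/home/alice:/bin/sh",  # 1027 & 0x7f = 3 logins
    "bob::1002:100:Bob:/home/bob:/bin/sh",                                       # no password: never accepted
])
DIALUP = "\n".join([
    "carol:" + hashpw("sl1p", "c1") + ":1003:100:Carol:/home/carol:/bin/sh",
])
CFG = Config(files=[PRIMARY, DIALUP], tolower=True, gid_range=(1024, 1151))

if __name__ == "__main__":
    print(authenticate(CFG, "alice", "wonder"))                     # ACCEPT
    print(authenticate(CFG, "alice", "wonder", ["alice"] * 3))      # DENY: 3 sessions already held
    print(authenticate(CFG, "CAROL", "sl1p"))                       # ACCEPT: TOLOWER, found in second file
    print(authenticate(CFG, "root", "toor"))                        # DENY: uid 0
    print(authenticate(Config(files=[PRIMARY], quiet=True), "root", "toor"))  # None: no reply sent
```

The example returns None rather than a DENY reply in quiet mode to make the point of the -q option explicit: the client sees only a timeout and goes on to the next server in its list, so a denial from one server's access file does not end the search.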

OPTIONS

-d
enable debugging. In debug mode the program does not fork and writes information to the controlling terminal. Useful ONLY if the program was compiled with the DEBUG option and is run in standalone mode (in all other cases the program has no controlling terminal).
-s
run the server in standalone mode. The program sits in an endless loop waiting for data to arrive on the TACACS port. If the debug option -d is not also specified, the program forks and detaches itself from the controlling terminal.
-l
logging. The server logs information via syslog at the INFO level about all queries it serves. If compiled with the -DLOG_LOCAL6 option, the server logs at the local6 facility; otherwise it logs via the DAEMON facility.
-q
quiet mode. The server does not send negative responses to a query, so that after a timeout the client can go on to ask the next TACACS server in its list.
-f files
specifies an alternate list of access files to be used for authenticating queries. This must be the last option on the command line (if present). If no file is specified, /etc/passwd is used. Up to 5 alternate files can be given, and the server searches all of them until it finds a match or else returns a failure. The alternate password files must be in /etc/passwd format. Since the server runs as root, they can be made readable only by root for security reasons.
 

FILES

/etc/in.tacacsd
the main server
/etc/passwd
default password file used for authentication
 

SEE ALSO

inetd(8), inetd.conf(5), services(5), syslog(8), syslog.conf(5)

Brian A. Anderson, TACACS User Identification Telnet Option, RFC 927.  

AUTHOR

This program is a modified version of the one originally written by Greg Satz (satz@cisco.com) for cisco routers. The main changes are the searching of multiple password files and security features such as denying access for any query naming uid 0 (otherwise one could guess the root password and bypass the security options on the primary host).

Rewritten by Vikas Aggarwal (vikas@jvnc.net).  

DIAGNOSTICS

Exit status is normally 0.
