.TH tac_plus 8 "10 February 1995"
tac_plus \- tacacs plus daemon
tac_plus listens on tcp port
and provides Cisco systems routers and access servers with
authentication, authorisation and accounting services.
A configuration file controls the details of authentication,
authorisation and accounting.
On startup, tac_plus creates the file
.BR /var/run/tac_plus.pid ,
if possible, containing its process id.
.SH ARGUMENTS and OPTIONS
Specify the configuration file name. A configuration file is
Just parse the configuration file, echoing it to standard output while
parsing, and then exit. Used for debugging configuration file syntax.
Log all informational, debugging or error messages to
in addition to logging to syslogd. Useful for debugging.
messages at priority LOG_DEBUG are never logged to syslog. Use the
flags to see all messages produced by tac_plus. These flags
should not be used in normal service.
Go into single threaded mode, only accepting and servicing a single
connection at a time without forking and without closing file
descriptors. Print all messages to standard output. For debugging
only. Don't ever try to deliver normal service this way.
Print the current version of tac_plus to stdout and then exit.
Look up the hostname of the client sending requests and use it for
logging, instead of just using its ip address.
Use the specified port number instead of the default port
for incoming tcp connections. Note that this changes the name of the
pid file created by the daemon, which will append the port number to
the file name if the port is not the default one.
Switch on debugging and write debug output into
/var/log/tac_plus.log.
See the definitions of debugging flags at the bottom of tac_plus.h for
available flags and their meanings. Most flags cause extra messages
flag will cause these messages to also appear on stdout. The
flag will cause these messages to also be written to /dev/console.
The values represent bits, so they can be added together. Currently
the following values are recognised:
2 config file parsing debugging
4 process forking debugging
8 authorisation debugging
16 authentication debugging
32 password file processing debugging
64 accounting debugging
128 config file parsing & lookup
256 packet transmission/reception
512 encryption/decryption
1024 MD5 hash algorithm debugging
2048 very low level encryption/decryption
4096 config file memory allocation freeing
8192 pre/post authorization program arguments substitutions
16384 config file expressions with entity tracing
32768 maxsess (concurrent logins) debugging
65536 file locking progress reporting
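Because the -d value is a bit mask, the number to pass for a combination of flags is the sum of the entries in the table above, and a value found in a log or a startup script can be decoded the same way. The following shell functions do both; they are an added example, not part of the tac_plus distribution, and the short flag names (config, fork, authorisation, ...) are labels assigned here from the table, not names tac_plus itself uses:

```shell
# Added example (not tac_plus code): compose and decode -d bit masks.
# Bit:name table, transcribed from the tac_plus(8) list of debug values.
# The names are short labels chosen here, not identifiers from tac_plus.h.
TAC_DEBUG_TABLE="2:config 4:fork 8:authorisation 16:authentication \
32:passwd 64:accounting 128:config-lookup 256:packet 512:encryption \
1024:md5 2048:low-level-encryption 4096:config-free \
8192:pre-post-authz-args 16384:config-expressions 32768:maxsess 65536:locking"

# Print "bit name", one per line, for every flag set in the numeric value $1.
decode_debug_flags() {
    value=$1
    for entry in $TAC_DEBUG_TABLE; do
        bit=${entry%%:*}
        name=${entry#*:}
        # POSIX arithmetic expansion supports bitwise AND
        if [ $(( value & bit )) -ne 0 ]; then
            echo "$bit $name"
        fi
    done
}

# Print the -d value for the flag names given as arguments; unknown names
# are rejected so a typo cannot silently turn into the wrong mask.
debug_value() {
    total=0
    for want in "$@"; do
        found=0
        for entry in $TAC_DEBUG_TABLE; do
            bit=${entry%%:*}
            name=${entry#*:}
            if [ "$name" = "$want" ]; then
                total=$(( total + bit ))
                found=1
            fi
        done
        [ "$found" -eq 1 ] || { echo "unknown debug flag: $want" >&2; return 1; }
    done
    echo "$total"
}

# Usage: tac_plus -d "$(debug_value authorisation authentication)" -C /etc/tac_plus.conf
#        decode_debug_flags 24
```

Running decode_debug_flags on a value such as 24 lists the authorisation and authentication bits, which is what debug_value produces for those two names.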
Run under inetd instead of running standalone. Under inetd, the config
file is parsed every time tac_plus starts up, so this is very
inefficient if the config file is large or there are many incoming
connections. The standalone version only reads the config file once at
If the config file is small, and you don't have very frequent incoming
connections, and authentication is being done via passwd(5) files or
SKEY (which are not cached), running under inetd should be tolerable,
but still isn't recommended.
The \-s flag will cause the daemon to always reject authentication
requests which contain a minor version number of zero (SENDPASS). You
can do this only if all your NASes are running an IOS version of 11.2
This enhances security in the event that someone discovers your
encryption key. SENDPASS requests permit requestors to obtain chap,
pap and arap passwords from your daemon, if (and only if) they know
.SH INVOKING TAC_PLUS
Tac_plus is normally invoked by root, as follows:
# tac_plus -C <configfile>
where <configfile> is a full path to the configuration file. Tac_plus
will background itself and start listening on port 49 for incoming tcp
Tac_plus must be invoked as root to obtain privileged network socket
49 and to read the protected configuration file which may contain
confidential information such as encryption keys and cleartext
After the port is acquired and the config file is read, root
privileges are no longer required. You can arrange that tac_plus will
change its user and group id to a more innocuous user and group (see the
Makefile for instructions on how to compile this) when
The new user and group still need permission to read any
passwd(5) files and S/KEY database if these are being used.
.SH CONFIGURATION FILE PERMISSIONS
It goes without saying (though I say it here) that the configuration
file should be unreadable and unwriteable by anyone except root, as it
contains passwords and keys.
.SH UPDATING THE CONFIGURATION FILE
If the daemon is sent a SIGUSR1, it will reinitialize itself,
re-reading its config file from scratch. Note that if there is an
error in the config file, the daemon will die.
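Since a reload with a broken config file kills the daemon, the -P option is the natural guard: parse the new file first, and only then send SIGUSR1 to the pid recorded in the pid file (whose name carries the port number when a non-default port is in use). The following shell functions put that together with the permission rule from CONFIGURATION FILE PERMISSIONS. They are an added example, not part of the tac_plus distribution; they assume tac_plus is on PATH (or named in TAC_PLUS) and that -P exits with a non-zero status when the file does not parse, which this page does not state:

```shell
# Added example (not tac_plus code): validate, then reload, a running daemon.
TAC_PLUS=${TAC_PLUS:-tac_plus}   # assumption: binary on PATH or given in TAC_PLUS

# Pid file name as described in tac_plus(8): the port number is appended
# only when the port is not the default of 49.
pidfile_for_port() {
    port=${1:-49}
    if [ "$port" -eq 49 ]; then
        echo /var/run/tac_plus.pid
    else
        echo "/var/run/tac_plus.pid.$port"
    fi
}

# Succeed only if the file has no group or other permission bits at all.
# Characters 5-10 of "ls -l" output are the group and other rwx fields,
# so a file that is private to its owner shows "------" there.
config_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Check permissions, parse the file with -P (discarding the echoed config,
# which contains keys), then signal the daemon found via the pid file.
safe_reload() {
    cfg=$1
    port=${2:-49}
    if ! config_perms_ok "$cfg"; then
        echo "$cfg: readable or writeable by group/other; fix permissions first" >&2
        return 1
    fi
    # Assumption: -P returns non-zero on a syntax error.
    if ! "$TAC_PLUS" -P -C "$cfg" >/dev/null; then
        echo "$cfg: does not parse; not reloading (the daemon would die)" >&2
        return 1
    fi
    pidfile=$(pidfile_for_port "$port")
    if [ ! -r "$pidfile" ]; then
        echo "$pidfile: no pid file; is tac_plus running on port $port?" >&2
        return 1
    fi
    kill -USR1 "$(cat "$pidfile")"
}

# Usage (as root): safe_reload /etc/tac_plus.conf        # default port 49
#                  safe_reload /etc/tac_plus.conf 4949   # daemon started with -p 4949
```

The permission check is deliberately strict (no group bits either): the page's requirement is that nobody except root can read or write the file, and a group-readable config leaks the encryption key to every member of that group.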
tac_plus logs error messages to syslog, and informational messages to
facility LOG_LOCAL6. Debug messages are never sent to syslog.
You may wish to add a line similar to the following to your
syslog.conf file to see the informational messages logged using this
local6.info /var/adm/messages
Note that in some versions of syslogd, e.g. SunOS, this line must
contain only tabs, not spaces, and that syslogd gives very little in
the way of diagnostics when it encounters errors in the syslog.conf
The tac_plus User's Guide.
.B /var/log/tac_plus.log
Contains debugging output when -d is in effect.
.BR /var/run/tac_plus.pid " or " /var/run/tac_plus.pid.port
Contains the process id of the currently running daemon. The port
number is appended to the filename only if the port being used is not
the default one of 49.
The configuration file syntax is too complex.