.TH tac_plus 8 "10 February 1995"
tac_plus \- tacacs plus daemon
tac_plus listens on tcp port
and provides Cisco Systems routers and access servers with
authentication, authorisation and accounting services.
A configuration file controls the details of authentication,
authorisation and accounting.
On startup, tac_plus creates the file
.B /var/run/tac_plus.pid ,
if possible, containing its process id.
.SH ARGUMENTS and OPTIONS
Specify the configuration file name. A configuration file is
Just parse the configuration file, echoing it to standard output while
parsing, and then exit. Used for debugging configuration file syntax.
Log all informational, debugging or error messages to
in addition to logging to syslogd. Useful for debugging.
messages at priority LOG_DEBUG are never logged to syslog. Use the
flags to see all messages produced by tac_plus. These flags
should not be used in normal service.
Go into single threaded mode, only accepting and servicing a single
connection at a time without forking and without closing file
descriptors. Print all messages to standard output. For debugging
only. Don't ever try to deliver normal service this way.
Print the current version of tac_plus to stdout and then exit.
Look up the hostname of the client sending requests and use it for
logging, instead of just using its ip address.
Use the specified port number instead of the default port
for incoming tcp connections. Note that this changes the name of the
pid file created by the daemon, which will append the port number to
the file name if the port is not the default one.
Switch on debugging and write debug output into
/var/log/tac_plus.log.
See the definitions of debugging flags at the bottom of tac_plus.h for
available flags and their meanings. Most flags cause extra messages
flag will cause these messages to also appear on stdout. The
flag will cause these messages to also be written to /dev/console.
The values represent bits, so they can be added together. Currently
the following values are recognised:
8 authorisation debugging
16 authentication debugging
32 password file processing debugging
64 accounting debugging
128 config file parsing & lookup
256 packet transmission/reception
512 encryption/decryption
1024 MD5 hash algorithm debugging
2048 very low level encryption/decryption
Run under inetd instead of running standalone. Under inetd, the config
file is parsed every time tac_plus starts up, so this is very
inefficient if the config file is large or there are many incoming
connections. The standalone version only reads the config file once at
If the config file is small, and you don't have very frequent incoming
connections, and authentication is being done via passwd(5) files or
SKEY (which are not cached), running under inetd should be tolerable,
but still isn't recommended.
The \-s flag will cause the daemon to always reject authentication
requests which contain a minor version number of zero (SENDPASS). You
can do this only if all your NASes are running an IOS version of 11.2
This enhances security in the event that someone discovers your
encryption key. SENDPASS requests permit requestors to obtain chap,
pap and arap passwords from your daemon, if (and only if) they know
.SH INVOKING TAC_PLUS
Tac_plus is normally invoked by root, as follows:
# tac_plus -C <configfile>
where <configfile> is a full path to the configuration file. Tac_plus
will background itself and start listening on port 49 for incoming tcp
Tac_plus must be invoked as root to obtain privileged network socket
49 and to read the protected configuration file which may contain
confidential information such as encryption keys and cleartext
After the port is acquired and the config file is read, root
privileges are no longer required. You can arrange that tac_plus will
change its user and group id to a more innocuous user and group (see the
Makefile for instructions on how to compile this in) when
The new user and group still need permission to read any
passwd(5) files and S/KEY database if these are being used.
.SH CONFIGURATION FILE PERMISSIONS
It goes without saying (though I say it here) that the configuration
file should be unreadable and unwritable by anyone except root, as it
contains passwords and keys.
.SH UPDATING THE CONFIGURATION FILE
If the daemon is sent a SIGUSR1, it will reinitialize itself,
re-reading its config file from scratch. Note that if there is an
error in the config file, the daemon will die.
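The invocation, permission and reload sections above fit together into one operator procedure: check that the config file is root-only, parse it before signalling (since a config error kills the daemon on SIGUSR1), then send SIGUSR1 to the pid recorded in the pid file, whose name depends on the port. The following script is an added example and is not part of tac_plus or its man page; it assumes tac_plus accepts a -P flag to parse the config and exit (only -C and -d are shown in the excerpt above), and the pid file naming follows the FILES section.

```sh
#!/bin/sh
# Added example, not from the tac_plus man page or distribution.
# Safe reload of a running tac_plus: verify config file permissions,
# parse the config before signalling (an error in the config file makes
# the daemon die on SIGUSR1), then send SIGUSR1 to the recorded pid.
# Assumption: tac_plus accepts -P (parse the config file and exit).

# Name of the pid file for a given listening port: the port number is
# appended only when it is not the default 49.
pidfile_for_port() {
    port=${1:-49}
    if [ "$port" = 49 ]; then
        echo /var/run/tac_plus.pid
    else
        echo "/var/run/tac_plus.pid.$port"
    fi
}

# The config file holds keys and cleartext passwords: require a regular
# file owned by the expected uid (root by default) with no group/other bits.
config_perms_ok() {
    f=$1
    want_uid=${2:-0}
    [ -f "$f" ] || return 1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU stat, then BSD stat
    uid=$(stat -c %u "$f" 2>/dev/null || stat -f %u "$f")
    [ "$uid" = "$want_uid" ] || return 1
    case $mode in
        *00) return 0 ;;   # e.g. 600 or 400: nothing for group or other
        *)   return 1 ;;
    esac
}

# Reload: refuse to signal unless permissions are right and the file parses.
reload_tac_plus() {
    cfg=$1
    port=${2:-49}
    config_perms_ok "$cfg" || { echo "refusing: $cfg must be root-owned, mode 600" >&2; return 1; }
    tac_plus -P -C "$cfg" >/dev/null 2>&1 || { echo "refusing: $cfg does not parse" >&2; return 1; }
    pidfile=$(pidfile_for_port "$port")
    [ -r "$pidfile" ] || { echo "no pid file $pidfile; is tac_plus running?" >&2; return 1; }
    kill -USR1 "$(cat "$pidfile")"
}

# Usage (as root): reload_tac_plus /etc/tac_plus.conf        # default port 49
#                  reload_tac_plus /etc/tac_plus.conf 4949   # non-default port
```

The permission check deliberately tests the mode bits rather than trying to open the file, so it still reports a world-readable config when run by root, who can read it regardless.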
tac_plus logs error messages to syslog, and informational messages to
facility LOG_LOCAL6. Debug messages are never sent to syslog.
You may wish to add a line similar to the following to your
syslog.conf file to see the informational messages logged using this
local6.info	/var/adm/messages
Note that in some versions of syslogd e.g. SunOS, this line must
contain only tabs, not spaces, and that syslogd gives very little in
the way of diagnostics when it encounters errors in the syslog.conf
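Because some syslogds silently ignore a line that uses spaces instead of tabs, it is worth checking the file before relying on it for tac_plus messages. The function below is an added example, not part of tac_plus or the man page; it flags every non-comment line of a syslog.conf that lacks a tab separator or contains a space.

```sh
#!/bin/sh
# Added example, not from the tac_plus man page or distribution.
# Lint a syslog.conf for the SunOS-style rule that selector and action
# must be separated by tabs only. Returns 0 if every non-comment line
# passes, 1 otherwise, printing the offending lines.
syslog_conf_lint() {
    file=$1
    status=0
    lineno=0
    tab=$(printf '\t')
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;            # blank line or comment
        esac
        case $line in
            *"$tab"*) ;;                    # has a tab separator
            *) echo "$file:$lineno: no tab between selector and action: $line"
               status=1; continue ;;
        esac
        case $line in
            *' '*) echo "$file:$lineno: contains spaces: $line"; status=1 ;;
        esac
    done < "$file"
    return $status
}

# Usage: syslog_conf_lint /etc/syslog.conf
```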
The tac_plus User's Guide.
.B /var/log/tac_plus.log
Contains debugging output when -d is in effect.
.B /var/run/tac_plus.pid or /var/run/tac_plus.pid.port
Contains the process id of the currently running daemon. The port
number is appended to the filename only if the port being used is not
the default one of 49.
The configuration file syntax is too complex.