ansible/tacacs_plus

Name: tacacs_plus

Owner: Ansible

Description: A Python-based TACACS+ client that supports authentication, authorization and accounting.

Created: 2017-03-24 18:50:03.0

Updated: 2017-12-19 13:33:21.0

Pushed: 2017-09-14 15:21:58.0

Homepage:

Size: 59

Language: Python

README

TACACS+ Python client

A TACACS+ client that supports authentication, authorization and accounting.

Unlike RADIUS, which was designed for similar purposes, the TACACS+ protocol offers basic packet encryption but, as with most crypto designed back then, it's not secure and definitely should not be used over untrusted networks.
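
The "basic packet encryption" mentioned above is the body obfuscation described in RFC 8907: the packet body is XORed with a pad built by chaining MD5 over the session ID, shared key, version and sequence number. The following is an added example, not code from the tacacs_plus package, that implements the pad with the standard library and shows the scheme has no integrity check; the session ID, key and body are constructed values.

```python
import hashlib
import struct


def pseudo_pad(session_id, key, version, seq_no, length):
    """Build the MD5-chained pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}), truncated to length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad. The same call reverses the operation."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def demo():
    # Constructed values for illustration; not a captured packet.
    session_id, version, seq_no = 0x1234ABCD, 0xC0, 1
    body = b"constructed packet body, longer than one 16-byte MD5 block"
    wire = obfuscate(body, session_id, b"secret", version, seq_no)
    return {
        "same_length": len(wire) == len(body),
        "round_trip": obfuscate(wire, session_id, b"secret", version, seq_no) == body,
        # A mismatched key raises nothing: the receiver just gets different bytes,
        # because the scheme carries no MAC or other integrity check.
        "wrong_key_recovers_body": obfuscate(wire, session_id, b"wrong", version, seq_no) == body,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because nothing in the packet authenticates the body, confidentiality and integrity have to come from the network the session runs over, which is the point of the README's warning about untrusted networks.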

This package has been successfully used with the free tac_plus TACACS+ server on a variety of operating systems.

Basic Installation and Usage

    $ pip install tacacs_plus

    $ tacacs_client -u myuser -H localhost authenticate
    $ tacacs_client -u myuser -H localhost authenticate -t pap
    $ tacacs_client -u myuser -H localhost -v authenticate -t chap
    status: PASS

    $ tacacs_client -u myuser -H localhost authorize -c service=shell cmd=show cmdarg=version
    $ tacacs_client -u myuser -H localhost -v authorize -t pap -c service=shell cmd=show cmdarg=version
    status: PASS

    $ tacacs_client -u myuser -H localhost -v authorize -t pap -c service=junos-exec
    status: REPL
    av-pairs:
        allow-commands=^acommandregex$
        deny-commands=^anothercommandregex$

    $ tacacs_client -u myuser -H localhost account -f start -c service=shell cmd=show cmdarg=version
    $ tacacs_client -u myuser -H localhost account -f stop -c service=shell cmd=show cmdarg=version

    $ tacacs_client -h
    usage: tacacs_client [-h] -u USERNAME -H HOST [-p PORT] [-l PRIV_LVL]
                         [-t {ascii,pap,chap}] [-r REM_ADDR] [-P VIRTUAL_PORT]
                         [--timeout TIMEOUT] [-d] [-v] [-k KEY]
                         {authenticate,authorize,account} ...

            Tacacs+ client with full AAA support:

                * Authentication supports both ascii, pap and chap.
                * Authorization supports AV pairs and single commands.
                * Accounting support AV pairs and single commands.

            NOTE: shared encryption key can be set via environment variable TACACS_PLUS_KEY or via argument.
            NOTE: user password can be setup via environment variable TACACS_PLUS_PWD or via argument.


    positional arguments:
      {authenticate,authorize,account}
                            action to perform over the tacacs+ server
        authenticate        authenticate against a tacacs+ server
        authorize           authorize a command against a tacacs+ server
        account             account commands with accounting flags against a tacacs+ server

    optional arguments:
      -h, --help            show this help message and exit
      -u USERNAME, --username USERNAME
                            user name
      -H HOST, --host HOST  tacacs+ server address
      -p PORT, --port PORT  tacacs+ server port (default 49)
      -l PRIV_LVL, --priv-lvl PRIV_LVL
                            user privilege level
      -t {ascii,pap,chap}, --authen-type {ascii,pap,chap}
                            authentication type
      -r REM_ADDR, --rem-addr REM_ADDR
                            remote address (logged by tacacs server)
      -P VIRTUAL_PORT, --virtual-port VIRTUAL_PORT
                            console port used in connection (logged by tacacs server)
      --timeout TIMEOUT
      -d, --debug           enable debugging output
      -v, --verbose         print responses
      -k KEY, --key KEY     tacacs+ shared encryption key

    $ tacacs_client authenticate -h
    usage: tacacs_client authenticate [-h] [-p PASSWORD]

    optional arguments:
      -h, --help            show this help message and exit
      -p PASSWORD, --password PASSWORD
                            user password

    $ tacacs_client authorize -h
    usage: tacacs_client authorize [-h] -c CMDS [CMDS ...]

    optional arguments:
      -h, --help            show this help message and exit
      -c CMDS [CMDS ...], --cmds CMDS [CMDS ...]
                            list of cmds to authorize

    $ tacacs_client account -h
    usage: tacacs_client account [-h] -c CMDS [CMDS ...] -f {start,stop,update}

    optional arguments:
      -h, --help            show this help message and exit
      -c CMDS [CMDS ...], --cmds CMDS [CMDS ...]
                            list of cmds to authorize
      -f {start,stop,update}, --flag {start,stop,update}
                            accounting flag

Programmatic Usage

    #!/usr/bin/env python
    from tacacs_plus.client import TACACSClient
    from tacacs_plus.flags import TAC_PLUS_ACCT_FLAG_START, TAC_PLUS_ACCT_FLAG_WATCHDOG, TAC_PLUS_ACCT_FLAG_STOP

    # host, port, shared key
    cli = TACACSClient('host', 49, 'secret', timeout=10)

    # authenticate user and pass
    authen = cli.authenticate('username', 'password')
    print("PASS!" if authen.valid else "FAIL!")

    # authorize user and command
    author = cli.authorize('username', arguments=[b"service=shell", b"cmd=show", b"cmdargs=version"])
    print("PASS!" if author.valid else "FAIL!")

    # start accounting session for command
    acct = cli.account('username', TAC_PLUS_ACCT_FLAG_START, arguments=[b"service=shell", b"cmd=show", b"cmdargs=version"])
    print("PASS!" if acct.valid else "FAIL!")

    # continue accounting session for another command
    acct = cli.account('username', TAC_PLUS_ACCT_FLAG_WATCHDOG, arguments=[b"service=shell", b"cmd=debug", b"cmdargs=aaa"])
    print("PASS!" if acct.valid else "FAIL!")

    # close accounting session
    acct = cli.account('username', TAC_PLUS_ACCT_FLAG_STOP, arguments=[b"service=shell", b"cmd=exit"])
    print("PASS!" if acct.valid else "FAIL!")

This work is supported by the National Institutes of Health's National Center for Advancing Translational Sciences, Grant Number U24TR002306. This work is solely the responsibility of the creators and does not necessarily represent the official views of the National Institutes of Health.