- Uniformly use .In for header file references.
[dragonfly.git] / lib / libtacplus / libtacplus.3
CommitLineData
984263bc
MD
1.\" Copyright (c) 1998, 2001, 2002, Juniper Networks, Inc.
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\" notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\" notice, this list of conditions and the following disclaimer in the
11.\" documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.\" $FreeBSD: src/lib/libtacplus/libtacplus.3,v 1.3.2.7 2002/10/09 08:50:42 pst Exp $
44cb301e 26.\" $DragonFly: src/lib/libtacplus/libtacplus.3,v 1.4 2006/05/26 19:39:38 swildner Exp $
984263bc
MD
27.\"
28.Dd September 2, 1998
29.Dt LIBTACPLUS 3
30.Os
31.Sh NAME
32.Nm libtacplus
33.Nd TACACS+ client library
34.Sh SYNOPSIS
35.In taclib.h
36.Ft int
37.Fn tac_add_server "struct tac_handle *h" "const char *host" "int port" "const char *secret" "int timeout" "int flags"
38.Ft void
39.Fn tac_clear_avs "struct tac_handle *h"
40.Ft void
41.Fn tac_close "struct tac_handle *h"
42.Ft int
43.Fn tac_config "struct tac_handle *h" "const char *path"
44.Ft int
45.Fn tac_create_authen "struct tac_handle *h" "int action" "int type" "int service"
46.Ft int
47.Fn tac_create_author "struct tac_handle *h" "int method" "int type" "int service"
48.Ft char *
49.Fn tac_get_av "struct tac_handle *h" "u_int index"
50.Ft char *
51.Fn tac_get_av_value "struct tac_handle *h" "const char *attribute"
52.Ft void *
53.Fn tac_get_data "struct tac_handle *h" "size_t *len"
54.Ft char *
55.Fn tac_get_msg "struct tac_handle *h"
56.Ft struct tac_handle *
57.Fn tac_open "void"
58.Ft int
59.Fn tac_send_authen "struct tac_handle *h"
60.Ft int
61.Fn tac_send_author "struct tac_handle *h"
62.Ft int
63.Fn tac_set_av "struct tac_handle *h" "u_int index" "const char *av_pair"
64.Ft int
65.Fn tac_set_data "struct tac_handle *h" "const void *data" "size_t data_len"
66.Ft int
67.Fn tac_set_msg "struct tac_handle *h" "const char *msg"
68.Ft int
69.Fn tac_set_port "struct tac_handle *h" "const char *port"
70.Ft int
71.Fn tac_set_priv "struct tac_handle *h" "int priv"
72.Ft int
73.Fn tac_set_rem_addr "struct tac_handle *h" "const char *addr"
74.Ft int
75.Fn tac_set_user "struct tac_handle *h" "const char *user"
76.Ft const char *
77.Fn tac_strerror "struct tac_handle *h"
78.Sh DESCRIPTION
79The
80.Nm
81library implements the client side of the TACACS+ network access
82control protocol. TACACS+ allows clients to perform authentication,
83authorization, and accounting by means of network requests to remote
84servers. This library currently supports only the authentication
85and authorization portion of the protocol.
86.Sh INITIALIZATION
87To use the library, an application must first call
88.Fn tac_open
89to obtain a
90.Va struct tac_handle * ,
91which provides context for subsequent operations.
92Calls to
93.Fn tac_open
94always succeed unless insufficient virtual memory is available. If
95the necessary memory cannot be allocated,
96.Fn tac_open
97returns
98.Dv NULL .
99.Pp
100Before issuing any TACACS+ requests, the library must be made aware
101of the servers it can contact. The easiest way to configure the
102library is to call
103.Fn tac_config .
104.Fn tac_config
105causes the library to read a configuration file whose format is
106described in
107.Xr tacplus.conf 5 .
108The pathname of the configuration file is passed as the
109.Va file
110argument to
111.Fn tac_config .
112This argument may also be given as
113.Dv NULL ,
114in which case the standard configuration file
115.Pa /etc/tacplus.conf
116is used.
117.Fn tac_config
118returns 0 on success, or -1 if an error occurs.
119.Pp
120The library can also be configured programmatically by calls to
121.Fn tac_add_server .
122The
123.Va host
124parameter specifies the server host, either as a fully qualified
125domain name or as a dotted-quad IP address in text form.
126The
127.Va port
128parameter specifies the TCP port to contact on the server. If
129.Va port
130is given as 0, the library uses port 49, the standard TACACS+ port.
131The shared secret for the server host is passed to the
132.Va secret
133parameter. It may be any null-terminated string of bytes.
134The timeout for receiving replies from the server is passed to the
135.Va timeout
136parameter, in units of seconds.
137The
138.Va flags
139parameter is a bit mask of flags to specify various characteristics of
140the server. It may contain:
141.Pp
142.Bl -tag -width Fl
143.It Dv TAC_SRVR_SINGLE_CONNECT
144Causes the library to attempt to negotiate single connection mode
145when communicating with the server. In single connection mode, the
146original TCP connection is held open for multiple TACACS+ sessions.
147Older servers do not support this mode, and some of them become
148confused if the client attempts to negotiate it.
149.El
150.Pp
151.Fn tac_add_server
152returns 0 on success, or -1 if an error occurs.
153.Pp
154.Fn tac_add_server
155may be called multiple times, and it may be used together with
156.Fn tac_config .
157At most 10 servers may be specified.
158When multiple servers are given, they are tried in round-robin
159fashion until a working, accessible server is found. Once the
160library finds such a server, it continues to use it as long as it
161works.
162.Sh CREATING A TACACS+ AUTHENTICATION REQUEST
163To begin constructing a new authentication request, call
164.Fn tac_create_authen .
165The
166.Va action ,
167.Va type ,
168and
169.Va service
170arguments must be set to appropriate values as defined in the
171TACACS+ protocol specification. The
44cb301e 172.In taclib.h
984263bc
MD
173header file contains symbolic constants for these values.
174.Sh CREATING A TACACS+ AUTHORIZATION REQUEST
175To begin constructing a new authorization request, call
176.Fn tac_create_author .
177The
178.Va method ,
179.Va type ,
180and
181.Va service
182arguments must be set to appropriate values as defined in the
183TACACS+ protocol specification. The
44cb301e 184.In taclib.h
984263bc
MD
185header file contains symbolic constants for these values.
186.Sh SETTING OPTIONAL PARAMETERS ON A REQUEST
187After creating a request,
188various optional parameters may be attached to it through calls to
189.Fn tac_set_av ,
190.Fn tac_set_data ,
191.Fn tac_set_port ,
192.Fn tac_set_priv ,
193.Fn tac_set_rem_addr ,
194and
195.Fn tac_set_user .
196The library creates its own copies of any strings provided to these
197functions, so that it is not necessary for the caller to preserve
198them. By default, each of these parameters is empty except for the
199privilege level, which defaults to
200.Ql USER
201privilege.
202.Pp
1bf4b486 203.Fn tac_set_av
984263bc
MD
204only applies to the context of an authorization request. The format
205for an attribute value pair is defined in the TACACS+ protocol
206specification. The index specified can be any value between 0 and
207255 inclusive and indicates the position in the list to place the
1bf4b486
SW
208attribute value pair. Calling
209.Fn tac_set_av
984263bc
MD
210with same index twice effectively replaces the value at that position.
211Use
212.Fn tac_clear_avs
213to clear all attribute value pairs that may have been set.
214.Sh SENDING THE AUTHENTICATION REQUEST AND RECEIVING THE RESPONSE
215After the TACACS+ authentication request has been constructed, it is
216sent by means of
217.Fn tac_send_authen .
218This function connects to a server if not already connected, sends
219the request, and waits for a reply. On failure,
220.Fn tac_send_authen
221returns -1. Otherwise, it returns the TACACS+ status code and flags,
222packed into an integer value. The status can be extracted using the
223macro
224.Fn TAC_AUTHEN_STATUS .
225Possible status codes, defined in
44cb301e 226.In taclib.h ,
984263bc
MD
227include:
228.Pp
229.Bl -item -compact -offset indent
230.It
231.Dv TAC_AUTHEN_STATUS_PASS
232.It
233.Dv TAC_AUTHEN_STATUS_FAIL
234.It
235.Dv TAC_AUTHEN_STATUS_GETDATA
236.It
237.Dv TAC_AUTHEN_STATUS_GETUSER
238.It
239.Dv TAC_AUTHEN_STATUS_GETPASS
240.It
241.Dv TAC_AUTHEN_STATUS_RESTART
242.It
243.Dv TAC_AUTHEN_STATUS_ERROR
244.It
245.Dv TAC_AUTHEN_STATUS_FOLLOW
246.El
247.Pp
248The only flag is the no-echo flag, which can be tested using the
249macro
250.Fn TAC_AUTHEN_NOECHO .
251.Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE
252An authentication response packet from the server may contain a
253server message, a data string, or both. After a successful call to
254.Fn tac_send_authen ,
255this information may be retrieved from the response by calling
256.Fn tac_get_msg
257and
258.Fn tac_get_data .
259These functions return dynamically-allocated copies of the
260information from the packet. The caller is responsible for freeing
261the copies when it no longer needs them. The data returned from
262these functions is guaranteed to be terminated by a null byte.
263.Pp
264In the case of
265.Fn tac_get_data ,
266the
267.Va len
268argument points to a location into which the library will store the
269actual length of the received data, not including the null
270terminator. This argument may be given as
271.Dv NULL
272if the caller is not interested in the length.
273.Sh SENDING AUTHENTICATION CONTINUE PACKETS
274If
275.Fn tac_send_authen
276returns a value containing one of the status codes
277.Dv TAC_AUTHEN_STATUS_GETDATA ,
278.Dv TAC_AUTHEN_STATUS_GETUSER ,
279or
280.Dv TAC_AUTHEN_STATUS_GETPASS ,
281then the client must provide additional information to the server by
282means of a TACACS+ CONTINUE packet. To do so, the application must
283first set the packet's user message and/or data fields using
284.Fn tac_set_msg
285and
286.Fn tac_set_data .
287The client then sends the CONTINUE packet with
288.Fn tac_send_authen .
289N.B.,
290.Fn tac_create_authen
291should
292.Em not
293be called to construct a CONTINUE packet; it is used only for the
294initial authentication request.
295.Pp
296When it receives the CONTINUE packet, the server may again request
297more information by returning
1bf4b486 298.Dv TAC_AUTHEN_STATUS_GETDATA ,
984263bc
MD
299.Dv TAC_AUTHEN_STATUS_GETUSER ,
300or
301.Dv TAC_AUTHEN_STATUS_GETPASS .
302The application should send further CONTINUEs until some other
303status is received from the server.
304.Sh SENDING THE AUTHORIZATION REQUEST AND RECEIVING THE RESPONSE
305After the TACACS+ authorization request has been constructed, it
306is sent by means of
307.Fn tac_send_author .
308This function connects to a server if not already connected, sends
309the request, and waits for a reply. On failure,
310.Fn tac_send_author
1bf4b486
SW
311returns -1. Otherwise, it returns the TACACS+ status code and
312number of attribute value (AV) pairs received packed into an
984263bc
MD
313integer value. The status can be extracted using the macro
314.Fn TAC_AUTHOR_STATUS .
315Possible status codes, defined in
44cb301e 316.In taclib.h ,
984263bc
MD
317include:
318.Pp
319.Bl -item -compact -offset indent
320.It
321.Dv TAC_AUTHOR_STATUS_PASS_ADD
322.It
323.Dv TAC_AUTHOR_STATUS_PASS_REPL
324.It
325.Dv TAC_AUTHOR_STATUS_FAIL
326.It
327.Dv TAC_AUTHOR_STATUS_ERROR
328.El
329.Pp
1bf4b486 330The number of AV pairs received is obtained using
984263bc
MD
331.Fn TAC_AUTHEN_AV_COUNT .
332.Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHORIZATION RESPONSE
1bf4b486 333Like an authentication response packet, an authorization
984263bc
MD
334response packet from the
335server may contain a server message, a data string, or both. Refer
336to EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE
337for instruction on extraction of those values.
338.Pp
339An authorization response packet from the server may also contain
340attribute value (AV) pairs. To extract these, use
341.Fn tac_get_av
342or
343.Fn tac_get_av_value .
344.Fn tac_get_av
1bf4b486
SW
345takes the index of the AV pair as it is positioned in the list.
346The indexes start at 0 (use
984263bc 347.Fn TAC_AUTHEN_AV_COUNT
1bf4b486
SW
348on the return value of
349.Fn tac_send_author
984263bc 350to get the total number of items in this list).
1bf4b486
SW
351Alternatively,
352.Fn tac_get_av_value
353can be used.
354.Fn tac_get_av_value
984263bc
MD
355takes the attribute name and returns the
356corresponding value only, not the AV pair. These functions return
357dynamically-allocated copies of the information from the packet.
358The caller is responsible for freeing the copies when it no longer
359needs them. The data returned from these functions is guaranteed
360to be terminated by a null byte.
361.Sh OBTAINING ERROR MESSAGES
362Those functions which accept a
363.Va struct tac_handle *
364argument record an error message if they fail. The error message
365can be retrieved by calling
366.Fn tac_strerror .
367The message text is overwritten on each new error for the given
368.Va struct tac_handle * .
1bf4b486 369Thus the message must be copied if it is to be preserved through
984263bc
MD
370subsequent library calls using the same handle.
371.Sh CLEANUP
372To free the resources used by the TACACS+ library, call
373.Fn tac_close .
374.Sh RETURN VALUES
375The following functions return a non-negative value on success. If
376they detect an error, they return -1 and record an error message
377which can be retrieved using
378.Fn tac_strerror .
379.Pp
1bf4b486 380.Bl -item -offset indent -compact
984263bc
MD
381.It
382.Fn tac_add_server
383.It
384.Fn tac_config
385.It
386.Fn tac_create_authen
387.It
388.Fn tac_create_author
389.It
390.Fn tac_send_authen
391.It
392.Fn tac_send_author
393.It
394.Fn tac_set_av
395.It
396.Fn tac_set_data
397.It
398.Fn tac_set_msg
399.It
400.Fn tac_set_port
401.It
402.Fn tac_set_priv
403.It
404.Fn tac_set_rem_addr
405.It
406.Fn tac_set_user
407.El
408.Pp
409The following functions return a
410.No non- Ns Dv NULL
411pointer on success. If they are unable to allocate sufficient
412virtual memory, they return
413.Dv NULL
414and record an error message which can be retrieved using
415.Fn tac_strerror .
416.Pp
417.Bl -item -offset indent -compact
418.It
419.Fn tac_get_av
420.It
421.Fn tac_get_av_pair
422.It
423.Fn tac_get_data
424.It
425.Fn tac_get_msg
426.El
427.Pp
428The following functions return a
429.No non- Ns Dv NULL
430pointer on success. If they are unable to allocate sufficient
431virtual memory, they return
432.Dv NULL ,
433without recording an error message.
434.Pp
435.Bl -item -offset indent -compact
436.It
437.Fn tac_open
438.El
439.Sh FILES
440.Pa /etc/tacplus.conf
441.Sh SEE ALSO
442.Xr tacplus.conf 5
443.Rs
444.%A D. Carrel
445.%A Lol Grant
446.%T The TACACS+ Protocol, Version 1.78
447.%O draft-grant-tacacs-02.txt (Internet Draft)
448.Re
449.Sh AUTHORS
450This software was written by
451.An John Polstra ,
452and
453.An Paul Fraley ,
454and donated to the
455.Fx
456project by Juniper Networks, Inc.