This page summarizes all options that may be specified or changed in the configuration file
(/etc/tac_bsd.conf by default).
All lines starting with "#" are ignored.
Do not put a comment after a keyword on the same line, as in:
"server 127.0.0.1 # my localhost"
This keyword adds a server to the server list. The user has to authenticate using the form <user@group>.
In this example, the login should be: "joe@cust1".
If the server list contains only one server, the realm ('@cust1') can be omitted. You MUST define at least one server if passwd_care is turned off; otherwise the program returns an error like "No server defined in the configuration file".
Note about the key option: this option encrypts *only* the data exchanged during authentication. Commands typed in the shell interpreter are not encrypted.
The TACACS server key is specified at the end of the server definition.
This keyword has been obsolete since version 1.4 and can be safely removed from the configuration file.
It is highly recommended to activate this option.
All authentication results and errors are sent to the syslogd(8) daemon if this option is activated.
By default syslog is set to off.
This option allows you to set the facility for the syslog daemon.
Not every facility listed in syslog(3) can be chosen; only "local0" to "local7" are available.
By default syslog_facility is set to local7.
This option allows you to set the level for the syslog daemon.
All levels listed in syslog(3) are available.
By default syslog_level is set to info.
shell, like server, is not required if the keyword passwd_care is turned on.
This variable may point to the command line interpreter that will be loaded after a successful authentication.
By default shell is set to NULL.
If this keyword is present and the file given as parameter is readable, the content of the file is displayed _before_ the login prompt. The file has no size limit. If this option is not set, nothing is displayed.
There is no premotd file by default.
Same as premotd, but the content of the file is displayed _after_ a successful authentication.
There is no motdpass file by default.
Same as premotd, but the content of the file is displayed _after_ any failed authentication.
There is no motdfail file by default.
maxtry is the maximum number of authentication attempts the user may make. When this number is reached, the content of motdfail is displayed (if set) and the connection is closed immediately.
By default maxtry is set to 3.
passwd_care is used to verify whether the user is present in the local password database. This option is required if no server is defined in the configuration file.
By default passwd_care is set to "off".
permit_uid0 allows a locally authenticated user to log into the system even if his user ID is 0 (usually the superuser). passwd_care MUST be turned on if permit_uid0 is set to "on".
The file given as parameter contains all usernames that are not allowed to open a login session.
This option is used only for users who are authenticated remotely (i.e. by the TACACS server). If passwd_care is turned on and the user is authenticated locally, the directory will be his own home directory. The environment variable "HOME" is set automatically.
There is no default directory.
You MUST set this option. It is necessary to know the user ID when a login session occurs. This option is ignored if passwd_care is turned on and the authentication succeeds against the local password database.
There is no user ID by default.
Like uid, this option is required. It makes the remote user a member of the group that gid identifies. This option is ignored if passwd_care is turned on and the authentication succeeds against the local password database.
There is no group ID by default.
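The following is an added example, not part of tac_bsd: a small Python checker that applies the rules documented on this page (no trailing comments, at least one server unless passwd_care is on, permit_uid0 requires passwd_care, syslog_facility limited to local0..local7, obsolete key keyword, numeric uid/gid) to a configuration file before it is installed. It assumes a "keyword value ..." line syntax, which this page does not spell out, and the sample configuration is constructed.

```python
# Added validator for /etc/tac_bsd.conf; the "keyword value ..." line syntax is an assumption.
LOCAL_FACILITIES = {f"local{i}" for i in range(8)}

def parse_conf(text):
    """Split the file into (keyword, args) entries and report lines with trailing comments."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and lines starting with "#" are ignored
        if "#" in line:  # "server 127.0.0.1 # my localhost" style comments are not supported
            problems.append(f"line {lineno}: comment after keyword is not allowed")
            continue
        keyword, *args = line.split()
        entries.append((keyword, args))
    return entries, problems

def check_conf(text):
    """Return a list of problems; an empty list means the documented rules are satisfied."""
    entries, problems = parse_conf(text)
    servers = [args for kw, args in entries if kw == "server"]
    values = {kw: args for kw, args in entries if kw != "server"}
    def on(kw):  # on/off flags default to "off" as documented
        return values.get(kw, ["off"])[0].lower() == "on"
    if "key" in values:
        problems.append("'key' is obsolete since version 1.4; remove it")
    if not servers and not on("passwd_care"):
        problems.append("no server defined and passwd_care is off")
    if on("permit_uid0") and not on("passwd_care"):
        problems.append("permit_uid0 is on but passwd_care is off")
    facility = values.get("syslog_facility", ["local7"])[0]
    if facility not in LOCAL_FACILITIES:
        problems.append(f"syslog_facility '{facility}' must be local0..local7")
    maxtry = values.get("maxtry", ["3"])[0]
    if not (maxtry.isdigit() and int(maxtry) > 0):
        problems.append(f"maxtry '{maxtry}' must be a positive integer")
    for kw in ("uid", "gid"):  # required for remotely authenticated users
        if not values.get(kw) or not values[kw][0].isdigit():
            problems.append(f"{kw} must be set to a numeric ID")
    return problems

# Constructed sample that violates several of the documented rules.
BAD_CONF = """\
server 127.0.0.1 # my localhost
key s3cret
permit_uid0 on
syslog_facility daemon
maxtry 0
"""
```

Running check_conf(BAD_CONF) reports eight problems, including the rejected trailing comment on the server line, which would otherwise silently become part of the server definition.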