TACPLUS.CONF(5)		    BSD	File Formats Manual	       TACPLUS.CONF(5)

     tacplus.conf -- TACACS+ client configuration file


     tacplus.conf contains the information necessary to configure the TACACS+
     client library.  It is parsed by tac_config() (see libtacplus(3)).  The
     file contains one or more lines of text, each describing a single TACACS+
     server which is to be used by the library.  Leading white space is
     ignored, as are empty lines and lines containing only comments.

     A TACACS+ server is described by two to four fields on a line.  The
     fields are separated by white space.  The `#' character at the beginning
     of a field begins a comment, which extends to the end of the line.  A
     field may be enclosed in double quotes, in which case it may contain
     white space and/or begin with the `#' character.  Within a quoted string,
     the double quote character can be represented by `\"', and the backslash
     can be represented by `\\'.  No other escape sequences are supported.

     The first field specifies the server host, either as a fully qualified
     domain name or as a dotted-quad IP address.  The host may optionally be
     followed by a `:' and a numeric port number, without intervening white
     space.  If the port specification is omitted, it defaults to 49, the
     standard TACACS+ port.

     The second field contains the shared secret, which should be known only
     to the client and server hosts.  It is an arbitrary string of characters,
     though it must be enclosed in double quotes if it contains white space or
     is empty.  An empty secret disables the normal encryption mechanism,
     causing all data to cross the network in cleartext.

     The third field contains a decimal integer specifying the timeout in
     seconds for communicating with the server.  The timeout applies separately
     to each connect, write, and read operation.  If this field is omitted, it
     defaults to 3 seconds.

     The optional fourth field may contain the string `single-connection'.  If
     this option is included, the library will attempt to negotiate with the
     server to keep the TCP connection open for multiple sessions.  Some older
     TACACS+ servers become confused if this option is specified.

     Up to 10 TACACS+ servers may be specified.  The servers are tried in
     order, until a valid response is received or the list is exhausted.

     The standard location for this file is /etc/tacplus.conf.  An alternate
     pathname may be specified in the call to tac_config() (see
     libtacplus(3)).  Since the file contains sensitive information in the
     form of the shared secrets, it should not be readable except by root.


     # A simple entry using all the defaults:    OurLittleSecret

     # A server using a non-standard port, with an increased timeout and
     # the "single-connection" option.    "Don't tell!!"  15  single-connection

     # A server specified by its IP address:    $X*#..38947ax-+=
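
     The field, quoting and default rules above can be checked mechanically.
     The following is an added example, not code from libtacplus or from this
     manual page: a small auditor that tokenizes entries as described here and
     reports empty secrets, malformed entries and loose file permissions.
     Assumptions: the host names and secrets in SAMPLE are constructed, and
     treating an unsupported escape or a quote not followed by white space as
     an error is this example's reading of the rules.

```python
import re, stat

# One field: quoted string (only \" and \\ escapes; others rejected, an assumption) or bare word.
FIELD = re.compile(r'\s*(?:"((?:[^"\\]|\\["\\])*)"(?!\S)|([^\s"#]\S*))')

def split_fields(line):
    """Split one line into fields; '#' at the start of a field begins a comment."""
    fields, pos = [], 0
    while line[pos:].strip() and not line[pos:].lstrip().startswith("#"):
        m = FIELD.match(line, pos)
        if not m:
            raise ValueError("bad quoting or escape")
        quoted, bare = m.groups()
        fields.append(bare if quoted is None else re.sub(r"\\(.)", r"\1", quoted))
        pos = m.end()
    return fields

def audit(text, mode=None):
    """Return (servers, findings); mode is the file's st_mode when known."""
    servers, findings = [], []
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file is accessible to group or other")
    for no, line in enumerate(text.splitlines(), 1):
        try:
            f = split_fields(line)
        except ValueError as err:
            f = None
            findings.append(f"line {no}: {err}")
        if not f:
            continue  # blank, comment-only, or unparseable line
        host, _, port = f[0].partition(":")
        timeout = f[2] if len(f) > 2 else "3"  # default timeout in seconds
        if (not 2 <= len(f) <= 4 or not (port or "49").isdecimal()
                or not timeout.isdecimal() or f[3:] not in ([], ["single-connection"])):
            findings.append(f"line {no}: malformed entry")
            continue
        if f[1] == "":
            findings.append(f"line {no}: empty secret, cleartext to {host}")
        servers.append((host, int(port or 49), int(timeout), len(f) == 4))
    if len(servers) > 10:
        findings.append(f"{len(servers)} servers listed, limit is 10")
    return servers, findings

# Constructed sample: hosts and secrets are placeholders, not from the man page.
SAMPLE = '''tac1.example.net  "two words \\"quoted\\""
192.0.2.10:4949  s3#cret  15  single-connection   # trailing comment
tac2.example.net  ""
'''
```

     To audit a real file, pass its contents and os.stat(path).st_mode to
     audit(); the returned server tuples deliberately omit the secrets so the
     findings can be logged.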


     This documentation was written by John Polstra, and donated to the
     FreeBSD project by Juniper Networks, Inc.

BSD				 July 29, 1998				   BSD

