{"id":699,"date":"2021-11-04T23:19:43","date_gmt":"2021-11-04T14:19:43","guid":{"rendered":"https:\/\/wp.zassoul.com\/?p=699"},"modified":"2021-11-04T23:21:28","modified_gmt":"2021-11-04T14:21:28","slug":"tacacs%e3%82%b5%e3%83%bc%e3%83%90%e6%a7%8b%e7%af%89","status":"publish","type":"post","link":"https:\/\/wp.zassoul.com\/?p=699","title":{"rendered":"Building a TACACS+ Server"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Overview<\/h2>\n\n\n\n<p>To move authentication in my home lab to TACACS+, the first step is to stand up two TACACS+ servers. The layout is as follows: two TACACS+ servers are placed on the same segment as each device's management interface.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"572\" height=\"261\" src=\"https:\/\/wp.zassoul.com\/wp-content\/uploads\/2021\/11\/image-1.png\" alt=\"\" class=\"wp-image-704\" srcset=\"https:\/\/wp.zassoul.com\/wp-content\/uploads\/2021\/11\/image-1.png 572w, https:\/\/wp.zassoul.com\/wp-content\/uploads\/2021\/11\/image-1-300x137.png 300w\" sizes=\"auto, (max-width: 572px) 100vw, 572px\" \/><\/figure>\n\n\n\n<p>One instance runs from a Debian image on OpenStack. For redundancy, the second node is an Ubuntu VM on ESXi. (The OSes differ only because there was no Debian 10 image on ESXi; there is no other reason behind it.)<\/p>\n\n\n\n<p>tac_plus is used as the TACACS+ daemon. The original is, I believe, this one (<a rel=\"noreferrer noopener\" href=\"https:\/\/www.shrubbery.net\/tac_plus\/\" 
target=\"_blank\">https:\/\/www.shrubbery.net\/tac_plus\/<\/a>), but it no longer seems to be published. Facebook had published <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/facebook\/tac_plus\" data-type=\"URL\" data-id=\"https:\/\/github.com\/facebook\/tac_plus\" target=\"_blank\">a fork on GitHub<\/a>, so on the Ubuntu node I fetched the source from there, compiled it and installed it. (Debian could install it from the repository.)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Installation<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Installing on Debian 10<\/h3>\n\n\n\n<p>A single apt command does it.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># apt install tacacs+<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Installing on Debian 11<\/h3>\n\n\n\n<p>Debian 11 did not have a package yet, so it is compiled from source.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># apt install git build-essential flex bison libwrap0-dev\n$ git clone https:\/\/github.com\/facebook\/tac_plus.git\n$ cd tac_plus\/tacacs-F4.0.4.28\n$ .\/configure\n$ make\n# make install\n<\/code><\/pre>\n\n\n\n<p>Next, prepare the required files.<\/p>\n\n\n\n<p>Service start script: \/etc\/init.d\/tacacs_plus<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/bin\/sh\n### BEGIN INIT INFO\n# Provides:          tacacs+\n# Required-Start:    
$network $local_fs $syslog $remote_fs\n# Required-Stop:     $network $local_fs $remote_fs\n# Should-Start:      $named\n# Default-Start:     2 3 4 5\n# Default-Stop:      0 1 6\n# Short-Description: TACACS+ authentication daemon\n### END INIT INFO\n\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\nDAEMON=\/usr\/local\/sbin\/tac_plus\nNAME=\"tacacs+\"\nDESC=\"TACACS+ authentication daemon\"\nLOGDIR=\/var\/log\/\nSTARTTIME=1\nDIETIME=10          # Seconds to wait for the daemon to exit before escalating (used by force_stop and restart)\n\nPIDFILE=\/var\/run\/tac_plus.pid\n\ntest -x $DAEMON || exit 0\n\n. \/lib\/lsb\/init-functions\n\n# Default options, these can be overridden by the information\n# at \/etc\/default\/$NAME\nDAEMON_OPTS=\"-C \/etc\/tacacs+\/tac_plus.conf\"          # Additional options given to the server\n\n\nLOGFILE=$LOGDIR\/tac_plus.log  # Server logfile\n\n# Include defaults if available\nif &#91; -f \/etc\/default\/$NAME ] ; then\n        . \/etc\/default\/$NAME\nfi\n\n# Check that the user exists (if we set a user)\n# Does the user exist?\nif &#91; -n \"$DAEMONUSER\" ] ; then\n    if getent passwd | grep -q \"^$DAEMONUSER:\"; then\n        # Obtain the uid and gid\n        DAEMONUID=`getent passwd |grep \"^$DAEMONUSER:\" | awk -F : '{print $3}'`\n        DAEMONGID=`getent passwd |grep \"^$DAEMONUSER:\" | awk -F : '{print $4}'`\n    else\n        log_failure_msg \"The user $DAEMONUSER, required to run $NAME does not exist.\"\n        exit 1\n    fi\nfi\n\n\nset -e\n\nrunning_pid() {\n# Check if a given process pid's cmdline matches a given name\n    pid=$1\n    name=$2\n    &#91; -z \"$pid\" ] &amp;&amp; return 1\n    &#91; ! -d \/proc\/$pid ] &amp;&amp;  return 1\n    cmd=`cat \/proc\/$pid\/cmdline | tr \"\\000\" \"\\n\"|head -n 1 |cut -d : -f 1`\n    # Is this the expected server\n    &#91; \"$cmd\" != \"$name\" ] &amp;&amp;  return 1\n    return 0\n}\n\nrunning() {\n# Check if the process is running looking at \/proc\n# (works for all users)\n\n    # No pidfile, probably no daemon present\n    &#91; ! 
-f \"$PIDFILE\" ] &amp;&amp; return 1\n    pid=`cat $PIDFILE`\n    running_pid $pid $DAEMON || return 1\n    return 0\n}\n\nstart_server() {\n# Start the process using the wrapper\n    if check_config_quiet ; then\n         start-stop-daemon --start --quiet --pidfile $PIDFILE \\\n                --exec $DAEMON -- $DAEMON_OPTS\n         errcode=$?\n         return $errcode\n    else\n         return $?\n    fi\n\n}\n\nstop_server() {\n    killproc -p $PIDFILE $DAEMON\n    return $?\n}\n\nreload_server() {\n    if check_config_quiet ; then\n         &#91; ! -f \"$PIDFILE\" ] &amp;&amp; return 1\n         pid=`cat $PIDFILE` # This is the daemon's pid\n         # Send a SIGHUP\n         kill -1 $pid\n         return $?\n    else\n         return $?\n    fi\n}\n\ncheck_config() {\n        $DAEMON -P $DAEMON_OPTS\n        return $?\n}\n\ncheck_config_quiet() {\n        $DAEMON -P $DAEMON_OPTS &gt;\/dev\/null 2&gt;&amp;1\n        return $?\n}\n\nforce_stop() {\n# Force the process to die killing it manually\n        &#91; ! 
-e \"$PIDFILE\" ] &amp;&amp; return\n        if running ; then\n                kill -15 $pid\n        # Is it really dead?\n                sleep \"$DIETIME\"s\n                if running ; then\n                        kill -9 $pid\n                        sleep \"$DIETIME\"s\n                        if running ; then\n                                echo \"Cannot kill $NAME (pid=$pid)!\"\n                                exit 1\n                        fi\n                fi\n        fi\n        rm -f $PIDFILE\n}\n\n\ncase \"$1\" in\n  start)\n        log_daemon_msg \"Starting $DESC \" \"$NAME\"\n        # Check if it's running first\n        if running ;  then\n            log_progress_msg \"apparently already running\"\n            log_end_msg 0\n            exit 0\n        fi\n        if start_server ; then\n            # NOTE: Some servers might die some time after they start,\n            # this code will detect this issue if STARTTIME is set\n            # to a reasonable value\n            &#91; -n \"$STARTTIME\" ] &amp;&amp; sleep $STARTTIME # Wait some time\n            if  running ;  then\n                # It's ok, the server started and is running\n                log_end_msg 0\n            else\n                # It is not running after we did start\n                log_end_msg 1\n            fi\n        else\n            # Either we could not start it\n            log_end_msg 1\n        fi\n        ;;\n  stop)\n        log_daemon_msg \"Stopping $DESC\" \"$NAME\"\n        if running ; then\n            # Only stop the server if we see it running\n            errcode=0\n            stop_server || errcode=$?\n            log_end_msg $errcode\n        else\n            # If it's not running don't do anything\n            log_progress_msg \"apparently not running\"\n            log_end_msg 0\n            exit 0\n        fi\n        ;;\n  force-stop)\n        # First try to stop gracefully the program\n        $0 stop\n        if running; 
then\n            # If it's still running try to kill it more forcefully\n            log_daemon_msg \"Stopping (force) $DESC\" \"$NAME\"\n            errcode=0\n            force_stop || errcode=$?\n            log_end_msg $errcode\n        fi\n        ;;\n  restart|force-reload)\n        log_daemon_msg \"Restarting $DESC\" \"$NAME\"\n        errcode=0\n        stop_server || errcode=$?\n        # Wait some sensible amount, some server need this\n        &#91; -n \"$DIETIME\" ] &amp;&amp; sleep $DIETIME\n        start_server || errcode=$?\n        &#91; -n \"$STARTTIME\" ] &amp;&amp; sleep $STARTTIME\n        running || errcode=$?\n        log_end_msg $errcode\n        ;;\n  status)\n\n        log_daemon_msg \"Checking status of $DESC\" \"$NAME\"\n        if running ;  then\n            log_progress_msg \"running\"\n            log_end_msg 0\n        else\n            log_progress_msg \"apparently not running\"\n            log_end_msg 1\n            exit 1\n        fi\n        ;;\n  # Use this if the daemon cannot reload\n  reload)\n        log_daemon_msg \"Reloading $DESC configuration files\" \"$NAME\"\n        if reload_server ; then\n                if running ; then\n                        log_end_msg 0\n                else\n                        log_progress_msg \"$NAME not running\"\n                        log_end_msg 1\n                fi\n        else\n                log_progress_msg \"Reload failed\"\n                log_end_msg 1\n        fi\n        ;;\n  check)\n        check_config\n        if &#91; X$? 
= \"X0\" ]\n        then\n                log_daemon_msg \"Checking $DESC configuration files successful\" \"$NAME\"\n        else\n                log_daemon_msg \"Checking $DESC configuration files failed\" \"$NAME\"\n                exit 1\n        fi\n        ;;\n  *)\n        N=\/etc\/init.d\/tacacs_plus\n        echo \"Usage: $N {start|stop|force-stop|restart|reload|force-reload|status|check}\" &gt;&amp;2\n        exit 1\n        ;;\nesac\n\nexit 0<\/code><\/pre>\n\n\n\n<p>Create the accounting log file<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># touch \/var\/log\/tac_plus.acct<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Editing the tacacs+ configuration file (same on both servers)<\/h3>\n\n\n\n<p>\/etc\/tacacs+\/tac_plus.conf<\/p>\n\n\n\n<p>A sample configuration follows. For now I took the approach of defining users directly in the configuration file; be careful not to do this at work. The password hashes were generated with \"openssl passwd -5\" (SHA-256 crypt).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Log file used for accounting\naccounting file = \/var\/log\/tac_plus.acct\n\n\n# &lt;shared key the network devices use to talk to this server&gt;\nkey = tacacs_key\n\nuser = networkmanager {\n        name = \"Network Manager\"\n        member = admin\n        login = des &lt;hashed password&gt;\n        enable = des &lt;hashed enable password&gt;\n}\n\nuser = networkoperator {\n        name = \"Read only user\"\n        member = operator\n        login = des 
&lt;hashed password&gt;\n        enable = des &lt;hashed enable password&gt;\n}\n\n# Administrator group. Privilege level 15.\ngroup = admin {\n        default service = permit\n        service = exec {\n                priv-lvl = 15\n        }\n}\n\n# Operator group. Only show commands are allowed.\ngroup = operator {\n        default service = deny\n        service = exec {\n                priv-lvl = 15\n        }\n        cmd = show {\n                permit .*\n        }\n        cmd = exit {\n                permit .*\n        }\n}<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Starting TACACS+<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># service tacacs_plus start<\/code><\/pre>\n\n\n\n<p>That's it.<\/p>\n\n\n\n<p>Next: configuring the network devices.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview To move authentication in my home lab to TACACS+, the first step is to stand up two TACACS+ servers. The layout is as follows: two TACACS+ servers are placed on the same segment as each device's management interface. One instance runs from a Debian image on OpenStack\u2026 <span class=\"read-more\"><a href=\"https:\/\/wp.zassoul.com\/?p=699\">Continue reading 
&raquo;<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,15,48],"tags":[74,87,86],"class_list":["post-699","post","type-post","status-publish","format-standard","hentry","category-cisco","category-network","category-security","tag-cisco","tag-security","tag-tacacs"],"_links":{"self":[{"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/posts\/699","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=699"}],"version-history":[{"count":6,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/posts\/699\/revisions"}],"predecessor-version":[{"id":708,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/posts\/699\/revisions\/708"}],"wp:attachment":[{"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=699"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=699"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=699"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}