xtacacsd Feature List
      
      This page describes the features available in the version of
      xtacacsd maintained by Vikas Aggarwal at this Web location.
      These features are NOT the same as in the Cisco xtacacsd daemon.
      
      
      
- DBM Password files
- Can create and use DBM format database files for extracting
  user entries from the Unix password files (use Getpw -c).
	
- QI/PH Name server support
- Support for the QI/PH name server database from
  ftp.cso.uiuc.edu.
- DEC SIA Authentication
- Support for DEC SIA routines and Solaris shadow passwords.
- ASCII Wtmp file
- As of v4.1, the binary wtmp file has been replaced with an ASCII
  wtmp file (wtmp.ascii), and taclast has been updated to
  handle these ASCII files.
	
- Special Password Keywords
- Support for calling an external password verification program
  if the password entry for a user matches a special keyword.
  This allows support for TokenCard software such as the
  Enigma Logic SafeWord system, Security Dynamics SecurID card, etc.
	
- External authorization Program
- Allows calling an external program AFTER the password
  verification, for finer control over permitting or
  denying a user.
  The program is run with the username, terminal server and line
  number as arguments (it can be used to deny access to certain users
  dialing in on restricted ports at certain times, etc.).
	
- Case Insensitive username matches
- Almost necessary for SLIP/PPP username matching since the Cisco
	  converts the username in PPP queries into all uppercase.
	
- Separate UTMP and WTMP files
- Updates and maintains its UTMP file (as well as its WTMP
  file). The UTMP file indicates which users are
  currently logged into all network devices on your network.
	
- Configuration file 
- Optionally reads a configuration file on startup containing
  commands that allow extensive control of responses based on
  username, group-id or gecos string matches. Allows permitting or
  denying a request based on its type, originating host and line
  numbers, and setting access control lists.
	
- Run external program on login
- Executes a program on the Unix server (not on the
  client) on getting a request from a specified user and
  host (can be used to initiate dialback).
	
- Inactivity timer under inetd
-    When run under inetd, it has an inactivity timer of 15
	  minutes before exiting. This provides the speed of a standalone
	  process while preserving system resources when idle.
	
- SLIP ACLs
- Can send back a SLIP ACL in/out list in the TACACS response
  (requires Cisco software v9.21(5.2) or higher).
	
- Separate WTMP file per host
- Can update a separate WTMP file for each host sending
  the TACACS query. This is needed so that the system's last
  program can parse the WTMP sensibly (it's back on `popular'
  request). Note, however, that this is no longer required since
  xtacacsd comes with its own taclast utility.
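
The external authorization program described in the list above, sketched as an added example; it is not code from xtacacsd or its author. The argument order follows the feature description, while the exit-status convention (0 permits, non-zero denies) and all host, line and user values are assumptions made for illustration.

```sh
#!/bin/sh
# Added example of an external authorization hook; not part of xtacacsd.
# Assumed interface: argv = username, terminal server, line number (order from
# the feature list); exit 0 = permit, non-zero = deny (assumed convention).

# Constructed sample policy; every value below is a placeholder.
RESTRICTED_HOST="ts1.example.net"
RESTRICTED_LINES="7 8"        # dial-in lines with limited hours
ALLOWED_FROM=8                # restricted lines usable from 08:00 ...
ALLOWED_UNTIL=18              # ... until 17:59
EXEMPT_USERS="oncall"         # may use restricted lines at any hour

# authorize USER HOST LINE [HOUR]: returns 0 to permit, 1 to deny.
authorize() {
    user=$1 host=$2 line=$3 hour=${4:-$(date +%H)}

    # Fail closed on missing or malformed arguments.
    [ -n "$user" ] && [ -n "$host" ] || return 1
    case $line in ''|*[!0-9]*) return 1 ;; esac
    case $hour in ''|*[!0-9]*) return 1 ;; esac
    hour=${hour#0}; hour=${hour:-0}      # "08" -> 8, "00" -> 0

    # PPP usernames arrive in uppercase, so compare in lowercase.
    user=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')

    # Only the restricted lines on the restricted server are time-limited.
    [ "$host" = "$RESTRICTED_HOST" ] || return 0
    case " $RESTRICTED_LINES " in *" $line "*) ;; *) return 0 ;; esac
    case " $EXEMPT_USERS " in *" $user "*) return 0 ;; esac

    [ "$hour" -ge "$ALLOWED_FROM" ] && [ "$hour" -lt "$ALLOWED_UNTIL" ]
}

# With no arguments the file only defines authorize() (so it can be sourced);
# a deployed hook should call authorize unconditionally to stay fail-closed.
if [ "$#" -gt 0 ]; then
    authorize "$@"
    exit $?
fi
```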
	
      
	Other `standard' tacacs features are:
      
	- Multiple password files 
- Can process multiple password files (up to 5 files).
	
- Inetd or standalone
-  Can run under inetd or in standalone mode as a daemon.
	
- Backward compatible
- Can process either the old tacacs queries or the new
  extended tacacs format queries.
	
- Disable Nameservers
- Optionally disables the use of nameservers for faster
  response times or to avoid depending on the nameservers.
	
- Quiet Mode
- Optionally does not send DENY type responses so that the
  client can query multiple tacacs servers.
	
      
	Old features deleted in this version are:
      
	- GID Usage
- Does not use the gid as the access list number; the access
  list is now specified using the config file. Also does
  not use the group gid to permit/deny access.
	

      
          
      Copyright © 1994-1997
        Vikas Aggarwal