xtacacsd Feature List
This page describes the features available in the version of
xtacacsd maintained by
Vikas Aggarwal at this Web
These features are NOT the same as in the Cisco xtacacsd daemon
- DBM Password files
- Can create and use DBM format database files for extracting
user entries from the Unix password files (use Getpw -c).
- QI/PH Name server support
- Support for the QI/PH name server database from
- DEC SIA Authentication
- Support for DEC SIA routines and Solaris shadow passwords
- ASCII Wtmp file
As of v4.1, the binary wtmp file has been replaced with an ascii
wtmp file (wtmp.ascii) and taclast suitably updated to
handle these ascii files.
- Special Password Keywords
- support for calling an external password verification program
if the password entry for a user matches a special keyword.
This allows support for TokenCard software such as the
Enigma Logic SafeWord system,
Security Dynamics SecurID card, etc.
- External authorization Program
- allows calling an external program AFTER the password
verification to allow finer control over permitting or
denying a user.
The program is run with the username, terminal server and line
number as arguments (can be used to deny access to certain users
dialing in on restricted ports at certain times, etc.)
- Case Insensitive username matches
- Almost necessary for SLIP/PPP username matching since the Cisco
converts the username in PPP queries into all uppercase.
- Separate UTMP and WTMP files
- updates and maintain its UTMP file (as well as its WTMP
file). The UTMP file indicates which users are
currently logged into all network devices on your network.
- Configuration file
- optionally reads a configuration file on startup containing
commands to allow extensive control of responses based on the
username, group-id or geco string matches. Allows permitting or
denying a request based on its type, originating host and line
numbers, and setting access control lists.
- Run external program on login
- Execute a program on the Unix server (not on the
client) on getting a request from a specified user &
host (can be used to initiate dialback)
- Inactivity timer under inetd
- When run under inetd, it has an inactivity timer of 15
minutes before exiting. This provides the speed of a standalone
process while preserving system resources when idle.
- SLIP ACL's
- Can send back a SLIP ACL in/out list in tacacs response
(need cisco software v9.21(5.2) or higher).
- Separate WTMP file per host
- Can update a separate WTMP file for each host sending
the TACACS query- this is needed so that the system's last
program can parse the WTMP sensibly (its back on `popular'
request). Note however, that this is not required anymore since
xtacacsd comes with its own taclast utility.
Other `standard' tacacs features are:
- Multiple password files
- can process multiple password files (upto 5 files).
- Inetd or standalone
- Can run under inetd or in standalone mode as a daemon.
- Backward compatible
- can process either the old tacacs queries or the new
extended tacacs format queries.
- Disable Nameservers
- optionally disable the use of nameservers for faster
response times or avoid depending on the nameservers.
- Quiet Mode
- optionally not send DENY type responses so that the
client can query multiple tacacs servers.
Old features deleted in this version are:
- GID Usage
- Does not use the gid as the access list number. Now
specify the access-list using the config file. Also does
not use the group gid to permit/deny access.
Copyright © 1994-1997