#!/bin/sh
# Version 13.1


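# Administrator Set Variables
# The default password.  Whenever no password is given on the command
# line the rules below use it: piped through generate_passwd for -d,
# written verbatim into the config for -c, and set as the host account
# password for -pam.  NOTE(review): the -d and -c rules pair it with a
# one-day expiry, but the -d -gn and -pam rules do not, so change it
# before deployment.
dpas=apassw22
# The default group (set to default, by default)
dgroup="default"
# The host systems password file (where the DES passwords are stored)
# NOTE(review): not referenced by any rule in this script.
pwfile=/etc/shadow
# The location and name of the tac_plus configuration file
conf="/etc/tacacs.conf"
# The user shell, /usr/bin/passwd is set as a default. This enables
# the user to change their password without actual shell access to
# the TACACS+ server. To use this option add /usr/bin/passwd to the
# host systems /etc/shells file. If you wish users to have actual
# shell accounts on the system set this value to one of the shells
# defined in the /etc/shells file.
shel="/usr/bin/passwd"


# Script Variables (Do not Edit)
# $1 is the user name; $3 is where the group name sits for some argument
# layouts (the mode-specific rules below re-assign grp as they need).
user="$1"
grp="$3"
addu="/usr/sbin/adduser"
admin_log="/var/log/tac_user.log"
# Create the log up front so later appends work.  Failure here (e.g. not
# running as root) is deliberately silent; it surfaces as a redirect
# error on the first logged event.
touch -- "$admin_log" > /dev/null 2>&1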

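# CLI format error checking
#
# A missing user name is an error and exits non-zero (the original exited
# 0 on every error path, so callers could not tell failure from success);
# -h prints the help text and exits 0.
if [ "$user" = "" ]
then
  echo "The user definition is missing"
  echo "$(date +%b-%d) ERROR no user was defined" >> "$admin_log"
  exit 1
elif [ "$user" = "-h" ]
then
  # A here-document replaces 'echo -e': under a POSIX /bin/sh (this
  # script's shebang) echo has no -e option, so "-e" was printed as text.
  # $conf and $admin_log are still expanded inside the unquoted heredoc.
  cat <<EOF | more

This command adds users to the tac_plus configuration file $conf.
It supports four authentication models: S/Key, Cleartext, PAM, and Local DES. The cmd syntax differs slightly depending on the password method
selected. The syntax for each mode is as follows:

S/key Mode:
Create basic user <username> -s
Create user w/group <username> -s -g <group>

Cleartext Mode:
Create basic user <username> -c
Create user w/password <username> -c -p {pass}
Create user w/group <username> -c -g <group>
Create user w/password and group <username> -c {pass} -g <group>

Local DES Mode:
Create basic user <username> -d
Create user w/password <username> -d -p {pass}
Create user w/group <username> -d -g <group>
Create user w/group, no expiry <username> -d -gn <group>
Create user w/password and group <username> -d {pass} -g <group>

PAM Mode:
Create basic user <username> -pam
Create user w/password <username> -pam -p {pass}
Create user w/group <username> -pam -g <group>
Create user w/password and group <username> -pam {pass} -g <group>

Additional Options:
-g displays the list of groups in the $conf file

To delete a user use the tdeluser command:

tdeluser <username>

For debugging and error control all events are reported to $admin_log
EOF
  exit 0
fi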

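# A mode flag in the user position means the user name was omitted
# (e.g. "-s" alone).  The four flags were checked by four identical if
# blocks; one case statement logs the same error for all of them and
# exits non-zero.
case "$1" in
  -s|-c|-d|-pam)
    echo "The user definition is missing"
    echo "$(date +%b-%d) ERROR the user definition is missing" >> "$admin_log"
    exit 1
    ;;
esac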


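# Provide group listing
#
# Stream the matching lines straight to stdout.  The original appended
# them to the fixed path /var/tmp/gout and then removed it: a file or
# symlink already present there (a world-writable directory) would be
# written through with this script's privileges, and any stale content
# would be shown as if it were current.  The configured $conf is read
# instead of a second hard-coded copy of its path.
if [ "$1" = "-g" ]
then
  grep "group =" -- "$conf"
  exit 0
fi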


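# Error Checking: to see if a password method has been defined
#
# Exits non-zero so a caller can tell this apart from success.
if [ "$2" = "" ]
then
  echo "A password method needs to be defined."
  echo "$(date +%b-%d) ERROR no password method was defined" >> "$admin_log"
  exit 1
fi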

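# Error Checking: validate the user name and see if the user exists
#
# The name is written into the tac_plus config, handed to adduser and
# passwd, and used to search the config, so restrict it to a plain token
# (letters, digits, '.', '_' and '-', not starting with '-') before it is
# used anywhere.
case "$user" in
  -*|*[!A-Za-z0-9._-]*)
    echo "The user name may only contain letters, digits, '.', '_' and '-', and may not start with '-'"
    echo "$(date +%b-%d) ERROR invalid user name" >> "$admin_log"
    exit 1
    ;;
esac

# Look for an existing "user = <name> {" stanza in $conf.  Comparing
# whole tokens with awk replaces 'grep -c "$user"', which treated the name
# as a regular expression and matched it as a substring of any line (so
# "bob" collided with "bobby", and with any group or comment mentioning
# it), and which staged the count in the fixed, predictable path
# /tmp/test.  The field layout assumes the "user = name {" spacing this
# script itself writes.
if awk -v u="$user" '
    $1 == "user" && $2 == "=" {
      n = $3
      sub(/[{]$/, "", n)
      if (n == u) found = 1
    }
    END { exit !found }' "$conf"
then
  echo "This user exists"
  echo "$(date +%b-%d) ERROR the user $user exists" >> "$admin_log"
  exit 1
fi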

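# Adding the user to the tac_plus configuration file
#
# Only open the stanza for a method that one of the rule sections below
# will complete.  The original wrote " user = <name> {" before checking
# the method, so an unknown method left a dangling, unclosed stanza in
# $conf.  NOTE(review): an unsupported argument combination for a known
# method still matches no rule and leaves the stanza open in the same way.
case "$2" in
  -d|-s|-c|-pam) ;;
  *)
    echo "Unknown password method: $2"
    echo "$(date +%b-%d) ERROR unknown password method $2" >> "$admin_log"
    exit 1
    ;;
esac

echo "Adding the user to the TACACS+ configuration file....."

echo " user = $user {" >> "$conf"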

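# Local DES rules

# Stanza 1, user = $user {          (already written above)
# Stanza 2, login = des <passwd> or expires "Mmm D YYYY"
# Stanza 3, login = des <passwd> or "#" formatting placeholder
# Stanza 4, member = $grp
# Stanza 5, Creation Date
# Stanza 6, }
#
# Argument layouts (exactly one rule applies; each closes the stanza,
# logs and exits):
#   <user> -d                    default password, one-day expiry, default group
#   <user> -d -p <pass>          given password, default group
#   <user> -d -gn <group>        default password, no expiry, given group
#   <user> -d -g <group>         default password, one-day expiry, given group
#   <user> -d <pass> -g <group>  given password, given group
# Any other layout matches no rule and falls through with the stanza open.
# NOTE(review): a password given on the command line is visible to other
# local users in the process list while this script runs.
if [ "$2" = "-d" ]
then
  # Hash $1 with the host's generate_passwd and keep field 5 of its
  # output, as the original pipeline did.  printf avoids echo's handling
  # of a password that starts with '-' or contains backslashes.
  des_hash() {
    printf '%s\n' "$1" | /usr/sbin/generate_passwd | awk '{print $5}'
  }
  # Tomorrow's date as "Mmm D YYYY".  Letting date roll the calendar
  # replaces the old "%e + 1" arithmetic, which produced invalid dates
  # such as "Jan 32" on the last day of a month.
  # NOTE(review): -d is GNU date syntax; the script already depends on a
  # GNU/Linux userland (passwd --stdin).
  expires_on=$(date -d '+1 day' '+%b %-d %Y')
  created_on=$(date +%b-%d)
  case "$3" in
    "")
      # Rule 1: no password or group definition
      {
        echo " expires = \"$expires_on\""
        echo " login = des $(des_hash "$dpas")"
        echo " member = $dgroup"
        echo "# created on $created_on "
        echo " }"
        echo " "
      } >> "$conf"
      echo "$created_on SUCCESS The user $user was added as a local DES user" >> "$admin_log"
      exit 0
      ;;
    -p)
      # Rule 2: username, password, no group definition
      {
        echo " login = des $(des_hash "$4")"
        echo " #"
        echo " member = $dgroup"
        echo "# created on $created_on "
        echo " }"
        echo " "
      } >> "$conf"
      echo "$created_on SUCCESS The user $user was added as a local DES user" >> "$admin_log"
      exit 0
      ;;
    -gn)
      # Rule 3a: username, no password, group definition, no expiry
      # (the log line previously read "SUCESS")
      {
        echo " login = des $(des_hash "$dpas")"
        echo " #"
        echo " member = $4"
        echo "# created on $created_on "
        echo " }"
        echo " "
      } >> "$conf"
      echo "$created_on SUCCESS The user $user was added as a local DES user" >> "$admin_log"
      exit 0
      ;;
    -g)
      # Rule 3b: username, no password, group definition, one-day expiry
      {
        echo " expires = \"$expires_on\""
        echo " login = des $(des_hash "$dpas")"
        echo " member = $4"
        echo "# created on $created_on "
        echo " }"
        echo " "
      } >> "$conf"
      echo "$created_on SUCCESS The user $user was added as a local DES user" >> "$admin_log"
      exit 0
      ;;
    *)
      # Rule 4: username w/password & group definition.  The password is
      # $3, as the help text and the cleartext/PAM rule 4 have it; the
      # original hashed $dpas here and silently ignored the given one.
      if [ "$4" = "-g" ]
      then
        {
          echo " login = des $(des_hash "$3")"
          echo " #"
          echo " member = $5"
          echo "# created on $created_on "
          echo " }"
          echo " "
        } >> "$conf"
        echo "$created_on SUCCESS The user $user was added as a local DES user" >> "$admin_log"
        exit 0
      fi
      ;;
  esac
fi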



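# S/Key password method rules

# Stanza 1, user = $user {          (already written above)
# Stanza 2, login = skey
# Stanza 3, "#" formatting placeholder
# Stanza 4, member = $grp
# Stanza 5, Creation Date
# Stanza 6, }
#
# Argument layouts (each closes the stanza, logs and exits):
#   <user> -s             default group
#   <user> -s -g <group>  given group
# Any other layout matches no rule and falls through with the stanza open.
# The original tested "$2" = "-s" three times (group selection plus two
# rules); one test and a case on $3 cover the same paths.
if [ "$2" = "-s" ]
then
  created_on=$(date +%b-%d)
  case "$3" in
    "")
      # Group selection: no group argument means the default group.
      grp="$dgroup"
      {
        echo " login = skey"
        echo " #"
        echo " member = $grp"
        echo "# created on $created_on "
        echo " }"
        echo ""
      } >> "$conf"
      echo "$created_on SUCCESS The user $user was added as a S/Key user" >> "$admin_log"
      exit 0
      ;;
    -g)
      {
        echo " login = skey"
        echo " #"
        echo " member = $4"
        echo "# created on $created_on "
        echo " }"
        echo ""
      } >> "$conf"
      echo "$created_on SUCCESS The user $user was added as a S/Key user" >> "$admin_log"
      exit 0
      ;;
  esac
fi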

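# Cleartext password method rules

# Stanza 1, user = $user {          (already written above)
# Stanza 2, password expiry, or "#" formatting placeholder
# Stanza 3, login = cleartext password
# Stanza 4, member = $grp
# Stanza 5, Creation Date
# Stanza 6, }
#
# Argument layouts (each closes the stanza, logs and exits):
#   <user> -c                    default password, one-day expiry, default group
#   <user> -c -p <pass>          given password, default group
#   <user> -c -g <group>         default password, one-day expiry, given group
#   <user> -c <pass> -g <group>  given password, given group
# Any other layout matches no rule and falls through with the stanza open.
# NOTE(review): the password is stored in $conf in the clear and, when
# given on the command line, is visible in the process list meanwhile.
if [ "$2" = "-c" ]
then
  # Group selection (grp is a script-level variable, as before).
  if [ "$4" = "" ]
  then
    grp="$dgroup"
  else
    grp=$4
  fi
  # Tomorrow's date as "Mmm D YYYY".  Letting date roll the calendar
  # replaces the old "%e + 1" arithmetic, which produced invalid dates
  # such as "Jan 32" on the last day of a month.
  # NOTE(review): -d is GNU date syntax; the script already depends on a
  # GNU/Linux userland (passwd --stdin).
  expires_on=$(date -d '+1 day' '+%b %-d %Y')
  created_on=$(date +%b-%d)
  case "$3" in
    "")
      # Rule 1: no password, no group provided - password expires in one day
      {
        echo " expires = \"$expires_on\""
        echo " login = cleartext $dpas "
        echo " member = $grp"
        echo "# created on $created_on "
        echo " }"
        echo ""
      } >> "$conf"
      echo "$created_on SUCCESS The user $user was added as a cleartext user" >> "$admin_log"
      exit 0
      ;;
    -p)
      # Rule 2: password, no group provided
      {
        echo " #"
        echo "login = cleartext $4 "
        echo " member = $dgroup"
        echo "# created on $created_on "
        echo " }"
        echo ""
      } >> "$conf"
      echo "$created_on SUCCESS The user $user was added as a cleartext user" >> "$admin_log"
      exit 0
      ;;
    -g)
      # Rule 3: no password, with group definition - password expires in
      # one day.  The expiry value is quoted like every other expires
      # line written by this script; the original wrote this one bare,
      # so the value was not a single token.
      {
        echo " expires = \"$expires_on\""
        echo " login = cleartext $dpas "
        echo " member = $4"
        echo "# created on $created_on "
        echo " }"
        echo " "
      } >> "$conf"
      echo "$created_on SUCCESS The user $user was added as a cleartext user" >> "$admin_log"
      exit 0
      ;;
    *)
      # Rule 4: password and group definition
      if [ "$4" = "-g" ]
      then
        {
          echo " login = cleartext $3 "
          echo " #"
          echo " member = $5"
          echo "# created on $created_on "
          echo " }"
          echo " "
        } >> "$conf"
        echo "$created_on SUCCESS The user $user was added as a cleartext user" >> "$admin_log"
        exit 0
      fi
      ;;
  esac
fi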

#
# PAM password method rules
#

# Stanza 1, user = $user {
# Stanza 2, login = pam login
# Stanza 3, "#" formatting placeholder
# Stanza 4, member = $grp
# Stanza 5, Creation Date
# Stanza 6, }


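# PAM Group Selection rules and user rules
#
# Argument layouts (each closes the stanza, creates the host account,
# logs and exits):
#   <user> -pam                    default password, default group
#   <user> -pam -p <pass>          given password, default group
#   <user> -pam -g <group>         default password, given group
#   <user> -pam <pass> -g <group>  given password, given group
# Any other layout matches no rule and falls through with the stanza open.
# NOTE(review): a password given on the command line is visible to other
# local users in the process list while this script runs.
if [ "$2" = "-pam" ]
then
  # Group selection, resolved as the original two passes did: "-g" in the
  # 3rd position takes the 4th argument; then an empty 4th argument means
  # the default group and "-g" in the 4th position takes the 5th.  (The
  # original's second pass ran for every mode, but every other mode has
  # exited by here; it also set grp when $3 was "-pam", a value no rule
  # ever read.)
  if [ "$3" = "-g" ]
  then
    grp=$4
  fi
  if [ "$4" = "" ]
  then
    grp="$dgroup"
  elif [ "$4" = "-g" ]
  then
    grp=$5
  fi

  created_on=$(date +%b-%d)

  # Append the user's stanza to $conf.  $1 = group, $2 = the closing-brace
  # line (rules 1 and 2 wrote " }", rules 3 and 4 "}"; kept as they were).
  pam_stanza() {
    {
      echo " login = pam login"
      echo " #"
      echo " member = $1"
      echo "# created on $created_on "
      echo "$2"
      echo " "
    } >> "$conf"
  }

  # Create the host account $1 with the fixed shell and set its password
  # $2 through passwd --stdin.  Options precede the login name, the order
  # useradd/adduser document.  Returns non-zero if either step fails; the
  # original ignored both statuses and logged SUCCESS regardless.
  pam_account() {
    "$addu" -s "$shel" "$1" || return $?
    printf '%s\n' "$2" | passwd --stdin "$1"
  }

  # Create the account with password $1, log the outcome and exit.  The
  # stanza is already in $conf at this point, so a failed account step is
  # reported (exit 1) rather than rolled back.  The log line names the
  # PAM method; the original said "DES user" here.
  pam_finish() {
    if pam_account "$user" "$1"
    then
      echo "$created_on SUCCESS The user $user was added as a PAM user" >> "$admin_log"
      exit 0
    fi
    echo "Failed to create the host account for $user; its stanza was already written to $conf"
    echo "$created_on ERROR host account creation failed for PAM user $user" >> "$admin_log"
    exit 1
  }

  case "$3" in
    "")
      # PAM Rule 1: username, no password, no group definition
      pam_stanza "$grp" " }"
      pam_finish "$dpas"
      ;;
    -p)
      # PAM Rule 2: username, password, no group definition
      pam_stanza "$dgroup" " }"
      pam_finish "$4"
      ;;
    -g)
      # PAM Rule 3: username, no password, group definition
      pam_stanza "$grp" "}"
      pam_finish "$dpas"
      ;;
    *)
      # PAM Rule 4: username, password and group definition
      if [ "$4" = "-g" ]
      then
        pam_stanza "$grp" "}"
        pam_finish "$3"
      fi
      ;;
  esac
fi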


