# /usr/local/etc/tac_plus.conf user=fred { name = "Fred Flintstone" login = des mEX027bHtzTlQ # Remember that authorization is also recursive over groups, in # the same way that password lookups are recursive. Thus, if you # place a user in a group, the daemon will look in the group for # authorization parameters if it cannot find them in the user # declaration. member = admin expires = "May 23 2005" service = exec { # When Fred starts an exec, his connection access list is 5 acl = 5 # We require this autocmd to be done at startup autocmd = "telnet foo" } # All commands except telnet 131.108.13.* are denied for Fred cmd = telnet { # Fred can run the following telnet command permit 131\.108\.13\.[0-9]+ deny .* } service = ppp protocol = ip { # Fred can run ip over ppp only if he uses one # of the following mandatory addresses If he supplies no # address, the first one here will be mandated addr=131.108.12.11 addr=131.108.12.12 addr=131.108.12.13 addr=131.108.12.14 # Fred's mandatory input access list number is 101 inacl=101 # We will suggest an output access list of 102, but Fred may # choose to ignore or override it optional outacl=102 } service = slip { # Fred can run slip. When he does, he will have to use # these mandatory access lists inacl=101 outacl=102 } # set a timeout in the lcp layer of ppp service = ppp protocol = lcp { timeout = 10 } } user = wilma { # Wilma has no password of her own, but she's a group member so # she'll use the group password if there is one. Same for her # password expiry date member = admin } group = admin { # group members who don't have their own password will be looked # up in /etc/passwd login = file /etc/passwd # group members who have no expiry date set will use this one expires = "Jan 1 1998" }