MarcJHuber / event-driven-servers

A collection of event-driven servers (currently: tac_plus, tac_plus-ng, ftpd, tcprelay)
https://www.pro-bono-publico.de/projects

shell login denied by ACL #101

Closed zhongpingqian closed 3 months ago

zhongpingqian commented 3 months ago

My configuration:

!../../../sbin/tac_plus-ng
# NOTE(review): the interpreter path above is relative (../../../sbin), so it only
# resolves from the directory the file is started from — confirm it points at the
# intended tac_plus-ng binary.

# spawnd: stay in the foreground, listen on port 49, keep between 1 and 32 worker instances.
id = spawnd { background = no listen { port = 49 } spawn { instances min = 1 instances max = 32 } }

# NOTE(review): this tac_plus-ng block (closed by the final "}" at the end of the file)
# contains no "ruleset" statement; per the maintainer's reply rule sets are mandatory in
# -ng, which is why every shell login ends as "shell login denied by ACL".
id = tac_plus-ng { log mysyslog { destination = /var/log/tac_log/access.log } log accesslog { destination = /var/log/tac_log/account.log } log authorlog { destination = /var/log/tac_log/author.log }

# Bind the three log roles to the destinations declared above. Note the naming:
# "accesslog" actually writes account.log and is used as the accounting log, while
# "mysyslog" writes access.log and is the access log — consistent, but easy to misread.
access log = mysyslog
authorization log = authorlog
accounting log = accesslog

# Sample scripts to enforce a password policy:
# Both checks require at least 8 characters (/^........+$/), a digit, a lower-case and
# an upper-case letter; a failing $PASSWORD or $PASSWDNEW gets $RESULT = "NAK" and a
# user-visible reason. NOTE(review): the module type is "null", so presumably nothing
# here authenticates the user — the local "user" entry below is what holds the password.
mavis module passwordpolicy = null {
    script in {
        if (defined $PASSWORD
         && ($PASSWORD !~ /^........+$/ # minimum length
          || $PASSWORD !~ /\d/      # digit
          || $PASSWORD !~ /[a-z]+/  # lower case
          || $PASSWORD !~ /[A-Z]+/  # upper case
           )) {
                set $USER_RESPONSE = "Password is too weak."
                set $RESULT = "NAK"
                return
        }
        if (defined $PASSWDNEW
         && ($PASSWDNEW !~ /^........+$/
          || $PASSWDNEW !~ /\d/
          || $PASSWDNEW !~ /[a-z]+/
          || $PASSWDNEW !~ /[A-Z]+/
           )) {
                set $USER_RESPONSE = "New password is too weak."
                set $RESULT = "NAK"
                return
        }
    }
}
    # NOTE(review): this ACL permits unconditionally, so "password acl" adds no
    # restriction beyond the mavis script above — confirm that is the intent.
    acl password-compliance {
            permit 
    }
    password acl = password-compliance

# Catch-all IPv6 device (::/0) wrapping a catch-all IPv4 device "world".
# NOTE(review): the TACACS+ shared key and the level-15 enable password are stored as
# literal cleartext values; anyone who can read this file (or this issue) has them, so
# they should be rotated and kept out of public reports. A hashed password type would
# avoid keeping the cleartext in the file — check the documentation for supported types.
device ALL {
    address = ::/0

    device world {
        address = 0.0.0.0/0
        welcome banner = "Welcome\n"
        # enable password for privilege level 15, in clear (the literal after "clear")
        enable 15 = clear secret
        # shared secret for every client matching 0.0.0.0/0
        key = "linshikey"
    }
}

# NOTE(review): "*.*.*.*" is not an address or CIDR prefix — presumably redacted for the
# report; the real config needs the device's actual address here. "parent = world"
# presumably inherits from the nested catch-all device above; the key and enable
# password repeat the same cleartext values.
device JL-TEST-CR {
    address = *.*.*.*
            enable 15 = clear secret
    key = "linshikey"
            parent = world
    welcome banner = "Welcome home\n"
}

# Authorization profile for shell sessions: on device JL-TEST-CR the session gets
# priv-lvl 2 and is permitted; presumably "permit" ends evaluation, so the second
# "permit" applies to every other device, with no priv-lvl set (default presumably
# applies — confirm). Non-shell services fall through without a verdict.
profile JL {
    script {
        if (service == shell) {
            if (device == JL-TEST-CR) {
            set priv-lvl = 2
            permit
            }
            permit
        }
    }
}

    # NOTE(review): "group JL" references JL, but JL is declared above as a profile,
    # not a group — confirm the intended binding (profile assignment vs. group nesting).
    group test {
            group JL
   }

# NOTE(review): the login password is stored in clear ("password login = clear ...") and
# has been posted in this public issue, so treat it as compromised and rotate it.
user test {
    password login = clear Opengoss2025
    member = test
}

# closes "id = tac_plus-ng {" opened at the top of this block
}

zhongpingqian commented 3 months ago

Using this configuration with tac_plus-ng, logging in from the NAS fails with "shell login denied by ACL". Please advise.

MarcJHuber commented 3 months ago

Hi,

your configuration lacks any "ruleset" statements, so it's no surprise that it doesn't work. Please have a closer look at the -ng sample configurations. Rule sets are not optional, but mandatory.

Cheers,

Marc