NAME

Net::TacacsPlus::Packet - Tacacs+ packet object

SYNOPSIS

# construct authentication START packet

$pkt = Net::TacacsPlus::Packet->new(
	#header
	'type' => TAC_PLUS_AUTHEN,
	'seq_no' => 1,
	'flags' => 0,
	'session_id' => $session_id,
	#start
	'action' => TAC_PLUS_AUTHEN_LOGIN,
	'authen_type' => TAC_PLUS_AUTHEN_TYPE_(ASCII|PAP),
	'key' => $secret,
	);


# construct authentication CONTINUE packet

$pkt = Net::TacacsPlus::Packet->new(
	#header
	'type' => TAC_PLUS_AUTHEN,
	'seq_no' => 3,
	'session_id' => $session_id,
	#continue
	'user_msg' => $username,
	'data' => '',
	'key' => $secret,
	);

# construct authentication REPLY packet from received raw packet

$reply = Net::TacacsPlus::Packet->new(
		'type' => TAC_PLUS_AUTHEN,
		'raw' => $raw_reply,
		'key' => $secret,
		);

# construct authorization REQUEST packet

$pkt = Net::TacacsPlus::Packet->new(
	#header
	'type' => TAC_PLUS_AUTHOR,
	'seq_no' => 1,
	'session_id' => $session_id,
	#request
	'user' => $username,
	'args' => $args, # arrayref
	'key' => $secret,
	);

# construct authorization RESPONSE packet from received raw packet

$response = Net::TacacsPlus::Packet->new(
		'type' => TAC_PLUS_AUTHOR,
		'raw' => $raw_reply,
		'key' => $secret,
		);

# construct accounting REQUEST packet

$pkt = Net::TacacsPlus::Packet->new(
	#header
	'type' => TAC_PLUS_ACCT,
	'seq_no' => 1,
	'session_id' => $session_id,
	#request
	'acct_flags' => TAC_PLUS_ACCT_FLAG_*,
	'user' => $username,
	'args' => $args, # arrayref
	'key' => $secret,
	);

# construct accounting REPLY packet from received raw packet

$reply = Net::TacacsPlus::Packet->new(
		'type' => TAC_PLUS_ACCT,
		'raw' => $raw_reply,
		'key' => $secret,
		);

DESCRIPTION

Library to create and manipulate TACACS+ packets. An object can be built either from parameters or from a raw received packet.

AUTHOR

Jozef Kutej <jozef@kutej.net>

Authorization and Accounting contributed by Rubio Vaughan <rubio@passim.net>

VERSION

1.03

SEE ALSO

tac-rfc.1.78.txt, Net::TacacsPlus::Client

METHODS

new( somekey => somevalue )

1. if constructing from parameters, these parameters are needed:

for header:

'type': TAC_PLUS_(AUTHEN|AUTHOR|ACCT)
'seq_no': sequence number
'flags': TAC_PLUS_(UNENCRYPTED_FLAG|SINGLE_CONNECT_FLAG)
'session_id': session id

for authentication START body:

'action': TAC_PLUS_AUTHEN_(LOGIN|CHPASS|SENDPASS|SENDAUTH)
'authen_type': TAC_PLUS_AUTHEN_TYPE_(ASCII|PAP)
'key': encryption key (the shared secret)

for authentication CONTINUE body:

'user_msg': message required by server
'data': data required by server
'key': encryption key (the shared secret)

for authorization REQUEST body:

'user': username
'args': authorization arguments (arrayref)
'key': encryption key (the shared secret)

for accounting REQUEST body:

'acct_flags': TAC_PLUS_ACCT_FLAG_(MORE|START|STOP|WATCHDOG)
'user': username
'args': accounting arguments (arrayref)
'key': encryption key (the shared secret)

2. if constructing from a received raw packet

for AUTHEN reply, AUTHOR response and ACCT reply:

'type': TAC_PLUS_(AUTHEN|AUTHOR|ACCT)
'raw': raw packet
'key': encryption key (the shared secret)

check_reply($snd, $rcv)

Compare the sent packet with the reply received for errors.

$snd - packet object that was sent
$rcv - packet object that was received afterwards

Checks that the sequence number, session id, version and flags of the reply are consistent with those of the sent packet.

decode_reply($raw_pkt)

From the raw packet received, create the reply body object according to the packet type: Net::TacacsPlus::PacketAuthenReplyBody, Net::TacacsPlus::PacketAuthorResponseBody or Net::TacacsPlus::PacketAccountReplyBody.

raw( )

Return the binary representation of the whole packet.

raw_xor_body($data)

XOR $data with the pseudo pad. The operation is symmetric: it obfuscates an outgoing body and de-obfuscates a received one.

compute_pseudo_pad( $sess_id,$key,$version,$seq_no,$length )

Compute the chained MD5 pseudo pad from the parameters, truncated to $length.

pseudo_pad = {MD5_1 [,MD5_2 [ ... ,MD5_n]]} truncated to len(data)

The first MD5 hash is generated by concatenating the session_id, the secret key, the version number and the sequence number and then running MD5 over that stream. Each following hash is computed over the same four values followed by the previous hash (MD5_n = MD5{session_id, key, version, seq_no, MD5_n-1}). All of those input values are available in the cleartext packet header, except for the secret key which is a shared secret between the TACACS+ client and daemon; the pad is therefore only as strong as that secret, and the protocol sends the body in clear when TAC_PLUS_UNENCRYPTED_FLAG is set in the header.
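The pad construction described above, worked through as an added Python example. This is not the module's Perl code; the constants are the protocol's published ones, the session id, secret and sample body in demo() are constructed for illustration, and new_session_id() is a local helper, not a method of this module.

```python
import hashlib
import os

TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body travels in clear, no pad is applied


def compute_pseudo_pad(session_id, key, version, seq_no, length):
    """Chained-MD5 pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenated and
    truncated to `length` bytes. session_id is the 32-bit header field,
    version and seq_no the one-byte header fields, key the shared secret."""
    if isinstance(key, str):
        key = key.encode()
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad = b""
    prev = b""                     # MD5_0 is empty, so the first round hashes only the prefix
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no, flags=0):
    """Obfuscate or de-obfuscate a body; XOR with the pad is its own inverse.
    Honour TAC_PLUS_UNENCRYPTED_FLAG: such bodies are passed through unchanged."""
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return bytes(body)
    pad = compute_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def new_session_id():
    """Fresh random session_id (local helper). Reusing a session_id with the same
    key and seq_no reuses the pad, which lets an observer XOR two bodies together."""
    return int.from_bytes(os.urandom(4), "big")


def demo():
    # constructed values, not taken from a real exchange
    secret = b"tac_secret"
    sid = 0x1234ABCD
    version, seq_no = 0xC0, 1
    body = b"\x01\x01\x01\x01\x05\x09\x00\x00aliceVirtual00"   # a sample START body
    wire = xor_body(body, sid, secret, version, seq_no)
    back = xor_body(wire, sid, secret, version, seq_no)
    wrong = xor_body(wire, sid, b"not_the_secret", version, seq_no)
    return wire != body, back == body, wrong != body


if __name__ == "__main__":
    print(demo())
```

Because the pad depends only on header fields plus the secret, anyone holding the secret (or a weak, guessable one) recovers every body on the wire; the XOR is obfuscation, not encryption, and a random session_id per session is what keeps pads from repeating.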

server_msg( )

returns last server msg

seq_no()

Return packet sequence number.

session_id()

Return packet session id.

version()

Return version from packet header

flags()

Return flags from packet header.

args()

Return arguments returned by server in authorization response packet.

status( )

Return the status of the packet. It is set in REPLY and RESPONSE packets received from the server.

status is one of:

TAC_PLUS_AUTHEN_STATUS_PASS        => 0x01,
TAC_PLUS_AUTHEN_STATUS_FAIL        => 0x02,
TAC_PLUS_AUTHEN_STATUS_GETDATA     => 0x03,
TAC_PLUS_AUTHEN_STATUS_GETUSER     => 0x04,
TAC_PLUS_AUTHEN_STATUS_GETPASS     => 0x05,
TAC_PLUS_AUTHEN_STATUS_RESTART     => 0x06,
TAC_PLUS_AUTHEN_STATUS_ERROR       => 0x07,
TAC_PLUS_AUTHEN_STATUS_FOLLOW      => 0x21,
TAC_PLUS_AUTHOR_STATUS_PASS_ADD    => 0x01,
TAC_PLUS_AUTHOR_STATUS_PASS_REPL   => 0x02,
TAC_PLUS_AUTHOR_STATUS_FAIL        => 0x10,
TAC_PLUS_AUTHOR_STATUS_ERROR       => 0x11,
TAC_PLUS_AUTHOR_STATUS_FOLLOW      => 0x21,
TAC_PLUS_ACCT_STATUS_SUCCESS       => 0x01,
TAC_PLUS_ACCT_STATUS_ERROR         => 0x02,
TAC_PLUS_ACCT_STATUS_FOLLOW        => 0x21,

send()

Send out packet.

NAME

Net::TacacsPlus::PacketHeader

DESCRIPTION

3. The TACACS+ packet header

All TACACS+ packets always begin with the following 12 byte header. The header is always cleartext and describes the remainder of the packet:

 1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8

+----------------+----------------+----------------+----------------+
|major  | minor  |                |                |                |
|version| version|      type      |     seq_no     |   flags        |
+----------------+----------------+----------------+----------------+
|                                                                   |
|                            session_id                             |
+----------------+----------------+----------------+----------------+
|                                                                   |
|                              length                               |
+----------------+----------------+----------------+----------------+
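The 12-byte header above, packed and parsed, together with the consistency test that the check_reply method in the Net::TacacsPlus::Packet section describes (sequence number, session id, version and flags; the type byte is compared as well here). This is an added Python example, not the module's Perl code; MAX_BODY_LEN is a local sanity cap chosen for this example, not a protocol limit.

```python
import struct

HEADER_FMT = "!BBBBII"                    # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes
TAC_PLUS_MAJOR_VER = 0xC                  # major version in the high nibble, minor (0 or 1) in the low
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_ACCT = 0x03
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04
MAX_BODY_LEN = 65535   # local cap (assumption), not a protocol limit: the field is 32 bits wide


def pack_header(ptype, seq_no, session_id, body_len, flags=0, minor_version=0):
    if not 1 <= seq_no <= 255:
        raise ValueError("seq_no is one byte and starts at 1")
    version = (TAC_PLUS_MAJOR_VER << 4) | minor_version
    return struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, body_len)


def unpack_header(raw):
    """Parse the cleartext header and reject anything we would not want to act on."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError(f"unsupported major version {version >> 4:#x}")
    if ptype not in (TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT):
        raise ValueError(f"unknown packet type {ptype:#x}")
    if length > MAX_BODY_LEN:
        raise ValueError(f"declared body length {length} exceeds local cap")
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length}


def split_packet(raw):
    """Return (header, body) only if the declared length matches the bytes present."""
    hdr = unpack_header(raw)
    body = raw[HEADER_LEN:]
    if len(body) != hdr["length"]:
        raise ValueError("body length does not match header length field")
    return hdr, body


def check_reply(sent, received):
    """Mismatches between the header we sent and the reply; an empty list means consistent."""
    problems = []
    if received["session_id"] != sent["session_id"]:
        problems.append("session_id")
    if received["seq_no"] != sent["seq_no"] + 1:     # a reply carries the next sequence number
        problems.append("seq_no")
    if received["version"] != sent["version"]:
        problems.append("version")
    if received["type"] != sent["type"]:
        problems.append("type")
    if (received["flags"] ^ sent["flags"]) & TAC_PLUS_UNENCRYPTED_FLAG:
        problems.append("flags")                      # peer must not switch obfuscation mid-session
    return problems
```

The length check in split_packet matters because the header is the only part a receiver can read before de-obfuscating: a length that disagrees with the bytes received is the first sign of a truncated or tampered packet, and should end the session rather than be silently trimmed.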

METHODS

new( somekey => somevalue)

Construct tacacs+ packet header object

1. if constructing from parameters:

'version': protocol version
'type': TAC_PLUS_(AUTHEN|AUTHOR|ACCT) 
'seq_no': sequence number
'flags': TAC_PLUS_(UNENCRYPTED_FLAG|SINGLE_CONNECT_FLAG)
'session_id': session id

2. if constructing from raw packet

'raw_header': raw packet

decode($raw_data)

Decode $raw_data to version, type, seq_no, flags, session_id, length

raw()

returns raw binary representation of header.

NOTE: the length field of the header holds the body length, so the body must be added (its length known) before the binary header is complete.

seq_no()

Return header sequence number.

session_id()

Return packet session_id.

version()

Return packet version.

flags()

Return packet flags.

type()

Return packet type.

NAME

Net::TacacsPlus::PacketAuthenReplyBody

DESCRIPTION

7. The authentication REPLY packet body

The TACACS+ daemon sends only one type of authentication packet (a REPLY packet) to the client. The REPLY packet body looks as follows:

 1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8

+----------------+----------------+----------------+----------------+
|     status     |      flags     |        server_msg len           |
+----------------+----------------+----------------+----------------+
|           data len              |        server_msg ...
+----------------+----------------+----------------+----------------+
|           data ...
+----------------+----------------+

METHODS

new( somekey => somevalue)

Construct tacacs+ authentication REPLY packet body object

Parameters:

'raw_body': raw body

decode($raw_data)

Extract status, flags, server_msg and data from the raw body.

server_msg()

Return server message.

status()

Return status.

NAME

Net::TacacsPlus::PacketAuthenStartBody

DESCRIPTION

The authentication START packet body

 1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8

+----------------+----------------+----------------+----------------+
|    action      |    priv_lvl    |  authen_type   |     service    |
+----------------+----------------+----------------+----------------+
|    user len    |    port len    |  rem_addr len  |    data len    |
+----------------+----------------+----------------+----------------+
|    user ...
+----------------+----------------+----------------+----------------+
|    port ...
+----------------+----------------+----------------+----------------+
|    rem_addr ...
+----------------+----------------+----------------+----------------+
|    data...
+----------------+----------------+----------------+----------------+

METHODS

new( somekey => somevalue)

Construct tacacs+ authentication START packet body object

Parameters:

action: TAC_PLUS_AUTHEN_(LOGIN|CHPASS|SENDPASS|SENDAUTH)
priv_lvl: TAC_PLUS_PRIV_LVL_*
authen_type: TAC_PLUS_AUTHEN_TYPE_*
service: TAC_PLUS_AUTHEN_SVC_*
user: username
password: password
port: port, default 'Virtual00'
rem_addr: our ip address

raw()

Return binary data of packet body.

NAME

Net::TacacsPlus::PacketAuthenContinueBody

DESCRIPTION

8.  The authentication CONTINUE packet body

This packet is sent from the NAS to the daemon following the receipt of a REPLY packet.


      1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8

     +----------------+----------------+----------------+----------------+
     |          user_msg len           |            data len             |
     +----------------+----------------+----------------+----------------+
     |     flags      |  user_msg ...
     +----------------+----------------+----------------+----------------+
     |    data ...
     +----------------+
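The three authentication bodies documented in this and the two preceding sections (REPLY, START, CONTINUE), encoded and decoded, and driven through one ASCII login. This is an added Python example, not the module's Perl code; the status, type and flag values are the protocol's published ones, the daemon replies are constructed by make_reply_body() rather than received from a server, and ascii_login() is a local helper with no counterpart in the module.

```python
import struct

TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_PRIV_LVL_USER = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02
TAC_PLUS_AUTHEN_STATUS_GETDATA = 0x03
TAC_PLUS_AUTHEN_STATUS_GETUSER = 0x04
TAC_PLUS_AUTHEN_STATUS_GETPASS = 0x05
TAC_PLUS_AUTHEN_STATUS_RESTART = 0x06
TAC_PLUS_AUTHEN_STATUS_ERROR = 0x07
TAC_PLUS_AUTHEN_STATUS_FOLLOW = 0x21
TAC_PLUS_REPLY_FLAG_NOECHO = 0x01      # daemon asks that the answer not be echoed (a password prompt)
TAC_PLUS_CONTINUE_FLAG_ABORT = 0x01
FINAL_STATUSES = {TAC_PLUS_AUTHEN_STATUS_PASS, TAC_PLUS_AUTHEN_STATUS_FAIL,
                  TAC_PLUS_AUTHEN_STATUS_RESTART, TAC_PLUS_AUTHEN_STATUS_ERROR,
                  TAC_PLUS_AUTHEN_STATUS_FOLLOW}


def _check_len(name, value, limit):
    if len(value) > limit:
        raise ValueError(f"{name} is {len(value)} bytes, field allows at most {limit}")


def encode_start_body(action, priv_lvl, authen_type, service, user,
                      port=b"Virtual00", rem_addr=b"", data=b""):
    """START body: 4 fixed bytes, 4 one-byte lengths, then user/port/rem_addr/data.
    For PAP the password goes in `data`; for an ASCII login `data` stays empty and
    the password is sent later in a CONTINUE."""
    for name, value in (("user", user), ("port", port), ("rem_addr", rem_addr), ("data", data)):
        _check_len(name, value, 255)
    fixed = struct.pack("!BBBBBBBB", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def decode_reply_body(body):
    """REPLY body: status, flags, server_msg len (2), data len (2), server_msg, data.
    Both length fields are checked against the bytes actually present."""
    if len(body) < 6:
        raise ValueError("authentication REPLY body shorter than its fixed part")
    status, flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if len(body) != 6 + msg_len + data_len:
        raise ValueError("REPLY length fields do not match the body size")
    return status, flags, body[6:6 + msg_len], body[6 + msg_len:]


def encode_continue_body(user_msg, data=b"", flags=0):
    """CONTINUE body: user_msg len (2), data len (2), flags, user_msg, data."""
    _check_len("user_msg", user_msg, 0xFFFF)
    _check_len("data", data, 0xFFFF)
    return struct.pack("!HHB", len(user_msg), len(data), flags) + user_msg + data


def make_reply_body(status, server_msg=b"", data=b"", flags=0):
    """Build a REPLY body the way a daemon would; used here only to construct sample replies."""
    return struct.pack("!BBHH", status, flags, len(server_msg), len(data)) + server_msg + data


def ascii_login(user, password, replies):
    """Client side of an ASCII login. `replies` yields raw REPLY bodies (constructed,
    not received from a daemon). Returns (final status, bodies the client sent)."""
    sent = [encode_start_body(TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_PRIV_LVL_USER,
                              TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN, user)]
    for body in replies:
        status, flags, server_msg, _ = decode_reply_body(body)
        if status == TAC_PLUS_AUTHEN_STATUS_GETUSER:
            sent.append(encode_continue_body(user))
        elif status == TAC_PLUS_AUTHEN_STATUS_GETPASS:
            sent.append(encode_continue_body(password))
        elif status in FINAL_STATUSES:
            return status, sent
        else:
            # GETDATA or an unknown status: nothing to offer, so abort the session explicitly
            sent.append(encode_continue_body(b"", flags=TAC_PLUS_CONTINUE_FLAG_ABORT))
            return status, sent
    raise ValueError("daemon stopped replying before a final status")
```

The one-byte length fields in START are the practical limit the encoder enforces (a 256-byte user name cannot be expressed, only silently truncated by a careless packer), and the decoder refuses a REPLY whose length fields point past the end of the body instead of reading whatever happens to follow.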

METHODS

new( somekey => somevalue)

Construct tacacs+ authentication CONTINUE packet body object

Parameters:

'user_msg': user message requested by server
'data': data requested by server
'flags': TAC_PLUS_CONTINUE_FLAG_ABORT

raw()

Return binary data of packet body.

NAME

Net::TacacsPlus::PacketAuthorRequestBody

DESCRIPTION

The authorization REQUEST packet body

 1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8

+----------------+----------------+----------------+----------------+
|  authen_method |    priv_lvl    |  authen_type   | authen_service |
+----------------+----------------+----------------+----------------+
|    user len    |    port len    |  rem_addr len  |    arg_cnt     |
+----------------+----------------+----------------+----------------+
|   arg 1 len    |   arg 2 len    |      ...       |   arg N len    |
+----------------+----------------+----------------+----------------+
|   user ...
+----------------+----------------+----------------+----------------+
|   port ...
+----------------+----------------+----------------+----------------+
|   rem_addr ...
+----------------+----------------+----------------+----------------+
|   arg 1 ...
+----------------+----------------+----------------+----------------+
|   arg 2 ...
+----------------+----------------+----------------+----------------+
|   ...
+----------------+----------------+----------------+----------------+
|   arg N ...
+----------------+----------------+----------------+----------------+

METHODS

new( somekey => somevalue)

Construct tacacs+ authorization REQUEST packet body object

Parameters:

authen_method: TAC_PLUS_AUTHEN_METH_*
priv_lvl: TAC_PLUS_PRIV_LVL_*
authen_type: TAC_PLUS_AUTHEN_TYPE_*
service: TAC_PLUS_AUTHEN_SVC_*
user: username
port: port, default 'Virtual00'
rem_addr: our ip address
args: args arrayref

raw()

Return binary data of packet body.

NAME

Net::TacacsPlus::PacketAuthorResponseBody

DESCRIPTION

The authorization RESPONSE packet body

 1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8

+----------------+----------------+----------------+----------------+
|    status      |     arg_cnt    |         server_msg len          |
+----------------+----------------+----------------+----------------+
|            data len             |    arg 1 len   |    arg 2 len   |
+----------------+----------------+----------------+----------------+
|      ...       |   arg N len    |         server_msg ...
+----------------+----------------+----------------+----------------+
|   data ...
+----------------+----------------+----------------+----------------+
|   arg 1 ...
+----------------+----------------+----------------+----------------+
|   arg 2 ...
+----------------+----------------+----------------+----------------+
|   ...
+----------------+----------------+----------------+----------------+
|   arg N ...
+----------------+----------------+----------------+----------------+

METHODS

new( somekey => somevalue)

Construct tacacs+ authorization response body object

Parameters:

'raw_body': raw body

decode($raw_data)

Extract status, server_msg, data and arguments from raw packet.

server_msg()

Return server message.

status()

Return status.

args()

Return arguments returned by server in authorization response packet.

NAME

Net::TacacsPlus::PacketAccountRequestBody

DESCRIPTION

The accounting REQUEST packet body

 1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8

+----------------+----------------+----------------+----------------+
|      flags     |  authen_method |    priv_lvl    |  authen_type   |
+----------------+----------------+----------------+----------------+
| authen_service |    user len    |    port len    |  rem_addr len  |
+----------------+----------------+----------------+----------------+
|    arg_cnt     |   arg 1 len    |   arg 2 len    |      ...       |
+----------------+----------------+----------------+----------------+
|   arg N len    |    user ...
+----------------+----------------+----------------+----------------+
|   port ...
+----------------+----------------+----------------+----------------+
|   rem_addr ...
+----------------+----------------+----------------+----------------+
|   arg 1 ...
+----------------+----------------+----------------+----------------+
|   arg 2 ...
+----------------+----------------+----------------+----------------+
|   ...
+----------------+----------------+----------------+----------------+
|   arg N ...
+----------------+----------------+----------------+----------------+

METHODS

new( somekey => somevalue)

Construct tacacs+ accounting REQUEST packet body object

Parameters:

acct_flags: TAC_PLUS_ACCT_FLAG_*
authen_method: TAC_PLUS_AUTHEN_METH_*
priv_lvl: TAC_PLUS_PRIV_LVL_*
authen_type: TAC_PLUS_AUTHEN_TYPE_*
service: TAC_PLUS_AUTHEN_SVC_*
user: username
port: port, default 'Virtual00'
rem_addr: our ip address
args: args arrayref

raw()

Return binary data of packet body.

NAME

Net::TacacsPlus::PacketAccountReplyBody

DESCRIPTION

The accounting REPLY packet body

The response to an accounting message is used to indicate that the accounting function on the daemon has completed and securely committed the record. This provides the client the best possible guarantee that the data is indeed logged.



      1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8

     +----------------+----------------+----------------+----------------+
     |         server_msg len          |            data len             |
     +----------------+----------------+----------------+----------------+
     |     status     |         server_msg ...
     +----------------+----------------+----------------+----------------+
     |     data ...
     +----------------+
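The four argument-carrying bodies documented above (authorization REQUEST and RESPONSE, accounting REQUEST and REPLY) share one layout: a fixed prefix, a one-byte arg_cnt, one length byte per argument, then the variable fields. The following added Python example (not the module's Perl code) encodes both requests from one routine, decodes both server bodies with every length checked before use, and applies the PASS_ADD / PASS_REPL semantics of the authorization status. Constant values are the protocol's published ones; effective_args() and the sample arguments are local to this example.

```python
import struct

TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_PRIV_LVL_USER = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_ACCT_FLAG_START = 0x02
TAC_PLUS_ACCT_FLAG_STOP = 0x04
TAC_PLUS_ACCT_FLAG_WATCHDOG = 0x08
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10
TAC_PLUS_ACCT_STATUS_SUCCESS = 0x01


def _arg_table(args):
    """One-byte arg_cnt plus one length byte per argument, and the joined values.
    Every argument is attr=value (mandatory) or attr*value (optional)."""
    if len(args) > 255:
        raise ValueError("at most 255 arguments fit in arg_cnt")
    for arg in args:
        if len(arg) > 255:
            raise ValueError(f"argument {arg[:20]!r} exceeds 255 bytes")
        if b"=" not in arg and b"*" not in arg:
            raise ValueError(f"argument {arg!r} has no = or * separator")
    return bytes([len(args)]) + bytes(len(a) for a in args), b"".join(args)


def encode_author_request(user, args, port=b"Virtual00", rem_addr=b"",
                          authen_method=TAC_PLUS_AUTHEN_METH_TACACSPLUS,
                          priv_lvl=TAC_PLUS_PRIV_LVL_USER,
                          authen_type=TAC_PLUS_AUTHEN_TYPE_ASCII,
                          service=TAC_PLUS_AUTHEN_SVC_LOGIN):
    """Authorization REQUEST body in the layout shown above."""
    for name, value in (("user", user), ("port", port), ("rem_addr", rem_addr)):
        if len(value) > 255:
            raise ValueError(f"{name} exceeds 255 bytes")
    lens, values = _arg_table(args)
    fixed = struct.pack("!BBBBBBB", authen_method, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr))
    return fixed + lens + user + port + rem_addr + values


def encode_acct_request(acct_flags, user, args, **kw):
    """Accounting REQUEST body: the authorization layout with a flags byte in front."""
    return bytes([acct_flags]) + encode_author_request(user, args, **kw)


def decode_author_response(body):
    """Authorization RESPONSE body; every length is validated before it becomes an offset."""
    if len(body) < 6:
        raise ValueError("RESPONSE body shorter than its fixed part")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    if len(body) < off + arg_cnt:
        raise ValueError("RESPONSE truncated inside the argument length table")
    arg_lens = list(body[off:off + arg_cnt])
    off += arg_cnt
    if len(body) != off + msg_len + data_len + sum(arg_lens):
        raise ValueError("RESPONSE length fields do not match the body size")
    server_msg = body[off:off + msg_len]
    off += msg_len
    data = body[off:off + data_len]
    off += data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n])
        off += n
    return status, server_msg, data, args


def decode_acct_reply(body):
    """Accounting REPLY body: server_msg len (2), data len (2), status, server_msg, data."""
    if len(body) < 5:
        raise ValueError("accounting REPLY body shorter than its fixed part")
    msg_len, data_len, status = struct.unpack("!HHB", body[:5])
    if len(body) != 5 + msg_len + data_len:
        raise ValueError("accounting REPLY length fields do not match the body size")
    return status, body[5:5 + msg_len], body[5 + msg_len:]


def effective_args(requested, status, returned):
    """Arguments the client may act on after a RESPONSE: PASS_ADD uses the server's
    arguments in addition to the requested ones, PASS_REPL replaces the requested
    ones entirely, any other status grants nothing."""
    if status == TAC_PLUS_AUTHOR_STATUS_PASS_ADD:
        return list(requested) + list(returned)
    if status == TAC_PLUS_AUTHOR_STATUS_PASS_REPL:
        return list(returned)
    return None
```

A client that treats any non-FAIL status as a pass, or that keeps its own requested arguments after a PASS_REPL, grants itself permissions the daemon never approved; effective_args() is the place where that decision has to be made explicitly.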

METHODS

new( somekey => somevalue)

Construct tacacs+ accounting REPLY packet body object

Parameters:

'raw_body': raw body

decode($raw_data)

Extract status, server_msg and data from raw packet.

server_msg()

Return server message.

status()

Return status.

COPYRIGHT AND LICENSE

Copyright (C) 2006 by Jozef Kutej

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.8.4 or, at your option, any later version of Perl 5 you may have available.