Release notes/quasi-documentation for tacshell-0.9 (29 October 2003)

Copyright 2002,2003 Christopher SEKIYA <wileyc@rezrov.net>
portions copyright 1997-2000 by Pawel Krawczyk <kravietz@ceti.pl>
TACACS+ definitions are Copyright (c) 1995-1998 by Cisco Systems, Inc.
ACE/Server is a trademark of RSA Security Inc.

Q) What is tacshell?

A) tacshell is a drop-in replacement for the RSA ACE/Server sdshell program,
   which allows UNIX shell authentication via a SecurID token.

Q) How does tacshell differ from sdshell?

A) tacshell authenticates against an ACE/Server via the Cisco TACACS+ protocol
   whereas sdshell authenticates via a proprietary protocol.

Q) Why would I want to use tacshell instead of sdshell?

A) Several reasons:

   * sdshell authentication breaks when the client is separated from the server
     by NATting (for instance, if the client is in a DMZ).
   * Source code for sdshell is not available, so it cannot be used in
     odd-ball UNIX boxen.
   * tacshell is much smaller than sdshell (~20k versus ~80k).
   * tacshell does not need suid root privileges.
   * tacshell doesn't have any buffer overflows or other nasties :)

Q) What operating systems does tacshell support?

A) I've personally tested it on NetBSD-1.6 and Solaris 2.[68].  In theory it
   should run on any POSIX-compliant system that implements getpass() or
   getpassphrase().

Q) How do I deploy tacshell?

A) Follow these steps (it is assumed that the target machine has a working
   C development environment):

   * ./configure
   * make
   * make install
   * copy /usr/local/etc/tacshell.conf-sample to /usr/local/etc/tacshell.conf
     and edit to suit.
   * edit the password file, making tacshell the target user's shell and
     nulling out their password.
   * ensure that the ACE/Server knows about the client machine.  Machine
     type probably should be "communication server".
   * if per-user shell overrides are desired, place a "shell /path/to/shell"
     directive in ~/.tacshell
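
   The following post-install check script is an added example and is not
   part of the tacshell distribution.  It verifies the state the steps above
   leave behind: the tacshell binary is executable and listed in /etc/shells,
   tacshell.conf is not readable by "other" (it is assumed here to hold the
   TACACS+ shared key), the target user's login shell is tacshell, and any
   ~/.tacshell "shell /path/to/shell" override names a shell in /etc/shells.
   The /usr/local paths, the variable names and the rule that an override is
   only accepted when its path appears in /etc/shells are assumptions of this
   helper; the release notes do not say whether tacshell itself enforces that.

```shell
#!/bin/sh
# Added example, not part of tacshell: post-install preflight check.
# Assumptions (mine, not statements from the release notes):
#   - install prefix is /usr/local (override the variables below if not)
#   - tacshell.conf holds the TACACS+ shared key, so "other" gets no bits
#   - ~/.tacshell contains a line "shell /path/to/shell"; this helper only
#     accepts an override whose path is listed verbatim in /etc/shells
TACSHELL_BIN=${TACSHELL_BIN:-/usr/local/bin/tacshell}
TACSHELL_CONF=${TACSHELL_CONF:-/usr/local/etc/tacshell.conf}
SHELLS_FILE=${SHELLS_FILE:-/etc/shells}

# read_override OVERRIDE_FILE SHELLS_FILE
# Prints the path from the first "shell ..." directive.  Returns 1 if the file
# is unreadable, has no directive, or names a shell not listed in SHELLS_FILE.
read_override() {
    override_file=$1
    shells=$2
    [ -r "$override_file" ] || return 1
    shell_path=$(awk '$1 == "shell" { print $2; exit }' "$override_file")
    [ -n "$shell_path" ] || return 1
    grep -Fqx "$shell_path" "$shells" || return 1
    printf '%s\n' "$shell_path"
}

# check_conf CONF_FILE
# Returns 0 only if CONF_FILE exists and the "other" rwx triplet
# (columns 8-10 of ls -l output) is completely clear.
check_conf() {
    conf=$1
    [ -f "$conf" ] || return 1
    case $(ls -ld "$conf" | cut -c8-10) in
        ---) return 0 ;;
        *)   return 1 ;;
    esac
}

# is_permitted_shell SHELL_PATH SHELLS_FILE
# Returns 0 if SHELL_PATH is executable and listed verbatim in SHELLS_FILE.
is_permitted_shell() {
    [ -x "$1" ] && grep -Fqx "$1" "$2"
}

# preflight USER
# Runs every check for one account, reports each, returns 1 if any failed.
preflight() {
    user=$1
    status=0

    if is_permitted_shell "$TACSHELL_BIN" "$SHELLS_FILE"; then
        echo "ok:   $TACSHELL_BIN is executable and listed in $SHELLS_FILE"
    else
        echo "FAIL: $TACSHELL_BIN missing, not executable, or not in $SHELLS_FILE"
        status=1
    fi

    if check_conf "$TACSHELL_CONF"; then
        echo "ok:   $TACSHELL_CONF exists and is not readable by other"
    else
        echo "FAIL: $TACSHELL_CONF missing or readable by other"
        status=1
    fi

    entry=$(getent passwd "$user") || { echo "FAIL: no passwd entry for $user"; return 1; }
    login_shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    home_dir=$(printf '%s\n' "$entry" | cut -d: -f6)
    if [ "$login_shell" = "$TACSHELL_BIN" ]; then
        echo "ok:   $user logs in through $TACSHELL_BIN"
    else
        echo "FAIL: $user login shell is '$login_shell', expected $TACSHELL_BIN"
        status=1
    fi

    if [ -r "$home_dir/.tacshell" ]; then
        if override=$(read_override "$home_dir/.tacshell" "$SHELLS_FILE"); then
            echo "ok:   per-user override resolves to $override"
        else
            echo "FAIL: $home_dir/.tacshell names a shell not listed in $SHELLS_FILE"
            status=1
        fi
    else
        echo "info: no per-user override for $user"
    fi

    return $status
}

# Usage: sh tacshell-preflight.sh USER [USER ...]
for u in "$@"; do
    preflight "$u"
done
```

   Run it as root after "make install" for each account you switched to
   tacshell; a non-zero exit means at least one check failed and the account
   should not be relied on for SecurID-gated logins until it is fixed.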

Q) tacshell doesn't work with openssh and solaris!  What's wrong?

A) You've probably configured tacshell's user shell to be bash _and_ you're
   using the Sun-supplied bash package (i.e., bash-2.03).  This version tests
   stdin/stdout -- if they aren't a socket, bash assumes that it is a
   non-interactive shell and effectively hangs.  The solution is to use a newer
   version of bash.

Q) Why so many copyright notices?

A) tacshell started life as tacc-1.6.5, written by Pawel Krawczyk.  The
   TACACS+ protocol implementation in tacc was _extremely_ suboptimal (read:
   was terribly sick and wrong), so a project that originally started as a
   quick code retrofit was transformed into what amounted to a complete
   rewrite.  Some of Pawel's code is intact, so I preserved his copyright.

Q) So what license is the code under?

A) GPL :)
