Question about minimal tacacs integration in newer klish


Dharmik

Dec 25, 2025, 6:01:55 AM (2 days ago) Dec 25
to klish

hi all,

I'm pretty new to klish and have mostly been tinkering with the older klish 2.2 that ships on OpenWrt devices. Until recently I didn't really realize how much the architecture has changed in the newer versions.

I've started playing around with newer klish now and was wondering how a minimal TACACS (or TACACS-like) integration is expected to look in the current architecture (with the older one it looked a lot more complicated, but with klishd it looks possible and a lot simpler).

mostly trying to understand:

  • where auth / authorization would typically live now
  • what a minimal setup would look like (even conceptually)
  • whether this is usually done via a daemon / hooks, and how logging would fit in in a production environment.

I am still exploring the architecture and understanding things. Any help would be nice.

thanks,

dharmik

Serj Kalichev

Dec 25, 2025, 9:48:22 AM (2 days ago) Dec 25
to kl...@googlegroups.com
Hi

The KTP (Klish Transfer Protocol, the protocol between the klish client and klishd) has a mandatory "auth" phase, but the current implementation is simplified. Currently it is assumed that klishd listens on a UNIX domain socket and the client connects to it. klishd can get the peer's UID from the UNIX socket, so the client is executed on the same system as klishd.

In my opinion, if you use the klish utility as a client you don't need complex auth integrated in klishd, because the network auth can be performed by third-party software. SSH has some TACACS support. So the user connects to the system via ssh (using TACACS) and then executes the klish utility.

If the client is not klish or another console utility, and the client is located on a different computer than klishd, complex auth may be needed. klishd is not ready for that now. It listens on a UNIX socket and has no auth other than getting the peer's UID from the socket. But you can try to patch it to support another method.