<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd">
<html><head><meta name="qrichtext" content="1" /><style type="text/css">
p, li { white-space: pre-wrap; }
</style></head><body style=" font-family:'DejaVu Sans'; font-size:9pt; font-weight:400; font-style:normal;">
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Hello,</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">I read the changelog for .15 but didn't see anything concerning my particular problem, so I didn't want to upgrade yet, because it's rather bothersome.</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"></p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Now to the problem. I use a before-authorization bash script to determine whether a host is an HP or some other switch, which has different priv-lvls from Cisco. The trouble is that the script returns 1 most of the time, although it should return 2, as you can see:</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><span style=" font-style:italic;">#!/bin/sh</span></p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0; font-style:italic;">if grep -q "^$2\$" /etc/tac-plus/hosts.txt ; then</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0; font-style:italic;">    echo priv-lvl=3</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0; font-style:italic;">else</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0; font-style:italic;">    echo priv-lvl=15</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0; font-style:italic;">fi</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0; font-style:italic;">exit 2</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0; font-style:italic;"></p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">The weird thing is that the script works fine when I run it manually, even as the tacacs user. Sometimes it also returns 2 when run by the tacacs daemon, so users must try to log in 5, maybe 6, times before they get authenticated. So, am I doing something wrong, or is it a problem with tacacs? Almost forgot: I'm using Debian etch on x86.</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"></p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Log output of daemon:</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"></p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:24 2008 [1797]: cfg_get_value: name=master isuser=1 attr=login rec=1 </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:24 2008 [1797]: cfg_get_pvalue: returns des CSUMml1owULS2 </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:24 2008 [1797]: cfg_get_value: name=master isuser=1 attr=nopassword rec=1 </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:24 2008 [1797]: cfg_get_intvalue: returns 0 </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:24 2008 [1797]: cfg_get_hvalue: name=172.16.108.130 attr=key </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:24 2008 [1797]: cfg_get_hvalue: no host named 172.16.108.130 </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:24 2008 [1797]: cfg_get_phvalue: returns NULL </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1797]: cfg_get_hvalue: name=172.16.108.130 attr=key </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1797]: cfg_get_hvalue: no host named 172.16.108.130 </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1797]: cfg_get_phvalue: returns NULL </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1797]: cfg_get_value: name=master isuser=1 attr=time rec=1 </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1797]: cfg_get_pvalue: returns NULL </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1797]: cfg_get_value: name=master isuser=1 attr=login rec=1 </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1797]: cfg_get_pvalue: returns des CSUMml1owULS2 </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1797]: verify Mypassword CSUMml1owULS2 </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1797]: Mypassword encrypts to CSUMml1owULS2 </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1797]: Password is correct </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1797]: cfg_get_value: name=master isuser=1 attr=expires rec=1 </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1797]: cfg_get_pvalue: returns NULL </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1797]: Password has not expired &lt;no expiry date set&gt; </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1797]: login query for 'master' tty1 from 172.16.108.130 accepted </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1797]: cfg_get_hvalue: name=172.16.108.130 attr=key </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1797]: cfg_get_hvalue: no host named 172.16.108.130 </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1797]: cfg_get_phvalue: returns NULL </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1799]: cfg_get_hvalue: name=172.16.108.130 attr=key </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1799]: cfg_get_hvalue: no host named 172.16.108.130 </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1799]: cfg_get_phvalue: returns NULL </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1799]: Start authorization request </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1799]: cfg_get_value: name=master isuser=1 attr=before rec=1 </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1799]: cfg_get_pvalue: returns /bin/bash /etc/tac-plus/hp-exec.sh $user $name</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1799]: Before authorization call: /bin/bash /etc/tac-plus/hp-exec.sh $user $name</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1799]: substitute: /bin/bash /etc/tac-plus/hp-exec.sh $user $name </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1799]: Dollar substitution: /bin/bash /etc/tac-plus/hp-exec.sh master 172.16.108.130</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1799]: input service=shell </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1799]: input cmd* </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1799]: Error 172.16.108.130: Process write failure </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1799]: cmd /bin/bash /etc/tac-plus/hp-exec.sh $user $name returns 1 (unconditional deny)</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1799]: cfg_get_hvalue: name=172.16.108.130 attr=key </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1799]: cfg_get_hvalue: no host named 172.16.108.130 </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1799]: cfg_get_phvalue: returns NULL </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Mon Sep 8 11:09:27 2008 [1799]: authorization query for 'master' tty1 from 172.16.108.130 rejected</p>
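<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Added example, not part of the original post or of tac_plus itself: a variant of the helper above that reads the AV pairs the daemon sends on standard input before answering. It assumes the "Process write failure" in the log comes from the helper exiting before that write completes; the hp_exec function name and the HOSTS_FILE override are hypothetical, introduced here for testing. It also matches the NAS address as a fixed whole line and denies (status 1) when the host list is unreadable, instead of falling through to priv-lvl=15.</p>

```shell
#!/bin/sh
# Added example, not the poster's script. Exit codes follow the post and its
# log: 2 = accept and use the AV pairs printed here, 1 = unconditional deny.

# Path from the post; the environment override is an assumption for testing.
HOSTS_FILE="${HOSTS_FILE:-/etc/tac-plus/hosts.txt}"

# hp_exec USER NAS   (the "$user $name" arguments shown in the log)
hp_exec() {
    nas="$2"

    # Read everything the daemon writes on stdin (the "input service=shell",
    # "input cmd*" lines in the log) so its write cannot hit a closed pipe.
    while IFS= read -r _pair; do
        :   # pairs are not needed for this decision, only consumed
    done

    # Fail closed: no address or no readable host list means deny,
    # rather than dropping into the priv-lvl=15 branch.
    [ -n "$nas" ] || return 1
    [ -r "$HOSTS_FILE" ] || return 1

    # -x whole-line match, -F fixed string: the dots in an IP address are
    # literal, unlike in the regex form "^$2\$".
    if grep -qxF -- "$nas" "$HOSTS_FILE"; then
        echo "priv-lvl=3"     # host is listed (HP in the post)
    else
        echo "priv-lvl=15"    # any other switch
    fi
    return 2
}

# Run as a script only when installed under the name the daemon calls.
case "${0##*/}" in
    hp-exec.sh) hp_exec "$@"; exit "$?" ;;
esac
```

<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">When testing by hand, pipe something into the script or redirect standard input from /dev/null; otherwise it waits for end of input on the terminal.</p>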
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0; font-style:italic;"></p></body></html>