From heas at shrubbery.net Fri Dec 1 20:10:10 2006 
From: heas at shrubbery.net (john heasley)
Date: Fri, 1 Dec 2006 12:10:10 -0800
Subject: [tac_plus] [limseng: Re: Tac_plus & PAM]
Message-ID: <20061201201010.GA17717@shrubbery.net>

For posterity...

----- Forwarded message from Lim Seng -----

Thanks, that worked too, but the logs are complaining a lot about
deprecated pam_stack calls. I figured that just a simple line,

#%PAM-1.0
auth include system-auth

allows PAM to work just fine with tac_plus. It doesn't lock out userids
after 3 failed attempts though I have configured system-auth to do so;
guess I'll look that up in PAM. However, thanks for the help though =)

Cheers,
Lim Seng

>Thu, Nov 30, 2006 at 03:15:05PM +0800, Lim Seng:
>> Hi,
>>
>> I have edited the configuration to the following:
>>
>> group = admin {
>>     login = PAM
>> }
>>
>> user = testuser1 {
>>     default service = permit
>>     member = admin
>> }
>>
>> When I type in the username, immediately I get "% Authentication
>> Failure", without it even prompting me for a password. Is there a
>> certain mandatory parameter that should have been inside? I manned
>> through tac_plus.conf.5, and it looks like simply this configuration
>> will just work.
>>
>> Appreciate any advice once again, thanks a lot
>
>Did you configure PAM itself? This is what I used to test:
>
>linucks [2] cat /etc/pam.d/tac_plus
>#%PAM-1.0
>auth     required pam_stack.so service=system-auth
>account  required pam_stack.so service=system-auth
>password required pam_stack.so service=system-auth
>session  required pam_limits.so
>
>
>> Cheers,
>> Lim Seng
>>
>>
>> On 11/25/06
>> >
>> >Fri, Nov 24, 2006 at 04:22:33PM +0800, Lim Seng:
>> >> Dear Sir,
>> >>
>> >> I have found RANCID to be a very interesting and useful software, and
>> >> I am currently using it to backup my network devices. Due to my
>> >> positive experience with RANCID, I decided to try out tac_plus by
>> >> Shrubbery too, seeing that your version comes with PAM authentication
>> >> support as well. I am glad to say everything works fine, but I'd like
>> >> advice on the particular issue between tac_plus and PAM if possible.
>> >>
>> >> I am currently using:
>> >>
>> >> Fedora Core 6
>> >> uname -r : 2.6.18-1.2849.fc6
>> >>
>> >> I have compiled and installed tacacs+-F4.0.4.13, authenticating
>> >> primarily from /etc/passwd. What I'd like to achieve is to set a
>> >> system wide login attempts of 3, and lockout any user account except
>> >> root in PAM. My system already has that policy set, but I'd like to
>> >> apply this policy to tacacs as well. I have tried to set the
>> >> authentication method to pam but it doesn't work, please see my
>> >> config:
>> >>
>> >> ---------------------------------Start of Config-------------------------------------------
>> >> key = examplekey
>> >>
>> >> # Use /etc/passwd file to do authentication
>> >>
>> >> default authentication = file /etc/passwd
>> >>
>> >> # Now tacacs+ also use default PAM authentication
>> >> #default authentication = pam system-auth   ####Tried to set to PAM
>> >> authentication method but no go here.
>> >>
>> >> # Accounting records log file
>> >>
>> >> accounting file = /var/log/tac_acc.log
>> >>
>> >> #All services are allowed..
>> >>
>> >> user = $enable$ {
>> >>     login = cleartext "iamenabled"
>> >> }
>> >>
>> >> group = admin {
>> >>     service = exec {
>> >>         default attribute = permit
>> >>         priv-lvl = 1
>> >>     }
>> >> }
>> >>
>> >> user = tester1 {
>> >>     name = "tester1"
>> >>     member = testadmin
>> >> }
>> >>
>> >> ---------------------------------End of Config-------------------------------------------
>> >>
>> >> I have read through the INSTALL/users guide/FAQ file and tac_plus.h
>> >> in the source code for further clues but I still can't get it right.
>> >> I did not input any special configuration prefixes during compilation
>> >> phase:
>> >
>> >In order for tac_plus to query/use PAM, you must configure those users
>> >or groups to do so. See tac_plus.conf(5) top-level directive user and
>> >follow the relationship to user_attr, to login, then password_spec. eg:
>> >
>> >group = admin {
>> >    login = PAM
>> >....
>> >
>> >> ./configure --prefix=/usr/local/tacplus
>> >>
>> >> If the information provided is not sufficient I'll be glad to provide
>> >> more, looking forward to your advice.
>> >>
>> >> Cheers,
>> >> Lim Seng
From: Lance.Vermilion at bestwestern.com (Vermilion, Lance)
Date: Fri, 1 Dec 2006 15:11:07 -0700
Subject: [tac_plus] Possible Bug in tacacs+-F4.0.4.10

All,

I am hoping someone can point me in the right direction or already have
a fix for this.

I have tacacs+-F4.0.4.10 which I just downloaded a few days ago.
Everything runs wonderfully; the only problem I have is when I issue a
"kill -SIGHUP " or "kill -SIGUSR1 " as the user running the application,
the application dies and never returns.

The man page says:

    SIGNALS
        If the daemon receives a SIGHUP or SIGUSR1, it will reinitialize
        itself and re-read its configuration file. Note: if an error is
        encountered in the configuration file, the daemon will die.

Misc info:

OS: Suse 9.3
Compile Options: -with-libwrap --with-userid= --with-groupid=

*if you prefer here is a tac_plus -v*:

    tac_plus -v
    tac_plus version F4.0.4.10
    ACLS
    FIONBIO
    LIBWRAP
    LINUX
    LITTLE_ENDIAN
    LOG_DAEMON
    PAM
    NO_PWAGE
    REAPCHILD
    REARMSIGNAL
    RETSIGTYPE
    RETSIGTYPE
    SHADOW_PASSWORDS
    SIGTSTP
    SIGTTIN
    SIGTTOU
    SO_REUSEADDR
    STRERROR
    TACPLUS_GROUPID
    TAC_PLUS_PORT
    TACPLUS_USERID
    UENABLE
    __STDC__

Here is my /etc/tacacs/tac_plus.conf

    # Set the key to use for Tacacs+
    key = tacacs_plus

    # Set the account file location.
    accounting file = /var/log/tacacs_plus/tac_plus.acct

    user = testuser {
        login = cleartext abcdef
    }

So I ran a check and everything checks out fine when I run a
"tac_plus -P -C /etc/tacacs/tac_plus.conf".

I start tac_plus the following way.

    sudo /usr/local/bin/tac_plus -C /etc/tacacs/tac_plus.conf

If I check to make sure it is running I see the following:

    ps aux | egrep "tac_plus|PID"
    USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START TIME COMMAND
    tac_plus 27564  0.0  0.0 1912  648 pts/3 S    14:43 0:00 /usr/local/bin/tac_plus -C /etc/tacacs/tac_plus.conf -d 256

If I issue any of the following kill commands I get the same result...
a daemon that never returns.

    kill -SIGHUP 27564
    kill -HUP 27564
    kill -USR1 27564
    kill -SIGUSR1 27564
    kill -1 27564
    kill -10 27564

Any ideas?

Lance Vermilion
Communications System Engineer
Best Western International, Inc. | The World's Largest Hotel Chain(r)
20400 N. 29th Avenue
Phoenix, Arizona 85027
--Contact Info--
Office: 623.780.6637
Mobile: 602.354.6365
eMail: lance.vermilion at bestwestern.com

From: heas at shrubbery.net (john heasley)
Date: Fri, 1 Dec 2006 14:17:51 -0800
Subject: [tac_plus] Re: Possible Bug in tacacs+-F4.0.4.10
Message-ID: <20061201221751.GF18225@shrubbery.net>

Fri, Dec 01, 2006 at 03:11:07PM -0700, Vermilion, Lance:
> If I check to make sure it is running I see the following:
> ps aux | egrep "tac_plus|PID"
> USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START TIME COMMAND
> tac_plus 27564  0.0  0.0 1912  648 pts/3 S    14:43 0:00
> /usr/local/bin/tac_plus -C /etc/tacacs/tac_plus.conf -d 256

Can user 'tac_plus' or its gid(s) read /etc/tacacs/tac_plus.conf?
From: Lance.Vermilion at bestwestern.com (Vermilion, Lance)
Date: Fri, 1 Dec 2006 15:22:38 -0700
Subject: [tac_plus] Re: Possible Bug in tacacs+-F4.0.4.10

John,

You are a life saver. Thank you. I didn't think to look at that. That
fixed me. Is there a way to add a check like that in the code? Make sure
the user has perms to that file and if not error on it?

Lance Vermilion
Communications System Engineer

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Friday, December 01, 2006 3:18 PM
To: Vermilion, Lance
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Possible Bug in tacacs+-F4.0.4.10

Fri, Dec 01, 2006 at 03:11:07PM -0700, Vermilion, Lance:
> If I check to make sure it is running I see the following:
> ps aux | egrep "tac_plus|PID"
> USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START TIME COMMAND
> tac_plus 27564  0.0  0.0 1912  648 pts/3 S    14:43 0:00
> /usr/local/bin/tac_plus -C /etc/tacacs/tac_plus.conf -d 256

Can user 'tac_plus' or its gid(s) read /etc/tacacs/tac_plus.conf?
From: heas at shrubbery.net (john heasley)
Date: Fri, 1 Dec 2006 14:44:24 -0800
Subject: [tac_plus] Re: Possible Bug in tacacs+-F4.0.4.10
Message-ID: <20061201224424.GH18225@shrubbery.net>

Fri, Dec 01, 2006 at 03:22:38PM -0700, Vermilion, Lance:
> John,
>
> You are a life saver. Thank you. I didn't think to look at that. That
> fixed me. Is there a way to add a check like that in the code? Make sure
> the user has perms to that file and if not error on it?

You should have seen two log messages in your syslog; like this:

    if ((cf = fopen(cfile, "r")) == NULL) {
        report(LOG_ERR, "read_config: fopen() error for file %s %s, exiting",
               cfile, strerror(errno));
        return(1);
    }

and another "failure" msg from the signal handler (which technically is
not async safe, but ...).

Or do you mean checking the access during initial configuration parsing?

I suppose that the daemon really does not need to exit if it can't read
the config, but that seems the path of least surprise ["hey, why is that
user still active" - some months after it was removed].
From: heas at shrubbery.net (john heasley)
Date: Fri, 1 Dec 2006 15:11:41 -0800
Subject: [tac_plus] Re: Possible Bug in tacacs+-F4.0.4.10
Message-ID: <20061201231141.GM18225@shrubbery.net>

Fri, Dec 01, 2006 at 04:03:56PM -0700, Vermilion, Lance:
> John,
>
> I didn't see anything like that in my local syslog or remote syslog.

It would occur at HUP-time, not start-up. You really did not get a
message? And you have 'logging = whatever' in your config (daemon
facility is the default)?

> In regards to the permissions on tac_plus.conf I was thinking of
> something like this.
>
> if [ -r /etc/tacacs/tac_plus.conf ]
> then
>     echo "Houston we have touchdown"
> else
>     echo " Houston we have a PROBLEM"
> fi

That is not sufficient, afaik. tac_plus has to be started as root so
that it can open port 49; root shouldn't have a problem reading the
config regardless of its mode. You'd have to create a child process as
the tac_plus user and then do this check.

> I have added it to my tac_plus init file, which is attached if you want
> to redistribute it with the package since there isn't one at the moment.
> That I see.

Someone else creates the linux (and any other o/s) package.
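John's point above is that a `test -r` in an init script runs as root, which reads the file whatever its mode, so it cannot tell you what the daemon will see once it has switched to the tac_plus user; the only check that matches is one made by a process that has already switched. The C program below is an added example, not tac_plus code and not the init script from the thread: it forks a child, drops to the requested uid/gid, tries to open the file, and reports the result to the parent, which keeps its own privileges. The names `readable_as`, `self_check` and the `<config-file> <user>` usage are this example's own. Probing a different user requires starting the program as root; an unprivileged caller can only probe its own identity.

```c
/* Added example (not part of tac_plus): test whether a config file will be
 * readable after the daemon has switched to its unprivileged identity.
 * The probe runs in a forked child that changes uid/gid first, so the
 * parent keeps its privileges and the answer matches what fopen() in the
 * de-privileged daemon would get at HUP-time.
 */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exit codes the probe child uses to report back to the parent. */
enum { PROBE_READABLE = 0, PROBE_UNREADABLE = 1, PROBE_SETID_FAILED = 2 };

/*
 * Return 1 if `path` opens for reading as uid/gid, 0 if it does not,
 * and -1 if the probe itself could not be carried out (fork failed, or
 * the identity switch failed, e.g. a non-root caller asked for another user).
 */
int readable_as(const char *path, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: switch identity only if it differs from our own.
         * Supplementary groups are cleared first (possible only as root),
         * then gid, then uid; uid last because setuid() gives up the
         * right to call setgid(). */
        if (uid != geteuid() || gid != getegid()) {
            if (geteuid() == 0 && setgroups(0, NULL) != 0)
                _exit(PROBE_SETID_FAILED);
            if (setgid(gid) != 0 || setuid(uid) != 0)
                _exit(PROBE_SETID_FAILED);
        }
        /* Really open the file rather than calling access(): access()
         * answers for the real uid, which is not what fopen() will do. */
        int fd = open(path, O_RDONLY);
        if (fd < 0)
            _exit(PROBE_UNREADABLE);
        close(fd);
        _exit(PROBE_READABLE);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case PROBE_READABLE:   return 1;
    case PROBE_UNREADABLE: return 0;
    default:               return -1;
    }
}

/*
 * Self-test on constructed input: a temporary file owned by the caller
 * must be readable as the caller, and a missing path must not be.
 * Returns 1 when both answers are as expected.
 */
int self_check(void)
{
    char tmpl[] = "/tmp/readable_as_XXXXXX";   /* constructed sample file */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return 0;
    close(fd);
    int ok = readable_as(tmpl, getuid(), getgid()) == 1
          && readable_as("/nonexistent/example/tac_plus.conf",
                         getuid(), getgid()) == 0;
    unlink(tmpl);
    return ok;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <config-file> <user>\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[2]);   /* e.g. the tac_plus user */
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", argv[2]);
        return 2;
    }
    int r = readable_as(argv[1], pw->pw_uid, pw->pw_gid);
    if (r == 1)
        printf("%s is readable as %s\n", argv[1], argv[2]);
    else if (r == 0)
        printf("%s is NOT readable as %s; a HUP would kill the daemon\n",
               argv[1], argv[2]);
    else
        fprintf(stderr, "probe failed (run as root to check another user)\n");
    return r == 1 ? 0 : 1;
}
```

Run from the init script as root before the daemon is started, a non-zero exit stops the start with a clear message instead of leaving a daemon that dies on its first HUP. The same fork-and-switch step is what a check inside the daemon's own startup would have to do, since at start-up tac_plus itself is still root.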
From: Lance.Vermilion at bestwestern.com (Vermilion, Lance)
Date: Fri, 1 Dec 2006 16:03:56 -0700
Subject: [tac_plus] Re: Possible Bug in tacacs+-F4.0.4.10

John,

I didn't see anything like that in my local syslog or remote syslog.

In regards to the permissions on tac_plus.conf I was thinking of
something like this.

    if [ -r /etc/tacacs/tac_plus.conf ]
    then
        echo "Houston we have touchdown"
    else
        echo " Houston we have a PROBLEM"
    fi

I have added it to my tac_plus init file, which is attached if you want
to redistribute it with the package since there isn't one at the moment.
That I see.

Lance Vermilion
Communications System Engineer

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Friday, December 01, 2006 3:44 PM
To: Vermilion, Lance
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Possible Bug in tacacs+-F4.0.4.10

Fri, Dec 01, 2006 at 03:22:38PM -0700, Vermilion, Lance:
> John,
>
> You are a life saver. Thank you. I didn't think to look at that. That
> fixed me. Is there a way to add a check like that in the code? Make sure
> the user has perms to that file and if not error on it?

You should have seen two log messages in your syslog; like this:

    if ((cf = fopen(cfile, "r")) == NULL) {
        report(LOG_ERR, "read_config: fopen() error for file %s %s, exiting",
               cfile, strerror(errno));
        return(1);
    }

and another "failure" msg from the signal handler (which technically is
not async safe, but ...).

Or do you mean checking the access during initial configuration parsing?

I suppose that the daemon really does not need to exit if it can't read
the config, but that seems the path of least surprise ["hey, why is that
user still active" - some months after it was removed].

Attachment tac_plus.init.txt:
http://www.shrubbery.net/pipermail/tac_plus/attachments/20061201/5f2ca505/attachment.txt
From: Lance.Vermilion at bestwestern.com (Vermilion, Lance)
Date: Fri, 1 Dec 2006 16:50:10 -0700
Subject: [tac_plus] Re: Possible Bug in tacacs+-F4.0.4.10

John,

Comments inline.

Lance Vermilion
Communications System Engineer

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Friday, December 01, 2006 4:12 PM
To: Vermilion, Lance
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Possible Bug in tacacs+-F4.0.4.10

Fri, Dec 01, 2006 at 04:03:56PM -0700, Vermilion, Lance:
> John,
>
> I didn't see anything like that in my local syslog or remote syslog.

It would occur at HUP-time, not start-up. You really did not get a
message? And you have 'logging = whatever' in your config (daemon
facility is the default)?

[Vermilion, Lance]
My logging was default. But my syslog.conf didn't have anything for
daemon. :(

> In regards to the permissions on tac_plus.conf I was thinking of
> something like this.
>
> if [ -r /etc/tacacs/tac_plus.conf ]
> then
>     echo "Houston we have touchdown"
> else
>     echo " Houston we have a PROBLEM"
> fi

That is not sufficient, afaik. tac_plus has to be started as root so
that it can open port 49; root shouldn't have a problem reading the
config regardless of its mode. You'd have to create a child process as
the tac_plus user and then do this check.

> I have added it to my tac_plus init file, which is attached if you want
> to redistribute it with the package since there isn't one at the moment.
> That I see.

Someone else creates the linux (and any other o/s) package.
From: heas at shrubbery.net (john heasley)
Date: Fri, 1 Dec 2006 20:45:44 -0800
Subject: [tac_plus] Re: Possible Bug in tacacs+-F4.0.4.10
Message-ID: <20061202044544.GC18225@shrubbery.net>

> > I didn't see anything like that in my local syslog or remote syslog.
>
> It would occur at HUP-time, not start-up. You really did not get a
> message? And you have 'logging = whatever' in your config (daemon
> facility is the default)?
>
> [Vermilion, Lance]
> My logging was default. But my syslog.conf didn't have anything for
> daemon. :(

That would indeed make it difficult to see them!
From: limseng at gmail.com (Lim Seng)
Date: Mon, 4 Dec 2006 17:56:58 +0800
Subject: [tac_plus] Re: Tac_plus & PAM
In-Reply-To: <4eccb24c0611301742i2d22fd69xc059a897dc5f44ff@mail.gmail.com>
References: <4eccb24c0611240022w57854408h93d1557e0b728d61@mail.gmail.com>
	<20061125022526.GJ7881@shrubbery.net>
	<4eccb24c0611292315g7696383arfe2873a3bce4b90b@mail.gmail.com>
	<20061130072358.GK18541@shrubbery.net>
	<4eccb24c0611301742i2d22fd69xc059a897dc5f44ff@mail.gmail.com>
Message-ID: <4eccb24c0612040156v33212177l2263faa33c26d6c9@mail.gmail.com>

Hi,

I am having issues with configuring account lockouts on 3 attempts using
faillog and pam_tally, but I am not sure whether there is a parameter
(a.k.a. I didn't RTFM) which has to be added in the configuration for it
to work. I have read through man on AV Pairs, which I thought could solve
the problem, but it didn't seem to help:

My tac_plus file in /etc/pam.d/:

#%PAM-1.0
auth     required pam_tally.so per_user onerr=fail deny=3
auth     required pam_env.so
auth     required pam_unix.so likeauth nullok
account  required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session  required pam_limits.so

And my tac_plus.cfg

group = admin {
    login = PAM
}

user = netadm {
    default service = permit
    member = admin
}

The problem that I have encountered: be it a successful or a failed login
attempt, pam_tally counts it as a failure, but the lockout feature works
fine when it reads that faillog has more than 3 "failed" attempts for
user netadm, albeit those 3 attempts were successful logins.

My /var/log/secure:

Dec  4 15:29:13 maskedhost tac_plus[6974]: pam_tally(tac_plus:auth): user netadm (500) tally 4, deny 3
Dec  4 15:29:15 maskedhost tac_plus[6974]: pam_unix(tac_plus:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=netadm

I have figured that I have probably configured pam_tally to necessarily
do failed login counting and lockout feature. Greatly appreciate your
help thus far, but I am sorry I have to approach for your assistance
once again.

PS: Sorry if you received 2 copies of this mail. It was a re-send.

Cheers,
Lim Seng

On 12/1/06, Lim Seng wrote:
>
> Thanks, that worked too, but the logs are complaining a lot about
> deprecated pam_stack calls. I figured that just a simple line,
>
> #%PAM-1.0
> auth include system-auth
>
> allows PAM to work just fine with tac_plus. It doesn't lock out userids
> after 3 failed attempts though I have configured system-auth to do so;
> guess I'll look that up in PAM. However, thanks for the help though =)
>
> Cheers,
> Lim Seng
>
> On 11/30/06, john heasley wrote:
> >
> > Thu, Nov 30, 2006 at 03:15:05PM +0800, Lim Seng:
> > > Hi,
> > >
> > > I have edited the configuration to the following:
> > >
> > > group = admin {
> > >     login = PAM
> > > }
> > >
> > > user = testuser1 {
> > >     default service = permit
> > >     member = admin
> > > }
> > >
> > > When I type in the username, immediately I get "% Authentication
> > > Failure", without it even prompting me for a password. Is there a
> > > certain mandatory parameter that should have been inside? I manned
> > > through tac_plus.conf.5, and it looks like simply this configuration
> > > will just work.
> > >
> > > Appreciate any advice once again, thanks a lot
> >
> > Did you configure PAM itself? This is what I used to test:
> >
> > linucks [2] cat /etc/pam.d/tac_plus
> > #%PAM-1.0
> > auth     required pam_stack.so service=system-auth
> > account  required pam_stack.so service=system-auth
> > password required pam_stack.so service=system-auth
> > session  required pam_limits.so
> >
> >
> > > Cheers,
> > > Lim Seng
> > >
> > >
> > > On 11/25/06, tac_plus at shrubbery.net wrote:
> > > >
> > > >Fri, Nov 24, 2006 at 04:22:33PM +0800, Lim Seng:
> > > >> Dear Sir,
> > > >>
> > > >> I have found RANCID to be a very interesting and useful software,
> > > >> and I am currently using it to backup my network devices. Due to
> > > >> my positive experience with RANCID, I decided to try out tac_plus
> > > >> by Shrubbery too, seeing that your version comes with PAM
> > > >> authentication support as well. I am glad to say everything works
> > > >> fine, but I'd like advice on the particular issue between tac_plus
> > > >> and PAM if possible.
> > > >>
> > > >> I am currently using:
> > > >>
> > > >> Fedora Core 6
> > > >> uname -r : 2.6.18-1.2849.fc6
> > > >>
> > > >> I have compiled and installed tacacs+-F4.0.4.13, authenticating
> > > >> primarily from /etc/passwd. What I'd like to achieve is to set a
> > > >> system wide login attempts of 3, and lockout any user account
> > > >> except root in PAM. My system already has that policy set, but
> > > >> I'd like to apply this policy to tacacs as well. I have tried to
> > > >> set the authentication method to pam but it doesn't work, please
> > > >> see my config:
> > > >>
> > > >> ---------------------------------Start of Config-------------------------------------------
> > > >> key = examplekey
> > > >>
> > > >> # Use /etc/passwd file to do authentication
> > > >>
> > > >> default authentication = file /etc/passwd
> > > >>
> > > >> # Now tacacs+ also use default PAM authentication
> > > >> #default authentication = pam system-auth   ####Tried to set to PAM
> > > >> authentication method but no go here.
> > > >>
> > > >> # Accounting records log file
> > > >>
> > > >> accounting file = /var/log/tac_acc.log
> > > >>
> > > >> #All services are allowed..
> > > >>
> > > >> user = $enable$ {
> > > >>     login = cleartext "iamenabled"
> > > >> }
> > > >>
> > > >> group = admin {
> > > >>     service = exec {
> > > >>         default attribute = permit
> > > >>         priv-lvl = 1
> > > >>     }
> > > >> }
> > > >>
> > > >> user = tester1 {
> > > >>     name = "tester1"
> > > >>     member = testadmin
> > > >> }
> > > >>
> > > >> ---------------------------------End of Config-------------------------------------------
> > > >>
> > > >> I have read through the INSTALL/users guide/FAQ file and
> > > >> tac_plus.h in the source code for further clues but I still can't
> > > >> get it right. I did not input any special configuration prefixes
> > > >> during compilation phase:
> > > >
> > > >In order for tac_plus to query/use PAM, you must configure those
> > > >users or groups to do so. See tac_plus.conf(5) top-level directive
> > > >user and follow the relationship to user_attr, to login, then
> > > >password_spec. eg:
> > > >
> > > >group = admin {
> > > >    login = PAM
> > > >....
> > > >
> > > >> ./configure --prefix=/usr/local/tacplus
> > > >>
> > > >> If the information provided is not sufficient I'll be glad to
> > > >> provide more, looking forward to your advice.
> > > >>
> > > >> Cheers,
> > > >> Lim Seng
> > > >
> > > >
From: heas at shrubbery.net (john heasley)
Date: Mon, 4 Dec 2006 08:50:24 -0800
Subject: [tac_plus] Re: Tac_plus & PAM
In-Reply-To: <4eccb24c0612040148s273e1a5emee5c4757652d3aa2@mail.gmail.com>
References: <4eccb24c0611240022w57854408h93d1557e0b728d61@mail.gmail.com>
	<20061125022526.GJ7881@shrubbery.net>
	<4eccb24c0611292315g7696383arfe2873a3bce4b90b@mail.gmail.com>
	<20061130072358.GK18541@shrubbery.net>
	<4eccb24c0611301742i2d22fd69xc059a897dc5f44ff@mail.gmail.com>
	<4eccb24c0612040148s273e1a5emee5c4757652d3aa2@mail.gmail.com>
Message-ID: <20061204165024.GC22126@shrubbery.net>

Mon, Dec 04, 2006 at 05:48:29PM +0800, Lim Seng:
> Hi,
>
> I am having issues with configuring account lockouts on 3 attempts using
> faillog and pam_tally, but I am not sure whether there is a parameter
> (a.k.a. I didn't RTFM) which has to be added in the configuration for it
> to work. I have read through man on AV Pairs, which I thought could
> solve the problem, but it didn't seem to help:
>
> My tac_plus file in /etc/pam.d/:
>
> #%PAM-1.0
> auth     required pam_tally.so per_user onerr=fail deny=3
> auth     required pam_env.so
> auth     required pam_unix.so likeauth nullok
> account  required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
> session  required pam_limits.so
>
> And my tac_plus.cfg
>
> group = admin {
>     login = PAM
> }
>
> user = netadm {
>     default service = permit
>     member = admin
> }
>
> The problem that I have encountered: be it a successful or a failed
> login attempt, pam_tally counts it as a failure, but the lockout feature
> works fine when it reads that faillog has more than 3 "failed" attempts
> for user netadm, albeit those 3 attempts were successful logins.
>
> My /var/log/secure:
>
> Dec  4 15:29:13 maskedhost tac_plus[6974]: pam_tally(tac_plus:auth): user netadm (500) tally 4, deny 3
> Dec  4 15:29:15 maskedhost tac_plus[6974]: pam_unix(tac_plus:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=netadm
>
> I have figured that I have probably configured pam_tally to necessarily
> do failed login counting and lockout feature. Greatly appreciate your
> help thus far, but I am sorry I have to approach for your assistance
> once again.

I do not know about pam_tally. This site looks like it might be useful,
as it appears that your configuration might be a little slim:

http://sial.org/howto/linux/pam_tally/

Note that this could be a form of DOS attack; I intentionally try to
login 3 times with the wrong password and your account is locked-out.
From: robl at linx.net (Robert Lister)
Date: Mon, 11 Dec 2006 19:32:08 +0000
Subject: [tac_plus] DEFAULT user option not working?
Message-ID: <20061211193208.GD12223@linx.net>

Hi,

I've been fiddling with your implementation of tac_plus for a while, and
I cannot seem to get the user = DEFAULT option to work correctly. (I have
specified that I want user = DEFAULT to be a member of a group, but that
group does not seem to get applied.)

If I put usernames directly into the config file, it works.

(Ideally what I am trying to do is to have the user AND the group looked
up in the passwd file, and then assign in the tac_plus config what I want
to happen for users in that group, but I don't think tac_plus can do
that: for example if the GID in the passwd file is "103" then have a
corresponding group = 103 entry to tell tac_plus what access that user
should get.)

I'd be grateful if you are able to tell me where I'm going wrong.

I've tried lots of different things in the config file, and I believe I
have done everything right if I understand the man page correctly. I've
tried different passwd files, but I just can't seem to crack it...

My config looks like:

#
# tac_plus configuration
#

key = ""

default authentication = file /linx/tacacs/passwd.remote

acl=all {
    permit = .*
}

acl=collectors {
    permit = ^195\.66\.232\.(254|239|223|247)$
    deny = .*
}


group = test {
    acl = collectors
}


user = fred {
    login = cleartext "crap"
    member = test
}


user = DEFAULT {
    default service = permit
    member = test
    acl = collectors
}


If I try to login as "fred" to a router that is not in the acl, then I
correctly get denied access to the router.

If I try to login as a user listed in the passwd file, then no group
appears to be found, and I get access (where I shouldn't get access, to
a router that's not in the acl.)

It seems the DEFAULT stuff is just being ignored completely?

Here is what happens when I login to a router that I'm not supposed to
be able to login to:

spitfire tacacs # tac_plus -g -d8 -d16 -d32 -d64 -d128 -d256 -C /linx/tacacs/tac_plus.conf
Reading config
Version F4.0.4.13 Initialized 1
tac_plus server F4.0.4.13 starting
uid=0 euid=0 gid=0 egid=0 s=4
session.peerip is 195.66.232.230
session request from 195.66.232.230 sock=5
connect from 195.66.232.230 [195.66.232.230]
Waiting for packet
cfg_get_hvalue: name=195.66.232.230 attr=key
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL
Read AUTHEN/START size=37
validation request from 195.66.232.230
PACKET: key=
version 192 (0xc0), type 1, seq no 1, encryption 1
session_id 4208708661 (0xfadbcc35), Data length 25 (0x19)
End header
type=AUTHEN/START, priv_lvl = 1
action=login
authen_type=ascii
service=login
user_len=0 port_len=4 (0x4), rem_addr_len=13 (0xd)
data_len=0
User:
port: tty2
rem_addr: 195.66.232.38
data:
End packet
Authen Start request
choose_authen returns 1
cfg_get_hvalue: name=195.66.232.230 attr=prompt
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL
Writing AUTHEN/GETUSER size=55
PACKET: key=
version 192 (0xc0), type 1, seq no 2, encryption 1
session_id 4208708661 (0xfadbcc35), Data length 43 (0x2b)
End header
type=AUTHEN status=4 (AUTHEN/GETUSER) flags=0x0
msg_len=37, data_len=0
msg: 0xa User Access Verification 0xa 0xa Username:
data:
End packet
cfg_get_hvalue: name=195.66.232.230 attr=key
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL
Waiting for packet
cfg_get_hvalue: name=195.66.232.230 attr=key
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL
Read AUTHEN/CONT size=21
PACKET: key=
version 192 (0xc0), type 1, seq no 3, encryption 1
session_id 4208708661 (0xfadbcc35), Data length 9 (0x9)
End header
type=AUTHEN/CONT user_msg_len 4 (0x4), user_data_len 0 (0x0) flags=0x0
User msg: robl
User data:
End packet
cfg_get_value: name=robl isuser=1 attr=login rec=1
cfg_get_value: no user/group named robl
cfg_get_pvalue: returns NULL
choose_authen chose default_fn
Calling authentication function
cfg_get_value: name=robl isuser=1 attr=nopassword rec=1
cfg_get_value: no user/group named robl
cfg_get_intvalue: returns 0
cfg_get_value: name=robl isuser=1 attr=login rec=1
cfg_get_value: no user/group named robl
cfg_get_pvalue: returns NULL
Writing AUTHEN/GETPASS size=28
PACKET: key=
version 192 (0xc0), type 1, seq no 4, encryption 1
session_id 4208708661 (0xfadbcc35), Data length 16 (0x10)
End header
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=10, data_len=0
msg: Password:
data:
End packet
cfg_get_hvalue: name=195.66.232.230 attr=key
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL
Waiting for packet
cfg_get_hvalue: name=195.66.232.230 attr=key
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL
Read AUTHEN/CONT size=25
PACKET: key=
version 192 (0xc0), type 1, seq no 5, encryption 1
session_id 4208708661 (0xfadbcc35), Data length 13 (0xd)
End header
type=AUTHEN/CONT user_msg_len 8 (0x8), user_data_len 0 (0x0) flags=0x0
User msg:
User data:
End packet
cfg_get_value: name=robl isuser=1 attr=login rec=1
cfg_get_value: no user/group named robl
cfg_get_pvalue: returns NULL
cfg_get_value: name=robl isuser=1 attr=global rec=1
cfg_get_value: no user/group named robl
cfg_get_pvalue: returns NULL
tac_passwd_lookup: open /linx/tacacs/passwd.remote 6
tac_passwd_lookup: close /linx/tacacs/passwd.remote 6
verify .sd7/jvP6lDCQ encrypts to .sd7/jvP6lDCQ
Password is correct
Password has not expired
cfg_get_value: name=robl isuser=1 attr=acl rec=1
cfg_get_value: no user/group named robl
cfg_get_pvalue: returns NULL
login query for 'robl' tty2 from 195.66.232.230 accepted
Writing AUTHEN/SUCCEED size=18
PACKET: key=
version 192 (0xc0), type 1, seq no 6, encryption 1
session_id 4208708661 (0xfadbcc35), Data length 6 (0x6)
End header
type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
msg_len=0, data_len=0
msg:
data:
End packet
cfg_get_hvalue: name=195.66.232.230 attr=key
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL

--
Robert Lister - London Internet Exchange - http://www.linx.net/
robl at linx.net - tel: +44 (0)20 7645 3510 - RL786-RIPE
From: heas at shrubbery.net (john heasley)
Date: Tue, 12 Dec 2006 15:11:13 -0800
Subject: [tac_plus] Re: DEFAULT user option not working?
In-Reply-To: <20061211193208.GD12223@linx.net>
References: <20061211193208.GD12223@linx.net>
Message-ID: <20061212231113.GI18961@shrubbery.net>

Mon, Dec 11, 2006 at 07:32:08PM +0000, Robert Lister:
>
> Hi,
>
> I've been fiddling with your implementation of tac_plus for a while, and I
> cannot seem to get the user = DEFAULT option to work correctly. (I have
> specified that I want user = DEFAULT to be a member of a group, but that
> group does not seem to get applied.)
>
> If I put usernames directly into the config file, it works.
>
> (Ideally what I am trying to do is to have the user AND the group looked up
> in the passwd file, and then assign in the tac_plus config what I want to
> happen for users in that group, but I don't think tac_plus can do that, for
> example if the GID in the passwd file is "103" then have a corresponding
> group = 103 entry to tell tac_plus what access that user should get.)

correct; tac_plus has no knowledge of the GID field of a passwd(5) file.

> I'd be grateful if you are able to tell me where I'm going wrong.
>
> I've tried lots of different things in the config file, and I believe I have
> done everything right if I understand the man page correctly. I've tried
> different passwd files, but I just can't seem to crack it...
>
> My config looks like:
>
> #
> # tac_plus configuration
> #
>
> key = ""
>
> default authentication = file /linx/tacacs/passwd.remote
>
> acl=all {
>     permit = .*
> }
>
> acl=collectors {
>     permit = ^195\.66\.232\.(254|239|223|247)$
>     deny = .*
> }
>
>
> group = test {
>     acl = collectors
> }
>
>
> user = fred {
>     login = cleartext "crap"
>     member = test
> }
>
>
> user = DEFAULT {
>     default service = permit
>     member = test
>     acl = collectors
> }
>
>
> If I try to login as "fred" to a router that is not in the acl, then
> I correctly get denied access to the router.
> > If I try to login as a user listed in the passwd file, then no group appears > to be found, and I get access (where I shouldn't get access, to a router > that's not in the acl.) It seems the DEFAULT stuff is just being ignored > completely? Yeah, I think there is bug here. Let me duplicate it here. From heas at shrubbery.net Tue Dec 12 23:53:31 2006 From: heas at shrubbery.net (john heasley) Date: Tue, 12 Dec 2006 15:53:31 -0800 Subject: [tac_plus] Re: DEFAULT user option not working? In-Reply-To: <20061212231113.GI18961@shrubbery.net> References: <20061211193208.GD12223@linx.net> <20061212231113.GI18961@shrubbery.net> Message-ID: <20061212235331.GK18961@shrubbery.net> It is a bug. The authentication path does check ACLs for an user not in the config. Here is the patch. Thanks for the bug report! Index: default_fn.c =================================================================== RCS file: /home/heas/.CVS/src/routers/tac_plus/default_fn.c,v retrieving revision 1.10 diff -u -r1.10 default_fn.c --- default_fn.c 25 Nov 2006 03:39:16 -0000 1.10 +++ default_fn.c 12 Dec 2006 23:52:05 -0000 @@ -793,7 +793,14 @@ char *val; /* lookup host acl for user */ - val = cfg_get_pvalue(name, 1, type, recurse); + if (!cfg_user_exists(name) && cfg_user_exists(DEFAULT_USERNAME)) { + if (debug & DEBUG_AUTHEN_FLAG) { + report(LOG_DEBUG, "Authenticating ACLs for user '%s' instead of " + "'%s'", DEFAULT_USERNAME, name); + } + val = cfg_get_pvalue(DEFAULT_USERNAME, 1, type, recurse); + } else + val = cfg_get_pvalue(name, 1, type, recurse); /* no host acl for user */ if (val == NULL) From heas at shrubbery.net Wed Dec 13 23:59:23 2006 
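Review bot: the DEFAULT fallback is applied at only this one call site, the host acl lookup in default_fn.c, while the debug trace earlier in the thread shows the same unknown-user path also calling cfg_get_value for attr=login, attr=nopassword and attr=global with name=robl and getting "no user/group named robl" each time; those lookups still consult `name`, so an unknown user gets DEFAULT's acl but not the rest of DEFAULT's settings through this code. Rather than repeating `if (!cfg_user_exists(name) && cfg_user_exists(DEFAULT_USERNAME))` at each site (which also costs two cfg_user_exists lookups per attribute), put the substitution in one place, either in cfg_get_pvalue itself or in a small wrapper this path uses, so every attribute lookup for an unknown user sees the same fallback and logs it once. Minor: the `if` branch is braced and the `else` branch is not; brace both.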
From: heas at shrubbery.net (john heasley)
Date: Wed, 13 Dec 2006 15:59:23 -0800
Subject: [tac_plus] Re: DEFAULT user option not working?
In-Reply-To: <20061213163905.GA31502@linx.net>
References: <20061211193208.GD12223@linx.net> <20061212231113.GI18961@shrubbery.net> <20061212235331.GK18961@shrubbery.net> <20061213163905.GA31502@linx.net>
Message-ID: <20061213235923.GG15378@shrubbery.net>

Wed, Dec 13, 2006 at 04:39:05PM +0000, Robert Lister:
> This has also fixed a bunch of other stuff which was not happening, such as
> groups for user DEFAULT now work, so I can associate a script with :
> "before authorization "pre_authorize $user $port $address"" in the
> group for the user which can check in other places the user's groups
> and return a yes or no to tac_plus, without having to put all of
> the users into the tac_plus.conf file.

It did? I did not expect that change to affect anything else. Could you
explain further? I want to be sure I did not introduce some bug.

From glen.johnson at alaska.edu Wed Dec 27 23:01:27 2006
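An added example, mine rather than anything from the thread or from the tac_plus distribution, of how the acl section in Robert's config is meant to behave, so patterns can be tested against NAS addresses before they guard a live server. acl_check reads an `acl = name { ... }` block out of a tac_plus.conf, tries its permit/deny entries in order and lets the first regex that matches the address decide; no match is treated as deny, which is what the trailing `deny = .*` in the collectors acl makes explicit. Assumptions: one entry per line, regexes interpreted as awk extended regular expressions (tac_plus's own matcher may differ in detail), and a constructed sample config that copies the thread's acls and adds a deliberately sloppy one to show why the anchors and escaped dots in the collectors pattern matter.

```shell
#!/bin/sh
# Added example, not tac_plus code. Evaluate a named acl from a tac_plus.conf
# against a NAS address: entries are tried in order, the first permit/deny whose
# regex matches decides, and no match is treated as deny. Regexes are matched as
# awk EREs (an assumption about tac_plus's own matcher).
# usage: acl_check CONF ACLNAME ADDRESS  -> 0 permit, 1 deny, 2 acl not defined
acl_check() {
    awk -v acl="$2" -v addr="$3" '
        { line = $0; sub(/#.*/, "", line) }                   # drop comments
        !inacl && line ~ ("^[ \t]*acl[ \t]*=[ \t]*" acl "[ \t]*[{]") {
            inacl = 1; found = 1; next                        # entered our block
        }
        inacl && line ~ /^[ \t]*[}]/ { inacl = 0; next }     # left our block
        inacl && match(line, /^[ \t]*(permit|deny)[ \t]*=[ \t]*/) {
            verb = substr(line, RSTART, RLENGTH)
            gsub(/[ \t=]/, "", verb)                          # "permit" or "deny"
            re = substr(line, RSTART + RLENGTH)
            sub(/[ \t]*$/, "", re)                            # the regex itself
            if (addr ~ re) { result = (verb == "permit") ? 0 : 1; exit }
        }
        END { if (!found) exit 2; exit (result == "" ? 1 : result) }
    ' "$1"
}

# Constructed sample config: the acls from the thread plus a sloppy one whose
# pattern is unanchored and uses bare dots, so it matches far more than intended.
write_sample_conf() {
    cat > "$1" <<'EOF'
key = ""

acl=all {
    permit = .*
}

acl=collectors {
    permit = ^195\.66\.232\.(254|239|223|247)$
    deny = .*
}

# unanchored, unescaped: also matches 195.66.232.230, 195x66y232z2, ...
acl=sloppy {
    permit = 195.66.232.2
}
EOF
}

# Stand-alone demo: report the decision for each address against each acl.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    for name in all collectors sloppy; do
        for ip in 195.66.232.254 195.66.232.230 195.66.232.2; do
            acl_check "$tmp" "$name" "$ip"; rc=$?
            echo "$name $ip -> $rc"
        done
    done
    rm -f "$tmp"
fi
```

Run it as `sh acl_check.sh demo`, or source the file and call `acl_check /linx/tacacs/tac_plus.conf collectors 195.66.232.230` against the real config; an exit status of 0 for an address that should be refused is the misconfiguration to look for.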
From: glen.johnson at alaska.edu (Glen Johnson)
Date: Wed, 27 Dec 2006 14:01:27 -0900
Subject: [tac_plus] tacacs+ for redhat / fedora-core
Message-ID: <001901c72a0a$f0b67f40$7400e589@sxgsj1>

Hello,

Looking at the different TACACS+ forks, yours seems to be the cleanest. I've
written a SPEC, so it can be packaged into redhat RPM format. If you are
interested, I'll send this...

Your website says this fork is for you and customers. Would you be willing to
consider adding a TRAC instance (http://trac.edgewall.org) so others can
contribute? TACACS+ may be a legacy protocol, but I haven't seen anything that
quite fills the "authorization/accounting via network" niche like it does. Not
sure whether anyone WOULD contribute, but.... I find trac provides a great
project workspace even for personal projects.

Also- do you have an "announce" mailing list?

Thank you for your time

Glen Johnson
OIT Network Operations
University of Alaska

From heas at shrubbery.net Fri Dec 1 20:10:10 2006
From: heas at shrubbery.net (john heasley)
Date: Fri, 1 Dec 2006 12:10:10 -0800
Subject: [tac_plus] [limseng: Re: Tac_plus & PAM]
Message-ID: <20061201201010.GA17717@shrubbery.net>

For posterity...

----- Forwarded message from Lim Seng

Thanks, that worked too, but the logs are complaining a lot about deprecated
pam_stack calls. I figured that just a simple line,

#%PAM-1.0
auth include system-auth

allows PAM to work just fine with tac_plus. It doesn't lock out userids after
3 failed attempts though I have configured system-auth to do so; guess I'll
look that up in PAM. However, thanks for the help though =)

Cheers,
Lim Seng

>Thu, Nov 30, 2006 at 03:15:05PM +0800, Lim Seng:
>> Hi,
>>
>> I have edited the configuration to the following:
>>
>> group = admin {
>>     login = PAM
>> }
>>
>> user = testuser1 {
>>     default service = permit
>>     member = admin
>> }
>>
>> When I type in the username, immediately I get "% Authentication Failure",
>> without it even prompting me for a password. Is there a certain mandatory
>> parameter that should have been inside? I manned through tac_plus.conf.5,
>> and it looks like simply this configuration will just work.
>>
>> Appreciate any advice once again, thanks a lot
>
>Did you configure PAM itself? This is what I used to test:
>
>linucks [2] cat /etc/pam.d/tac_plus
>#%PAM-1.0
>auth required pam_stack.so service=system-auth
>account required pam_stack.so service=system-auth
>password required pam_stack.so service=system-auth
>session required pam_limits.so
>
>
>> Cheers,
>> Lim Seng
>>
>>
>> On 11/25/06
>> >
>> >Fri, Nov 24, 2006 at 04:22:33PM +0800, Lim Seng:
>> >> Dear Sir,
>> >>
>> >> I have found RANCID to be a very interesting and useful software, and I am
>> >> currently using it to backup my network devices. Due to my positive
>> >> experience with RANCID, I decided to try out tac_plus by Shrubbery too,
>> >> seeing that your version comes with PAM authentication support as well. I
>> >> am glad to say everything works fine, but I'd like advice on the
>> >> particular issue between tac_plus and PAM if possible.
>> >>
>> >> I am currently using:
>> >>
>> >> Fedora Core 6
>> >> uname -r : 2.6.18-1.2849.fc6
>> >>
>> >> I have compiled and installed tacacs+-F4.0.4.13, authenticating primarily
>> >> from /etc/passwd. What I'd like to achieve is to set a system-wide limit
>> >> of 3 login attempts, and lock out any user account except root in PAM. My
>> >> system already has that policy set, but I'd like to apply this policy to
>> >> tacacs as well. I have tried to set the authentication method to pam but
>> >> it doesn't work, please see my config:
>> >>
>> >> ---------------------------------Start of Config-------------------------------------------
>> >> key = examplekey
>> >>
>> >> # Use /etc/passwd file to do authentication
>> >>
>> >> default authentication = file /etc/passwd
>> >>
>> >> # Now tacacs+ also use default PAM authentication
>> >> #default authentication = pam system-auth ####Tried to set to PAM
>> >> authentication method but no go here.
>> >>
>> >> # Accounting records log file
>> >>
>> >> accounting file = /var/log/tac_acc.log
>> >>
>> >> #All services are allowed..
>> >>
>> >> user = $enable$ {
>> >>     login = cleartext "iamenabled"
>> >> }
>> >>
>> >> group = admin {
>> >>     service = exec {
>> >>         default attribute = permit
>> >>         priv-lvl = 1
>> >>     }
>> >> }
>> >>
>> >> user = tester1 {
>> >>     name = "tester1"
>> >>     member = testadmin
>> >> }
>> >>
>> >> ---------------------------------End of Config-------------------------------------------
>> >>
>> >> I have read through the INSTALL/users guide/FAQ file and tac_plus.h in
>> >> the source code for further clues but I still can't get it right. I did
>> >> not input any special configuration prefixes during compilation phase:
>> >
>> >In order for tac_plus to query/use PAM, you must configure those users or
>> >groups to do so. See tac_plus.conf(5) top-level directive user and follow
>> >the relationship to user_attr, to login, then password_spec. eg:
>> >
>> >group = admin {
>> >    login = PAM
>> >....
>> >
>> >> ./configure --prefix=/usr/local/tacplus
>> >>
>> >> If the information provided is not sufficient I'll be glad to provide
>> >> more, looking forward to your advice.
>> >>
>> >> Cheers,
>> >> Lim Seng

From Lance.Vermilion at bestwestern.com Fri Dec 1 22:11:07 2006
From: Lance.Vermilion at bestwestern.com (Vermilion, Lance)
Date: Fri, 1 Dec 2006 15:11:07 -0700
Subject: [tac_plus] Possible Bug in tacacs+-F4.0.4.10
Message-ID:

All,

I am hoping someone can point me in the right direction or already have a
fix for this. I have tacacs+-F4.0.4.10 which I just downloaded a few days
ago. Everything runs wonderfully; the only problem I have is when I issue a
"kill -SIGHUP " or "kill -SIGUSR1 " as the user running the application, the
application dies and never returns.

The man page says

SIGNALS
    If the daemon receives a SIGHUP or SIGUSR1, it will reinitialize itself
    and re-read its configuration file. Note: if an error is encountered in
    the configuration file, the daemon will die.

Misc info:
OS: Suse 9.3
Compile Options: -with-libwrap --with-userid= --with-groupid=

*if you prefer here is a tac_plus -v*
: tac_plus -v
tac_plus version F4.0.4.10
ACLS FIONBIO LIBWRAP LINUX LITTLE_ENDIAN LOG_DAEMON PAM NO_PWAGE REAPCHILD
REARMSIGNAL RETSIGTYPE RETSIGTYPE SHADOW_PASSWORDS SIGTSTP SIGTTIN SIGTTOU
SO_REUSEADDR STRERROR TACPLUS_GROUPID TAC_PLUS_PORT TACPLUS_USERID UENABLE
__STDC__

Here is my /etc/tacacs/tac_plus.conf

# Set the key to use for Tacacs+
key = tacacs_plus

# Set the account file location.
accounting file = /var/log/tacacs_plus/tac_plus.acct

user = testuser {
    login = cleartext abcdef
}

So I ran a check and everything checks out fine when I run a
"tac_plus -P -C /etc/tacacs/tac_plus.conf".

I start tac_plus the following way.

sudo /usr/local/bin/tac_plus -C /etc/tacacs/tac_plus.conf

if I check to make sure it is running I see the following
: ps aux | egrep "tac_plus|PID"
USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START TIME COMMAND
tac_plus 27564  0.0  0.0 1912  648 pts/3 S    14:43 0:00 /usr/local/bin/tac_plus -C /etc/tacacs/tac_plus.conf -d 256

If I issue any of the following kill commands I get the same result...a
daemon that never returns.

kill -SIGHUP 27564
kill -HUP 27564
kill -USR1 27564
kill -SIGUSR1 27564
kill -1 27564
kill -10 27564

Any ideas?

Lance Vermilion
Communications System Engineer
Best Western International, Inc. | The World's Largest Hotel Chain(r)
20400 N. 29th Avenue
Phoenix, Arizona 85027
--Contact Info--
Office: 623.780.6637
Mobile: 602.354.6365
eMail: lance.vermilion at bestwestern.com

From heas at shrubbery.net Fri Dec 1 22:17:51 2006
From: heas at shrubbery.net (john heasley)
Date: Fri, 1 Dec 2006 14:17:51 -0800
Subject: [tac_plus] Re: Possible Bug in tacacs+-F4.0.4.10
In-Reply-To:
References:
Message-ID: <20061201221751.GF18225@shrubbery.net>

Fri, Dec 01, 2006 at 03:11:07PM -0700, Vermilion, Lance:
> if I check to make sure it is running I see the following
> : ps aux | egrep "tac_plus|PID"
> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
> tac_plus 27564 0.0 0.0 1912 648 pts/3 S 14:43 0:00
> /usr/local/bin/tac_plus -C /etc/tacacs/tac_plus.conf -d 256

Can user 'tac_plus' or its gid(s) read /etc/tacacs/tac_plus.conf?

From Lance.Vermilion at bestwestern.com Fri Dec 1 22:22:38 2006
From: Lance.Vermilion at bestwestern.com (Vermilion, Lance)
Date: Fri, 1 Dec 2006 15:22:38 -0700
Subject: [tac_plus] Re: Possible Bug in tacacs+-F4.0.4.10
Message-ID:

John,

You are a life saver. Thank you. I didn't think to look at that. That fixed
me. Is there a way to add a check like that in the code? Make sure the user
has perms to that file and if not error on it?

Lance Vermilion
Communications System Engineer
Best Western International, Inc. | The World's Largest Hotel Chain(r)
20400 N. 29th Avenue
Phoenix, Arizona 85027
--Contact Info--
Office: 623.780.6637
Mobile: 602.354.6365
eMail: lance.vermilion at bestwestern.com

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Friday, December 01, 2006 3:18 PM
To: Vermilion, Lance
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Possible Bug in tacacs+-F4.0.4.10

Fri, Dec 01, 2006 at 03:11:07PM -0700, Vermilion, Lance:
> if I check to make sure it is running I see the following
> : ps aux | egrep "tac_plus|PID"
> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
> tac_plus 27564 0.0 0.0 1912 648 pts/3 S 14:43 0:00
> /usr/local/bin/tac_plus -C /etc/tacacs/tac_plus.conf -d 256

Can user 'tac_plus' or its gid(s) read /etc/tacacs/tac_plus.conf?

From heas at shrubbery.net Fri Dec 1 22:44:24 2006
From: heas at shrubbery.net (john heasley)
Date: Fri, 1 Dec 2006 14:44:24 -0800
Subject: [tac_plus] Re: Possible Bug in tacacs+-F4.0.4.10
In-Reply-To:
References:
Message-ID: <20061201224424.GH18225@shrubbery.net>

Fri, Dec 01, 2006 at 03:22:38PM -0700, Vermilion, Lance:
> John,
>
> You are a life saver. Thank you. I didn't think to look at that. That
> fixed me. Is there a way to add a check like that in the code? Make sure
> the user has perms to that file and if not error on it?

You should have seen two log messages in your syslog; like this:

    if ((cf = fopen(cfile, "r")) == NULL) {
        report(LOG_ERR, "read_config: fopen() error for file %s %s, exiting",
               cfile, strerror(errno));
        return(1);
    }

and another "failure" msg from the signal handler (which technically is not
async safe, but ...).

or do you mean checking the access during initial configuration parsing?
I suppose that the daemon really does not need to exit if it can't read the
config, but that seems the path of least surprise ["hey, why is that user
still active" - some months after it was removed].

From heas at shrubbery.net Fri Dec 1 23:11:41 2006
From: heas at shrubbery.net (john heasley)
Date: Fri, 1 Dec 2006 15:11:41 -0800
Subject: [tac_plus] Re: Possible Bug in tacacs+-F4.0.4.10
In-Reply-To:
References:
Message-ID: <20061201231141.GM18225@shrubbery.net>

Fri, Dec 01, 2006 at 04:03:56PM -0700, Vermilion, Lance:
> John,
>
> I didn't see anything like that in my local syslog local or remote
> syslog.

it would occur at HUP-time, not start-up. you really did not get a
message? and you have 'logging = whatever' in your config (daemon
facility is the default)?

> In regards to the permissions on tac_plus.conf I was thinking of
> something like this.
>
> if [ -r /etc/tacacs/tac_plus.conf ]
> then
>     echo "Houston we have touchdown"
> else
>     echo " Houston we have a PROBLEM"
> fi

That is not sufficient, afaik. tac_plus has to be started as root so that
it can open port 49; root shouldn't have problem reading the config
regardless of its mode. You'd have to create a child process as the
tac_plus user and then do this check.

> I have added it to my tac_plus init file, which is attached if you want
> to redistribute it with the package since there isn't one at the moment.
> That I see.

Someone else creates the linux (and any other o/s) package.

From Lance.Vermilion at bestwestern.com Fri Dec 1 23:03:56 2006
From: Lance.Vermilion at bestwestern.com (Vermilion, Lance)
Date: Fri, 1 Dec 2006 16:03:56 -0700
Subject: [tac_plus] Re: Possible Bug in tacacs+-F4.0.4.10
Message-ID:

John,

I didn't see anything like that in my local syslog local or remote syslog.

In regards to the permissions on tac_plus.conf I was thinking of something
like this.

if [ -r /etc/tacacs/tac_plus.conf ]
then
    echo "Houston we have touchdown"
else
    echo " Houston we have a PROBLEM"
fi

I have added it to my tac_plus init file, which is attached if you want to
redistribute it with the package since there isn't one at the moment. That I
see.

Lance Vermilion
Communications System Engineer
Best Western International, Inc. | The World's Largest Hotel Chain(r)
20400 N. 29th Avenue
Phoenix, Arizona 85027
--Contact Info--
Office: 623.780.6637
Mobile: 602.354.6365
eMail: lance.vermilion at bestwestern.com

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Friday, December 01, 2006 3:44 PM
To: Vermilion, Lance
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Possible Bug in tacacs+-F4.0.4.10

Fri, Dec 01, 2006 at 03:22:38PM -0700, Vermilion, Lance:
> John,
>
> You are a life saver. Thank you. I didn't think to look at that. That
> fixed me. Is there a way to add a check like that in the code? Make sure
> the user has perms to that file and if not error on it?

You should have seen two log messages in your syslog; like this:

    if ((cf = fopen(cfile, "r")) == NULL) {
        report(LOG_ERR, "read_config: fopen() error for file %s %s, exiting",
               cfile, strerror(errno));
        return(1);
    }

and another "failure" msg from the signal handler (which technically is not
async safe, but ...).

or do you mean checking the access during initial configuration parsing?
I suppose that the daemon really does not need to exit if it can't read the
config, but that seems the path of least surprise ["hey, why is that user
still active" - some months after it was removed].

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tac_plus.init.txt
Url: http://www.shrubbery.net/pipermail/tac_plus/attachments/20061201/5f2ca505/attachment.txt

From Lance.Vermilion at bestwestern.com Fri Dec 1 23:50:10 2006
From: Lance.Vermilion at bestwestern.com (Vermilion, Lance)
Date: Fri, 1 Dec 2006 16:50:10 -0700
Subject: [tac_plus] Re: Possible Bug in tacacs+-F4.0.4.10
Message-ID:

John,

Comments inline.

Lance Vermilion
Communications System Engineer
Best Western International, Inc. | The World's Largest Hotel Chain(r)
20400 N. 29th Avenue
Phoenix, Arizona 85027
--Contact Info--
Office: 623.780.6637
Mobile: 602.354.6365
eMail: lance.vermilion at bestwestern.com

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Friday, December 01, 2006 4:12 PM
To: Vermilion, Lance
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Possible Bug in tacacs+-F4.0.4.10

Fri, Dec 01, 2006 at 04:03:56PM -0700, Vermilion, Lance:
> John,
>
> I didn't see anything like that in my local syslog local or remote
> syslog.

it would occur at HUP-time, not start-up. you really did not get a
message? and you have 'logging = whatever' in your config (daemon
facility is the default)?

[Vermilion, Lance]
My logging was default. But my syslog.conf didn't have anything for
daemon. :(

> In regards to the permissions on tac_plus.conf I was thinking of
> something like this.
>
> if [ -r /etc/tacacs/tac_plus.conf ]
> then
>     echo "Houston we have touchdown"
> else
>     echo " Houston we have a PROBLEM"
> fi

That is not sufficient, afaik. tac_plus has to be started as root so that
it can open port 49; root shouldn't have problem reading the config
regardless of its mode. You'd have to create a child process as the
tac_plus user and then do this check.

> I have added it to my tac_plus init file, which is attached if you want
> to redistribute it with the package since there isn't one at the moment.
> That I see.

Someone else creates the linux (and any other o/s) package.

From heas at shrubbery.net Sat Dec 2 04:45:44 2006
From: heas at shrubbery.net (john heasley)
Date: Fri, 1 Dec 2006 20:45:44 -0800
Subject: [tac_plus] Re: Possible Bug in tacacs+-F4.0.4.10
In-Reply-To:
References:
Message-ID: <20061202044544.GC18225@shrubbery.net>

> > I didn't see anything like that in my local syslog local or remote
> > syslog.
>
> it would occur at HUP-time, not start-up. you really did not get a
> message? and you have 'logging = whatever' in your config (daemon
> facility is the default)?
> [Vermilion, Lance]
> My logging was default. But my syslog.conf didn't have anything for
> daemon. :(

that would indeed make it difficult to see them!

From limseng at gmail.com Mon Dec 4 09:56:58 2006
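An added example, mine and not from the thread or the tac_plus distribution, of the check John describes. An init script runs as root, so `[ -r /etc/tacacs/tac_plus.conf ]` there passes whatever the file's mode is and says nothing about the `tac_plus` account the daemon drops to. readable_as answers that question for an arbitrary account from the file's owner, group and mode bits alone, the same way the kernel evaluates DAC for a non-root process, and reload_tac_plus refuses to send SIGHUP unless that check and a `tac_plus -P -C` parse both pass, which keeps the "daemon dies on HUP" failure from happening on a live server. Assumptions: GNU `stat -c` (Linux), that `tac_plus -P` exits non-zero on a parse error, and that the caller knows the daemon's PID; the service account name and config path are the ones from the thread.

```shell
#!/bin/sh
# Added example, not part of tac_plus. Reports whether USER could read FILE
# going by DAC bits alone: 0 = yes, 1 = no, 2 = unknown user/file or stat failed.
# Do not use `test -r` for this from a root-owned script: root passes the
# permission check regardless of the file's mode.
readable_as() {
    user=$1
    file=$2
    [ -e "$file" ] || return 2
    uid=$(id -u "$user" 2>/dev/null) || return 2
    # uid 0 bypasses discretionary access control entirely
    [ "$uid" -eq 0 ] && return 0
    gids=$(id -G "$user")
    # owner uid, owner gid and octal mode of the file (GNU stat, assumed Linux)
    set -- $(stat -c '%u %g %a' "$file" 2>/dev/null)
    [ $# -eq 3 ] || return 2
    fuid=$1
    fgid=$2
    perm=${3#${3%???}}          # last three octal digits; drops suid/sgid/sticky
    u=${perm%??}; g=${perm#?}; g=${g%?}; o=${perm#??}
    # As the kernel does: owner bits if you own the file, otherwise group bits
    # if you are in its group, otherwise "other" bits. Only one class counts.
    if [ "$fuid" = "$uid" ]; then
        bits=$u
    else
        bits=$o
        for gid in $gids; do
            [ "$gid" = "$fgid" ] && bits=$g && break
        done
    fi
    [ $((bits & 4)) -ne 0 ]
}

# Re-read the config only if the service account can read it and it parses.
# `tac_plus -P -C file` parses and exits (from the thread); -P is assumed to
# return non-zero on a parse error. PID is the running daemon's process id.
reload_tac_plus() {
    conf=$1
    svcuser=$2
    pid=$3
    if ! readable_as "$svcuser" "$conf"; then
        echo "refusing reload: $conf is not readable by $svcuser" >&2
        return 1
    fi
    if ! tac_plus -P -C "$conf"; then
        echo "refusing reload: $conf does not parse" >&2
        return 1
    fi
    kill -HUP "$pid"
}

# Stand-alone use: sh reload.sh reload <pid>
if [ "${1:-}" = "reload" ]; then
    reload_tac_plus /etc/tacacs/tac_plus.conf tac_plus "$2"
fi
```

The mode check is what the init-script `[ -r ... ]` should have been; if readable_as says no, the fix is `chgrp tac_plus` plus mode 0640 on the config, not starting the daemon as root.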
From: limseng at gmail.com (Lim Seng)
Date: Mon, 4 Dec 2006 17:56:58 +0800
Subject: [tac_plus] Re: Tac_plus & PAM
In-Reply-To: <4eccb24c0611301742i2d22fd69xc059a897dc5f44ff@mail.gmail.com>
References: <4eccb24c0611240022w57854408h93d1557e0b728d61@mail.gmail.com> <20061125022526.GJ7881@shrubbery.net> <4eccb24c0611292315g7696383arfe2873a3bce4b90b@mail.gmail.com> <20061130072358.GK18541@shrubbery.net> <4eccb24c0611301742i2d22fd69xc059a897dc5f44ff@mail.gmail.com>
Message-ID: <4eccb24c0612040156v33212177l2263faa33c26d6c9@mail.gmail.com>

Hi,

I am having issues with configuring account lockouts on 3 attempts using
faillog and pam_tally, but I am not sure whether there is a parameter (a.k.a.
I didn't RTFM) which has to be added in the configuration for it to work. I
have read through man on AV Pairs, which I thought could solve the problem,
but it didn't seem to help:

My tac_plus file in /etc/pam.d/:

#%PAM-1.0
auth required pam_tally.so per_user onerr=fail deny=3
auth required pam_env.so
auth required pam_unix.so likeauth nullok
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_limits.so

And my tac_plus.cfg

group = admin {
    login = PAM
}

user = netadm {
    default service = permit
    member = admin
}

The problem that I have encountered: be it a successful or a failed login
attempt, pam_tally counts it as a failure, but the lockout feature works fine
when it reads that faillog has more than 3 "failed" attempts for user netadm,
albeit those 3 attempts were successful logins.

My /var/log/secure:

Dec 4 15:29:13 maskedhost tac_plus[6974]: pam_tally(tac_plus:auth): user netadm (500) tally 4, deny 3
Dec 4 15:29:15 maskedhost tac_plus[6974]: pam_unix(tac_plus:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=netadm

I have figured that I have probably configured pam_tally to necessarily do
failed login counting and lockout feature. Greatly appreciate your help thus
far, but I am sorry I have to approach for your assistance once again.

PS: Sorry if you received 2 copies of this mail. It was a re-send

Cheers,
Lim Seng

On 12/1/06, Lim Seng wrote:
>
> Thanks, that worked too, but the logs are complaining a lot about
> deprecated pam_stack calls. I figured that just a simple line,
>
> #%PAM-1.0
> auth include system-auth
>
> allows PAM to work just fine with tac_plus. It doesn't lock out userids
> after 3 failed attempts though I have configured system-auth to do so; guess
> I'll look that up in PAM. However, thanks for the help though =)
>
> Cheers,
> Lim Seng
>
> On 11/30/06, john heasley wrote:
> >
> > Thu, Nov 30, 2006 at 03:15:05PM +0800, Lim Seng:
> > > Hi,
> > >
> > > I have edited the configuration to the following:
> > >
> > > group = admin {
> > >     login = PAM
> > > }
> > >
> > > user = testuser1 {
> > >     default service = permit
> > >     member = admin
> > > }
> > >
> > > When I type in the username, immediately I get "% Authentication
> > > Failure", without it even prompting me for a password. Is there a
> > > certain mandatory parameter that should have been inside? I manned
> > > through tac_plus.conf.5, and it looks like simply this configuration
> > > will just work.
> > >
> > > Appreciate any advice once again, thanks a lot
> >
> > Did you configure PAM itself? This is what I used to test:
> >
> > linucks [2] cat /etc/pam.d/tac_plus
> > #%PAM-1.0
> > auth required pam_stack.so service=system-auth
> > account required pam_stack.so service=system-auth
> > password required pam_stack.so service=system-auth
> > session required pam_limits.so
> >
> >
> > > Cheers,
> > > Lim Seng
> > >
> > >
> > > On 11/25/06, tac_plus at shrubbery.net wrote:
> > > >
> > > > Fri, Nov 24, 2006 at 04:22:33PM +0800, Lim Seng:
> > > > > Dear Sir,
> > > > >
> > > > > I have found RANCID to be a very interesting and useful software,
> > > > > and I am currently using it to backup my network devices. Due to my
> > > > > positive experience with RANCID, I decided to try out tac_plus by
> > > > > Shrubbery too, seeing that your version comes with PAM
> > > > > authentication support as well. I am glad to say everything works
> > > > > fine, but I'd like advice on the particular issue between tac_plus
> > > > > and PAM if possible.
> > > > >
> > > > > I am currently using:
> > > > >
> > > > > Fedora Core 6
> > > > > uname -r : 2.6.18-1.2849.fc6
> > > > >
> > > > > I have compiled and installed tacacs+-F4.0.4.13, authenticating
> > > > > primarily from /etc/passwd. What I'd like to achieve is to set a
> > > > > system-wide limit of 3 login attempts, and lock out any user
> > > > > account except root in PAM. My system already has that policy set,
> > > > > but I'd like to apply this policy to tacacs as well. I have tried
> > > > > to set the authentication method to pam but it doesn't work, please
> > > > > see my config:
> > > > >
> > > > > ---------------------------------Start of Config-------------------------------------------
> > > > > key = examplekey
> > > > >
> > > > > # Use /etc/passwd file to do authentication
> > > > >
> > > > > default authentication = file /etc/passwd
> > > > >
> > > > > # Now tacacs+ also use default PAM authentication
> > > > > #default authentication = pam system-auth ####Tried to set to PAM
> > > > > authentication method but no go here.
> > > > >
> > > > > # Accounting records log file
> > > > >
> > > > > accounting file = /var/log/tac_acc.log
> > > > >
> > > > > #All services are allowed..
> > > > >
> > > > > user = $enable$ {
> > > > >     login = cleartext "iamenabled"
> > > > > }
> > > > >
> > > > > group = admin {
> > > > >     service = exec {
> > > > >         default attribute = permit
> > > > >         priv-lvl = 1
> > > > >     }
> > > > > }
> > > > >
> > > > > user = tester1 {
> > > > >     name = "tester1"
> > > > >     member = testadmin
> > > > > }
> > > > >
> > > > > ---------------------------------End of Config-------------------------------------------
> > > > >
> > > > > I have read through the INSTALL/users guide/FAQ file and
> > > > > tac_plus.h in the source code for further clues but I still can't
> > > > > get it right. I did not input any special configuration prefixes
> > > > > during compilation phase:
> > > >
> > > > In order for tac_plus to query/use PAM, you must configure those
> > > > users or groups to do so. See tac_plus.conf(5) top-level directive
> > > > user and follow the relationship to user_attr, to login, then
> > > > password_spec. eg:
> > > >
> > > > group = admin {
> > > >     login = PAM
> > > > ....
> > > >
> > > > > ./configure --prefix=/usr/local/tacplus
> > > > >
> > > > > If the information provided is not sufficient I'll be glad to
> > > > > provide more, looking forward to your advice.
> > > > >
> > > > > Cheers,
> > > > > Lim Seng
> > > >
> > > >
>

From heas at shrubbery.net Mon Dec 4 16:50:24 2006
From: heas at shrubbery.net (john heasley)
Date: Mon, 4 Dec 2006 08:50:24 -0800
Subject: [tac_plus] Re: Tac_plus & PAM
In-Reply-To: <4eccb24c0612040148s273e1a5emee5c4757652d3aa2@mail.gmail.com>
References: <4eccb24c0611240022w57854408h93d1557e0b728d61@mail.gmail.com> <20061125022526.GJ7881@shrubbery.net> <4eccb24c0611292315g7696383arfe2873a3bce4b90b@mail.gmail.com> <20061130072358.GK18541@shrubbery.net> <4eccb24c0611301742i2d22fd69xc059a897dc5f44ff@mail.gmail.com> <4eccb24c0612040148s273e1a5emee5c4757652d3aa2@mail.gmail.com>
Message-ID: <20061204165024.GC22126@shrubbery.net>

Mon, Dec 04, 2006 at 05:48:29PM +0800, Lim Seng:
> Hi,
>
> I am having issues with configuring account lockouts on 3 attempts using
> faillog and pam_tally, but I am not sure whether there is a parameter (
> a.k.a. I didn't RTFM) which has to be added in the configuration for it to
> work. I have read through man on AV Pairs, which I thought could solve the
> problem, but it didn't seem to help:
>
> My tac_plus file in /etc/pam.d/:
>
> #%PAM-1.0
> auth required pam_tally.so per_user onerr=fail deny=3
> auth required pam_env.so
> auth required pam_unix.so likeauth nullok
> account required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
> session required pam_limits.so
>
> And my tac_plus.cfg
>
> group = admin {
>     login = PAM
> }
>
> user = netadm {
>     default service = permit
>     member = admin
> }
>
> The problem that I have encountered: be it a successful or a failed login
> attempt, pam_tally counts it as a failure, but the lockout feature works
> fine when it reads that faillog has more than 3 "failed" attempts for user
> netadm, albeit those 3 attempts were successful logins.
>
> My /var/log/secure:
>
> Dec 4 15:29:13 maskedhost tac_plus[6974]: pam_tally(tac_plus:auth): user
> netadm (500) tally 4, deny 3
> Dec 4 15:29:15 maskedhost tac_plus[6974]: pam_unix(tac_plus:auth):
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> user=netadm
>
> I have figured that I have probably configured pam_tally to necessarily do
> failed login counting and lockout feature. Greatly appreciate your help thus
> far, but I am sorry I have to approach for your assistance once again.

I do not know about pam_tally. this site looks like it might be useful,
as it appears that your configuration might be a little slim:

http://sial.org/howto/linux/pam_tally/

note that this could be a form of DOS attack; i intentionally try to
login 3 times with the wrong password and your account is locked-out.

From robl at linx.net Mon Dec 11 19:32:08 2006
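An added example, mine rather than anything from the thread, the tac_plus distribution or Linux-PAM, of a less slim /etc/pam.d/tac_plus for what Lim is after. The pam_tally auth entry only ever increments the per-user counter; the reset after a successful login is done by pam_tally's account entry, which the stack above does not have, so every login, good or bad, pushes the tally up until deny=3 trips, which is what the "tally 4, deny 3" line in the log shows. unlock_time puts a ceiling on the lockout so that the three-bad-passwords denial of service John describes costs the target minutes rather than an admin's intervention; the 900 s value is an arbitrary choice. This assumes tac_plus runs the PAM account phase after a successful pam_authenticate; if it does not, the counter must be cleared some other way (faillog -r) and the auth-only stack will keep behaving as in the log.

```text
#%PAM-1.0
# auth: count every attempt, refuse once three are outstanding, and expire the
# lock after 900 s so a remote attacker cannot lock an operator out for good.
# (unlock_time value is an arbitrary choice for this example.)
auth     required   pam_tally.so per_user onerr=fail deny=3 unlock_time=900
auth     include    system-auth
# account: pam_tally resets the counter here on a successful login. Without
# this line successful logins keep incrementing the tally, exactly as the
# "tally 4, deny 3" log line above shows.
account  required   pam_tally.so
account  include    system-auth
password include    system-auth
session  required   pam_limits.so
```

Check the effect with `faillog -u netadm` after a good login (the count should be back to 0) and after three bad ones (the count should be 3 and the next attempt refused until the lock expires).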
From: robl at linx.net (Robert Lister)
Date: Mon, 11 Dec 2006 19:32:08 +0000
Subject: [tac_plus] DEFAULT user option not working?
Message-ID: <20061211193208.GD12223@linx.net>

Hi,

I've been fiddling with your implementation of tac_plus for a while, and I
cannot seem to get the user = DEFAULT option to work correctly. (I have
specified that I want user = DEFAULT to be a member of a group, but that
group does not seem to get applied.)

If I put usernames directly into the config file, it works.

(Ideally what I am trying to do is to have the user AND the group looked up
in the passwd file, and then assign in the tac_plus config what I want to
happen for users in that group, but I don't think tac_plus can do that; for
example, if the GID in the passwd file is "103" then have a corresponding
group = 103 entry to tell tac_plus what access that user should get.)

I'd be grateful if you are able to tell me where I'm going wrong.

I've tried lots of different things in the config file, and I believe I have
done everything right if I understand the man page correctly. I've tried
different passwd files, but I just can't seem to crack it...

My config looks like:

#
# tac_plus configuration
#

key = ""

default authentication = file /linx/tacacs/passwd.remote

acl=all {
    permit = .*
}

acl=collectors {
    permit = ^195\.66\.232\.(254|239|223|247)$
    deny = .*
}

group = test {
    acl = collectors
}

user = fred {
    login = cleartext "crap"
    member = test
}

user = DEFAULT {
    default service = permit
    member = test
    acl = collectors
}

If I try to login as "fred" to a router that is not in the acl, then I
correctly get denied access to the router.

If I try to login as a user listed in the passwd file, then no group appears
to be found, and I get access (where I shouldn't get access, to a router
that's not in the acl.) It seems the DEFAULT stuff is just being ignored
completely?
Here is what happens when I login to a router that I'm not supposed to be
able to login to:

spitfire tacacs # tac_plus -g -d8 -d16 -d32 -d64 -d128 -d256 -C /linx/tacacs/tac_plus.conf
Reading config
Version F4.0.4.13 Initialized 1
tac_plus server F4.0.4.13 starting
uid=0 euid=0 gid=0 egid=0 s=4
session.peerip is 195.66.232.230
session request from 195.66.232.230 sock=5
connect from 195.66.232.230 [195.66.232.230]
Waiting for packet
cfg_get_hvalue: name=195.66.232.230 attr=key
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL
Read AUTHEN/START size=37
validation request from 195.66.232.230
PACKET: key=
version 192 (0xc0), type 1, seq no 1, encryption 1
session_id 4208708661 (0xfadbcc35), Data length 25 (0x19)
End header
type=AUTHEN/START, priv_lvl = 1
action=login
authen_type=ascii
service=login
user_len=0 port_len=4 (0x4), rem_addr_len=13 (0xd)
data_len=0
User:
port: tty2
rem_addr: 195.66.232.38
data:
End packet
Authen Start request
choose_authen returns 1
cfg_get_hvalue: name=195.66.232.230 attr=prompt
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL
Writing AUTHEN/GETUSER size=55
PACKET: key=
version 192 (0xc0), type 1, seq no 2, encryption 1
session_id 4208708661 (0xfadbcc35), Data length 43 (0x2b)
End header
type=AUTHEN status=4 (AUTHEN/GETUSER) flags=0x0
msg_len=37, data_len=0
msg: 0xa User Access Verification 0xa 0xa Username:
data:
End packet
cfg_get_hvalue: name=195.66.232.230 attr=key
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL
Waiting for packet
cfg_get_hvalue: name=195.66.232.230 attr=key
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL
Read AUTHEN/CONT size=21
PACKET: key=
version 192 (0xc0), type 1, seq no 3, encryption 1
session_id 4208708661 (0xfadbcc35), Data length 9 (0x9)
End header
type=AUTHEN/CONT
user_msg_len 4 (0x4), user_data_len 0 (0x0)
flags=0x0
User msg: robl
User data:
End packet
cfg_get_value: name=robl isuser=1 attr=login rec=1
cfg_get_value: no user/group named robl
cfg_get_pvalue: returns NULL
choose_authen chose default_fn
Calling authentication function
cfg_get_value: name=robl isuser=1 attr=nopassword rec=1
cfg_get_value: no user/group named robl
cfg_get_intvalue: returns 0
cfg_get_value: name=robl isuser=1 attr=login rec=1
cfg_get_value: no user/group named robl
cfg_get_pvalue: returns NULL
Writing AUTHEN/GETPASS size=28
PACKET: key=
version 192 (0xc0), type 1, seq no 4, encryption 1
session_id 4208708661 (0xfadbcc35), Data length 16 (0x10)
End header
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=10, data_len=0
msg: Password:
data:
End packet
cfg_get_hvalue: name=195.66.232.230 attr=key
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL
Waiting for packet
cfg_get_hvalue: name=195.66.232.230 attr=key
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL
Read AUTHEN/CONT size=25
PACKET: key=
version 192 (0xc0), type 1, seq no 5, encryption 1
session_id 4208708661 (0xfadbcc35), Data length 13 (0xd)
End header
type=AUTHEN/CONT
user_msg_len 8 (0x8), user_data_len 0 (0x0)
flags=0x0
User msg:
User data:
End packet
cfg_get_value: name=robl isuser=1 attr=login rec=1
cfg_get_value: no user/group named robl
cfg_get_pvalue: returns NULL
cfg_get_value: name=robl isuser=1 attr=global rec=1
cfg_get_value: no user/group named robl
cfg_get_pvalue: returns NULL
tac_passwd_lookup: open /linx/tacacs/passwd.remote 6
tac_passwd_lookup: close /linx/tacacs/passwd.remote 6
verify .sd7/jvP6lDCQ encrypts to .sd7/jvP6lDCQ
Password is correct
Password has not expired
cfg_get_value: name=robl isuser=1 attr=acl rec=1
cfg_get_value: no user/group named robl
cfg_get_pvalue: returns NULL
login query for 'robl' tty2 from 195.66.232.230 accepted
Writing AUTHEN/SUCCEED size=18
PACKET: key=
version 192 (0xc0), type 1, seq no 6, encryption 1
session_id 4208708661 (0xfadbcc35), Data length 6 (0x6)
End header
type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
msg_len=0, data_len=0
msg:
data:
End packet
cfg_get_hvalue: name=195.66.232.230 attr=key
cfg_get_hvalue: no host named 195.66.232.230
cfg_get_phvalue: returns NULL

--
Robert Lister - London Internet Exchange - http://www.linx.net/
robl at linx.net - tel: +44 (0)20 7645 3510 - RL786-RIPE

From heas at shrubbery.net Tue Dec 12 23:11:13 2006
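To show why the trace above ends in "accepted" for a user who exists only in the passwd file, here is an added Python model of the acl lookup as the posted config describes it (not tac_plus's own code): a user's own acl, else its group's via member, and optionally the fallback to the DEFAULT entry that the patch later in this thread introduces. Two behaviours are assumptions rather than taken from the thread: an absent acl leaves the login unrestricted (which is what the trace shows), and an acl that matches nothing denies (the post's collectors acl ends in an explicit deny = .*, so the model never relies on this).

```python
import re

# Constructed model of the tac_plus.conf quoted in the post (not tac_plus's parser or data model).
CONFIG = {
    "acls": {
        "all": [("permit", r".*")],
        "collectors": [("permit", r"^195\.66\.232\.(254|239|223|247)$"), ("deny", r".*")],
    },
    "groups": {"test": {"acl": "collectors"}},
    "users": {"fred": {"member": "test"},
              "DEFAULT": {"member": "test", "acl": "collectors"}},
}

def acl_name_for(user, cfg, use_default):
    """Model cfg_get_value(name, isuser=1, attr=acl, rec=1): the user's own acl, else its
    group's. With use_default the lookup falls back to the DEFAULT entry when the user is
    not in the config, as the patch in this thread does; without it an unknown user has none."""
    rec = cfg["users"].get(user)
    if rec is None and use_default:
        rec = cfg["users"].get("DEFAULT")
    if rec is None:
        return None                      # "cfg_get_value: no user/group named ..." in the trace
    if "acl" in rec:
        return rec["acl"]
    return cfg["groups"].get(rec.get("member"), {}).get("acl")

def acl_permits(acl_name, nas_ip, cfg):
    """First matching permit/deny line decides. Assumed: no acl means unrestricted (the trace
    shows 'accepted' after the acl lookup returned NULL); an acl matching nothing denies."""
    if acl_name is None:
        return True
    for verdict, pattern in cfg["acls"][acl_name]:
        if re.search(pattern, nas_ip):
            return verdict == "permit"
    return False

def login_allowed(user, nas_ip, cfg=CONFIG, patched=True):
    """True if the NAS at nas_ip may authenticate `user` under this config."""
    return acl_permits(acl_name_for(user, cfg, patched), nas_ip, cfg)

if __name__ == "__main__":
    # robl is only in the passwd file; 195.66.232.230 is the router from the trace
    print("unpatched:", login_allowed("robl", "195.66.232.230", patched=False))  # True (the bug)
    print("patched:  ", login_allowed("robl", "195.66.232.230"))                 # False
```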
From: heas at shrubbery.net (john heasley)
Date: Tue, 12 Dec 2006 15:11:13 -0800
Subject: [tac_plus] Re: DEFAULT user option not working?
In-Reply-To: <20061211193208.GD12223@linx.net>
References: <20061211193208.GD12223@linx.net>
Message-ID: <20061212231113.GI18961@shrubbery.net>

Mon, Dec 11, 2006 at 07:32:08PM +0000, Robert Lister:
>
> Hi,
>
> I've been fiddling with your implementation of tac_plus for a while, and I
> cannot seem to get the user = DEFAULT option to work correctly. (I have
> specified that I want user = DEFAULT to be a member of a group, but that
> group does not seem to get applied.)
>
> If I put usernames directly into the config file, it works.
>
> (Ideally what I am trying to do is to have the user AND the group looked up
> in the passwd file, and then assign in the tac_plus config what I want to
> happen for users in that group, but I don't think tac_plus can do that; for
> example, if the GID in the passwd file is "103" then have a corresponding
> group = 103 entry to tell tac_plus what access that user should get.)

correct; tac_plus has no knowledge of the GID field of a passwd(5) file.

> I'd be grateful if you are able to tell me where I'm going wrong.
>
> I've tried lots of different things in the config file, and I believe I have
> done everything right if I understand the man page correctly. I've tried
> different passwd files, but I just can't seem to crack it...
>
> My config looks like:
>
> #
> # tac_plus configuration
> #
>
> key = ""
>
> default authentication = file /linx/tacacs/passwd.remote
>
> acl=all {
>     permit = .*
> }
>
> acl=collectors {
>     permit = ^195\.66\.232\.(254|239|223|247)$
>     deny = .*
> }
>
>
> group = test {
>     acl = collectors
> }
>
>
> user = fred {
>     login = cleartext "crap"
>     member = test
> }
>
>
> user = DEFAULT {
>     default service = permit
>     member = test
>     acl = collectors
> }
>
>
> If I try to login as "fred" to a router that is not in the acl, then
> I correctly get denied access to the router.
>
> If I try to login as a user listed in the passwd file, then no group appears
> to be found, and I get access (where I shouldn't get access, to a router
> that's not in the acl.) It seems the DEFAULT stuff is just being ignored
> completely?

Yeah, I think there is a bug here. Let me duplicate it here.

From heas at shrubbery.net Tue Dec 12 23:53:31 2006
From: heas at shrubbery.net (john heasley)
Date: Tue, 12 Dec 2006 15:53:31 -0800
Subject: [tac_plus] Re: DEFAULT user option not working?
In-Reply-To: <20061212231113.GI18961@shrubbery.net>
References: <20061211193208.GD12223@linx.net> <20061212231113.GI18961@shrubbery.net>
Message-ID: <20061212235331.GK18961@shrubbery.net>

It is a bug. The authentication path does check ACLs for a user not in the
config. Here is the patch. Thanks for the bug report!

Index: default_fn.c
===================================================================
RCS file: /home/heas/.CVS/src/routers/tac_plus/default_fn.c,v
retrieving revision 1.10
diff -u -r1.10 default_fn.c
--- default_fn.c	25 Nov 2006 03:39:16 -0000	1.10
+++ default_fn.c	12 Dec 2006 23:52:05 -0000
@@ -793,7 +793,14 @@
     char *val;
 
     /* lookup host acl for user */
-    val = cfg_get_pvalue(name, 1, type, recurse);
+    if (!cfg_user_exists(name) && cfg_user_exists(DEFAULT_USERNAME)) {
+	if (debug & DEBUG_AUTHEN_FLAG) {
+	    report(LOG_DEBUG, "Authenticating ACLs for user '%s' instead of "
+		   "'%s'", DEFAULT_USERNAME, name);
+	}
+	val = cfg_get_pvalue(DEFAULT_USERNAME, 1, type, recurse);
+    } else
+	val = cfg_get_pvalue(name, 1, type, recurse);
 
     /* no host acl for user */
     if (val == NULL)

From heas at shrubbery.net Wed Dec 13 23:59:23 2006
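Review bot: the fallback only applies when a `user = DEFAULT` entry exists, so when neither `name` nor DEFAULT_USERNAME is in the config `val` stays NULL and the `/* no host acl for user */ if (val == NULL)` path in the trailing context is still taken; the debug trace earlier in this thread shows that path ending in "accepted" for a passwd-file user, so a deployment using `default authentication = file` without a DEFAULT entry still applies no host ACL to such users. A comment above the new `if`, or a `report(LOG_DEBUG, ...)` in that branch too, would make this fail-open outcome visible to operators reading `-d` output. Minor style: the `else` branch is unbraced while the `if` branch is braced; bracing both keeps the two `cfg_get_pvalue` calls symmetrical and avoids a dangling-else surprise if another statement is added later.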
From: heas at shrubbery.net (john heasley)
Date: Wed, 13 Dec 2006 15:59:23 -0800
Subject: [tac_plus] Re: DEFAULT user option not working?
In-Reply-To: <20061213163905.GA31502@linx.net>
References: <20061211193208.GD12223@linx.net> <20061212231113.GI18961@shrubbery.net> <20061212235331.GK18961@shrubbery.net> <20061213163905.GA31502@linx.net>
Message-ID: <20061213235923.GG15378@shrubbery.net>

Wed, Dec 13, 2006 at 04:39:05PM +0000, Robert Lister:
> This has also fixed a bunch of other stuff which was not happening, such as
> groups for user DEFAULT now work, so I can associate a script with:
> "before authorization "pre_authorize $user $port $address"" in the
> group for the user which can check in other places the user's groups
> and return a yes or no to tac_plus, without having to put all of
> the users into the tac_plus.conf file.

It did? I did not expect that change to affect anything else. Could you
explain further? I want to be sure I did not introduce some bug.

From glen.johnson at alaska.edu Wed Dec 27 23:01:27 2006
From: glen.johnson at alaska.edu (Glen Johnson)
Date: Wed, 27 Dec 2006 14:01:27 -0900
Subject: [tac_plus] tacacs+ for redhat / fedora-core
Message-ID: <001901c72a0a$f0b67f40$7400e589@sxgsj1>

Hello,

Looking at the different TACACS+ forks, yours seems to be the cleanest. I've
written a SPEC, so it can be packaged into redhat RPM format. If you are
interested, I'll send this...

Your website says this fork is for you and customers. Would you be willing
to consider adding a TRAC instance (http://trac.edgewall.org) so others can
contribute? TACACS+ may be a legacy protocol, but I haven't seen anything
that quite fills the "authorization/accounting via network" niche like it
does. Not sure whether anyone WOULD contribute, but.... I find trac provides
a great project workspace even for personal projects.

Also- do you have an "announce" mailing list?

Thank you for your time

Glen Johnson
OIT Network Operations
University of Alaska