From heas at shrubbery.net Thu Jan 4 03:34:08 2007
From: heas at shrubbery.net (john heasley)
Date: Wed, 3 Jan 2007 19:34:08 -0800
Subject: [tac_plus] Re: tacacs+ for redhat / fedora-core
In-Reply-To: <001901c72a0a$f0b67f40$7400e589@sxgsj1>
References: <001901c72a0a$f0b67f40$7400e589@sxgsj1>
Message-ID: <20070104033408.GM1096@shrubbery.net>

Wed, Dec 27, 2006 at 02:01:27PM -0900, Glen Johnson:
> Hello,
>
> Looking at the different TACACS+ forks, yours seems to be the cleanest. I've
> written a SPEC, so it can be packaged into redhat RPM format. If you are
> interested, I'll send this...

Sure; I don't use Linux, but that'd probably be useful to many.  Thanks.

> Your website says this fork is for you and customers. Would you be willing to
> consider adding a TRAC instance (http://trac.edgewall.org) so others can
> contribute? TACACS+ may be a legacy protocol, but I haven't seen anything that
> quite fills the "authorization/accounting via network" niche like it does. Not
> sure whether anyone WOULD contribute, but.... I find trac provides a great
> project workspace even for personal projects.

Sorry; it looks wiz-bang, but I just don't have the time to fool with it.

> Also- do you have an "announce" mailing list?

I added one.  http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus-announce


From Dan.Morales at Rbcdain.com Fri Jan 5 21:59:24 2007
From: Dan.Morales at Rbcdain.com (Morales, Dan (RBC Dain))
Date: Fri, 5 Jan 2007 15:59:24 -0600
Subject: [tac_plus] Errors Compiling tac_plus F4.0.4.10
Message-ID: <4AEF2FE5FDE30F4094B6D2E2A0D46CB101FD747C@MAIL3.corp.isib.net>

Trying to compile F4.0.4.10 on Sun Solaris 2.6, getting the following during
make -

netmgr# make
/usr/ccs/bin/make  all-am
if gcc -DHAVE_CONFIG_H -I. -I. -I.  -g -O2 -MT tac_pwd.o -MD -MP -MF ".deps/tac_pwd.Tpo" -c -o tac_pwd.o tac_pwd.c; \
then mv -f ".deps/tac_pwd.Tpo" ".deps/tac_pwd.Po"; else rm -f ".deps/tac_pwd.Tpo"; exit 1; fi
gcc -g -O2 -o tac_pwd tac_pwd.o -lpam -lnsl -lsocket
if gcc -DHAVE_CONFIG_H -I. -I. -I.  -g -O2 -MT tac_plus.o -MD -MP -MF ".deps/tac_plus.Tpo" -c -o tac_plus.o tac_plus.c; \
then mv -f ".deps/tac_plus.Tpo" ".deps/tac_plus.Po"; else rm -f ".deps/tac_plus.Tpo"; exit 1; fi
tac_plus.c: In function `main':
tac_plus.c:338: error: `socklen_t' undeclared (first use in this function)
tac_plus.c:338: error: (Each undeclared identifier is reported only once
tac_plus.c:338: error: for each function it appears in.)
tac_plus.c:338: error: syntax error before "name_len"
tac_plus.c:343: error: `name_len' undeclared (first use in this function)
tac_plus.c:520: error: syntax error before "from_len"
tac_plus.c:525: error: `from_len' undeclared (first use in this function)
*** Error code 1
make: Fatal error: Command failed for target `tac_plus.o'
Current working directory /opt2/tac_plus/tacacs+-F4.0.4.14
*** Error code 1
make: Fatal error: Command failed for target `all'

Any suggestions?

Thanks
Dan Morales

RBC Dain Rauscher does not accept buy, sell or cancel orders by e-mail, or any
instructions by e-mail that would require your signature. Information contained
in this communication is not considered an official record of your account and
does not supersede normal trade confirmations or statements. Any information
provided has been prepared from sources believed to be reliable but is not
guaranteed, does not represent all available data necessary for making
investment decisions and is for informational purposes only. This e-mail may be
privileged and/or confidential, and the sender does not waive any related rights
and obligations. Any distribution, use or copying of this e-mail or the
information it contains by other than an intended recipient is unauthorized. If
you receive this e-mail in error, please advise me (by return e-mail or
otherwise) immediately. Information received by or sent from this system is
subject to review by supervisory personnel, is retained and may be produced to
regulatory authorities or others with a legal right to the information. E-mail
messages are not encrypted. As such, client sensitive information sent to or
received from your RBC Dain Rauscher Financial Consultant electronically may not
be secure.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20070105/d8d477e7/attachment.html


From Dan.Morales at Rbcdain.com Mon Jan 8 15:19:29 2007
From: Dan.Morales at Rbcdain.com (Morales, Dan (RBC Dain))
Date: Mon, 8 Jan 2007 09:19:29 -0600
Subject: [tac_plus] Re: Errors Compiling tac_plus F4.0.4.10
Message-ID: <4AEF2FE5FDE30F4094B6D2E2A0D46CB1020279B1@MAIL3.corp.isib.net>

No such luck after replacing the files you sent me -

netmgr# make install
if gcc -DHAVE_CONFIG_H -I. -I. -I.  -g -O2 -MT tac_pwd.o -MD -MP -MF ".deps/tac_pwd.Tpo" -c -o tac_pwd.o tac_pwd.c; \
then mv -f ".deps/tac_pwd.Tpo" ".deps/tac_pwd.Po"; else rm -f ".deps/tac_pwd.Tpo"; exit 1; fi
if gcc -DHAVE_CONFIG_H -I. -I. -I.  -g -O2 -MT tac_plus.o -MD -MP -MF ".deps/tac_plus.Tpo" -c -o tac_plus.o tac_plus.c; \
then mv -f ".deps/tac_plus.Tpo" ".deps/tac_plus.Po"; else rm -f ".deps/tac_plus.Tpo"; exit 1; fi
tac_plus.c: In function `main':
tac_plus.c:338: error: `socklen_t' undeclared (first use in this function)
tac_plus.c:338: error: (Each undeclared identifier is reported only once
tac_plus.c:338: error: for each function it appears in.)
tac_plus.c:338: error: syntax error before "name_len"
tac_plus.c:343: error: `name_len' undeclared (first use in this function)
tac_plus.c:520: error: syntax error before "from_len"
tac_plus.c:525: error: `from_len' undeclared (first use in this function)
*** Error code 1
make: Fatal error: Command failed for target `tac_plus.o'

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Friday, January 05, 2007 5:31 PM
To: Morales, Dan (RBC Dain)
Subject: Re: [tac_plus] Errors Compiling tac_plus F4.0.4.10

Fri, Jan 05, 2007 at 03:59:24PM -0600, Morales, Dan (RBC Dain):
> Trying to compile F4.0.4.10 on Sun Solaris 2.6, getting the following
> during make -

Does the attached fix it?
From robl at linx.net Mon Jan 8 03:34:03 2007
From: robl at linx.net (Robert Lister)
Date: Mon, 8 Jan 2007 03:34:03 +0000
Subject: [tac_plus] Re: DEFAULT user option not working?
In-Reply-To: <20061213235923.GG15378@shrubbery.net>
References: <20061211193208.GD12223@linx.net> <20061212231113.GI18961@shrubbery.net> <20061212235331.GK18961@shrubbery.net> <20061213163905.GA31502@linx.net> <20061213235923.GG15378@shrubbery.net>
Message-ID: <20070108033403.GB28673@linx.net>

.. I wonder if I could ask another question.

I have a cisco router with console lines on, and tac_plus config that calls
a pre_authorize script to look in a group file to decide which users are
allowed to access what devices (by IP)

When I telnet to the router to port 23, tac_plus calls the script and I get
allowed or denied as expected.

When I telnet to a console line, tac_plus runs but does not seem to call my
script, and allows every user in.

I'm not sure what's different from the telnet request to the console access
request about the tacacs request? Clearly the aaa config is set up on the
router, and the debug output from tac_plus shows the requests, but the only
difference I can see between them is that my script does not get called for
console requests? Is it because "exec" auth is not getting called for
console lines?

Is there a way to make it call my script for all login requests?

Cisco conf:

aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common


* Correct for telnet:

spitfire:~>telnet ar1
Connected to ar1.
Escape character is '^]'.

User Access Verification

Username: tac
Password:
% Authorization Failed - denied by TACACS+ cisco_group_acl:101

Connection closed by foreign host.

* Incorrect for console lines:

spitfire:~>telnet ar1 2052
Connected to ar1.
Escape character is '^]'.

User Access Verification

Username: tac
Password:

AlterPath ACS

acs.tfm7 login:


tac_plus conf:

#
# tac_plus configuration
#

accounting file = /var/log/tac_plus_cisco_acct.log

# logging =

key = ""

default authentication = file /etc/tacacs/passwd.remote

group = tac_auth {
    default service = permit
    # this script looks up the group for the user in passwd.remote and
    # then checks the ACL for that group in cisco_group_acl.
    # It returns a permit or deny accordingly:
    before authorization "/etc/tacacs/pre_authorize $user $name $address"

    service = exec {
        priv-lvl = 1
    }
}

user = DEFAULT {
    member = tac_auth
}


Thanks,


Rob


--
Robert Lister - London Internet Exchange - http://www.linx.net/
robl at linx.net - tel: +44 (0)20 7645 3510 - RL786-RIPE


From heas at shrubbery.net Tue Jan 9 06:29:55 2007
From: heas at shrubbery.net (john heasley)
Date: Mon, 8 Jan 2007 22:29:55 -0800
Subject: [tac_plus] Re: DEFAULT user option not working?
Message-ID: <20070109062955.GE7848@shrubbery.net>

> .. I wonder if I could ask another question.
>
> I have a cisco router with console lines on, and tac_plus config that calls
> a pre_authorize script to look in a group file to decide which users are
> allowed to access what devices (by IP)
>
> When I telnet to the router to port 23, tac_plus calls the script and I get
> allowed or denied as expected.
>
> When I telnet to a console line, tac_plus runs but does not seem to call my
> script, and allows every user in.
>
> I'm not sure what's different from the telnet request to the console access
> request about the tacacs request? Clearly the aaa config is set up on the
> router, and the debug output from tac_plus shows the requests, but the only
> difference I can see between them is that my script does not get called for
> console requests? Is it because "exec" auth is not getting called for
> console lines?
>
> Is there a way to make it call my script for all login requests?

IIRC, the console/aux of the cisco simply does not perform the same
authorization as a vty.  If you enable authorization logging you can see
the difference.  Maybe there is some configuration knob that will make it
act normally, but it's unknown to me.

>
> Cisco conf:
>
> aaa new-model
> !
> !
> aaa authentication login default group tacacs+ enable
> aaa authorization exec default group tacacs+ none
> aaa accounting send stop-record authentication failure
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 0 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa session-id common
>
>
> * Correct for telnet:
>
> spitfire:~>telnet ar1
> Connected to ar1.
> Escape character is '^]'.
>
> User Access Verification
>
> Username: tac
> Password:
> % Authorization Failed - denied by TACACS+ cisco_group_acl:101
>
> Connection closed by foreign host.
>
> * Incorrect for console lines:
>
> spitfire:~>telnet ar1 2052
> Connected to ar1.
> Escape character is '^]'.
>
> User Access Verification
>
> Username: tac
> Password:
>
> AlterPath ACS
>
> acs.tfm7 login:
>
>
> tac_plus conf:
>
> #
> # tac_plus configuration
> #
>
> accounting file = /var/log/tac_plus_cisco_acct.log
>
> # logging =
>
> key = ""
>
> default authentication = file /etc/tacacs/passwd.remote
>
> group = tac_auth {
>     default service = permit
>     # this script looks up the group for the user in passwd.remote and
>     # then checks the ACL for that group in cisco_group_acl.
>     # It returns a permit or deny accordingly:
>     before authorization "/etc/tacacs/pre_authorize $user $name $address"
>
>     service = exec {
>         priv-lvl = 1
>     }
> }
>
> user = DEFAULT {
>     member = tac_auth
> }
>
>
> Thanks,
>
>
> Rob
>
>
> --
> Robert Lister - London Internet Exchange - http://www.linx.net/
> robl at linx.net - tel: +44 (0)20 7645 3510 - RL786-RIPE
> From: tac_plus-request at shrubbery.net
> Subject: confirm cbb9cf040d45266048e5f0ed48ced0ccb83e01e8
>
> If you reply to this message, keeping the Subject: header intact,
> Mailman will discard the held message.  Do this if the message is
> spam.  If you reply to this message and include an Approved: header
> with the list password in it, the message will be approved for posting
> to the list.  The Approved: header can also appear in the first line
> of the body of the reply.


From Martin.Bergs at t-systems.com Thu Jan 18 15:18:42 2007
From: Martin.Bergs at t-systems.com (Bergs, Martin)
Date: Thu, 18 Jan 2007 16:18:42 +0100
Subject: [tac_plus] deny telnet?
Message-ID: <1E4CCB2441C5C0409AD8A929482A09F301220201@S4DE9JSAAIG.ost.t-com.de>

Hi,

I have the problem that I want to deny users to telnet from a router to
another device. So I deny the telnet command but on IOS the user can
also just enter an IP address and start like this a telnet session.
How to configure TACACS+ to deny telnet for a user by just entering an
IP address? Do you have an idea?

Yours Sincerely / Mit freundlichen Gruessen

Martin Bergs


From heas at shrubbery.net Thu Jan 18 17:14:04 2007
From: heas at shrubbery.net (john heasley)
Date: Thu, 18 Jan 2007 09:14:04 -0800
Subject: [tac_plus] Re: deny telnet?
In-Reply-To: <1E4CCB2441C5C0409AD8A929482A09F301220201@S4DE9JSAAIG.ost.t-com.de>
References: <1E4CCB2441C5C0409AD8A929482A09F301220201@S4DE9JSAAIG.ost.t-com.de>
Message-ID: <20070118171404.GA9043@shrubbery.net>

Thu, Jan 18, 2007 at 04:18:42PM +0100, Bergs, Martin:
> Hi,
>
> I have the problem that I want to deny users to telnet from a router to
> another device. So I deny the telnet command but on IOS the user can
> also just enter an IP address and start like this a telnet session.
> How to configure TACACS+ to deny telnet for a user by just entering an
> IP address? Do you have an idea?

Didn't know that was possible.  you could list the commands that a user is
authorized to use and deny all others.  or, try a regex

	deny [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
	deny [0-9A-F]{1,4}:


From gardiner at purdigital.net Mon Jan 22 18:44:24 2007
From: gardiner at purdigital.net (Jason Gardiner)
Date: Mon, 22 Jan 2007 13:44:24 -0500
Subject: [tac_plus] Problem With tac_plus
Message-ID: <45B50608.5050505@purdigital.net>

Hello,

I've run across a problem and I'm about to tear out my hair.  I have
tac_plus setup for Ciscos, but it seems that every command issued after
"config t" is allowed, even when explicitly denied.  Here is the config

user = xxxxx {
    default service = deny
    name = "xxxxxx"
    login = des xxxxxx
    ms-chap = cleartext yyyyyyy
    service=exec { priv-lvl = 15 }
    cmd = load-interval { deny .* }
    cmd = show { permit "arp|config" }
    cmd = write { permit "terminal" }
    cmd = terminal { permit "length .*" }
    cmd = configure { permit .* }
    cmd = arp { permit ".*" }
    cmd = ip { permit "route .* 255.255.255.255 .*" }
    cmd = interface { deny .* }
    cmd = no { deny "ip address" }
}


As it stands, the user can perform a 'show arp,' but a 'show clock'
returns with a "Command authorization failed" as expected.

However, if the user does a 'config t,' then he can still perform an
'interface loopback 112' even though it should be denied AFAICT.

Any insight that you can offer into this would be greatly appreciated.

--
Thanks,
Jason Gardiner
Purdigital Engineering

"You can swim all day in the Sea of Knowledge and still come out
completely dry.  Most people do." - Norton Juster


From heas at shrubbery.net Tue Jan 23 16:04:50 2007
From: heas at shrubbery.net (john heasley)
Date: Tue, 23 Jan 2007 16:04:50 +0000
Subject: [tac_plus] Re: Problem With tac_plus
In-Reply-To: <45B50608.5050505@purdigital.net>
References: <45B50608.5050505@purdigital.net>
Message-ID: <20070123160450.GB6459@shrubbery.net>

Mon, Jan 22, 2007 at 01:44:24PM -0500, Jason Gardiner:
> Hello,
>
> I've run across a problem and I'm about to tear out my hair.  I have
> tac_plus setup for Ciscos, but it seems that every command issued after
> "config t" is allowed, even when explicitly denied.  Here is the config
>
> user = xxxxx {
>     default service = deny
>     name = "xxxxxx"
>     login = des xxxxxx
>     ms-chap = cleartext yyyyyyy
>     service=exec { priv-lvl = 15 }
>     cmd = load-interval { deny .* }
>     cmd = show { permit "arp|config" }
>     cmd = write { permit "terminal" }
>     cmd = terminal { permit "length .*" }
>     cmd = configure { permit .* }
>     cmd = arp { permit ".*" }
>     cmd = ip { permit "route .* 255.255.255.255 .*" }
>     cmd = interface { deny .* }
>     cmd = no { deny "ip address" }
> }
>
>
> As it stands, the user can perform a 'show arp,' but a 'show clock'
> returns with a "Command authorization failed" as expected.
>
> However, if the user does a 'config t,' then he can still perform an
> 'interface loopback 112' even though it should be denied AFAICT.
>
> Any insight that you can offer into this would be greatly appreciated.
>

never tried config-mode command authorization.  try authorization debugging
with -d 8.  perhaps something is prepended to the command in config
mode or, for the interface xx question, there is no authorization for moving
among config 'levels'.
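To make the first-match semantics of the cmd blocks in Jason's config concrete, here is an added example in Python; it is not part of the thread and not tac_plus's own code. It transcribes the nine cmd blocks above into a table and evaluates command lines against them. The matching rules it models are my assumptions about tac_plus, not something the thread states: the first word selects the cmd block, the remaining words are searched unanchored against each regex in order, the first hit wins, a block with no hit denies, and a command with no block falls back to `default service`. The `authorize_session` helper and its `config_commands_authorized` flag are a constructed illustration of the point that the server can only judge commands the router actually sends it for authorization.

```python
import re

# Transcribed from the user block in the thread (cmd blocks only; the
# login/ms-chap lines are not relevant to command authorization).
# Each entry: command word -> ordered list of (action, regex).
USER_POLICY = {
    "load-interval": [("deny", r".*")],
    "show":          [("permit", r"arp|config")],
    "write":         [("permit", r"terminal")],
    "terminal":      [("permit", r"length .*")],
    "configure":     [("permit", r".*")],
    "arp":           [("permit", r".*")],
    "ip":            [("permit", r"route .* 255.255.255.255 .*")],
    "interface":     [("deny", r".*")],
    "no":            [("deny", r"ip address")],
}
DEFAULT_SERVICE = "deny"   # 'default service = deny' in the user block


def authorize(command, policy=USER_POLICY, default_service=DEFAULT_SERVICE):
    """Return 'permit' or 'deny' for one full command line.

    Assumed tac_plus semantics (not taken from the thread): the first word
    selects the cmd block; the rest of the line, re-joined with single
    spaces, is searched unanchored against each regex in order; the first
    match decides; a cmd block with no match denies; a command with no cmd
    block at all falls back to the user's 'default service'.
    """
    words = command.split()
    if not words:
        return "deny"
    cmd, args = words[0], " ".join(words[1:])
    if cmd not in policy:
        return default_service
    for action, pattern in policy[cmd]:
        if re.search(pattern, args):
            return action
    return "deny"


def authorize_session(commands, policy=USER_POLICY,
                      config_commands_authorized=True):
    """Simulate the server-side decisions for a sequence of typed commands.

    Constructed illustration: if the router does not send config-mode
    commands for authorization, anything typed after a permitted
    'configure ...' never reaches the server, so the policy cannot deny it.
    Such lines are reported as 'not-sent' to make that gap visible.
    Mode tracking is crude on purpose: 'configure' enters config mode when
    permitted, 'end' leaves it.
    """
    decisions = []
    in_config = False
    for line in commands:
        first = line.split()[0] if line.split() else ""
        if in_config and not config_commands_authorized:
            verdict = "not-sent"
        else:
            verdict = authorize(line, policy)
        decisions.append((line, verdict))
        if first == "configure" and verdict == "permit":
            in_config = True
        elif first == "end":
            in_config = False
    return decisions


if __name__ == "__main__":
    # Constructed sample session mirroring the symptom described above.
    session = ["show arp", "show clock", "configure terminal",
               "interface loopback 112", "no ip address", "end"]
    for sent, label in ((True, "router sends config commands"),
                        (False, "router does not send config commands")):
        print(label)
        for line, verdict in authorize_session(session,
                                               config_commands_authorized=sent):
            print(f"  {line:28} -> {verdict}")
```

Two details worth noticing when running it: because the search is unanchored, `show running-config` is permitted by the `arp|config` pattern even though only `show arp` and `show config` were probably intended, and every command with no cmd block (`clear counters`, for instance) is decided by `default service = deny` rather than by a regex.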
From drose at nla.gov.au Wed Jan 24 02:23:35 2007
From: drose at nla.gov.au (Daniel Rose)
Date: Wed, 24 Jan 2007 13:23:35 +1100
Subject: [tac_plus] user-managed password changes
Message-ID: <3F8819281E85774CA6CE6F4FB842874F0456FA5B@gimli.shire.nla.gov.au>

It's sometimes possible in enterprise environments to change your own
password by using the password "Changepass" or just enter at the
password prompt.

The user is then asked to enter their old password and the new one
twice, and the tacacs database is updated.

How is this done with the tac_plus implementation?  Have I missed
something significant here?

--
Daniel Rose
Business Systems Support
National Library of Australia
ph 6262 1599 -- fx 6273 3648


From heas at shrubbery.net Wed Jan 24 16:42:28 2007
From: heas at shrubbery.net (john heasley)
Date: Wed, 24 Jan 2007 16:42:28 +0000
Subject: [tac_plus] Re: user-managed password changes
In-Reply-To: <3F8819281E85774CA6CE6F4FB842874F0456FA5B@gimli.shire.nla.gov.au>
References: <3F8819281E85774CA6CE6F4FB842874F0456FA5B@gimli.shire.nla.gov.au>
Message-ID: <20070124164228.GC7311@shrubbery.net>

Wed, Jan 24, 2007 at 01:23:35PM +1100, Daniel Rose:
> It's sometimes possible in enterprise environments to change your own
> password by using the password "Changepass" or just enter at the
> password prompt.
>
> The user is then asked to enter their old password and the new one
> twice, and the tacacs database is updated.
>
> How is this done with the tac_plus implementation?  Have I missed
> something significant here?

tacacs does not support this natively/internally.  it only supports
password expiration.  what could be done, i believe, is to use PAM as the
tacacs authentication method.  using pam, the password can expire and
begin an interaction with the user in a new password dialog.

Others have used a web page, which changes either a database that is
exported to tacacs configuration files or that is used via PAM.

cheers.

> --
> Daniel Rose
> Business Systems Support
> National Library of Australia
> ph 6262 1599 -- fx 6273 3648
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus


From heas at shrubbery.net Fri Jan 26 02:32:05 2007
From: heas at shrubbery.net (john heasley)
Date: Thu, 25 Jan 2007 18:32:05 -0800
Subject: [tac_plus] Fwd: Re: Problem With tac_plus
Message-ID: <20070126023205.GV13993@shrubbery.net>

----- Forwarded message from Jason Gardiner -----

From: Jason Gardiner
To: john heasley
Subject: Re: [tac_plus] Problem With tac_plus
Date: Tue, 23 Jan 2007 12:12:50 -0500
X-Original-To: heas at shrubbery.net
X-Enigmail-Version: 0.94.1.2
X-Bogosity: Ham, tests=bogofilter, spamicity=0.442722, version=0.96.6

john heasley wrote:
> never tried config-mode command authorization.  try authorization debugging
> with -d 8.  perhaps something is prepended to the command in config
> mode or, for the interface xx question, there is no authorization for moving
> among config 'levels'.
>

In case someone asks again, the command "aaa authorization config-commands" is
needed on the router.

Thanks again.
Would you be willing to > consider adding a TRAC instance (http://trac.edgewall.org) so others can > contribute? TACACS+ may be a legacy protocol, but I haven't seen anything that > quite fills the "authorization/accounting via network" niche like it does. Not > sure whether anyone WOULD contribute, but.... I find trac provides a great > project workspace even for personal projects. Sorry; it looks wiz-bang, but I just don't have the time to fool with it. > Also- do you have an "announce" mailing list? I added one. http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus-announce From Dan.Morales at Rbcdain.com Fri Jan 5 21:59:24 2007 From: Dan.Morales at Rbcdain.com (Morales, Dan (RBC Dain)) Date: Fri, 5 Jan 2007 15:59:24 -0600 Subject: [tac_plus] Errors Compiling tac_plus F4.0.4.10 Message-ID: <4AEF2FE5FDE30F4094B6D2E2A0D46CB101FD747C@MAIL3.corp.isib.net> Trying to compile F4.0.4.10 on Sun Solaris 2.6, getting the following during make - netmgr# make /usr/ccs/bin/make all-am if gcc -DHAVE_CONFIG_H -I. -I. -I. -g -O2 -MT tac_pwd.o -MD -MP -MF ".deps/ tac_pwd.Tpo" -c -o tac_pwd.o tac_pwd.c; \ then mv -f ".deps/tac_pwd.Tpo" ".deps/tac_pwd.Po"; else rm -f ".deps/tac_pwd.Tpo "; exit 1; fi gcc -g -O2 -o tac_pwd tac_pwd.o -lpam -lnsl -lsocket if gcc -DHAVE_CONFIG_H -I. -I. -I. -g -O2 -MT tac_plus.o -MD -MP -MF ".deps /tac_plus.Tpo" -c -o tac_plus.o tac_plus.c; \ then mv -f ".deps/tac_plus.Tpo" ".deps/tac_plus.Po"; else rm -f ".deps/tac_plus. Tpo"; exit 1; fi tac_plus.c: In function `main': tac_plus.c:338: error: `socklen_t' undeclared (first use in this function) tac_plus.c:338: error: (Each undeclared identifier is reported only once tac_plus.c:338: error: for each function it appears in.) 
tac_plus.c:338: error: syntax error before "name_len" tac_plus.c:343: error: `name_len' undeclared (first use in this function) tac_plus.c:520: error: syntax error before "from_len" tac_plus.c:525: error: `from_len' undeclared (first use in this function) *** Error code 1 make: Fatal error: Command failed for target `tac_plus.o' Current working directory /opt2/tac_plus/tacacs+-F4.0.4.14 *** Error code 1 make: Fatal error: Command failed for target `all' Any suggestions? Thanks Dan Morales RBC Dain Rauscher does not accept buy, sell or cancel orders by e-mail, or any instructions by e-mail that would require your signature. Information contained in this communication is not considered an official record of your account and does not supersede normal trade confirmations or statements. Any information provided has been prepared from sources believed to be reliable but is not guaranteed, does not represent all available data necessary for making investment decisions and is for informational purposes only. This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you receive this e-mail in error, please advise me (by return e-mail or otherwise) immediately. Information received by or sent from this system is subject to review by supervisory personnel, is retained and may be produced to regulatory authorities or others with a legal right to the information. E-mail messages are not encrypted. As such, client sensitive information sent to or received from your RBC Dain Rauscher Financial Consultant electronically may not be secure. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20070105/d8d477e7/attachment.html From Dan.Morales at Rbcdain.com Mon Jan 8 15:19:29 2007 From: Dan.Morales at Rbcdain.com (Morales, Dan (RBC Dain)) Date: Mon, 8 Jan 2007 09:19:29 -0600 Subject: [tac_plus] Re: Errors Compiling tac_plus F4.0.4.10 Message-ID: <4AEF2FE5FDE30F4094B6D2E2A0D46CB1020279B1@MAIL3.corp.isib.net> No such luck after replacing the files you sent me - netmgr# make install if gcc -DHAVE_CONFIG_H -I. -I. -I. -g -O2 -MT tac_pwd.o -MD -MP -MF ".deps/ tac_pwd.Tpo" -c -o tac_pwd.o tac_pwd.c; \ then mv -f ".deps/tac_pwd.Tpo" ".deps/tac_pwd.Po"; else rm -f ".deps/tac_pwd.Tpo "; exit 1; fi if gcc -DHAVE_CONFIG_H -I. -I. -I. -g -O2 -MT tac_plus.o -MD -MP -MF ".deps /tac_plus.Tpo" -c -o tac_plus.o tac_plus.c; \ then mv -f ".deps/tac_plus.Tpo" ".deps/tac_plus.Po"; else rm -f ".deps/tac_plus. Tpo"; exit 1; fi tac_plus.c: In function `main': tac_plus.c:338: error: `socklen_t' undeclared (first use in this function) tac_plus.c:338: error: (Each undeclared identifier is reported only once tac_plus.c:338: error: for each function it appears in.) tac_plus.c:338: error: syntax error before "name_len" tac_plus.c:343: error: `name_len' undeclared (first use in this function) tac_plus.c:520: error: syntax error before "from_len" tac_plus.c:525: error: `from_len' undeclared (first use in this function) *** Error code 1 make: Fatal error: Command failed for target `tac_plus.o' -----Original Message----- From: john heasley [mailto:heas at shrubbery.net] Sent: Friday, January 05, 2007 5:31 PM To: Morales, Dan (RBC Dain) Subject: Re: [tac_plus] Errors Compiling tac_plus F4.0.4.10 Fri, Jan 05, 2007 at 03:59:24PM -0600, Morales, Dan (RBC Dain): > Trying to compile F4.0.4.10 on Sun Solaris 2.6, getting the following > during make - Does the attached fix it? RBC Dain Rauscher does not accept buy, sell or cancel orders by e-mail, or any instructions by e-mail that would require your signature. 
Information contained in this communication is not considered an official record of your account and does not supersede normal trade confirmations or statements. Any information provided has been prepared from sources believed to be reliable but is not guaranteed, does not represent all available data necessary for making investment decisions and is for informational purposes only. This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you receive this e-mail in error, please advise me (by return e-mail or otherwise) immediately. Information received by or sent from this system is subject to review by supervisory personnel, is retained and may be produced to regulatory authorities or others with a legal right to the information. E-mail messages are not encrypted. As such, client sensitive information sent to or received from your RBC Dain Rauscher Financial Consultant electronically may not be secure. From robl at linx.net Mon Jan 8 03:34:03 2007 From: robl at linx.net (Robert Lister) Date: Mon, 8 Jan 2007 03:34:03 +0000 Subject: [tac_plus] Re: DEFAULT user option not working? In-Reply-To: <20061213235923.GG15378@shrubbery.net> References: <20061211193208.GD12223@linx.net> <20061212231113.GI18961@shrubbery.net> <20061212235331.GK18961@shrubbery.net> <20061213163905.GA31502@linx.net> <20061213235923.GG15378@shrubbery.net> Message-ID: <20070108033403.GB28673@linx.net> .. I wonder if I could ask another question. I have a cisco router with console lines on, and tac_plus config that calls a pre_authorize script to look in a group file to decide which users are allowed to access what devices (by IP) When I telnet to the router to port 23, tac_plus calls the script and I get allowed or denied as expected. 
When I telnet to a console line, tac_plus runs but does not seem to call my script, and allows every user in. I'm not sure what's different from the telnet request to the console access request about the tacacs request? Clearly the aaa config is set up on the router, and the debug output from tac_plus shows the requests, but the only difference I can see between them is that my script does not get called for console requests? Is it because "exec" auth is not getting called for console lines? Is there a way to make it call my script for all login requests? Cisco conf: aaa new-model ! ! aaa authentication login default group tacacs+ enable aaa authorization exec default group tacacs+ none aaa accounting send stop-record authentication failure aaa accounting exec default start-stop group tacacs+ aaa accounting commands 0 default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa session-id common * Correct for telnet: spitfire:~>telnet ar1 Connected to ar1. Escape character is '^]'. User Access Verification Username: tac Password: % Authorization Failed - denied by TACACS+ cisco_group_acl:101 Connection closed by foreign host. * Incorrect for console lines: spitfire:~>telnet ar1 2052 Connected to ar1. Escape character is '^]'. User Access Verification Username: tac Password: AlterPath ACS acs.tfm7 login: tac_plus conf: # # tac_plus configuration # accounting file = /var/log/tac_plus_cisco_acct.log # logging = key = "" default authentication = file /etc/tacacs/passwd.remote group = tac_auth { default service = permit # this script looks up the group for the user in passwd.remote and # then checks the ACL for that group in cisco_group_acl. 
# It returns a permit or deny accordingly: before authorization "/etc/tacacs/pre_authorize $user $name $address" service = exec { priv-lvl = 1 } } user = DEFAULT { member = tac_auth } Thanks, Rob -- Robert Lister - London Internet Exchange - http://www.linx.net/ robl at linx.net - tel: +44 (0)20 7645 3510 - RL786-RIPE From heas at shrubbery.net Tue Jan 9 06:29:55 2007 From: heas at shrubbery.net (john heasley) Date: Mon, 8 Jan 2007 22:29:55 -0800 Subject: [tac_plus] Re: DEFAULT user option not working? Message-ID: <20070109062955.GE7848@shrubbery.net> > .. I wonder if I could ask another question. > > I have a cisco router with console lines on, and tac_plus config that calls > a pre_authorize script to look in a group file to decide which users are > allowed to access what devices (by IP) > > When I telnet to the router to port 23, tac_plus calls the script and I get > allowed or denied as expected. > > When I telnet to a console line, tac_plus runs but does not seem to call my > script, and allows every user in. > > I'm not sure what's different from the telnet request to the console access > request about the tacacs request? Clearly the aaa config is set up on the > router, and the debug output from tac_plus shows the requests, but the only > difference I can see between them is that my script does not get called for > console requests? Is it because "exec" auth is not getting called for > console lines? > > Is there a way to make it call my script for all login requests? IIRC, the console/aux of the cisco simply does not perform the same authorization as a vty. If you enable authorization logging you can see the difference. Maybe there is some configuration knob that will make it act normally, but its unknown to me. > > Cisco conf: > > aaa new-model > ! > ! 
> aaa authentication login default group tacacs+ enable
> aaa authorization exec default group tacacs+ none
> aaa accounting send stop-record authentication failure
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 0 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa session-id common
>
>
> * Correct for telnet:
>
> spitfire:~>telnet ar1
> Connected to ar1.
> Escape character is '^]'.
>
> User Access Verification
>
> Username: tac
> Password:
> % Authorization Failed - denied by TACACS+ cisco_group_acl:101
>
> Connection closed by foreign host.
>
> * Incorrect for console lines:
>
> spitfire:~>telnet ar1 2052
> Connected to ar1.
> Escape character is '^]'.
>
> User Access Verification
>
> Username: tac
> Password:
>
> AlterPath ACS
>
> acs.tfm7 login:
>
>
> tac_plus conf:
>
> #
> # tac_plus configuration
> #
>
> accounting file = /var/log/tac_plus_cisco_acct.log
>
> # logging =
>
> key = ""
>
> default authentication = file /etc/tacacs/passwd.remote
>
> group = tac_auth {
>     default service = permit
>     # this script looks up the group for the user in passwd.remote and
>     # then checks the ACL for that group in cisco_group_acl.
>     # It returns a permit or deny accordingly:
>     before authorization "/etc/tacacs/pre_authorize $user $name $address"
>
>     service = exec {
>         priv-lvl = 1
>     }
> }
>
> user = DEFAULT {
>     member = tac_auth
> }
>
>
> Thanks,
>
>
> Rob
>
>
> --
> Robert Lister - London Internet Exchange - http://www.linx.net/
> robl at linx.net - tel: +44 (0)20 7645 3510 - RL786-RIPE
> From: tac_plus-request at shrubbery.net
> Subject: confirm cbb9cf040d45266048e5f0ed48ced0ccb83e01e8
>
> If you reply to this message, keeping the Subject: header intact,
> Mailman will discard the held message. Do this if the message is
> spam. If you reply to this message and include an Approved: header
> with the list password in it, the message will be approved for posting
> to the list.
> The Approved: header can also appear in the first line
> of the body of the reply.

From Martin.Bergs at t-systems.com Thu Jan 18 15:18:42 2007
From: Martin.Bergs at t-systems.com (Bergs, Martin)
Date: Thu, 18 Jan 2007 16:18:42 +0100
Subject: [tac_plus] deny telnet?
Message-ID: <1E4CCB2441C5C0409AD8A929482A09F301220201@S4DE9JSAAIG.ost.t-com.de>

Hi,

I have the problem that I want to deny users to telnet from a router to
another device. So I deny the telnet command, but on IOS the user can
also just enter an IP address and start a telnet session like this.
How to configure TACACS+ to deny telnet for a user by just entering an
IP address? Do you have an idea?

Yours Sincerely / Mit freundlichen Gruessen

Martin Bergs

From heas at shrubbery.net Thu Jan 18 17:14:04 2007
From: heas at shrubbery.net (john heasley)
Date: Thu, 18 Jan 2007 09:14:04 -0800
Subject: [tac_plus] Re: deny telnet?
In-Reply-To: <1E4CCB2441C5C0409AD8A929482A09F301220201@S4DE9JSAAIG.ost.t-com.de>
References: <1E4CCB2441C5C0409AD8A929482A09F301220201@S4DE9JSAAIG.ost.t-com.de>
Message-ID: <20070118171404.GA9043@shrubbery.net>

Thu, Jan 18, 2007 at 04:18:42PM +0100, Bergs, Martin:
> Hi,
>
> I have the problem that I want to deny users to telnet from a router to
> another device. So I deny the telnet command, but on IOS the user can
> also just enter an IP address and start a telnet session like this.
> How to configure TACACS+ to deny telnet for a user by just entering an
> IP address? Do you have an idea?

Didn't know that was possible. You could list the commands that a user
is authorized to use and deny all others. Or, try a regex:

deny [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
deny [0-9A-F]{1,4}:

From gardiner at purdigital.net Mon Jan 22 18:44:24 2007
From: gardiner at purdigital.net (Jason Gardiner)
Date: Mon, 22 Jan 2007 13:44:24 -0500
Subject: [tac_plus] Problem With tac_plus
Message-ID: <45B50608.5050505@purdigital.net>

Hello,

I've run across a problem and I'm about to tear out my hair.
I have tac_plus set up for Ciscos, but it seems that every command issued
after "config t" is allowed, even when explicitly denied. Here is the config:

user = xxxxx {
    default service = deny
    name = "xxxxxx"
    login = des xxxxxx
    ms-chap = cleartext yyyyyyy
    service=exec { priv-lvl = 15 }
    cmd = load-interval { deny .* }
    cmd = show { permit "arp|config" }
    cmd = write { permit "terminal" }
    cmd = terminal { permit "length .*" }
    cmd = configure { permit .* }
    cmd = arp { permit ".*" }
    cmd = ip { permit "route .* 255.255.255.255 .*" }
    cmd = interface { deny .* }
    cmd = no { deny "ip address" }
}

As it stands, the user can perform a 'show arp,' but a 'show clock'
returns with a "Command authorization failed" as expected.

However, if the user does a 'config t,' then he can still perform an
'interface loopback 112' even though it should be denied AFAICT.

Any insight that you can offer into this would be greatly appreciated.

--
Thanks,

Jason Gardiner
Purdigital Engineering

"You can swim all day in the Sea of Knowledge and still come out
completely dry. Most people do." - Norton Juster

From heas at shrubbery.net Tue Jan 23 16:04:50 2007
From: heas at shrubbery.net (john heasley)
Date: Tue, 23 Jan 2007 16:04:50 +0000
Subject: [tac_plus] Re: Problem With tac_plus
In-Reply-To: <45B50608.5050505@purdigital.net>
References: <45B50608.5050505@purdigital.net>
Message-ID: <20070123160450.GB6459@shrubbery.net>

Mon, Jan 22, 2007 at 01:44:24PM -0500, Jason Gardiner:
> Hello,
>
> I've run across a problem and I'm about to tear out my hair. I have
> tac_plus set up for Ciscos, but it seems that every command issued after
> "config t" is allowed, even when explicitly denied.
> Here is the config:
>
> user = xxxxx {
>     default service = deny
>     name = "xxxxxx"
>     login = des xxxxxx
>     ms-chap = cleartext yyyyyyy
>     service=exec { priv-lvl = 15 }
>     cmd = load-interval { deny .* }
>     cmd = show { permit "arp|config" }
>     cmd = write { permit "terminal" }
>     cmd = terminal { permit "length .*" }
>     cmd = configure { permit .* }
>     cmd = arp { permit ".*" }
>     cmd = ip { permit "route .* 255.255.255.255 .*" }
>     cmd = interface { deny .* }
>     cmd = no { deny "ip address" }
> }
>
>
> As it stands, the user can perform a 'show arp,' but a 'show clock'
> returns with a "Command authorization failed" as expected.
>
> However, if the user does a 'config t,' then he can still perform an
> 'interface loopback 112' even though it should be denied AFAICT.
>
> Any insight that you can offer into this would be greatly appreciated.
>

Never tried config-mode command authorization. Try authorization debugging
with -d 8. Perhaps something is prepended to the command in config mode
or, for the interface xx question, there is no authorization for moving
among config "levels".

From drose at nla.gov.au Wed Jan 24 02:23:35 2007
From: drose at nla.gov.au (Daniel Rose)
Date: Wed, 24 Jan 2007 13:23:35 +1100
Subject: [tac_plus] user-managed password changes
Message-ID: <3F8819281E85774CA6CE6F4FB842874F0456FA5B@gimli.shire.nla.gov.au>

It's sometimes possible in enterprise environments to change your own
password by using the password "Changepass" or just enter at the
password prompt.

The user is then asked to enter their old password and the new one
twice, and the tacacs database is updated.

How is this done with the tac_plus implementation? Have I missed
something significant here?
--
Daniel Rose
Business Systems Support
National Library of Australia
ph 6262 1599 -- fx 6273 3648

From heas at shrubbery.net Wed Jan 24 16:42:28 2007
From: heas at shrubbery.net (john heasley)
Date: Wed, 24 Jan 2007 16:42:28 +0000
Subject: [tac_plus] Re: user-managed password changes
In-Reply-To: <3F8819281E85774CA6CE6F4FB842874F0456FA5B@gimli.shire.nla.gov.au>
References: <3F8819281E85774CA6CE6F4FB842874F0456FA5B@gimli.shire.nla.gov.au>
Message-ID: <20070124164228.GC7311@shrubbery.net>

Wed, Jan 24, 2007 at 01:23:35PM +1100, Daniel Rose:
> It's sometimes possible in enterprise environments to change your own
> password by using the password "Changepass" or just enter at the
> password prompt.
>
> The user is then asked to enter their old password and the new one
> twice, and the tacacs database is updated.
>
> How is this done with the tac_plus implementation? Have I missed
> something significant here?

tacacs does not support this natively/internally. It only supports
password expiration. What could be done, I believe, is to use PAM as the
tacacs authentication method. Using PAM, the password can expire and
begin an interaction with the user in a new password dialog.

Others have used a web page, which changes either a database that is
exported to tacacs configuration files or that is used via PAM.

cheers.
> --
> Daniel Rose
> Business Systems Support
> National Library of Australia
> ph 6262 1599 -- fx 6273 3648
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From heas at shrubbery.net Fri Jan 26 02:32:05 2007
From: heas at shrubbery.net (john heasley)
Date: Thu, 25 Jan 2007 18:32:05 -0800
Subject: [tac_plus] Fwd: Re: Problem With tac_plus
Message-ID: <20070126023205.GV13993@shrubbery.net>

----- Forwarded message from Jason Gardiner -----

From: Jason Gardiner
To: john heasley
Subject: Re: [tac_plus] Problem With tac_plus
Date: Tue, 23 Jan 2007 12:12:50 -0500
X-Original-To: heas at shrubbery.net
X-Enigmail-Version: 0.94.1.2
X-Bogosity: Ham, tests=bogofilter, spamicity=0.442722, version=0.96.6

john heasley wrote:
> Never tried config-mode command authorization. Try authorization debugging
> with -d 8. Perhaps something is prepended to the command in config mode
> or, for the interface xx question, there is no authorization for moving
> among config "levels".
>

In case someone asks again, the command "aaa authorization config-commands"
is needed on the router.

Thanks again.
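Editor's note, added to this archive page and not taken from any of the messages above: two of this month's threads (Rob's console lines that let every user in, and Jason's config-mode commands that were never denied) come down to the router not sending an authorization request at all, so nothing in tac_plus.conf or a pre_authorize script can help. The IOS stanza below is an added example, not verified by the list on Rob's or Jason's hardware, that puts the two router-side settings next to Rob's posted AAA lines: console and aux lines do not request exec authorization unless `aaa authorization console` is set, and commands typed inside configure mode are only sent for authorization while `aaa authorization config-commands` is in effect, which is what Jason reported back. The server address and key are placeholders. One more thing a practitioner would flag in Rob's posted tac_plus.conf: `key = ""` gives the TACACS+ packet body, passwords included, no protection at all, so set a real key on both ends, and keep the traffic on a management network anyway since TACACS+ body obfuscation is weak even with a key.

```cisco
! Added example, not from any message in this thread: an IOS AAA stanza in
! which every line type and every mode consults tac_plus.
aaa new-model
aaa authentication login default group tacacs+ enable
!
! Console and aux lines skip exec authorization unless this is present,
! which is why Rob's pre_authorize script never ran for port 2052.
aaa authorization console
!
! The trailing "none" is a deliberate fail-open: if no TACACS+ server
! answers, exec authorization succeeds so the console is not lost along
! with the server.  "none" is not consulted when the server answers deny.
aaa authorization exec default group tacacs+ none
!
! Commands typed inside "configure terminal" are only sent to the server
! while this is in effect (Jason's "interface loopback 112" case).
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
!
! Rob's accounting lines, unchanged.
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
!
! Placeholders: a documentation-range address and a key that must match
! the key = "..." line in tac_plus.conf (never leave that one empty).
tacacs-server host 192.0.2.5
tacacs-server key <shared-secret>
```

Before trusting the result, open a second session, then check with `debug aaa authorization` on the router and `tac_plus -d 8` on the server that a request actually arrives for a console login and for a command entered in configure mode; John's advice in both threads was to look at the authorization debug output first, and it is the only way to tell "the server permitted it" from "the server was never asked".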
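A second added example, also not part of the tac_plus distribution or of any post above, for the "deny telnet?" and "Problem With tac_plus" threads. John's answer to Martin was to list the commands a user may run and deny everything else, and Jason's config is exactly that shape, so this script replays command-authorization requests against a tac_plus-style user block offline. It parses only the subset of tac_plus.conf those threads use (`default service` plus `cmd = NAME { permit|deny REGEX }` clauses) and assumes the matching semantics described in its docstring; check them against tac_plus.conf(5) for your build, and note that John's `{1,3}` repetition only compiles if the daemon was built against a regex library that supports it. The sample config is Jason's block with the secrets removed plus one assumed `cmd = telnet` block (with `^`/`$` anchors, which I am assuming the daemon's regex library honours) to show the explicit-permit approach for Martin's case.

```python
"""Offline replay of tac_plus-style command authorization.

Added example, not tac_plus code.  Assumed semantics (verify against
tac_plus.conf(5) for your build): the first word of the command selects
the ``cmd`` block; the rest of the line is matched, unanchored, against
each permit/deny regex in order; the first match wins; a ``cmd`` block
with no matching clause denies; a command with no ``cmd`` block falls
back to ``default service`` (deny when unset).
"""
import re

# Constructed sample: Jason's user block with secrets removed, plus an
# assumed telnet block permitting exactly one target.
SAMPLE_CONF = r'''
user = xxxxx {
    default service = deny
    service = exec { priv-lvl = 15 }
    cmd = load-interval { deny .* }
    cmd = show { permit "arp|config" }
    cmd = write { permit "terminal" }
    cmd = terminal { permit "length .*" }
    cmd = configure { permit .* }
    cmd = arp { permit ".*" }
    cmd = ip { permit "route .* 255.255.255.255 .*" }
    cmd = interface { deny .* }
    cmd = no { deny "ip address" }
    cmd = telnet {
        permit "^192\.0\.2\.10$"
        deny .*
    }
}
'''

_DEFAULT_RE = re.compile(r'default\s+service\s*=\s*(permit|deny)')
_CMD_RE = re.compile(r'cmd\s*=\s*(\S+)\s*\{([^}]*)\}')
_RULE_RE = re.compile(r'(permit|deny)\s+("[^"]*"|\S+)')


def parse_policy(conf_text):
    """Return {'default': 'permit'|'deny', 'cmds': {name: [(action, regex)]}}."""
    m = _DEFAULT_RE.search(conf_text)
    policy = {"default": m.group(1) if m else "deny", "cmds": {}}
    for name, body in _CMD_RE.findall(conf_text):
        rules = [(action, re.compile(pattern.strip('"')))
                 for action, pattern in _RULE_RE.findall(body)]
        policy["cmds"][name] = rules
    return policy


def authorize(policy, command_line):
    """Decide one request: first word is cmd, remainder is cmd-arg."""
    parts = command_line.strip().split(None, 1)
    if not parts:
        return "deny"
    cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
    rules = policy["cmds"].get(cmd)
    if rules is None:                 # no cmd block: default service decides
        return policy["default"]
    for action, regex in rules:
        if regex.search(args):        # unanchored search, like regexec()
            return action
    return "deny"                     # block present, nothing matched


def replay(policy, command_lines):
    """Return [(command, decision), ...] for a list of requests."""
    return [(line, authorize(policy, line)) for line in command_lines]


# Constructed requests covering both threads.
SAMPLE_REQUESTS = [
    "show arp",                # permit: "arp" matches
    "show clock",              # deny: show block, nothing matches
    "show running-config",     # permit: "config" matches unanchored
    "interface loopback 112",  # deny, but only reaches tac_plus if the
                               # router authorizes config-mode commands
    "no shutdown",             # deny: "no" block, nothing matches
    "telnet 192.0.2.10",       # permit: explicit target
    "telnet 192.0.2.10 2052",  # deny: falls through to deny .*
    "192.0.2.10",              # deny: no cmd block, default deny
    "ping 192.0.2.10",         # deny: same
]

if __name__ == "__main__":
    for line, decision in replay(parse_policy(SAMPLE_CONF), SAMPLE_REQUESTS):
        print(f"{decision:6} {line}")
```

Two things the replay makes visible that the config alone does not: an unanchored `permit "arp|config"` also permits `show running-config` and `show startup-config`, which may or may not be what Jason intended, and a bare `192.0.2.10` is denied not by any regex but by `default service = deny`, whatever IOS chooses to call the implicit connect. What it cannot show is Jason's actual bug: the router never sent the `interface` command, so the policy was never consulted.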