From georg.naggies at r-it.at  Wed Jul  4 07:31:04 2007
From: georg.naggies at r-it.at (georg.naggies at r-it.at)
Date: Wed, 4 Jul 2007 09:31:04 +0200
Subject: [tac_plus] tac_plus problem with acl

Hello Andy!

I am sorry that I have to write to you for my small problem with tac_plus,
but the documentation doesn't seem to fit the software and I can't figure
it out otherwise.

My problem is that access lists in tac_plus never deny access, regardless
of which hosts are permitted.

My config is:

acl = 1 {
    deny = .*
}

user = demo {
    login = cleartext "test"
    service = exec {
        "acl" = 1
        priv-lvl = 1
    }
}

And yet the request gets authorised:

Thu Jun 28 16:10:28 2007 [17928]: login query for 'demo' tty130 from 10.14.1.201 accepted
Thu Jun 28 16:10:28 2007 [18061]: connect from 10.14.1.201 [10.14.1.201]
Thu Jun 28 16:10:28 2007 [18061]: Start authorization request
Thu Jun 28 16:10:28 2007 [18061]: do_author: user='demo'
Thu Jun 28 16:10:28 2007 [18061]: user 'demo' found
Thu Jun 28 16:10:28 2007 [18061]: exec authorization request for demo
Thu Jun 28 16:10:28 2007 [18061]: exec is explicitly permitted by line 31
Thu Jun 28 16:10:28 2007 [18061]: nas:service=shell (passed thru)
Thu Jun 28 16:10:28 2007 [18061]: nas:cmd* (passed thru)
Thu Jun 28 16:10:28 2007 [18061]: nas:absent, server:acl=1 -> add acl=1 (k)
Thu Jun 28 16:10:28 2007 [18061]: nas:absent, server:priv-lvl=1 -> add priv-lvl=1 (k)
Thu Jun 28 16:10:28 2007 [18061]: added 2 args
Thu Jun 28 16:10:28 2007 [18061]: out_args[0] = service=shell input copy discarded
Thu Jun 28 16:10:28 2007 [18061]: out_args[1] = cmd* input copy discarded
Thu Jun 28 16:10:28 2007 [18061]: out_args[2] = acl=1 compacted to out_args[0]
Thu Jun 28 16:10:28 2007 [18061]: out_args[3] = priv-lvl=1 compacted to out_args[1]
Thu Jun 28 16:10:28 2007 [18061]: 2 output args
Thu Jun 28 16:10:28 2007 [18061]: authorization query for 'demo' tty130 from 10.14.1.201 accepted

I think I am using outdated configuration syntax, but can't find documentation
on the newer format. Could you, if you find the time, drop me a hint on how to
configure acls?

thanks
Georg


From heas at shrubbery.net  Wed Jul  4 14:42:01 2007
From: heas at shrubbery.net (john heasley)
Date: Wed, 4 Jul 2007 14:42:01 +0000
Subject: [tac_plus] Re: tac_plus problem with acl
Message-ID: <20070704144201.GW25878@shrubbery.net>

Wed, Jul 04, 2007 at 09:31:04AM +0200, georg.naggies at r-it.at:
> Hello Andy!
>
> I am sorry that I have to write to you for my small problem with tac_plus,
> but the documentation doesn't seem to fit the software and I can't figure
> it out otherwise
> My problem is that access lists in tac_plus never deny access regardless
> of which hosts are permitted.
>
> My config is:
>
> acl = 1 {
>     deny = .*
> }
>
> user = demo {
>     login = cleartext "test"
>     service = exec {
>         "acl" = 1
>         priv-lvl = 1
>     }
> }

this sends the AV pair acl, rather than setting tac_plus' acl.  you want

user = demo {
    acl = foo
}


From david at infotrek.co.uk  Sun Jul  8 21:42:11 2007
From: david at infotrek.co.uk (David Croft)
Date: Sun, 8 Jul 2007 22:42:11 +0100
Subject: [tac_plus] Default PAM authentication possible?

Hi,

I'm trying to set up tac_plus so that it authenticates against PAM
without having to configure any users in tac_plus.conf. Is this
possible?

I can authenticate using locally defined usernames fine (e.g. rancid
below) but it doesn't seem to even reach PAM for everything else -
nothing appears in auth.log. My pam.d file is the same for tac_plus as
for my working radiusd.
tac_plus.conf ------------------->

accounting file = /var/log/tac_plus.acct
key = adglajhsas

acl = all {
    permit = .*
}

user = DEFAULT {
    default service = permit
    login = PAM
    acl = all
    service = exec {
        priv-lvl = 15
    }
}

user = rancid {
    default service = permit
    login = cleartext "asd"
    acl = all
    service = exec {
        priv-lvl = 15
    }
}

log ------------>

Sun Jul 8 22:38:25 2007 [14066]: session.peerip is 213.12.21.71
Sun Jul 8 22:38:25 2007 [14110]: connect from 213.12.21.71 [213.12.21.71]
Sun Jul 8 22:38:25 2007 [14110]: Authenticating ACLs for user 'DEFAULT' instead of 'david.croft'
Sun Jul 8 22:38:25 2007 [14110]: cfg_acl_check(all, 213.12.21.71)
Sun Jul 8 22:38:25 2007 [14110]: ip 213.12.21.71 matched permit regex .* of acl filter all
Sun Jul 8 22:38:25 2007 [14110]: login query for 'david.croft' tty1 from 213.12.21.71 rejected
Sun Jul 8 22:38:25 2007 [14110]: login failure: david.croft 213.12.21.71 (213.12.21.71) tty1
Sun Jul 8 22:38:30 2007 [14066]: session.peerip is 213.12.21.71
Sun Jul 8 22:38:30 2007 [14111]: connect from 213.12.21.71 [213.12.21.71]
Sun Jul 8 22:38:30 2007 [14111]: cfg_acl_check(all, 213.12.21.71)
Sun Jul 8 22:38:30 2007 [14111]: ip 213.12.21.71 matched permit regex .* of acl filter all
Sun Jul 8 22:38:30 2007 [14111]: login query for 'rancid' tty1 from 213.12.21.71 accepted
Sun Jul 8 22:38:30 2007 [14066]: session.peerip is 213.12.21.71
Sun Jul 8 22:38:30 2007 [14112]: connect from 213.12.21.71 [213.12.21.71]

pam.d/tac_plus -------------->

#
# /etc/pam.d/tac_plus - PAM configuration for TACACS+
#

auth     sufficient pam_winbind.so require_membership_of=router_admins
account  sufficient pam_winbind.so require_membership_of=router_admins
@include common-password
@include common-session


From heas at shrubbery.net  Mon Jul  9 18:05:57 2007
From: heas at shrubbery.net (john heasley)
Date: Mon, 9 Jul 2007 18:05:57 +0000
Subject: [tac_plus] Re: Default PAM authentication possible?
Message-ID: <20070709180557.GK25480@shrubbery.net>

Sun, Jul 08, 2007 at 10:42:11PM +0100, David Croft:
> Hi,
>
> I'm trying to set up tac_plus so that it authenticates against PAM
> without having to configure any users in tac_plus.conf. Is this
> possible?
>
> I can authenticate using locally defined usernames fine (e.g. rancid
> below) but it doesn't seem to even reach PAM for everything else -
> nothing appears in auth.log. My pam.d file is the same for tac_plus as
> for my working radiusd.
>
> tac_plus.conf ------------------->
>
> accounting file = /var/log/tac_plus.acct
> key = adglajhsas
>
> acl = all {
>     permit = .*
> }
>
> user = DEFAULT {
>     default service = permit
>     login = PAM
>     acl = all
>     service = exec {
>         priv-lvl = 15
>     }
> }
>
> user = rancid {
>     default service = permit
>     login = cleartext "asd"
>     acl = all
>     service = exec {
>         priv-lvl = 15
>     }
> }
>
> log ------------>
>
> Sun Jul 8 22:38:25 2007 [14066]: session.peerip is 213.12.21.71
> Sun Jul 8 22:38:25 2007 [14110]: connect from 213.12.21.71 [213.12.21.71]
> Sun Jul 8 22:38:25 2007 [14110]: Authenticating ACLs for user
> 'DEFAULT' instead of 'david.croft'
> Sun Jul 8 22:38:25 2007 [14110]: cfg_acl_check(all, 213.12.21.71)
> Sun Jul 8 22:38:25 2007 [14110]: ip 213.12.21.71 matched permit regex
> .* of acl filter all
> Sun Jul 8 22:38:25 2007 [14110]: login query for 'david.croft' tty1
> from 213.12.21.71 rejected
> Sun Jul 8 22:38:25 2007 [14110]: login failure: david.croft
> 213.12.21.71 (213.12.21.71) tty1

did it prompt for a password or did it just fail immediately after the
username prompt?
> Sun Jul 8 22:38:30 2007 [14066]: session.peerip is 213.12.21.71
> Sun Jul 8 22:38:30 2007 [14111]: connect from 213.12.21.71 [213.12.21.71]
> Sun Jul 8 22:38:30 2007 [14111]: cfg_acl_check(all, 213.12.21.71)
> Sun Jul 8 22:38:30 2007 [14111]: ip 213.12.21.71 matched permit regex
> .* of acl filter all
> Sun Jul 8 22:38:30 2007 [14111]: login query for 'rancid' tty1 from
> 213.12.21.71 accepted
> Sun Jul 8 22:38:30 2007 [14066]: session.peerip is 213.12.21.71
> Sun Jul 8 22:38:30 2007 [14112]: connect from 213.12.21.71 [213.12.21.71]
>
>
> pam.d/tac_plus -------------->
>
> #
> # /etc/pam.d/tac_plus - PAM configuration for TACACS+
> #
>
> auth     sufficient pam_winbind.so require_membership_of=router_admins
> account  sufficient pam_winbind.so require_membership_of=router_admins
> @include common-password
> @include common-session
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus


From david at infotrek.co.uk  Mon Jul  9 21:56:35 2007
From: david at infotrek.co.uk (David Croft)
Date: Mon, 9 Jul 2007 22:56:35 +0100
Subject: [tac_plus] Re: Default PAM authentication possible?
In-Reply-To: <20070709180557.GK25480@shrubbery.net>
References: <20070709180557.GK25480@shrubbery.net>

On 09/07/07, john heasley wrote:
> did it prompt for a password or did it just fail immediately after the
> username prompt?

When I ssh to the server, it prompts for a password. No TACACS+ request
is sent to tac_plus until I have entered the password.
Here's the full debugging output when I do so:

Mon Jul 9 22:39:58 2007 [18535]: session.peerip is 213.12.21.71
Mon Jul 9 22:39:58 2007 [18535]: session request from 213.12.21.71 sock=2
Mon Jul 9 22:39:58 2007 [18581]: connect from 213.12.21.71 [213.12.21.71]
Mon Jul 9 22:39:58 2007 [18581]: Waiting for packet
Mon Jul 9 22:39:58 2007 [18581]: cfg_get_hvalue: name=213.12.21.71 attr=key
Mon Jul 9 22:39:58 2007 [18581]: cfg_get_hvalue: no host named 213.12.21.71
Mon Jul 9 22:39:58 2007 [18581]: cfg_get_phvalue: returns NULL
Mon Jul 9 22:39:58 2007 [18581]: Read AUTHEN/START size=41
Mon Jul 9 22:39:58 2007 [18581]: validation request from 213.12.21.71
Mon Jul 9 22:39:58 2007 [18581]: PACKET: key=
Mon Jul 9 22:39:58 2007 [18581]: version 192 (0xc0), type 1, seq no 1, encryption 1
Mon Jul 9 22:39:58 2007 [18581]: session_id 1857822279 (0x6ebc1e47), Data length 29 (0x1d)
Mon Jul 9 22:39:58 2007 [18581]: End header
Mon Jul 9 22:39:58 2007 [18581]: type=AUTHEN/START, priv_lvl = 1
Mon Jul 9 22:39:58 2007 [18581]: action=login
Mon Jul 9 22:39:58 2007 [18581]: authen_type=ascii
Mon Jul 9 22:39:58 2007 [18581]: service=login
Mon Jul 9 22:39:58 2007 [18581]: user_len=5 port_len=4 (0x4), rem_addr_len=12 (0xc)
Mon Jul 9 22:39:58 2007 [18581]: data_len=0
Mon Jul 9 22:39:58 2007 [18581]: User:
Mon Jul 9 22:39:58 2007 [18581]: david
Mon Jul 9 22:39:58 2007 [18581]: port:
Mon Jul 9 22:39:58 2007 [18581]: tty2
Mon Jul 9 22:39:58 2007 [18581]: rem_addr:
Mon Jul 9 22:39:58 2007 [18581]: 213.12.21.52
Mon Jul 9 22:39:58 2007 [18581]: data:
Mon Jul 9 22:39:58 2007 [18581]: End packet
Mon Jul 9 22:39:58 2007 [18581]: Authen Start request
Mon Jul 9 22:39:58 2007 [18581]: cfg_get_value: name=david isuser=1 attr=login rec=1
Mon Jul 9 22:39:58 2007 [18581]: cfg_get_value: no user/group named david
Mon Jul 9 22:39:58 2007 [18581]: cfg_get_pvalue: returns NULL
Mon Jul 9 22:39:58 2007 [18581]: choose_authen chose default_fn
Mon Jul 9 22:39:58 2007 [18581]: Calling authentication function
Mon Jul 9 22:39:58 2007 [18581]: cfg_get_value: name=david isuser=1 attr=nopassword rec=1
Mon Jul 9 22:39:58 2007 [18581]: cfg_get_value: no user/group named david
Mon Jul 9 22:39:58 2007 [18581]: cfg_get_intvalue: returns 0
Mon Jul 9 22:39:58 2007 [18581]: cfg_get_value: name=david isuser=1 attr=login rec=1
Mon Jul 9 22:39:58 2007 [18581]: cfg_get_value: no user/group named david
Mon Jul 9 22:39:58 2007 [18581]: cfg_get_pvalue: returns NULL
Mon Jul 9 22:39:58 2007 [18581]: Writing AUTHEN/GETPASS size=28
Mon Jul 9 22:39:58 2007 [18581]: PACKET: key=
Mon Jul 9 22:39:58 2007 [18581]: version 192 (0xc0), type 1, seq no 2, encryption 1
Mon Jul 9 22:39:58 2007 [18581]: session_id 1857822279 (0x6ebc1e47), Data length 16 (0x10)
Mon Jul 9 22:39:58 2007 [18581]: End header
Mon Jul 9 22:39:58 2007 [18581]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
Mon Jul 9 22:39:58 2007 [18581]: msg_len=10, data_len=0
Mon Jul 9 22:39:58 2007 [18581]: msg:
Mon Jul 9 22:39:58 2007 [18581]: Password:
Mon Jul 9 22:39:58 2007 [18581]: data:
Mon Jul 9 22:39:58 2007 [18581]: End packet
Mon Jul 9 22:39:58 2007 [18581]: cfg_get_hvalue: name=213.12.21.71 attr=key
Mon Jul 9 22:39:58 2007 [18581]: cfg_get_hvalue: no host named 213.12.21.71
Mon Jul 9 22:39:58 2007 [18581]: cfg_get_phvalue: returns NULL
Mon Jul 9 22:39:58 2007 [18581]: Waiting for packet
Mon Jul 9 22:39:59 2007 [18581]: cfg_get_hvalue: name=213.12.21.71 attr=key
Mon Jul 9 22:39:59 2007 [18581]: cfg_get_hvalue: no host named 213.12.21.71
Mon Jul 9 22:39:59 2007 [18581]: cfg_get_phvalue: returns NULL
Mon Jul 9 22:39:59 2007 [18581]: Read AUTHEN/CONT size=25
Mon Jul 9 22:39:59 2007 [18581]: PACKET: key=
Mon Jul 9 22:39:59 2007 [18581]: version 192 (0xc0), type 1, seq no 3, encryption 1
Mon Jul 9 22:39:59 2007 [18581]: session_id 1857822279 (0x6ebc1e47), Data length 13 (0xd)
Mon Jul 9 22:39:59 2007 [18581]: End header
Mon Jul 9 22:39:59 2007 [18581]: type=AUTHEN/CONT
Mon Jul 9 22:39:59 2007 [18581]: user_msg_len 8 (0x8), user_data_len 0 (0x0)
Mon Jul 9 22:39:59 2007 [18581]: flags=0x0
Mon Jul 9 22:39:59 2007 [18581]: User msg:
Mon Jul 9 22:39:59 2007 [18581]:
Mon Jul 9 22:39:59 2007 [18581]: User data:
Mon Jul 9 22:39:59 2007 [18581]: End packet
Mon Jul 9 22:39:59 2007 [18581]: cfg_get_value: name=david isuser=1 attr=login rec=1
Mon Jul 9 22:39:59 2007 [18581]: cfg_get_value: no user/group named david
Mon Jul 9 22:39:59 2007 [18581]: cfg_get_pvalue: returns NULL
Mon Jul 9 22:39:59 2007 [18581]: cfg_get_value: name=david isuser=1 attr=global rec=1
Mon Jul 9 22:39:59 2007 [18581]: cfg_get_value: no user/group named david
Mon Jul 9 22:39:59 2007 [18581]: cfg_get_pvalue: returns NULL
Mon Jul 9 22:39:59 2007 [18581]: Authenticating ACLs for user 'DEFAULT' instead of 'david'
Mon Jul 9 22:39:59 2007 [18581]: cfg_get_value: name=DEFAULT isuser=1 attr=acl rec=1
Mon Jul 9 22:39:59 2007 [18581]: cfg_get_pvalue: returns all
Mon Jul 9 22:39:59 2007 [18581]: cfg_acl_check(all, 213.12.21.71)
Mon Jul 9 22:39:59 2007 [18581]: ip 213.12.21.71 matched permit regex .* of acl filter all
Mon Jul 9 22:39:59 2007 [18581]: login query for 'david' tty2 from 213.12.21.71 rejected
Mon Jul 9 22:39:59 2007 [18581]: login failure: david 213.12.21.71 (213.12.21.71) tty2
Mon Jul 9 22:39:59 2007 [18581]: Writing AUTHEN/FAIL size=18
Mon Jul 9 22:39:59 2007 [18581]: PACKET: key=
Mon Jul 9 22:39:59 2007 [18581]: version 192 (0xc0), type 1, seq no 4, encryption 1
Mon Jul 9 22:39:59 2007 [18581]: session_id 1857822279 (0x6ebc1e47), Data length 6 (0x6)
Mon Jul 9 22:39:59 2007 [18581]: End header
Mon Jul 9 22:39:59 2007 [18581]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
Mon Jul 9 22:39:59 2007 [18581]: msg_len=0, data_len=0
Mon Jul 9 22:39:59 2007 [18581]: msg:
Mon Jul 9 22:39:59 2007 [18581]: data:
Mon Jul 9 22:39:59 2007 [18581]: End packet
Mon Jul 9 22:39:59 2007 [18581]: cfg_get_hvalue: name=213.12.21.71 attr=key
Mon Jul 9 22:39:59 2007 [18581]: cfg_get_hvalue: no host named 213.12.21.71
Mon Jul 9 22:39:59 2007 [18581]: cfg_get_phvalue: returns NULL

And here's the same from the cisco side (debug tacacs events):

.Jul 9 22:39:58.890 BST: TAC+: periodic timer started
.Jul 9 22:39:58.890 BST: TAC+: 213.12.21.52 req=47BD85D8 Qd id=1857822279 ver=192 handle=0x0 expire=5 AUTHEN/START/LOGIN/ASCII queued
.Jul 9 22:39:58.990 BST: TAC+: 213.12.21.52 id=1857822279 wrote 41 of 41 bytes
.Jul 9 22:39:58.990 BST: TAC+: 213.12.21.52 req=47BD85D8 Qd id=1857822279 ver=192 handle=0x0 expire=4 AUTHEN/START/LOGIN/ASCII sent
.Jul 9 22:39:58.990 BST: TAC+: Server 213.12.21.52 awaiting 1 replies
.Jul 9 22:39:58.990 BST: TAC+: 213.12.21.52 read END-OF-FILE
.Jul 9 22:39:58.990 BST: TAC+: Closing TCP/IP 0x47BD7C10 connection to 213.12.21.52/49
.Jul 9 22:39:58.990 BST: TAC+: Opening TCP/IP to 213.12.21.52/49 timeout=5
.Jul 9 22:39:58.990 BST: TAC+: Opened TCP/IP handle 0x47BFFDE8 to 213.12.21.52/49 using source 213.12.21.71
.Jul 9 22:39:58.990 BST: TAC+: 213.12.21.52 partly processed START req 47BD85D8 requeued after unexpected handle 0x47BD7C10 closure.
.Jul 9 22:39:59.090 BST: TAC+: 213.12.21.52 id=1857822279 wrote 41 of 41 bytes
.Jul 9 22:39:59.090 BST: TAC+: 213.12.21.52 req=47BD85D8 Tx id=1857822279 ver=192 handle=0x0 expire=4 AUTHEN/START/LOGIN/ASCII sent
.Jul 9 22:39:59.090 BST: TAC+: Server 213.12.21.52 awaiting 1 replies
.Jul 9 22:39:59.190 BST: TAC+: Server 213.12.21.52 awaiting 1 replies
.Jul 9 22:39:59.190 BST: TAC+: 213.12.21.52 read=12 wanted=12 alloc=55 got=12
.Jul 9 22:39:59.190 BST: TAC+: 213.12.21.52 read=28 wanted=28 alloc=55 got=16
.Jul 9 22:39:59.190 BST: TAC+: 213.12.21.52 received 28 byte reply for 47BD85D8 id=1857822279
.Jul 9 22:39:59.190 BST: TAC+: req=47BD85D8 Tx id=1857822279 ver=192 handle=0x0 expire=4 AUTHEN/START/LOGIN/ASCII processed
.Jul 9 22:39:59.190 BST: TAC+: periodic timer stopped (queue empty)
.Jul 9 22:39:59.190 BST: TAC+: periodic timer started
.Jul 9 22:39:59.190 BST: TAC+: 213.12.21.52 req=47C00340 Qd id=1857822279 ver=192 handle=0x0 expire=5 AUTHEN/CONT queued
.Jul 9 22:39:59.290 BST: TAC+: 213.12.21.52 id=1857822279 wrote 25 of 25 bytes
.Jul 9 22:39:59.290 BST: TAC+: 213.12.21.52 req=47C00340 Qd id=1857822279 ver=192 handle=0x0 expire=4 AUTHEN/CONT sent
.Jul 9 22:39:59.290 BST: TAC+: Server 213.12.21.52 awaiting 1 replies
.Jul 9 22:39:59.390 BST: TAC+: Server 213.12.21.52 awaiting 1 replies
.Jul 9 22:39:59.390 BST: TAC+: 213.12.21.52 read=12 wanted=12 alloc=55 got=12
.Jul 9 22:39:59.390 BST: TAC+: 213.12.21.52 read=18 wanted=18 alloc=55 got=6
.Jul 9 22:39:59.390 BST: TAC+: 213.12.21.52 received 18 byte reply for 47C00340 id=1857822279
.Jul 9 22:39:59.390 BST: TAC+: req=47C00340 Tx id=1857822279 ver=192 handle=0x0 expire=4 AUTHEN/CONT processed
.Jul 9 22:39:59.390 BST: TAC+: periodic timer stopped (queue empty)
.Jul 9 22:39:59.390 BST: TAC+: periodic timer started
.Jul 9 22:39:59.390 BST: TAC+: 213.12.21.52 req=47C00338 Qd id=1857822279 ver=193 handle=0x0 expire=5 AUTHEN/CONT queued
.Jul 9 22:39:59.490 BST: TAC+: 213.12.21.52 id=1857822279 wrote 24 of 24 bytes
.Jul 9 22:39:59.490 BST: TAC+: 213.12.21.52 req=47C00338 Qd id=1857822279 ver=193 handle=0x0 expire=4 AUTHEN/CONT sent
.Jul 9 22:39:59.490 BST: TAC+: req=47C00338 Tx id=1857822279 ver=193 handle=0x0 expire=4 AUTHEN/CONT processed
.Jul 9 22:39:59.490 BST: TAC+: periodic timer stopped (queue empty)

For comparison, here's what happens when I use the exec command "login". It
is now in three parts.

Prior to entering username:

Mon Jul 9 22:49:05 2007 [18535]: session.peerip is 213.12.21.71
Mon Jul 9 22:49:05 2007 [18535]: session request from 213.12.21.71 sock=2
Mon Jul 9 22:49:05 2007 [18628]: connect from 213.12.21.71 [213.12.21.71]
Mon Jul 9 22:49:05 2007 [18628]: Waiting for packet
Mon Jul 9 22:49:05 2007 [18628]: cfg_get_hvalue: name=213.12.21.71 attr=key
Mon Jul 9 22:49:05 2007 [18628]: cfg_get_hvalue: no host named 213.12.21.71
Mon Jul 9 22:49:05 2007 [18628]: cfg_get_phvalue: returns NULL
Mon Jul 9 22:49:05 2007 [18628]: Read AUTHEN/START size=36
Mon Jul 9 22:49:05 2007 [18628]: validation request from 213.12.21.71
Mon Jul 9 22:49:05 2007 [18628]: PACKET: key=
Mon Jul 9 22:49:05 2007 [18628]: version 192 (0xc0), type 1, seq no 1, encryption 1
Mon Jul 9 22:49:05 2007 [18628]: session_id 279968395 (0x10affa8b), Data length 24 (0x18)
Mon Jul 9 22:49:05 2007 [18628]: End header
Mon Jul 9 22:49:05 2007 [18628]: type=AUTHEN/START, priv_lvl = 1
Mon Jul 9 22:49:05 2007 [18628]: action=login
Mon Jul 9 22:49:05 2007 [18628]: authen_type=ascii
Mon Jul 9 22:49:05 2007 [18628]: service=login
Mon Jul 9 22:49:05 2007 [18628]: user_len=0 port_len=4 (0x4), rem_addr_len=12 (0xc)
Mon Jul 9 22:49:05 2007 [18628]: data_len=0
Mon Jul 9 22:49:05 2007 [18628]: User:
Mon Jul 9 22:49:05 2007 [18628]: port:
Mon Jul 9 22:49:05 2007 [18628]: tty1
Mon Jul 9 22:49:05 2007 [18628]: rem_addr:
Mon Jul 9 22:49:05 2007 [18628]: 213.12.21.53
Mon Jul 9 22:49:05 2007 [18628]: data:
Mon Jul 9 22:49:05 2007 [18628]: End packet
Mon Jul 9 22:49:05 2007 [18628]: Authen Start request
Mon Jul 9 22:49:05 2007 [18628]: choose_authen returns 1
Mon Jul 9 22:49:05 2007 [18628]: cfg_get_hvalue: name=213.12.21.71 attr=prompt
Mon Jul 9 22:49:05 2007 [18628]: cfg_get_hvalue: no host named 213.12.21.71
Mon Jul 9 22:49:05 2007 [18628]: cfg_get_phvalue: returns NULL
Mon Jul 9 22:49:05 2007 [18628]: Writing AUTHEN/GETUSER size=55
Mon Jul 9 22:49:05 2007 [18628]: PACKET: key=
Mon Jul 9 22:49:05 2007 [18628]: version 192 (0xc0), type 1, seq no 2, encryption 1
Mon Jul 9 22:49:05 2007 [18628]: session_id 279968395 (0x10affa8b), Data length 43 (0x2b)
Mon Jul 9 22:49:05 2007 [18628]: End header
Mon Jul 9 22:49:05 2007 [18628]: type=AUTHEN status=4 (AUTHEN/GETUSER) flags=0x0
Mon Jul 9 22:49:05 2007 [18628]: msg_len=37, data_len=0
Mon Jul 9 22:49:05 2007 [18628]: msg:
Mon Jul 9 22:49:05 2007 [18628]: 0xa User Access Verification 0xa 0xa Username:
Mon Jul 9 22:49:05 2007 [18628]: data:
Mon Jul 9 22:49:05 2007 [18628]: End packet
Mon Jul 9 22:49:05 2007 [18628]: cfg_get_hvalue: name=213.12.21.71 attr=key
Mon Jul 9 22:49:05 2007 [18628]: cfg_get_hvalue: no host named 213.12.21.71
Mon Jul 9 22:49:05 2007 [18628]: cfg_get_phvalue: returns NULL
Mon Jul 9 22:49:05 2007 [18628]: Waiting for packet

[enter username]

Mon Jul 9 22:49:10 2007 [18628]: cfg_get_hvalue: name=213.12.21.71 attr=key
Mon Jul 9 22:49:10 2007 [18628]: cfg_get_hvalue: no host named 213.12.21.71
Mon Jul 9 22:49:10 2007 [18628]: cfg_get_phvalue: returns NULL
Mon Jul 9 22:49:10 2007 [18628]: Read AUTHEN/CONT size=28
Mon Jul 9 22:49:10 2007 [18628]: PACKET: key=
Mon Jul 9 22:49:10 2007 [18628]: version 192 (0xc0), type 1, seq no 3, encryption 1
Mon Jul 9 22:49:10 2007 [18628]: session_id 279968395 (0x10affa8b), Data length 16 (0x10)
Mon Jul 9 22:49:10 2007 [18628]: End header
Mon Jul 9 22:49:10 2007 [18628]: type=AUTHEN/CONT
Mon Jul 9 22:49:10 2007 [18628]: user_msg_len 11 (0xb), user_data_len 0 (0x0)
Mon Jul 9 22:49:10 2007 [18628]: flags=0x0
Mon Jul 9 22:49:10 2007 [18628]: User msg:
Mon Jul 9 22:49:10 2007 [18628]: david.croft
Mon Jul 9 22:49:10 2007 [18628]: User data:
Mon Jul 9 22:49:10 2007 [18628]: End packet
Mon Jul 9 22:49:10 2007 [18628]: cfg_get_value: name=david.croft isuser=1 attr=login rec=1
Mon Jul 9 22:49:10 2007 [18628]: cfg_get_value: no user/group named david.croft
Mon Jul 9 22:49:10 2007 [18628]: cfg_get_pvalue: returns NULL
Mon Jul 9 22:49:10 2007 [18628]: choose_authen chose default_fn
Mon Jul 9 22:49:10 2007 [18628]: Calling authentication function
Mon Jul 9 22:49:10 2007 [18628]: cfg_get_value: name=david.croft isuser=1 attr=nopassword rec=1
Mon Jul 9 22:49:10 2007 [18628]: cfg_get_value: no user/group named david.croft
Mon Jul 9 22:49:10 2007 [18628]: cfg_get_intvalue: returns 0
Mon Jul 9 22:49:10 2007 [18628]: cfg_get_value: name=david.croft isuser=1 attr=login rec=1
Mon Jul 9 22:49:10 2007 [18628]: cfg_get_value: no user/group named david.croft
Mon Jul 9 22:49:10 2007 [18628]: cfg_get_pvalue: returns NULL
Mon Jul 9 22:49:10 2007 [18628]: Writing AUTHEN/GETPASS size=28
Mon Jul 9 22:49:10 2007 [18628]: PACKET: key=
Mon Jul 9 22:49:10 2007 [18628]: version 192 (0xc0), type 1, seq no 4, encryption 1
Mon Jul 9 22:49:10 2007 [18628]: session_id 279968395 (0x10affa8b), Data length 16 (0x10)
Mon Jul 9 22:49:10 2007 [18628]: End header
Mon Jul 9 22:49:10 2007 [18628]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
Mon Jul 9 22:49:10 2007 [18628]: msg_len=10, data_len=0
Mon Jul 9 22:49:10 2007 [18628]: msg:
Mon Jul 9 22:49:10 2007 [18628]: Password:
Mon Jul 9 22:49:10 2007 [18628]: data:
Mon Jul 9 22:49:10 2007 [18628]: End packet
Mon Jul 9 22:49:10 2007 [18628]: cfg_get_hvalue: name=213.12.21.71 attr=key
Mon Jul 9 22:49:10 2007 [18628]: cfg_get_hvalue: no host named 213.12.21.71
Mon Jul 9 22:49:10 2007 [18628]: cfg_get_phvalue: returns NULL
Mon Jul 9 22:49:10 2007 [18628]: Waiting for packet

[enter password]

Mon Jul 9 22:49:14 2007 [18628]: cfg_get_hvalue: name=213.12.21.71 attr=key
Mon Jul 9 22:49:14 2007 [18628]: cfg_get_hvalue: no host named 213.12.21.71
Mon Jul 9 22:49:14 2007 [18628]: cfg_get_phvalue: returns NULL
Mon Jul 9 22:49:14 2007 [18628]: Read AUTHEN/CONT size=25
Mon Jul 9 22:49:14 2007 [18628]: PACKET: key=
Mon Jul 9 22:49:14 2007 [18628]: version 192 (0xc0), type 1, seq no 5, encryption 1
Mon Jul 9 22:49:14 2007 [18628]: session_id 279968395 (0x10affa8b), Data length 13 (0xd)
Mon Jul 9 22:49:14 2007 [18628]: End header
Mon Jul 9 22:49:14 2007 [18628]: type=AUTHEN/CONT
Mon Jul 9 22:49:14 2007 [18628]: user_msg_len 8 (0x8), user_data_len 0 (0x0)
Mon Jul 9 22:49:14 2007 [18628]: flags=0x0
Mon Jul 9 22:49:14 2007 [18628]: User msg:
Mon Jul 9 22:49:14 2007 [18628]:
Mon Jul 9 22:49:14 2007 [18628]: User data:
Mon Jul 9 22:49:14 2007 [18628]: End packet
Mon Jul 9 22:49:14 2007 [18628]: cfg_get_value: name=david.croft isuser=1 attr=login rec=1
Mon Jul 9 22:49:14 2007 [18628]: cfg_get_value: no user/group named david.croft
Mon Jul 9 22:49:14 2007 [18628]: cfg_get_pvalue: returns NULL
Mon Jul 9 22:49:14 2007 [18628]: cfg_get_value: name=david.croft isuser=1 attr=global rec=1
Mon Jul 9 22:49:14 2007 [18628]: cfg_get_value: no user/group named david.croft
Mon Jul 9 22:49:14 2007 [18628]: cfg_get_pvalue: returns NULL
Mon Jul 9 22:49:14 2007 [18628]: Authenticating ACLs for user 'DEFAULT' instead of 'david.croft'
Mon Jul 9 22:49:14 2007 [18628]: cfg_get_value: name=DEFAULT isuser=1 attr=acl rec=1
Mon Jul 9 22:49:14 2007 [18628]: cfg_get_pvalue: returns all
Mon Jul 9 22:49:14 2007 [18628]: cfg_acl_check(all, 213.12.21.71)
Mon Jul 9 22:49:14 2007 [18628]: ip 213.12.21.71 matched permit regex .* of acl filter all
Mon Jul 9 22:49:14 2007 [18628]: login query for 'david.croft' tty1 from 213.12.21.71 rejected
Mon Jul 9 22:49:14 2007 [18628]: login failure: david.croft 213.12.21.71 (213.12.21.71) tty1
Mon Jul 9 22:49:14 2007 [18628]: Writing AUTHEN/FAIL size=18
Mon Jul 9 22:49:14 2007 [18628]: PACKET: key=
Mon Jul 9 22:49:14 2007 [18628]: version 192 (0xc0), type 1, seq no 6, encryption 1
Mon Jul 9 22:49:14 2007 [18628]: session_id 279968395 (0x10affa8b), Data length 6 (0x6)
Mon Jul 9 22:49:14 2007 [18628]: End header
Mon Jul 9 22:49:14 2007 [18628]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
Mon Jul 9 22:49:14 2007 [18628]: msg_len=0, data_len=0
Mon Jul 9 22:49:14 2007 [18628]: msg:
Mon Jul 9 22:49:14 2007 [18628]: data:
Mon Jul 9 22:49:14 2007 [18628]: End packet
Mon Jul 9 22:49:14 2007 [18628]: cfg_get_hvalue: name=213.12.21.71 attr=key
Mon Jul 9 22:49:14 2007 [18628]: cfg_get_hvalue: no host named 213.12.21.71
Mon Jul 9 22:49:14 2007 [18628]: cfg_get_phvalue: returns NULL

In both cases, nothing appears to hit PAM (nothing in /var/log/auth.log).

Regards,
David


From bcheung at wrhambrecht.com  Tue Jul 10 22:11:31 2007
From: bcheung at wrhambrecht.com (Betty Cheung)
Date: Tue, 10 Jul 2007 15:11:31 -0700
Subject: [tac_plus] Tacacs install on Fedora

Hi,

I am new to installing Tacacs on Fedora in my work lab. Would you give me
step-by-step instructions? I have a Pix 515. I need detailed information:
where can I get the Tacacs plus server?

Thanks a lot.

Betty

IMPORTANT NOTICES:
**************************************************************
This message is intended only for the addressee. Please notify the sender by
email if you are not the intended recipient. If you are not the intended
recipient, you may not copy, disclose, or distribute this message or its
content to any other person and any such actions may be unlawful. Electronic
mail sent through the Internet is not secure. WR Hambrecht + Co (WRH+Co) does
not accept time sensitive, action-oriented messages or transaction orders,
including orders to purchase or sell securities, via email. WRH+Co reserves
the right to monitor and review the content of all messages sent to or from
this email address. Messages sent to or from this email address may be stored
on the WRH+Co email system.
**************************************************************
From bcheung at wrhambrecht.com  Wed Jul 11 18:32:29 2007
From: bcheung at wrhambrecht.com (Betty Cheung)
Date: Wed, 11 Jul 2007 11:32:29 -0700
Subject: [tac_plus] (no subject)

I am new to installing Tacacs on Fedora in my work lab. Would you give me
step-by-step instructions? I have a Pix 515. I need detailed information:
where can I get the Tacacs plus server?

Thanks a lot.

Betty


From vss3178 at sify.com  Fri Jul 27 08:06:43 2007
From: vss3178 at sify.com (vijay singh sihag)
Date: Fri, 27 Jul 2007 14:06:43 +0600 (IST)
Subject: [tac_plus] Regarding error while compiling Tacacs+
Message-ID: <1185525403.46a9ae9bae08a@mail.sify.com>

Hi,

While compiling tacacs+ from source (tacacs+-F4.0.4.14), I am getting an
error during "make install":

gcc -DHAVE_CONFIG_H -I. -I. -I. -g -O2 -c tac_plus.c
tac_plus.c:31: tcpd.h: No such file or directory
*** Error code 1
make: Fatal error: Command failed for target `tac_plus.o'

Please let me know how to resolve this.

Best Regards
VSS


From heas at shrubbery.net  Fri Jul 27 15:09:56 2007
From: heas at shrubbery.net (john heasley)
Date: Fri, 27 Jul 2007 08:09:56 -0700
Subject: [tac_plus] Re: Regarding error while compiling Tacacs+
In-Reply-To: <1185525403.46a9ae9bae08a@mail.sify.com>
References: <1185525403.46a9ae9bae08a@mail.sify.com>
Message-ID: <20070727150956.GI29942@shrubbery.net>

Fri, Jul 27, 2007 at 02:06:43PM +0600, vijay singh sihag:
> Hi,
>
> While tacacs+ from source tacacs+-F4.0.4.14,
>
> I am getting errror while "make install" as
> gcc -DHAVE_CONFIG_H -I. -I. -I. -g -O2 -c tac_plus.c
> tac_plus.c:31: tcpd.h: No such file or directory
> *** Error code 1
> make: Fatal error: Command failed for target `tac_plus.o'

tcpd.h is from the tcp_wrappers package.  the configure script must have
failed somehow in locating it.  either re-configure without tcp_wrappers or
set CPPFLAGS appropriately in your environment (see configure --help).
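The two tac_plus debugging threads in this digest (Georg's "acl" that never denies, and David's logins that fall through to the DEFAULT entry) both show up as recognisable patterns in the daemon's log. The script below is an added example, not code from the tac_plus project or from any poster on this list: it groups tac_plus log lines by the forked child's pid and flags the line "nas:absent, server:acl=N -> add acl=N", which is what an `"acl" = N` written inside a service block produces (the attribute is handed to the NAS as an AV pair rather than evaluated as a tac_plus ACL, as john heasley explains above), and the line "Authenticating ACLs for user 'DEFAULT' instead of 'X'", which marks a user unknown to tac_plus.conf. The sample log is constructed from lines quoted in the two threads; the regexes are written against the log format visible in those quotes and are assumptions about no other tac_plus output.

```python
"""Summarise tac_plus daemon log lines by child pid and flag two config
patterns seen on the list (added example; sample log constructed from the
lines quoted in the threads above)."""
import re

# tac_plus log line: "<dow> <mon> <day> <HH:MM:SS> <year> [<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
QUERY_RE = re.compile(
    r"^(?P<kind>login|authorization) query for '(?P<user>[^']+)' (?P<port>\S+) "
    r"from (?P<nas>\S+) (?P<result>accepted|rejected)$"
)
# An "acl" attribute written inside a service block is sent to the NAS as an
# AV pair; tac_plus never runs cfg_acl_check for it.
ACL_AV_RE = re.compile(r"server:acl=(?P<val>\S+) -> add acl=")
# The user has no entry in tac_plus.conf and is handled via "user = DEFAULT".
DEFAULT_RE = re.compile(
    r"Authenticating ACLs for user 'DEFAULT' instead of '(?P<user>[^']+)'")
ACL_CHECK_RE = re.compile(
    r"^ip (?P<nas>\S+) matched (?P<verdict>permit|deny) regex (?P<rx>\S+) "
    r"of acl filter (?P<acl>\S+)$"
)

# Constructed sample: a subset of the lines quoted by Georg and David.
SAMPLE_LOG = """\
Thu Jun 28 16:10:28 2007 [17928]: login query for 'demo' tty130 from 10.14.1.201 accepted
Thu Jun 28 16:10:28 2007 [18061]: connect from 10.14.1.201 [10.14.1.201]
Thu Jun 28 16:10:28 2007 [18061]: exec authorization request for demo
Thu Jun 28 16:10:28 2007 [18061]: nas:absent, server:acl=1 -> add acl=1 (k)
Thu Jun 28 16:10:28 2007 [18061]: nas:absent, server:priv-lvl=1 -> add priv-lvl=1 (k)
Thu Jun 28 16:10:28 2007 [18061]: authorization query for 'demo' tty130 from 10.14.1.201 accepted
Sun Jul 8 22:38:25 2007 [14110]: connect from 213.12.21.71 [213.12.21.71]
Sun Jul 8 22:38:25 2007 [14110]: Authenticating ACLs for user 'DEFAULT' instead of 'david.croft'
Sun Jul 8 22:38:25 2007 [14110]: cfg_acl_check(all, 213.12.21.71)
Sun Jul 8 22:38:25 2007 [14110]: ip 213.12.21.71 matched permit regex .* of acl filter all
Sun Jul 8 22:38:25 2007 [14110]: login query for 'david.croft' tty1 from 213.12.21.71 rejected
Sun Jul 8 22:38:30 2007 [14111]: cfg_acl_check(all, 213.12.21.71)
Sun Jul 8 22:38:30 2007 [14111]: ip 213.12.21.71 matched permit regex .* of acl filter all
Sun Jul 8 22:38:30 2007 [14111]: login query for 'rancid' tty1 from 213.12.21.71 accepted
"""


def parse_line(line):
    """Split one log line into (timestamp, pid, message); None if it is not one."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return m.group("ts"), int(m.group("pid")), m.group("msg")


def _new_session():
    return {"user": None, "nas": None, "results": [], "acl_checks": [], "findings": []}


def summarize(lines):
    """Group lines by child pid (tac_plus forks one child per NAS connection).

    Each record holds the user and NAS seen, every (kind, result) query
    outcome, every (acl, verdict) produced by cfg_acl_check, and findings.
    """
    sessions = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, pid, msg = parsed
        rec = sessions.setdefault(pid, _new_session())
        m = QUERY_RE.match(msg)
        if m:
            rec["user"], rec["nas"] = m.group("user"), m.group("nas")
            rec["results"].append((m.group("kind"), m.group("result")))
            continue
        m = ACL_AV_RE.search(msg)
        if m:
            rec["findings"].append("acl-sent-as-av-pair:" + m.group("val"))
            continue
        m = DEFAULT_RE.search(msg)
        if m:
            rec["user"] = rec["user"] or m.group("user")
            rec["findings"].append("default-user-fallback:" + m.group("user"))
            continue
        m = ACL_CHECK_RE.match(msg)
        if m:
            rec["nas"] = rec["nas"] or m.group("nas")
            rec["acl_checks"].append((m.group("acl"), m.group("verdict")))
    return sessions


def misconfigured_acl_sessions(sessions):
    """Pids where an acl AV pair went to the NAS and cfg_acl_check never ran."""
    return sorted(pid for pid, rec in sessions.items()
                  if any(f.startswith("acl-sent-as-av-pair") for f in rec["findings"])
                  and not rec["acl_checks"])


def report(sessions):
    """One human-readable line per session, findings appended when present."""
    out = []
    for pid, rec in sorted(sessions.items()):
        outcome = ", ".join(f"{k} {r}" for k, r in rec["results"]) or "no query"
        line = f"[{pid}] user={rec['user']} nas={rec['nas']} {outcome}"
        if rec["findings"]:
            line += " FINDINGS: " + " ".join(rec["findings"])
        out.append(line)
    return out


if __name__ == "__main__":
    sess = summarize(SAMPLE_LOG.splitlines())
    print("\n".join(report(sess)))
    print("acl written as AV pair in pids:", misconfigured_acl_sessions(sess))
```

Run against a real tac_plus log (`python3 tac_plus_log_summary.py < /var/log/tac_plus.log` with the `SAMPLE_LOG` replaced by `sys.stdin`), a non-empty `misconfigured_acl_sessions` result means a user's `"acl" = N` is being exported to the NAS rather than restricting which NAS may log that user in; a `default-user-fallback` finding on a rejected login, with no matching entry in `auth.log`, is the situation David describes and points at the DEFAULT user's `login = PAM` path rather than at the ACL, which the log shows permitting the NAS.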