From Josef.Voggesser at de.debitel.com Fri Mar 2 13:38:30 2007
From: Josef.Voggesser at de.debitel.com (Josef Voggesser)
Date: Fri, 2 Mar 2007 14:38:30 +0100
Subject: [tac_plus] Bug in current tac_plus
Message-ID:

Hi folks,

a few weeks ago I found your project with the acl-enhancement on the cisco tacacs server. Testing your server for my needs I noticed a little bug in the current version.

Logging to syslog doesn't continuously work with the configured logging="local6" in my tacacs.cfg file. A debug on syslog (see attachment) showed:

- after having read tacacs.cfg the loglevel changes to local6 --> correct
- after "backgrounded" the loglevel changes to "daemon.debug" or "daemon.info" --> incorrect

I asked our student Timo Vanoni to examine this malfunction and - being a clever boy - he found the bug. In the attachment you can see his changes on three files. I think this could also help other users.

One question or maybe suggestion for improvement: As I use two separate log files for tac_plus, I don't need user related log messages in syslog. Daemon related log messages are still welcome. Is it possible to keep user related log messages away from syslog?

Greetings from Stuttgart, Germany!

Josef Voggesser
Dipl.-Ing.
IT-OP-SDN
debitel AG
Gropiusplatz 10 (visitor address)
Meitnerstrasse 16 (delivery address)
70563 Stuttgart
Tel : +49-711-721-6247
Fax : +49-711-2182-6247
E-Mail : josef.voggesser at de.debitel.com
---------------------------------------------------------------------------------
debitel AG
Gropiusplatz 10
70545 Stuttgart
Registered office and court of registration: Stuttgart, HRB No. 19 835
Chairman of the Supervisory Board: Dr. Hellmut K. Albrecht
Executive Board: Axel Rückert (Chairman), Joachim Preisig, Oliver Steil
---------------------------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20070302/c61ce394/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tac_plus-patched.zip
Type: application/zip
Size: 50436 bytes
Desc: not available
Url : http://www.shrubbery.net/pipermail/tac_plus/attachments/20070302/c61ce394/attachment.zip

From Bill.Husler at CriticalPath.net Thu Mar 8 21:48:52 2007
From: Bill.Husler at CriticalPath.net (Bill Husler)
Date: Thu, 8 Mar 2007 13:48:52 -0800
Subject: [tac_plus] Suggestion: The ability to put a user in multiple groups would be extremely helpful
Message-ID:

Greetings and thank you for making your implementation of TAC_PLUS available. We are rolling it out corporation wide and have found that we have two overlapping populations. Some job functions have responsibility world wide (like our network engineers), while others have more vertical responsibilities (like system administrators). There are cases where an individual, for various reasons, wears two hats - one horizontal and one vertical - and it would be nice to be able to reflect this in the TACACS authorizations conveniently.

Thanks again,

Bill Husler
Security Architect
Critical Path inc.
2 Harrison st
San Francisco, CA 94108
415-541-2596

From antoninvitecek at seznam.cz Fri Mar 16 13:27:34 2007
From: antoninvitecek at seznam.cz (Antonin Vitecek)
Date: Fri, 16 Mar 2007 14:27:34 +0100
Subject: [tac_plus] little bug
Message-ID: <1174051655.11113.11.camel@localhost.localdomain>

Hello,

when I played with tacacs, I tried to set no key on the NAS, and the tac_plus daemon ended with SIGSEGV. This happened only when the daemon was run with "-g -d 256..511" parameters.

From heas at shrubbery.net Sat Mar 17 05:00:00 2007
From: heas at shrubbery.net (john heasley)
Date: Fri, 16 Mar 2007 22:00:00 -0700
Subject: [tac_plus] Re: little bug
In-Reply-To: <1174051655.11113.11.camel@localhost.localdomain>
References: <1174051655.11113.11.camel@localhost.localdomain>
Message-ID: <20070317050000.GK29751@shrubbery.net>

Fri, Mar 16, 2007 at 02:27:34PM +0100, Antonin Vitecek:
> Hello,
>
> when I played with tacacs, I tried to set no key on the NAS, and the
> tac_plus daemon ended with SIGSEGV. This happened only when the daemon
> was run with "-g -d 256..511" parameters.

Hi,

I've tried to reproduce this and have not been successful. Could you show the last 10 or so lines of the debug output to me? And, if you've built the binary with symbols, you can show me where the SEGV was with the commands:

	# gdb -c core tac_plus
	gdb> where

OR you could give a copy of your configuration to me and I can try again to reproduce the problem.

Thanks for the bug report.