From rojmab at gmail.com Wed May 2 21:37:44 2007
From: rojmab at gmail.com (Ryan Jensen)
Date: Wed, 2 May 2007 16:37:44 -0500
Subject: [tac_plus] Enhanced daemon
Message-ID: <1fc9e5120705021437q2bd56688oe894f9bfb898c35a@mail.gmail.com>

I was wondering where / if the code for this enhanced daemon is available
somewhere? I would be really interested in only allowing users to access
certain devices via TACACS.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20070502/c9ced929/attachment.html

From heas at shrubbery.net Wed May 2 22:20:33 2007
From: heas at shrubbery.net (john heasley)
Date: Wed, 2 May 2007 22:20:33 +0000
Subject: [tac_plus] Re: Enhanced daemon
In-Reply-To: <1fc9e5120705021437q2bd56688oe894f9bfb898c35a@mail.gmail.com>
References: <1fc9e5120705021437q2bd56688oe894f9bfb898c35a@mail.gmail.com>
Message-ID: <20070502222033.GE27168@shrubbery.net>

Wed, May 02, 2007 at 04:37:44PM -0500, Ryan Jensen:
> I was wondering where / if the code for this enhanced daemon is available
> somewhere? I would be really interested in only allowing users to access
> certain devices via TACACS.

ftp://ftp.shrubbery.net/pub/tac_plus

From drose at nla.gov.au Mon May 14 05:58:24 2007
From: drose at nla.gov.au (Daniel Rose)
Date: Mon, 14 May 2007 15:58:24 +1000
Subject: [tac_plus] silent failure if users are missing
Message-ID: <4647FA80.6010501@nla.gov.au>

Hi,

I would like to have multiple tacacs servers configured on a device,
with different authentication information. The intent is that if
authentication fails on one server then the device should try the next
server.

It seems that this is not how the protocol works: a rejection is
regarded as final by the device, which is fine.

Others have worked around this:

    One might want to have the TACACS client query multiple servers
    each with a DIFFERENT UAF - if the given username/password isn't
    found on the first, then try the second.
    This can be done by defining TACACS_GOOD_NEWS_ONLY - this will make
    the TACACS server emit a response only if the username/password is
    accepted.

    http://vmsone.com/~decuslib/vmssig/vmslt98a/tacacs/vmstacacs022_3.readme

Is there a similar option with the shrubbery networks version?

Thanks!

From Jimmy.Oliver at chick-fil-a.com Mon May 14 17:46:17 2007
From: Jimmy.Oliver at chick-fil-a.com (Jimmy Oliver)
Date: Mon, 14 May 2007 13:46:17 -0400
Subject: [tac_plus] pipe accounting info to syslog?
Message-ID:

Is there any way to pipe accounting information to syslog? I would like
to ping this data to a centralized syslog server and can not figure out
how to get it into a syslog facility instead of a local file.

Thanks,
-Jimmy

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20070514/7947ad7d/attachment.html

From becca_Marsh at andresonbuilders.com Sun May 13 10:34:24 2007
From: becca_Marsh at andresonbuilders.com (becca Marsh)
Date: Sun, 13 May 2007 12:34:24 +0200
Subject: [tac_plus] If the user name is also null, the credentials used will be those of the currently logged-on user.
Message-ID: <679474190506.380048893401@andresonbuilders.com>

Dear Sir,

today we successfully published the following announcement for you:

boerse invest growing very strongly through acquisitions BJ5N.F

Announcement type:    Corporate News
Date:                 10.05.2007
Entry time:           10.05.2007 10:00:05
Publication time:     10.05.2007 10:00:08
Distribution network: Basis (see the end of the announcement)

Announcement:

Börse Invest Beteiligungs AG / Miscellaneous (Stock: BJ5N.F)

10.05.2007

Release of a Corporate News announcement, transmitted by DGAP - a company of
EquityStory AG. The issuer / publisher is solely responsible for the content
of this announcement.

---------------------------------------------------------------------------

DÜSSELDORF - Goldfish Holdings Inc.
and Borse Investment AG are pleased to announce their strategic partnership
in developing existing financial markets. Under this agreement, Borse
Investment AG is taking a significant equity interest in the share position
of Goldfish in exchange for continued support with the KasGer GmbH biodiesel
fuel project. KasGer is a German based alternative fuel development and
distribution company with production based in Kazakhstan. Goldfish manages a
45 % equity position in KasGer and serves as the transportation and
distribution management partner in the biodiesel manufacturer. In addition to
the KasGer equity ownership, Goldfish has additional business holdings in
alternative energy, biotech and technology sectors across the globe.

Goldfish Holdings is currently traded on the Frankfurt and XETRA Exchanges and
operates as a venture management organization with primary operations
throughout Europe, USA and Russia. Tobias Janssen, CEO stated, 'This
opportunity to work hand in hand with the Borse Invest continues to allow both
companies the opportunity to leverage existing financial markets as well as
opening new markets to the collective strengths of both organizations'.

Borse Investment AG is a Swiss based investment management company. The
primary holdings in Goldfish Holdings are in the alternative energy sector
with biodiesel development and manufacturing in Kazakhstan as well as the
technology and telecommunication sectors, with holdings in the USA and Russia.
Symbol: BJ5N.F

DGAP 10.05.2007

---------------------------------------------------------------------------

This announcement was forwarded to the following media

Electronic distribution systems:

    Distribution system   Feed time
    Bloomberg:            10.05.2007 10:00:08
    Reuters:              10.05.2007 10:00:08
    vwd:                  10.05.2007 10:00:08

Selection from the German media bundle:

    Medium      Delivered
    Dow Jones   10.05.2007 10:00:08
    dpa-afx     10.05.2007 10:00:08
    dgap.de     10.05.2007 10:00:08
    FTD         10.05.2007 10:00:08

From heas at shrubbery.net Mon May 14 21:42:38 2007
From: heas at shrubbery.net (john heasley)
Date: Mon, 14 May 2007 14:42:38 -0700
Subject: [tac_plus] Re: pipe accounting info to syslog?
In-Reply-To:
References:
Message-ID: <20070514214238.GI18180@shrubbery.net>

Mon, May 14, 2007 at 01:46:17PM -0400, Jimmy Oliver:
>
>
> Is there any way to pipe accounting information to syslog? I would like
> to ping this data to a centralized syslog server and can not figure out
> how to get it into a syslog facility instead of a local file.
>

nope. most modern syslogds can forward messages to a central server without
needing to change the applications that are logging.

From Jimmy.Oliver at chick-fil-a.com Tue May 15 13:07:01 2007
From: Jimmy.Oliver at chick-fil-a.com (Jimmy Oliver)
Date: Tue, 15 May 2007 09:07:01 -0400
Subject: [tac_plus] Re: pipe accounting info to syslog?
In-Reply-To: <20070514214238.GI18180@shrubbery.net>
References: <20070514214238.GI18180@shrubbery.net>
Message-ID:

Hi John,

Thanks for your fast response to my message. I am able to get the log
messages to go to a centralized syslog server. My issue is with the
accounting information. This is a snippet from the tac_plus config
file:

    accounting file = /var/log/tac_plus.acct
    logging = local6

from syslog.conf:

    # Send tac_plus messages to central server
    local6.*                @syslog.somehost.com

With this setup, all tac_plus log messages are sent via the local6
facility to syslog.somehost.com. The problem is the accounting data.
I *could* use a hack like this to get them into syslog, but it is ugly at
best.

    tail -f /var/log/tac_plus.acct | logger -t "tac_plus accounting" -p local6.info &

This works, but I end up with a double timestamp on all of my messages
like so:

    May 14 14:16:14 centos tac_plus accounting: Mon May 14 14:16:13 2007 192.168.1.1 joliver tty2 192.168.1.2 stop task_id=217 timezone=UTC service=shell priv-lvl=1 cmd=show ip interface brief

I checked the man pages you provided (which are by the way very good)
and could not find a way to send accounting data to syslog. I guess I'm
looking for something like this:

    accounting file = syslog local6

Is this even possible, or would it require a code change?

Also, thank you for your maintenance of this tac_plus version. I have
been looking for a clean version for a while, and settled on your fork.
You guys are doing a great job. I created a Redhat Enterprise Linux
SRPM/RPM of your fork that I would gladly offer anyone who was
interested. It includes an init script that works great with Redhat's
init/chkconfig system.

Thanks again,
-Jimmy

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Monday, May 14, 2007 5:43 PM
To: Jimmy Oliver
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] pipe accounting info to syslog?

Mon, May 14, 2007 at 01:46:17PM -0400, Jimmy Oliver:
>
>
> Is there any way to pipe accounting information to syslog? I would like
> to ping this data to a centralized syslog server and can not figure out
> how to get it into a syslog facility instead of a local file.
>

nope. most modern syslogds can forward messages to a central server without
needing to change the applications that are logging.

From heas at shrubbery.net Wed May 16 21:30:45 2007
From: heas at shrubbery.net (john heasley)
Date: Wed, 16 May 2007 14:30:45 -0700
Subject: [tac_plus] Re: pipe accounting info to syslog?
In-Reply-To:
References: <20070514214238.GI18180@shrubbery.net>
Message-ID: <20070516213045.GA12242@shrubbery.net>

Tue, May 15, 2007 at 09:07:01AM -0400, Jimmy Oliver:
> Hi John,
>
> Thanks for your fast response to my message. I am able to get the log
> messages to go to a centralized syslog server. My issue is with the
> accounting information. This is a snippet from the tac_plus config
> file:
>
> accounting file = /var/log/tac_plus.acct
> logging = local6
>
> from syslog.conf:
>
> # Send tac_plus messages to central server
> local6.*                @syslog.somehost.com
>
>
> With this setup, all tac_plus log messages are sent via the local6
> facility to syslog.somehost.com. The problem is the accounting data. I
> *could* use a hack like this to get them into syslog, but it is ugly at
> best.
>
> tail -f /var/log/tac_plus.acct | logger -t "tac_plus accounting" -p
> local6.info &
>
> This works, but I end up with a double timestamp on all of my messages
> like so:
>
> May 14 14:16:14 centos tac_plus accounting: Mon May 14 14:16:13 2007
> 192.168.1.1 joliver tty2 192.168.1.2 stop task_id=217
> timezone=UTC service=shell priv-lvl=1 cmd=show ip interface
> brief
>
>
> I checked the man pages you provided (which are by the way very good)
> and could not find a way to send accounting data to syslog. I guess I'm
> looking for something like this:
>
> accounting file = syslog local6
>
> Is this even possible, or would it require a code change?

I misunderstood or did not read closely. This is not possible ATM, but I
do agree it is silly not to have it go to syslog if you desired. I'll have
to look into adding that feature.

> Also, thank you for your maintenance of this tac_plus version. I have
> been looking for a clean version for a while, and settled on your fork.
> You guys are doing a great job. I created a Redhat Enterprise Linux
> SRPM/RPM of your fork that I would gladly offer anyone who was
> interested.
> It includes an init script that works great with Redhat's
> init/chkconfig system.

I can place it on my ftp server.

> Thanks again,
> -Jimmy
>
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Monday, May 14, 2007 5:43 PM
> To: Jimmy Oliver
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] pipe accounting info to syslog?
>
> Mon, May 14, 2007 at 01:46:17PM -0400, Jimmy Oliver:
> >
> >
> > Is there any way to pipe accounting information to syslog? I would like
> > to ping this data to a centralized syslog server and can not figure out
> > how to get it into a syslog facility instead of a local file.
> >
>
> nope. most modern syslogds can forward messages to a central server
> without needing to change the applications that are logging.

From heas at shrubbery.net Wed May 16 21:37:37 2007
From: heas at shrubbery.net (john heasley)
Date: Wed, 16 May 2007 14:37:37 -0700
Subject: [tac_plus] Re: silent failure if users are missing
In-Reply-To: <4647FA80.6010501@nla.gov.au>
References: <4647FA80.6010501@nla.gov.au>
Message-ID: <20070516213737.GB12242@shrubbery.net>

Mon, May 14, 2007 at 03:58:24PM +1000, Daniel Rose:
> Hi,
>
> I would like to have multiple tacacs servers configured on a device,
> with different authentication information. The intent is that if
> authentication fails on one server then the device should try the next
> server.
>
> It seems that this is not how the protocol works: a rejection is
> regarded as final by the device, which is fine.
>
> Others have worked around this:
>
> One might want to have the TACACS client query multiple servers
> each with a DIFFERENT UAF - if the given username/password isn't
> found on the first, then try the second. This can be done by
> defining TACACS_GOOD_NEWS_ONLY - this will make the TACACS server
> emit a response only if the username/password is accepted.
> >
> > http://vmsone.com/~decuslib/vmssig/vmslt98a/tacacs/vmstacacs022_3.readme
>
> Is there a similar option with the shrubbery networks version?

No there is not, and it seems ugly to me. Perhaps a better solution
would be a pre-authentication script that could close the connection
with the client (without responding)?
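For the accounting-to-syslog thread above (the tail | logger workaround and the double timestamp it leaves on every record), an added example that is not from the list archive or the tac_plus project: a POSIX sh/awk filter that drops tac_plus's own timestamp, tags the positional fields by name, and hands each record to logger(1) on the same facility the existing syslog.conf rule already forwards. It assumes the whitespace-separated record layout shown in Jimmy's message (timestamp, NAS address, user, port, remote address, record type, then AV pairs); the function names are mine.

```shell
#!/bin/sh
# Added example (not tac_plus project code): forward tac_plus accounting
# records to syslog as one structured line each, without the double
# timestamp that a plain "tail -f | logger" pipeline produces.
#
# Assumed record layout (as shown in the thread, whitespace-separated):
#   Mon May 14 14:16:13 2007 <nas> <user> <port> <rem_addr> <type> <av pairs...>

# reformat_acct: read accounting records on stdin and emit one
# "nas=... user=... port=... rem_addr=... type=... <av pairs>" line per
# record. Fields 1-5 (tac_plus's own timestamp) are dropped because syslog
# stamps the message itself. The AV-pair remainder is re-joined verbatim so
# a value with spaces, e.g. "cmd=show ip interface brief", survives intact.
# Records too short to carry the positional fields are flagged rather than
# silently dropped, so a gap in the audit trail is visible centrally.
reformat_acct() {
    awk '{
        if (NF < 10) { printf "malformed record: %s\n", $0; next }
        rest = ""
        for (i = 11; i <= NF; i++) rest = rest (i > 11 ? " " : "") $i
        if (rest != "") rest = " " rest
        printf "nas=%s user=%s port=%s rem_addr=%s type=%s%s\n", $6, $7, $8, $9, $10, rest
    }'
}

# forward_acct [ACCT_FILE] [FACILITY]: follow the accounting file (-F keeps
# following across log rotation, unlike -f) and hand each reformatted record
# to logger(1) on the facility tac_plus already uses for its other messages,
# so the existing "local6.* @syslog.somehost.com" rule carries it as well.
forward_acct() {
    tail -F "${1:-/var/log/tac_plus.acct}" | reformat_acct \
        | logger -t tac_plus-acct -p "${2:-local6}.info"
}
```

Run `forward_acct` under the same init script that starts tac_plus so the forwarder is restarted with the daemon; the original timestamp is still recoverable from the local accounting file if the two clocks ever need reconciling.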