From dlambert at OneCommunications.com Wed Apr 2 15:23:10 2008
From: dlambert at OneCommunications.com (Lambert, David)
Date: Wed, 2 Apr 2008 11:23:10 -0400
Subject: [tac_plus] Is it possible to nest acl groups inside each other? I tried it and am getting an error; is there a way to do this?

David Lambert
585-530-2768
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20080402/56d36101/attachment.html

From heas at shrubbery.net Wed Apr 2 23:04:14 2008
From: heas at shrubbery.net (john heasley)
Date: Wed, 2 Apr 2008 23:04:14 +0000
Subject: [tac_plus] Re: Is it possible to nest acl groups inside each other? I tried it and am getting an error; is there a way to do this?
Message-ID: <20080402230414.GW3271@shrubbery.net>

no, it is not, with the current code.

Wed, Apr 02, 2008 at 11:23:10AM -0400, Lambert, David:
>
> David Lambert
> 585-530-2768
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20080402/56d36101/attachment.html
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From kissg at ssg.ki.iif.hu Thu Apr 3 04:32:00 2008
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Thu, 3 Apr 2008 06:32:00 +0200 (CEST)
Subject: [tac_plus] Re: Is it possible to nest acl groups inside each other? I tried it and am getting an error; is there a way to do this?
In-Reply-To: <20080402230414.GW3271@shrubbery.net>
References: <20080402230414.GW3271@shrubbery.net>

> Subject: [tac_plus] Re: Is it possible to nest acl groups inside each other? I
> tried it and am getting an error; is there a way to do this?
>
> no, it is not, with the current code.

It IS with my patch.
http://bakacsin.ki.iif.hu/~kissg/pd/tac_plus/
http://bakacsin.ki.iif.hu/~kissg/pd/tac_plus/README

Gabor

From dan.schmidt at uplinkdata.com Fri Apr 4 00:04:01 2008
From: dan.schmidt at uplinkdata.com (Dan Schmidt)
Date: Thu, 3 Apr 2008 18:04:01 -0600
Subject: [tac_plus] Re: enable = file /etc/passwd
In-Reply-To: <46E65922.9080708@seznam.cz>
References: <390DD3915314C044A2B6D54FF84E872B29EA75@che-exch-001.uplinkdata.com> <46E65922.9080708@seznam.cz>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC0CE5AA@che-exch-003.uplinkdata.com>

Has anybody created a patch like this for tacacs+-F4.0.4.15? My apologies if I have missed something.

Many thanks,
-Dan Schmidt

-----Original Message-----
From: Antonin Vitecek [mailto:antoninvitecek at seznam.cz]
Sent: Tuesday, September 11, 2007 3:00 AM
To: Dan Schmidt
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] enable = file /etc/passwd

Dan Schmidt wrote:
> I am having the same problem as this user:
>
> http://www.shrubbery.net/pipermail/tac_plus/2007-February/000078.html
>
> Is this a bug? Terribly sorry if this has been talked about before - I
> could not seem to google it.
>
> Thanks,
> -Dan
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20070905/fd30a19b/attachment.html
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

Hi,

Jeff Gehlbach sent me a patch solving this problem, but the format of his patch didn't work for me, so I created a new one. Here is the mail from Jeff:

=================================================================================================

Hi!

I just ran across this same issue. Sorry if my reply doesn't get properly threaded, I'm pasting your message from the mailman archive as I was not subscribed to the list at the time you sent it.
On Wed Feb 14 14:40:16 UTC 2007, Antonin Vitecek wrote:
> > I have a little question. Is it possible to authenticate the enable password
> > using a passwd(5) file? Because I found it on the Shrubbery
> > page (http://www.shrubbery.net/tac_plus/) at the bottom:
> >
> > user = bar {
> >     enable = file /etc/tac_enable_pwd
> > }
> >
> > But, if I try it, I get this message:
> >
> > 192.168.0.1: Error cannot identify password type file /etc/passwd for
> > john
> >
> > For login it is ok. In pwlib.c I found:
> >
> > /* Oops. No idea what kind of password this is. This should never
> >  * happen as the parser should never create such passwords. */
> >
> > What I want is to have the same login and enable password.

I believe this may be a bug in the Shrubbery code. I applied the attached patch to the source as obtained by extracting tacacs+-F4.0.4.14.tar.gz from ftp.shrubbery.net. I can now use 'enable = file /path/foo' with no issues.

I don't have a sufficiently deep understanding of the TACACS+ protocol to know whether this will work in every situation, but it got me running. If anybody sees a problem with this patch, please let me know.

The patch also adds single quotes around the parameterized strings in the "Error cannot identify password type" messages, so that they read e.g.:

Error cannot identify password type 'file' for 'john'

-jeff

*** pwlib.c.orig 2007-03-08 09:58:36.000000000 -0500 --- pwlib.c 2007-03-08 09:04:07.000000000 -0500 *************** *** 207,213 **** /* Oops. No idea what kind of password this is. This should never * happen as the parser should never create such passwords. */ ! report(LOG_ERR, "%s: Error cannot identify password type %s for %s", session.peer, cfg_passwd && cfg_passwd[0] ? cfg_passwd : "", name ? name : ""); --- 207,213 ---- /* Oops. No idea what kind of password this is. This should never * happen as the parser should never create such passwords. */ !
report(LOG_ERR, "%s: Error cannot identify password type '%s' for '%s'", session.peer, cfg_passwd && cfg_passwd[0] ? cfg_passwd : "", name ? name : ""); *************** *** 261,270 **** return(data->status == TAC_PLUS_AUTHEN_STATUS_PASS); } /* Oops. No idea what kind of password this is. This should never * happen as the parser should never create such passwords. */ ! report(LOG_ERR, "%s: Error cannot identify password type %s for %s", session.peer, cfg_passwd && cfg_passwd[0] ? cfg_passwd : "", name ? name : ""); --- 261,281 ---- return(data->status == TAC_PLUS_AUTHEN_STATUS_PASS); } + p = tac_find_substring("file ", cfg_passwd); + if (p) { + if (!passwd_file_verify(name, passwd, data, p)) { + data->status = TAC_PLUS_AUTHEN_STATUS_FAIL; + return(0); + } else { + data->status = TAC_PLUS_AUTHEN_STATUS_PASS; + } + return(data->status == TAC_PLUS_AUTHEN_STATUS_PASS); + } + /* Oops. No idea what kind of password this is. This should never * happen as the parser should never create such passwords. */ ! report(LOG_ERR, "%s: Error cannot identify password type '%'s for '%s'", session.peer, cfg_passwd && cfg_passwd[0] ? cfg_passwd : "", name ? name : "");

=================================================================================================

From dlambert at OneCommunications.com Mon Apr 14 18:00:13 2008
From: dlambert at OneCommunications.com (Lambert, David)
Date: Mon, 14 Apr 2008 14:00:13 -0400
Subject: [tac_plus] I was wondering if anyone knew of a tacacs client that I could use to load test my TACACS SERVER

-------------- next part --------------
An HTML attachment was scrubbed...
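Review bot: in the second hunk of Jeff's pwlib.c patch quoted above (`*** 261,270 ****` / `--- 261,281 ----`), the replacement `report()` format string reads `'%'s for '%s'`; the closing quote has landed on the wrong side of the `s`, so the message would not come out as `type 'file' for 'john'` the way the first hunk's `'%s' for '%s'` does, and the string should be `"%s: Error cannot identify password type '%s' for '%s'"`. In the added `file ` branch, the `else` arm sets `TAC_PLUS_AUTHEN_STATUS_PASS` and the following `return(data->status == TAC_PLUS_AUTHEN_STATUS_PASS)` can then only ever return 1, so the branch could set the status and `return(1)` directly, or follow the shape of the preceding password-type branch whose `return(data->status == TAC_PLUS_AUTHEN_STATUS_PASS); }` appears as context; the hunk also does not show a declaration of `p`, which should be confirmed to exist in this function before the patch is applied.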
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20080414/10fdb880/attachment.html

From john at sackheads.org Mon Apr 14 19:45:47 2008
From: john at sackheads.org (John Payne)
Date: Mon, 14 Apr 2008 15:45:47 -0400
Subject: [tac_plus] Re: I was wondering if anyone knew of a tacacs client that I could use to load test my TACACS SERVER
Message-ID: <61CBF073-0D34-4B03-82F7-6CEDCBCFA786@sackheads.org>

Have you tried http://search.cpan.org/dist/Net-TacacsPlus/ ?

From antoninvitecek at seznam.cz Tue Apr 22 09:23:44 2008
From: antoninvitecek at seznam.cz (Antonin Vitecek)
Date: Tue, 22 Apr 2008 11:23:44 +0200
Subject: [tac_plus] Re: enable = file /etc/passwd
In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BC0CE5AA@che-exch-003.uplinkdata.com>
References: <390DD3915314C044A2B6D54FF84E872B29EA75@che-exch-001.uplinkdata.com> <46E65922.9080708@seznam.cz> <05CC562AFB5A9446A1BC3F66AD04A3BC0CE5AA@che-exch-003.uplinkdata.com>
Message-ID: <480DAEA0.2090006@seznam.cz>

Hi,

The old patch for 4.0.4.14 should work too. Try to copy it to the tacacs+-F4.0.4.15 directory and run:

patch -p1 < enable_passwdfile.patch

Or try to use the attached one.

Antonin Vitecek

Dan Schmidt wrote:
> Has anybody created a patch like this for tacacs+-F4.0.4.15? My
> apologies if I have missed something.
>
> Many thanks,
> -Dan Schmidt
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tac_enab_new.patch
Type: text/x-patch
Size: 1487 bytes
Desc: not available
Url : http://www.shrubbery.net/pipermail/tac_plus/attachments/20080422/c020de3d/attachment.bin

From kissg at ssg.ki.iif.hu Wed Apr 23 08:38:03 2008
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Wed, 23 Apr 2008 10:38:03 +0200 (CEST)
Subject: [tac_plus] Multiple group membership patch available

Dear all,

I've ported my patch from F4.0.4.14 to F4.0.4.15. It allows multiple group membership, more flexible handling of ACLs and the use of (nested) include files in the config.
It can be found at http://bakacsin.ki.iif.hu/~kissg/pd/tac_plus

More info is on page http://www.shrubbery.net/pipermail/tac_plus/2007-August/000125.html

Cheers
Gabor

From dan.schmidt at uplinkdata.com Wed Apr 23 20:40:39 2008
From: dan.schmidt at uplinkdata.com (Dan Schmidt)
Date: Wed, 23 Apr 2008 14:40:39 -0600
Subject: [tac_plus] Re: enable = file /etc/passwd
In-Reply-To: <480DAEA0.2090006@seznam.cz>
References: <390DD3915314C044A2B6D54FF84E872B29EA75@che-exch-001.uplinkdata.com> <46E65922.9080708@seznam.cz> <05CC562AFB5A9446A1BC3F66AD04A3BC0CE5AA@che-exch-003.uplinkdata.com> <480DAEA0.2090006@seznam.cz>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC0CE76D@che-exch-003.uplinkdata.com>

Thanks!

-----Original Message-----
From: Antonin Vitecek [mailto:antoninvitecek at seznam.cz]
Sent: Tuesday, April 22, 2008 3:24 AM
To: Dan Schmidt
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Re: enable = file /etc/passwd

Hi,

The old patch for 4.0.4.14 should work too. Try to copy it to the tacacs+-F4.0.4.15 directory and run:

patch -p1 < enable_passwdfile.patch

Or try to use the attached one.

Antonin Vitecek

Dan Schmidt wrote:
> Has anybody created a patch like this for tacacs+-F4.0.4.15? My
> apologies if I have missed something.
>
> Many thanks,
> -Dan Schmidt
>

From kissg at ssg.ki.iif.hu Wed Apr 30 08:54:14 2008
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Wed, 30 Apr 2008 10:54:14 +0200 (CEST)
Subject: [tac_plus] Let's discuss some new features

Dear folks,

I plan to do some enhancements to the tac_plus daemon. It would be lovely if a network manager could assign individual attributes based not only on username but also on:

- host (NAS) address/name
- terminal line (console, async/modem, vty etc.)
- connection time (workdays, weekend, day and night etc.)

However this requires a more sophisticated database backend, practically speaking a relational database. Sqlite seems to be a good choice.
The configure script would accept a --with-sqlite option on systems where libsqlite is available. At startup or when catching a HUP signal the daemon reads the usual configuration file and fills the database with the appropriate records. The database could be entirely in memory (i.e. no external file), so the daemon would be acting as a black box that cannot be distinguished from the current one. The look is the same but there is a V8 engine under the hood. :-)

Moreover I wish to keep backward compatibility of the config file. So I'm thinking of some new syntax elements that could describe the above functionality. I mean something like this:

-----------------------------------
acl = local_net_acl {
    permit = ^172\.16\.192\.
}

user = melany_local {
    ifhost = local_net_acl {
        service = exec {
            priv-lvl = 15
        }
    }
    service = exec {
        priv-lvl = 2
    }
    member = working_girl
}

time = business_hours {
    permit = Mo-Fr,8-15:30
}

group = working_girl {
    iftime = business_hours {
        default service = permit
    }
    default service = deny
}
-----------------------------------

What is your opinion?

Gabor
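To make the proposed `ifhost` / `iftime` semantics concrete, here is an added Python model of how a daemon would evaluate Gabor's example config for one session. It is not tac_plus code and not part of Gabor's patch; it assumes that an `acl` `permit` is a regular expression matched against the NAS address, that a `time` `permit` such as `Mo-Fr,8-15:30` is a day range plus a half-open `HH[:MM]` range, that the first matching `ifhost` / `iftime` block wins, and that the unconditional attributes are the fall-back. The config is re-expressed as Python data rather than parsed from the text above; `evaluate`, `evaluate_at`, `acl_matches` and `parse_time_spec` are names chosen for this example.

```python
"""Model of the ifhost/iftime evaluation proposed for tac_plus.

Added example, not project code. Assumed semantics: acl 'permit' is a
regex on the NAS address; time 'permit' is 'Dd-Dd,HH[:MM]-HH[:MM]' with a
half-open end; the first matching conditional block overrides the
unconditional attribute; otherwise the unconditional attribute applies.
"""
import re
from datetime import datetime

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]   # datetime.weekday() order

# Gabor's proposed config, re-expressed as Python data (constructed here).
CONFIG = {
    "acl": {"local_net_acl": {"permit": r"^172\.16\.192\."}},
    "time": {"business_hours": {"permit": "Mo-Fr,8-15:30"}},
    "user": {
        "melany_local": {
            "ifhost": {"local_net_acl": {"service": {"exec": {"priv-lvl": 15}}}},
            "service": {"exec": {"priv-lvl": 2}},
            "member": "working_girl",
        }
    },
    "group": {
        "working_girl": {
            "iftime": {"business_hours": {"default service": "permit"}},
            "default service": "deny",
        }
    },
}


def acl_matches(acl, nas_addr):
    """permit = <regex>, tested against the NAS address (assumed semantics)."""
    return re.search(acl["permit"], nas_addr) is not None


def parse_time_spec(spec):
    """'Mo-Fr,8-15:30' -> ({0,1,2,3,4}, 480, 930): weekday set, start/end minutes."""
    days_part, hours_part = spec.split(",")
    first, last = (DAYS.index(d) for d in days_part.split("-"))
    if first <= last:
        days = set(range(first, last + 1))
    else:                                  # wrap-around range such as Fr-Mo
        days = set(range(first, 7)) | set(range(0, last + 1))

    def to_minutes(hm):
        hours, _, minutes = hm.partition(":")
        return int(hours) * 60 + (int(minutes) if minutes else 0)

    start, end = (to_minutes(h) for h in hours_part.split("-"))
    return days, start, end


def time_matches(tspec, when):
    """True when 'when' falls inside the day set and the half-open [start, end)."""
    days, start, end = parse_time_spec(tspec["permit"])
    minute_of_day = when.hour * 60 + when.minute
    return when.weekday() in days and start <= minute_of_day < end


def evaluate(config, username, nas_addr, when):
    """Return (exec priv-lvl, group default service) for one session."""
    user = config["user"][username]
    priv = user["service"]["exec"]["priv-lvl"]           # unconditional value
    for acl_name, attrs in user.get("ifhost", {}).items():
        if acl_matches(config["acl"][acl_name], nas_addr):
            priv = attrs["service"]["exec"]["priv-lvl"]  # first match wins
            break

    group = config["group"][user["member"]]
    default = group["default service"]                  # deny unless a window matches
    for time_name, attrs in group.get("iftime", {}).items():
        if time_matches(config["time"][time_name], when):
            default = attrs["default service"]
            break
    return priv, default


def evaluate_at(config, username, nas_addr, iso_timestamp):
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return evaluate(config, username, nas_addr, datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    # Wednesday 2008-04-30 10:00 from the local net: priv 15, commands permitted.
    print(evaluate_at(CONFIG, "melany_local", "172.16.192.7", "2008-04-30T10:00"))
    # Saturday from elsewhere: priv 2, commands denied.
    print(evaluate_at(CONFIG, "melany_local", "10.0.0.1", "2008-05-03T10:00"))
```

The design point worth noticing is that the group's unconditional `default service = deny` is the fall-back, so any NAS or time the conditional blocks do not explicitly cover ends up denied, and the time window is half-open, so 15:30 itself is already outside business hours.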