[tac_plus] Re: enable passwords

Schmidt, Daniel dan.schmidt at uplinkdata.com
Mon Aug 4 20:38:28 UTC 2008


You need the tac_plus password patch.  I'm not exactly sure why this
never made it into the latest version.  

diff -ruN tacacs+-F4.0.4.15/pwlib.c tacacs+-F4.0.4.15.new/pwlib.c
--- tacacs+-F4.0.4.15/pwlib.c	2007-12-13 20:18:39.000000000 +0100
+++ tacacs+-F4.0.4.15.new/pwlib.c	2008-04-22 11:05:11.000000000
+0200
@@ -206,7 +206,7 @@
     /* Oops. No idea what kind of password this is. This should never
      * happen as the parser should never create such passwords.
      */
-    report(LOG_ERR, "%s: Error cannot identify password type %s for
%s",
+    report(LOG_ERR, "%s: Error cannot identify password type '%s' for
'%s'",
 	   session.peer,
 	   cfg_passwd && cfg_passwd[0] ? cfg_passwd : "<NULL>",
 	   name ? name : "<unknown>");
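Review bot: the second string argument to report() here is cfg_passwd itself, so whatever the configuration holds for this user (a cleartext secret or a hash of an unrecognised type) is written to the log at LOG_ERR. The added quotes make stray whitespace visible, but the value still lands in the log. Consider logging only the leading type keyword or a fixed marker, and keep the quoted name. The `cfg_passwd && cfg_passwd[0]` test also prints "<NULL>" for an empty string as well as for a NULL pointer, which hides the difference when debugging a configuration.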
@@ -260,10 +260,22 @@
 	return(data->status == TAC_PLUS_AUTHEN_STATUS_PASS);
     }
 
+    p = tac_find_substring("file ", cfg_passwd);
+    if (p) {
+        if (!passwd_file_verify(name, passwd, data, p)) {
+            data->status = TAC_PLUS_AUTHEN_STATUS_FAIL;
+            return(0);
+        } else {
+            data->status = TAC_PLUS_AUTHEN_STATUS_PASS;
+        }
+      
+        return(data->status == TAC_PLUS_AUTHEN_STATUS_PASS);
+    }
+
     /* Oops. No idea what kind of password this is. This should never
      * happen as the parser should never create such passwords. */
 
-    report(LOG_ERR, "%s: Error cannot identify password type %s for
%s",
+    report(LOG_ERR, "%s: Error cannot identify password type '%s' for
'%s'",
 	   session.peer,
 	   cfg_passwd && cfg_passwd[0] ? cfg_passwd : "<NULL>",
 	   name ? name : "<unknown>");
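Review bot: in the added `file ` branch, the final `return(data->status == TAC_PLUS_AUTHEN_STATUS_PASS);` is only reachable once the else arm has already set the status to PASS, so the comparison is redundant. Set the status and return 1 or 0 directly in each arm. Nothing visible in the hunk checks that p points at a non-empty path before it is passed to passwd_file_verify(), so a password entry of `file ` with nothing after it relies entirely on the callee; add a guard, or a comment stating that the callee handles it. The failure arm returns without a report() call, so unless passwd_file_verify() logs on its own, a failed file-based check leaves no entry at this level. The whitespace-only line before the return should be dropped, and the report() call at the end of the hunk still writes cfg_passwd into the log.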

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Martin, Jeremy
Sent: Monday, August 04, 2008 1:56 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] enable passwords
Importance: High

Hi,

 

We got logins working, authenticating against /etc/passwd with this line
in the config:

login = file /etc/passwd

 

However users could not enable once logged in. Tried this extra line:

enable = file /etc/passwd

 

but tac_plus fails to authenticate enabling against /etc/passwd ... Are
there any plans on letting enable passwords authenticate against
/etc/passwd too?

 

One of the examples on the website showed this:

enable = file /etc/tac_enable_pwd

However I can't find any documentation on the format of that file. Do
you have any details of what I need to put in that file, just
username:DES-password or what is the syntax exactly?

 

It's also a bit of a pain to have to run tac_pwd because it prompts for
user input, not terribly scriptable but I can get around that.

 

Thanks!

Jeremy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tac_enab_new.patch
Type: application/octet-stream
Size: 1523 bytes
Desc: tac_enab_new.patch
Url : http://www.shrubbery.net/pipermail/tac_plus/attachments/20080804/20b1f24b/attachment.obj 