From heas at shrubbery.net  Sun Nov  2 07:53:08 2008
From: heas at shrubbery.net (john heasley)
Date: Sun, 2 Nov 2008 07:53:08 +0000
Subject: [tac_plus] Re: after authorization
In-Reply-To: <490B5DA8.3030108@gmail.com>
References: <489d9f1e0810301855o538cdc4cod0504b61c28780b1@mail.gmail.com>
	<20081031064528.GA9209@shrubbery.net>
	<490AAA41.5030009@gmail.com>
	<8423e7bb0810310752o3b115a14ub53a3aaac23369f6@mail.gmail.com>
	<490B5DA8.3030108@gmail.com>
Message-ID: <20081102075308.GJ8509@shrubbery.net>

Sat, Nov 01, 2008 at 08:34:00AM +1300, Ian Batterbee:
> Sorry, I seem to have missed out a few words there - to clarify, the PIX
> is using tacacs to verify users who are terminating a VPN on it.. in
> other words, this is not for authorizing CLI commands, but rather to
> validate VPN user credentials. As a side issue, it also validates exec
> users trying to connect, but that's not what I'm trying to deal with at
> the moment.
>
> In addition to validating the user's name and password, I need tac_plus
> to pass back an AV pair that tells the PIX which group policy to apply
> to the connecting VPN user. I believe this can be done with radius or
> cisco ACS by returning a value for "IETF-Radius-Class" - and from what
> I can see of the tacacs+ protocol, it should be able to do the same
> thing. The issue is how do I tell tac_plus to return that AV pair.

you can ignore the suggestions or try them. try this or see/try svc_auth
and attr_value_pair in tac_plus.conf.

> Lance Vermilion wrote, On Sat 01/11/2008 03:52:
> > Ian,
> >
> > What do you have set for your AAA statements on your PIX? What
> > commands are you executing on your PIX that you think require
> > authorization?
> >
> > On Thu, Oct 30, 2008 at 11:48 PM, Ian Batterbee wrote:
> > > > the client has to use authorization. also see the -d/debug options.
> > >
> > > You mean as opposed to authentication ? The client in this case is a
> > > PIX that's using tacacs to verify the user's credentials.
From ibatterb at gmail.com  Mon Nov  3 01:42:45 2008
From: ibatterb at gmail.com (Ian Batterbee)
Date: Mon, 3 Nov 2008 14:42:45 +1300
Subject: [tac_plus] Re: after authorization
In-Reply-To: <20081102075308.GJ8509@shrubbery.net>
References: <489d9f1e0810301855o538cdc4cod0504b61c28780b1@mail.gmail.com>
	<20081031064528.GA9209@shrubbery.net>
	<490AAA41.5030009@gmail.com>
	<8423e7bb0810310752o3b115a14ub53a3aaac23369f6@mail.gmail.com>
	<490B5DA8.3030108@gmail.com>
	<20081102075308.GJ8509@shrubbery.net>
Message-ID: <489d9f1e0811021742w47c74399g3ac1ce3ef98d3ebb@mail.gmail.com>

> you can ignore the suggestions or try them. try this or see/try svc_auth
> and attr_value_pair in tac_plus.conf.

Yes, thanks for that helpful piece of advice. I have in fact tried the
suggestions, and they're ineffective.

After spending some time working backwards through the tac_plus source code,
I have now worked out that the problem is that the PIX is sending only an
authentication request when a VPN user connects - that is to say, it
doesn't send an *authorization* request.

As a result, the after authorization clause in tac_plus.conf has no effect,
because authorization is never performed.

I'm now going to try using a radius server, since others have had more
success with it.
-------------- next part --------------
An HTML attachment was scrubbed...
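Ian's finding turns on the packet type field in the TACACS+ header: authentication, authorization and accounting are distinct packet types (1, 2 and 3), and an `after authorization` clause can only fire on a type 2 packet. The decoder below is an added example written for this thread; it is not code from tac_plus or from any poster. It implements the RFC 8907 header and body obfuscation in general (not only the PIX case), so a capture taken between the device and the server can be grouped by session to show whether any AUTHOR packet is ever sent. The shared key `bar` and the three packets in `build_sample_exchange` are constructed here, not captured. One caveat worth knowing while you have such a capture: the body is only XORed with an MD5 keystream derived from the shared key, which RFC 8907 calls obfuscation rather than encryption, so anyone holding the key, or a known plaintext, reads every body on the wire.

```python
"""Decode TACACS+ packets to see which packet types a device sends.

Added example for this thread; it is not code from tac_plus or from any
poster.  Framing and body obfuscation follow RFC 8907; the shared key and
the packets below are constructed here, not captured from a PIX."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
PACKET_TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}
FLAG_UNENCRYPTED = 0x01            # body sent in clear (TAC_PLUS_UNENCRYPTED_FLAG)
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(key, version, seq_no, session_id, length):
    """RFC 8907 pseudo-pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); digests are
    concatenated and truncated to the body length.  The body is XORed with
    it, so anyone holding the key (or a known plaintext) strips it off."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def _xor(body, pad):
    return bytes(a ^ b for a, b in zip(body, pad))


def encode_packet(key, ptype, seq_no, session_id, body, flags=0):
    """Build one TACACS+ packet: 12-byte header plus (obfuscated) body."""
    if not flags & FLAG_UNENCRYPTED:
        body = _xor(body, pseudo_pad(key, TAC_PLUS_VERSION, seq_no, session_id, len(body)))
    return HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body)) + body


def decode_packet(key, packet):
    """Parse the header and recover the plaintext body."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated packet: header says %d, got %d" % (length, len(body)))
    if not flags & FLAG_UNENCRYPTED:
        body = _xor(body, pseudo_pad(key, version, seq_no, session_id, length))
    return {"type": PACKET_TYPES.get(ptype, "UNKNOWN(%d)" % ptype),
            "seq_no": seq_no, "session_id": session_id, "body": body}


def authen_start_body(user, data=b"", port="tty0", rem_addr="", action=1, priv_lvl=1,
                      authen_type=1, service=1):
    """Authentication START body (RFC 8907 5.1): four one-byte fields, four
    length bytes, then user, port, rem_addr and data."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    head = bytes([action, priv_lvl, authen_type, service, len(u), len(p), len(r), len(data)])
    return head + u + p + r + data


def author_request_body(user, args, port="tty0", rem_addr="", authen_method=6, priv_lvl=1,
                        authen_type=1, service=1):
    """Authorization REQUEST body (RFC 8907 6.1); args are 'attr=value' strings."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    enc = [a.encode() for a in args]
    head = bytes([authen_method, priv_lvl, authen_type, service, len(u), len(p), len(r), len(enc)])
    return head + bytes(len(a) for a in enc) + u + p + r + b"".join(enc)


def parse_author_request(body):
    """Return (user, args) from a decoded AUTHOR REQUEST body."""
    ulen, plen, rlen, argc = body[4:8]
    arg_lens = body[8:8 + argc]
    pos = 8 + argc
    user = body[pos:pos + ulen].decode()
    pos += ulen + plen + rlen
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    return user, args


def packet_types_by_session(key, packets):
    """session_id -> ordered packet types.  A session that shows only AUTHEN
    is exactly the case in which 'after authorization' can never run."""
    seen = {}
    for pkt in packets:
        d = decode_packet(key, pkt)
        seen.setdefault(d["session_id"], []).append(d["type"])
    return seen


SAMPLE_KEY = b"bar"   # constructed shared secret for the demo


def build_sample_exchange():
    """Two constructed sessions: a VPN login that only authenticates, and an
    exec login that authenticates and then requests shell authorization."""
    return [
        encode_packet(SAMPLE_KEY, 1, 1, 0x1111, authen_start_body("vpnuser", data=b"s3cret")),
        encode_packet(SAMPLE_KEY, 1, 1, 0x2222, authen_start_body("admin", data=b"pw")),
        encode_packet(SAMPLE_KEY, 2, 1, 0x2222, author_request_body("admin", ["service=shell", "cmd="])),
    ]


if __name__ == "__main__":
    for sid, types in packet_types_by_session(SAMPLE_KEY, build_sample_exchange()).items():
        print("session %08x: %s" % (sid, " -> ".join(types)))
```

To use it on a real capture, feed `decode_packet` the TCP payloads of port 49 in order with the server's shared key; if a device's sessions never show an AUTHOR type, no server-side `after authorization` configuration will help, which is the same conclusion the `-d` debug output should give.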
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20081103/653c7769/attachment.html

From heas at shrubbery.net  Mon Nov  3 06:37:03 2008
From: heas at shrubbery.net (john heasley)
Date: Mon, 3 Nov 2008 06:37:03 +0000
Subject: [tac_plus] Re: after authorization
In-Reply-To: <489d9f1e0811021742w47c74399g3ac1ce3ef98d3ebb@mail.gmail.com>
References: <489d9f1e0810301855o538cdc4cod0504b61c28780b1@mail.gmail.com>
	<20081031064528.GA9209@shrubbery.net>
	<490AAA41.5030009@gmail.com>
	<8423e7bb0810310752o3b115a14ub53a3aaac23369f6@mail.gmail.com>
	<490B5DA8.3030108@gmail.com>
	<20081102075308.GJ8509@shrubbery.net>
	<489d9f1e0811021742w47c74399g3ac1ce3ef98d3ebb@mail.gmail.com>
Message-ID: <20081103063703.GA24668@shrubbery.net>

Mon, Nov 03, 2008 at 02:42:45PM +1300, Ian Batterbee:
> > you can ignore the suggestions or try them. try this or see/try svc_auth
> > and attr_value_pair in tac_plus.conf.
>
> Yes, thanks for that helpful piece of advice. I have in fact tried the
> suggestions, and they're ineffective.
>
> After spending some time working backwards through the tac_plus source code,
> I have now worked out that the problem is that the PIX is sending only an
> authentication request when a VPN user connects - that is to say, it
> doesn't send an *authorization* request.
>
> As a result, the after authorization clause in tac_plus.conf has no effect,
> because authorization is never performed.

is your pix configured as in the pix configuration reference section
titled "Configuring Authorization for Network Access"?  have you tried
enabling the debugging output to verify that the AV pair is NOT sent?

From guy.morrell at oucs.ox.ac.uk  Mon Nov  3 17:01:14 2008
From: guy.morrell at oucs.ox.ac.uk (Guy Morrell)
Date: Mon, 3 Nov 2008 17:01:14 +0000
Subject: [tac_plus] Re: Tac+ and Cisco WCS
Message-ID:

> > Dear all,
> >
> > we are using your Tacacs+ server for AAA on our Cisco equipment which has
> > always worked fine.
> > Now we spent some money on Cisco's new "Wireless Lan Controller" and also a
> > "Wireless Control System" Server.
> >
> > These kits support AAA and Tacacs in their most recent version but I
> > haven't really got a clue how to pair them off (neither WLC nor WCS +
> > tacacs).
> >
> > I found some good manuals on the Cisco web
> > (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml ),
> > but they just state how to use their ACS and that's a bit pricey if
> > you don't already have that server.
> >
> > Mainly I failed in finding out how to use these role-based auth methods in
> > your tac Server.
>
> There should not be anything fancy about this. The device probably expects an
> AV-pair, such as something = role:ALL. You just have to find out what the
> something is and I don't see it in that document.
>
> However, this may require service = ciscowlc, under which this av pair would
> be. such as:
>
> user = foo {
>     service = ciscowlc {
>         something = role:ALL
>     }
> }

Hello there,

Apologies for any formatting issues - I wasn't on the list at the time so
I've fudged a reply to this.

I had the same problem and got it working the other day. You want something
like this:

user = foo {
    service = ciscowlc {
        role1 = ALL
    }
}

Hope this helps.

Guy

From guy.morrell at oucs.ox.ac.uk  Mon Nov  3 17:11:35 2008
From: guy.morrell at oucs.ox.ac.uk (Guy Morrell)
Date: Mon, 3 Nov 2008 17:11:35 +0000
Subject: [tac_plus] ASA tac_plus
In-Reply-To:
References:
Message-ID:

Hi everyone,

I'm trying to get our 5540 to work with tac_plus, which I have partially
succeeded in doing. My config so far is:

aaa-server tac_plus protocol tacacs+
aaa-server tac_plus () host foo key bar
aaa authentication match LOGIN tac_plus
aaa authentication ssh console data-tacacs LOCAL
aaa authorization exec authentication-server

The issue is, that with our IOS kit, we go directly to enable privilege.
I'd like to have the same setup on the ASA.
Server side config is like this:

user = auser {
    default service = permit
    login = des
    service = exec {
        priv-lvl = 15
    }
}

If anyone knows how to get this working I'd be much obliged if they'd share
the knowledge!

Many thanks,

Guy

From pritam at subisu.net.np  Fri Nov 21 08:00:30 2008
From: pritam at subisu.net.np (pritam)
Date: Fri, 21 Nov 2008 13:45:30 +0545
Subject: [tac_plus] rpm spec for your version of tacacs
Message-ID: <49266A9E.9000704@subisu.net.np>

Hi,

I am a newbie in making rpm spec files.

How can I get the spec file to make the rpm of your version of tacacs?

Regards,

Pritam

From michael.reynolds at gmail.com  Sat Nov 22 09:45:21 2008
From: michael.reynolds at gmail.com (Michael Reynolds)
Date: Sat, 22 Nov 2008 04:45:21 -0500
Subject: [tac_plus] Suggestion/feature-idea/whatever
Message-ID:

How about the ability to store passwords in a more secure format, such as
SHA1/2 or salted MD5? You can theoretically bastardize crypt() for BF and
SHA assuming your system supports it, but you're SOL otherwise. That is,
unless you toss in some strncmp's and custom crypt functions before crypt().
I ask for this because cracking DES isn't a matter of years or months. It's
a matter of hours.

Another idea I had is context based command control. For example, what if
an admin wants a user to be able to modify 'ip access-list extended bob'
only to block based on source IP, but not modify any other access list, nor
add/remove other filters in bob? It would require authorization and
accounting to keep track of sessions and context, but not impossible.
An example:

context = "configuration terminal" {
    default = deny
    context = "ip access-list-extended 4" {
        default = deny
        cmd = deny {
            permit "^ip host [0-9.]+ any$"
            deny .*
        }
        end ^exit$   # makes the exit command permitted, and causes it to end the context
    }
    end ^exit$   # makes the exit command permitted, and causes it to end the context
}

The only problem I can see, however, is when they issue a ctrl-z to exit the
context instead of the exit command. Without rewriting the entire config
system in a lex format (ie: bison), it'd be a PITA for someone like myself
to add this in.

From kissg at ssg.ki.iif.hu  Sat Nov 22 18:09:49 2008
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Sat, 22 Nov 2008 19:09:49 +0100 (CET)
Subject: [tac_plus] Re: Suggestion/feature-idea/whatever
In-Reply-To:
References:
Message-ID:

> How about the ability to store passwords in a more secure format, such
> as SHA1/2 or salted MD5? You can theoretically bastardize crypt() for

Under Linux MD5 is supported.
Actually it depends on libcrypt that handles MD5 passwords
in a transparent way.

Gabor

From kissg at ssg.ki.iif.hu  Sat Nov 22 18:17:44 2008
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Sat, 22 Nov 2008 19:17:44 +0100 (CET)
Subject: [tac_plus] Re: Suggestion/feature-idea/whatever
In-Reply-To:
References:
Message-ID:

> if an admin wants a user to be able to modify 'ip access-list extended
> bob' only to block based on source IP, but not modify any other access
> list, nor add/remove other filters in bob? It would require
> authorization and accounting to keep track of sessions and context,
> but not impossible.

This would not be practical.
Cisco routers can connect to more than one TACACS+ server. So if one of
them is unreachable or busy another server can authorize/authenticate well.

Actually we use two AAA servers. According to its logs the second
one is not idle. It also has jobs even if the first server is always
reachable.
So it can easily occur that two consecutive authorization requests are
served by different TACACS+ servers.

Gabor

From michael.reynolds at gmail.com  Sat Nov 22 20:44:07 2008
From: michael.reynolds at gmail.com (Michael Reynolds)
Date: Sat, 22 Nov 2008 15:44:07 -0500
Subject: [tac_plus] Re: Suggestion/feature-idea/whatever
In-Reply-To:
References:
Message-ID:

On Sat, Nov 22, 2008 at 1:09 PM, Kiss Gabor (Bitman) wrote:
> Under Linux MD5 is supported.
> Actually it depends on libcrypt that handles MD5 passwords
> in a transparent way.

However, it's not guaranteed that one system has X and another has Y.
I am currently working on bastardizing the sha256_crypt function by
drepper at redhat.com, and can submit a diff, but there might be a
licensing conflict (absorbing GPL into BSD vs BSD into GPL). It would
probably be trivial to add in guaranteed support for MD5 ($1$), so
I'll work on that after I've finished with or given up on sha256.

On Sat, Nov 22, 2008 at 1:17 PM, Kiss Gabor (Bitman) wrote:
> Cisco routers can connect to more than one TACACS+ server. So if one of
> them is unreachable or busy another server can authorize/authenticate well.
>
> Actually we use two AAA servers. According to its logs the second
> one is not idle. It also has jobs even if the first server is always
> reachable. So it can easily occur that two consecutive authorization
> requests are served by different TACACS+ servers.

Completely forgot about that. Shame Cisco never considered hosting
companies with clients having router access, nor large companies where
the IT guy in LA can only mess with LA's settings. Seems like the only
way this could work is if a new tacacs protocol is rolled out to
support contexts, the operator uses only one tacacs server, or if
tacacs servers could somehow sync. Bah, looks like I'm stuck using
TCL.
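Michael's context proposal and Gabor's objection are both easier to judge with the state machine actually written down. The authorizer below is an added example for this thread; it is not tac_plus code and tac_plus has no such feature. It keeps a per-session stack of CLI contexts, each with its own regex rules and default, enters a child context on its entry command, pops on `exit` and unwinds to exec on `end`, and reassembles the command line from the `cmd=` / `cmd-arg=` attributes that IOS puts in a command authorization request. The policy, the session key tuple and the commands are constructed for the demo. Two failure modes from the thread are shown deliberately: a ctrl-z never reaches the server, so the stack goes stale until the session's accounting STOP clears it, and a second `Authorizer` (standing in for Gabor's second server) holds none of the first one's state and denies the same command.

```python
"""Stateful, context-aware command authorization as sketched in this thread.

Added example; it is not tac_plus code and tac_plus has no such feature.
The policy, session keys and commands below are constructed for the demo."""
import re
from dataclasses import dataclass, field


@dataclass
class Context:
    """One CLI mode.  'enter' is a regex for the command that moves into it
    from the parent; 'rules' are (verdict, regex) pairs tried in order;
    'default' applies when nothing matches; 'exits' are the commands that
    leave it."""
    name: str
    enter: str = ""
    default: str = "deny"
    rules: list = field(default_factory=list)
    children: list = field(default_factory=list)
    exits: tuple = ("exit",)

    def verdict(self, cmd):
        for v, rx in self.rules:
            if re.search(rx, cmd):
                return v
        return self.default


def cmd_from_args(args):
    """Reassemble the command line from the cmd= / cmd-arg= attributes of an
    IOS command authorization request (the trailing <cr> argument is dropped)."""
    parts = [a.split("=", 1)[1] for a in args if a.startswith(("cmd=", "cmd-arg="))]
    return " ".join(p for p in parts if p and p != "<cr>")


class Authorizer:
    """Keeps a context stack per session.  State lives in this process only,
    which is the limitation raised in the thread: a second server with its own
    Authorizer sees the same session as still sitting in exec mode."""

    def __init__(self, root):
        self.root = root
        self.sessions = {}

    def authorize(self, session_key, cmd):
        stack = self.sessions.setdefault(session_key, [self.root])
        current = stack[-1]
        cmd = cmd.strip()
        if cmd == "end" and len(stack) > 1:      # 'end' drops straight back to exec
            del stack[1:]
            return "permit"
        if cmd in current.exits and len(stack) > 1:
            stack.pop()
            return "permit"
        for child in current.children:           # entry commands are always allowed
            if re.fullmatch(child.enter, cmd):
                stack.append(child)
                return "permit"
        return current.verdict(cmd)

    def end_session(self, session_key):
        """Call on the session's accounting STOP.  It is also the only way the
        server recovers from a ctrl-z, which never arrives as a command."""
        self.sessions.pop(session_key, None)


# Constructed policy: the user may only add or remove source-host deny entries
# in ACL 'bob', may not touch any other ACL, and may run show commands.
POLICY = Context("exec", rules=[("permit", r"^show ")], children=[
    Context("config", enter=r"configure terminal|conf t", children=[
        Context("acl-bob", enter=r"ip access-list extended bob", rules=[
            ("permit", r"^(?:no )?(?:\d+ )?deny ip host [0-9.]+ any$"),
        ]),
    ]),
])

if __name__ == "__main__":
    auth = Authorizer(POLICY)
    key = ("192.0.2.10", "tty1", "bob")          # (NAS address, port, user)
    for cmd in ["configure terminal", "ip access-list extended bob",
                "deny ip host 198.51.100.7 any", "permit ip any any", "exit",
                "ip access-list extended other", "end"]:
        print("%-32s %s" % (cmd, auth.authorize(key, cmd)))
```

The session key is whatever uniquely identifies a login on the device side (here NAS address, port and user, an assumption); sharing the `sessions` map between servers, through a replicated store keyed the same way, is the missing piece Gabor describes, and without it the policy is only safe because its defaults deny.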
From nathan at schrenk.org  Sun Nov 23 23:06:21 2008
From: nathan at schrenk.org (Nathan Schrenk)
Date: Sun, 23 Nov 2008 15:06:21 -0800
Subject: [tac_plus] Re: rpm spec for your version of tacacs
In-Reply-To: <49266A9E.9000704@subisu.net.np>
References: <49266A9E.9000704@subisu.net.np>
Message-ID: <6121a88b0811231506r4d115fdeycc50307fc04fd6fc@mail.gmail.com>

On 11/21/08, pritam wrote:
> Hi,
>
> I am newbie in making rpm spec file.
>
> How can I get the spec file to make the rpm of yours version of tacacs.
>
> Regards,
>
>
> Pritam

Below is the spec file I use. Hope this helps,

Nathan

--- begin tacacs+.spec ---
%define major_ver 4.0.4.15

Summary: A TACACS+ server from http://www.shrubbery.net/tac_plus/
Name: tacacs+
Version: %{major_ver}
Release: %{?release:%{release}}%{!?release:eng}
BuildRoot: %{_tmppath}/%{name}-root
Prefix: %{_prefix}
Epoch: 1
License: BSD
Group: System Environment/Daemons
URL: http://www.shrubbery.net/tac_plus/
Source0: ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F%{major_ver}.tar.gz
Patch1: tacacs+-F4.0.4.15-foreground.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: /usr/include/tcpd.h
BuildRequires: perl
BuildRequires: pam-devel
Requires: pam

%description
A TACACS+ daemon based on Cisco's publicly available TACACS+ "developer's kit".
%prep
%setup -q -n %{name}-F%{major_ver}
%patch1 -p0 -b .foreground

%build
%configure --enable-uenable --enable-maxsess
%{?a4_configure:exit 0}
make

%install
rm -rf ${RPM_BUILD_ROOT}
%makeinstall
rm ${RPM_BUILD_ROOT}/usr/share/man/man3/regexp.3

%clean
rm -rf ${RPM_BUILD_ROOT}

%files
%defattr(-,root,root,-)
%{_prefix}/bin/tac_pwd
%{_prefix}/bin/tac_plus
%{_mandir}/man5/tac_plus.conf.5.gz
%{_mandir}/man8/tac_pwd.8.gz
%{_mandir}/man8/tac_plus.8.gz
%{_prefix}/share/tacacs+/users_guide
%{_prefix}/share/tacacs+/tac_convert
--- end tacacs+.spec ---

From pritam at subisu.net.np  Mon Nov 24 07:26:39 2008
From: pritam at subisu.net.np (pritam)
Date: Mon, 24 Nov 2008 13:11:39 +0545
Subject: [tac_plus] pam and tacacs
In-Reply-To: <49266A9E.9000704@subisu.net.np>
References: <49266A9E.9000704@subisu.net.np>
Message-ID: <492A572F.5080105@subisu.net.np>

Hi All,

I have tried many options to use PAM with tacacs+. But I couldn't.

I couldn't actually figure out whether the tacacs+ (from shrubbery) has a
PAM plugin built in or whether we need to have a third party module plugged
in?

I would be glad to get help from you all.

Cheers,
Pritam
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Attached Message Part
Url: http://www.shrubbery.net/pipermail/tac_plus/attachments/20081124/5c7418aa/attachment.ksh

From guy.morrell at oucs.ox.ac.uk  Mon Nov 24 10:46:43 2008
From: guy.morrell at oucs.ox.ac.uk (Guy Morrell)
Date: Mon, 24 Nov 2008 10:46:43 +0000
Subject: [tac_plus] Re: rpm spec for your version of tacacs
In-Reply-To:
References:
Message-ID: <4AB7D0DF-6C52-4995-A408-777DD7831452@oucs.ox.ac.uk>

On 21 Nov 2008, at 20:00, tac_plus-request at shrubbery.net wrote:
>
> Today's Topics:
>
>    1.
> rpm spec for your version of tacacs (pritam)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 21 Nov 2008 13:45:30 +0545
> From: pritam
> Subject: [tac_plus] rpm spec for your version of tacacs
> To: tac_plus at shrubbery.net
> Message-ID: <49266A9E.9000704 at subisu.net.np>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi,
>
> I am newbie in making rpm spec file.
>
> How can I get the spec file to make the rpm of yours version of
> tacacs.
>
> Regards,
>
> Pritam
>

Hi Pritam,

Here is the one I used; it's based on another build by Devrim SERAL. I've
included the config files below. As I mention in the changelog, I'm no
packaging expert. This build suits our purposes, I hope it helps. If anyone
on the list has any improvements to offer I'd welcome them.

#This is tac_plus rpm spec file
%define name tac_plus
%define ver F4.0.4
%define rel 15
%define prefix /usr

Summary: Cisco Tacacs+ Daemon (Shrubbery version)
Name: %name
Version: %ver
Release: %rel
License: Free Software
Group: Networking/Daemons
Source0: ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.15.tar.gz
Source1: tac_plus.cfg
Source2: tac_plus.init
Source3: tac_plus.rotate
Url: http://www.shrubbery.net/tac_plus/
Packager: Guy Morrell
BuildRoot: /tmp/%{name}-%{ver}-%{rel}

%description
TACACS+ daemon for use with Cisco NASs (or other vendors) for AAA
(Authentication, Authorization and Accounting) purposes.
%prep
%setup -n tacacs+-%{ver}.%{rel}

%build
# --prefix is the standard autoconf option; %makeinstall below passes the
# same prefix to 'make install'
./configure --prefix=%{prefix} --without-libwrap

%install
rm -rf $RPM_BUILD_ROOT
%makeinstall
# these aren't created by default
mkdir -p $RPM_BUILD_ROOT/etc/tacacs
mkdir -p $RPM_BUILD_ROOT/etc/logrotate.d
mkdir -p $RPM_BUILD_ROOT/etc/init.d
mkdir -p $RPM_BUILD_ROOT/etc/rc.d
mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
mkdir -p $RPM_BUILD_ROOT/etc/rc.d/rc0.d
mkdir -p $RPM_BUILD_ROOT/etc/rc.d/rc1.d
mkdir -p $RPM_BUILD_ROOT/etc/rc.d/rc2.d
mkdir -p $RPM_BUILD_ROOT/etc/rc.d/rc3.d
mkdir -p $RPM_BUILD_ROOT/etc/rc.d/rc4.d
mkdir -p $RPM_BUILD_ROOT/etc/rc.d/rc5.d
mkdir -p $RPM_BUILD_ROOT/etc/rc.d/rc6.d
# by default, tac_plus doesn't do any of this so let's make life easy for ourselves
# config (holds the shared key, so not world-readable)
install -c -m 0600 %SOURCE1 ${RPM_BUILD_ROOT}/etc/tacacs/
# start / stop
install -c -m 0755 %SOURCE2 ${RPM_BUILD_ROOT}/etc/rc.d/init.d/tac_plus
# log rotation
install -b -c -m 0644 %SOURCE3 ${RPM_BUILD_ROOT}/etc/logrotate.d/tac_plus
# set up the symlinks
ln -s /etc/rc.d/init.d/tac_plus $RPM_BUILD_ROOT/etc/rc.d/rc0.d/K20tac_plus
ln -s /etc/rc.d/init.d/tac_plus $RPM_BUILD_ROOT/etc/rc.d/rc1.d/K20tac_plus
ln -s /etc/rc.d/init.d/tac_plus $RPM_BUILD_ROOT/etc/rc.d/rc2.d/S80tac_plus
ln -s /etc/rc.d/init.d/tac_plus $RPM_BUILD_ROOT/etc/rc.d/rc3.d/S80tac_plus
ln -s /etc/rc.d/init.d/tac_plus $RPM_BUILD_ROOT/etc/rc.d/rc4.d/K20tac_plus
ln -s /etc/rc.d/init.d/tac_plus $RPM_BUILD_ROOT/etc/rc.d/rc5.d/S80tac_plus
ln -s /etc/rc.d/init.d/tac_plus $RPM_BUILD_ROOT/etc/rc.d/rc6.d/K20tac_plus

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-, root, root)
%dir /etc/tacacs
%attr(750,root,root) %{prefix}/bin/tac_pwd
%attr(750,root,root) %{prefix}/bin/tac_plus
%doc %{prefix}/share/man/man3/regexp.3.gz
%doc %{prefix}/share/man/man5/tac_plus.conf.5.gz
%doc %{prefix}/share/man/man8/tac_plus.8.gz
%doc %{prefix}/share/man/man8/tac_pwd.8.gz
%doc %{prefix}/share/tacacs+/users_guide
%dir %{prefix}/share/tacacs+
%{prefix}/share/tacacs+/tac_convert
%config(noreplace) /etc/logrotate.d/tac_plus
%config(noreplace) %attr(0600,root,root) /etc/tacacs/tac_plus.cfg
/etc/rc.d/init.d/tac_plus
/etc/rc.d/rc0.d/K20tac_plus
/etc/rc.d/rc1.d/K20tac_plus
/etc/rc.d/rc2.d/S80tac_plus
/etc/rc.d/rc3.d/S80tac_plus
/etc/rc.d/rc4.d/K20tac_plus
/etc/rc.d/rc5.d/S80tac_plus
/etc/rc.d/rc6.d/K20tac_plus

%changelog
* Wed Nov 12 2008 Guy Morrell
- Basic package.
- This is my first attempt at packaging an rpm, there may well be a better
  way to do this but the above works.

###################
# tac_plus.init
###################
#!/bin/sh
#
# tac_plus      This shell script takes care of starting and stopping
#               the Shrubbery tac_plus (TACACS+ daemon).
#
# chkconfig: 235 80 20
# description: tac_plus is TACACS+ daemon.
# processname: tac_plus
# config: /etc/tacacs/tac_plus.cfg
# pidfile: /var/run/tac_plus.pid
# debug : 0

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# Some config parameters
# For config file
tacacs_config="/etc/tacacs/tac_plus.cfg"
# For debug option
debug=0

[ -f /usr/bin/tac_plus ] || exit 0
[ -f $tacacs_config ] || exit 0

# See how we were called.
case "$1" in
  start)
        # Start daemon.
        if [ $debug -gt 0 ]
        then
            echo -n "Starting TACACS+ with debug level $debug : "
            daemon tac_plus -C $tacacs_config -d $debug
        else
            echo -n "Starting TACACS+ :"
            daemon tac_plus -C $tacacs_config
        fi
        echo
        touch /var/lock/subsys/tac_plus
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down TACACS+: "
        killproc tac_plus
        rm -f /var/lock/subsys/tac_plus
        echo
        ;;
  status)
        status tac_plus
        exit $?
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  reload)
        echo "TACACS+ now reloading......"
        kill -SIGUSR1 `cat /var/run/tac_plus.pid`
        exit $?
        ;;
  test)
        echo "TACACS+ config being tested..."
        # same binary the start target uses (the rpm installs to /usr/bin)
        /usr/bin/tac_plus -P -C $tacacs_config
        ;;
  *)
        echo "Usage: tac_plus {start|stop|status|restart|reload|test}"
        exit 1
esac

exit 0

###################
# tac_plus.rotate
###################
# This is tac_plus logrotate config file
# For more info please refer logrotate man page
/var/log/tac_plus.log {
    size 3M
    missingok
    errors root at localhost
    compress
    postrotate
        /usr/bin/killall -HUP tac_plus 2> /dev/null || true
    endscript
}

/var/log/tac_acc.log {
    size 5M
    missingok
    errors root at localhost
    nocompress
    postrotate
        /usr/bin/killall -HUP tac_plus 2> /dev/null || true
    endscript
}

Cheers,

Guy

--
Guy Morrell
Network and Telecommunications Group
Oxford University Computing Services

From heas at shrubbery.net  Mon Nov 24 18:09:18 2008
From: heas at shrubbery.net (john heasley)
Date: Mon, 24 Nov 2008 18:09:18 +0000
Subject: [tac_plus] Re: pam and tacacs
In-Reply-To: <492A572F.5080105@subisu.net.np>
References: <49266A9E.9000704@subisu.net.np> <492A572F.5080105@subisu.net.np>
Message-ID: <20081124180918.GC11198@shrubbery.net>

Mon, Nov 24, 2008 at 01:11:39PM +0545, pritam:
> Hi All,
>
> I have tried around many option to use PAM with tacac+. But I couldn't.
>
> I couldn't figure out actually does the tacacs+ ( from shrubbery ) has a
> pam plugin inbuilt or we need to have third party module plugged ?
>
> It would be glad to get help from you all.

it can USE pam, it does not offer a TACACS pam module.

From pritam at subisu.net.np  Mon Nov 24 20:07:23 2008
From: pritam at subisu.net.np (pritam)
Date: Tue, 25 Nov 2008 01:52:23 +0545
Subject: [tac_plus] Re: FW: Re: pam and tacacs
In-Reply-To: <21AF5C86B8DBA2489D136BD3AF5801901EE05F@lhmail03.xDerwentSharedServices.nhs.uk>
References: <21AF5C86B8DBA2489D136BD3AF5801901EE05F@lhmail03.xDerwentSharedServices.nhs.uk>
Message-ID: <492B097B.9090202@subisu.net.np>

The platform is Linux (CentOS 5).

Actually my requirement is to authenticate users from LDAP.
In my system I call LDAP through PAM and if I can configure tacacs to use
PAM rather than /etc/password my requirement will be done.

Sorry..! I have another question too. Is there any option that I could
map the tacacs-groups to groups in /etc/groups or to LDAP-Groups?

Regards,
Pritam

Barry Stephen (YDD08) Derwent Shared Services wrote:
> what platform are you using?
>
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of john heasley
> Sent: 24 November 2008 18:09
> To: pritam
> Cc: tac_plus at shrubbery.net
> Subject: [tac_plus] Re: pam and tacacs
>
> Mon, Nov 24, 2008 at 01:11:39PM +0545, pritam:
>
>> Hi All,
>>
>> I have tried around many option to use PAM with tacac+. But I
>> couldn't.
>>
>> I couldn't figure out actually does the tacacs+ ( from shrubbery ) has
>> a pam plugin inbuilt or we need to have third party module plugged ?
>>
>> It would be glad to get help from you all.
>
> it can USE pam, it does not offer a TACACS pam module.
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
From heas at shrubbery.net  Mon Nov 24 22:04:15 2008
From: heas at shrubbery.net (john heasley)
Date: Mon, 24 Nov 2008 22:04:15 +0000
Subject: [tac_plus] Re: FW: Re: pam and tacacs
In-Reply-To: <492B097B.9090202@subisu.net.np>
References: <21AF5C86B8DBA2489D136BD3AF5801901EE05F@lhmail03.xDerwentSharedServices.nhs.uk>
	<492B097B.9090202@subisu.net.np>
Message-ID: <20081124220415.GD9096@shrubbery.net>

Tue, Nov 25, 2008 at 01:52:23AM +0545, pritam:
>
> The platform is Linux ( CentOS 5).
>
> Actually my requirement is to authenticate users from LDAP. In my system
> I call LDAP through PAM and if I can configure tacacs to use PAM rather
> than /etc/password my requirement will be done.

you configure tacacs to use pam and pam to use ldap for tacacs.

> Sorry..! I have another question too. Is there any option that I could
> map the tacacs-groups to groups in /etc/groups or to LDAP-Groups.

no.

From heas at shrubbery.net  Tue Nov 25 04:57:22 2008
From: heas at shrubbery.net (john heasley)
Date: Tue, 25 Nov 2008 04:57:22 +0000
Subject: [tac_plus] Re: Suggestion/feature-idea/whatever
In-Reply-To:
References:
Message-ID: <20081125045722.GB4396@shrubbery.net>

Sat, Nov 22, 2008 at 03:44:07PM -0500, Michael Reynolds:
> On Sat, Nov 22, 2008 at 1:09 PM, Kiss Gabor (Bitman)
> wrote:
> > Under Linux MD5 is supported.
> > Actually it depends on libcrypt that handles MD5 passwords
> > in a transparent way.
>
> However, it's not guaranteed that one system has X and another has Y.
> I am currently working on bastardizing the sha256_crypt function by
> drepper at redhat.com, and can submit a diff, but there might be a
> licensing conflict (absorbing GPL into BSD vs BSD into GPL). It would
> probably be trivial to add in guaranteed support for MD5 ($1$), so
> I'll work on that after I've finished with or given up on sha256.

Sorry, no GPL.
There are BSD implementations, such as openssl.

> On Sat, Nov 22, 2008 at 1:17 PM, Kiss Gabor (Bitman)
> wrote:
> > Cisco routers can connect to more than one TACACS+ server. So if one of
> > them is unreachable or busy another server can authorize/authenticate well.
> >
> > Actually we use two AAA servers. According to its logs the second
> > one is not idle. It also has jobs even if the first server is always
> > reachable. So it can easily occur that two consecutive authorization
> > requests are served by different TACACS+ servers.
>
> Completely forgot about that. Shame Cisco never considered hosting
> companies with clients having router access, nor large companies where
> the IT guy in LA can only mess with LA's settings. Seems like the only
> way this could work is if a new tacacs protocol is rolled out to
> support contexts, the operator uses only one tacacs server, or if
> tacacs servers could somehow sync. Bah, looks like I'm stuck using
> TCL.
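heasley's answer to the PAM/LDAP question ("configure tacacs to use pam and pam to use ldap for tacacs") is two small files. The fragment below is an added illustration, not configuration from any poster or from the tac_plus distribution. The PAM service name `tac_plus` is an assumption to confirm against the users_guide or pam_verify.c in your tarball; `pam_ldap.so` is the CentOS 5 module, and the LDAP server details live in its own configuration, not here. As heasley also says, nothing maps LDAP or /etc/group membership to tac_plus groups, so the authorization side still has to be written per user (or via `member =`) in tac_plus.cfg.

```text
# /etc/pam.d/tac_plus   (service name assumed; check pam_verify.c / users_guide)
auth     required   pam_ldap.so
account  required   pam_ldap.so

# /etc/tacacs/tac_plus.cfg
key = <shared secret>

# authorization still comes from this file; PAM only answers "is the password right"
group = netops {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

user = pritam {
    login = PAM
    member = netops
}
```

Because `login = PAM` delegates only the password check, a user with no `user =` block in tac_plus.cfg is still refused even if LDAP knows them, which is the safe default to keep: add users to the file deliberately rather than authorizing whoever LDAP accepts.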
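The password-format thread above ends without a way to see what a running configuration actually contains. The audit script below is an added example written for this thread, not tac_plus code. It walks the `user = ... { }` blocks of a tac_plus.conf and classifies each `login =` / `pap =` credential: traditional 13-character DES crypt (the format Michael says falls in hours), the modular `$1$`, `$5$`, `$6$` and bcrypt forms that a `login = des` entry inherits from the host's crypt(3) as Gabor describes, `cleartext`, `nopassword`, and the externally verified methods such as `PAM`. The configuration text, user names and hash strings are constructed for the demo (the hashes are format-correct placeholders, not real digests). The severity labels are the author's judgement, not anything tac_plus reports.

```python
"""Audit the password storage formats in a tac_plus.conf.

Added example for this thread, not part of tac_plus.  tac_plus hands a
'login = des' string to the host's crypt(3), so which modular formats verify
depends on libcrypt; this script only reports what is stored.  The
configuration below is constructed for the demo."""
import re

USER_RE = re.compile(r"^user\s*=\s*(\S+)\s*\{")
CRED_RE = re.compile(r"^(login|pap)\s*=\s*(\S+)(?:\s+(\S+))?")
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")   # 2-char salt + 11 chars, no '$'
MODULAR = {"$1$": ("md5-crypt", "legacy"), "$2a$": ("bcrypt", "ok"), "$2b$": ("bcrypt", "ok"),
           "$2y$": ("bcrypt", "ok"), "$5$": ("sha256-crypt", "ok"), "$6$": ("sha512-crypt", "ok")}


def classify_hash(h):
    """Identify a crypt(3) string by its prefix; plain 13-char DES is 'weak'."""
    for prefix, result in MODULAR.items():
        if h.startswith(prefix):
            return result
    if DES_CRYPT_RE.match(h):
        return ("des-crypt", "weak")
    return ("unknown", "review")


def classify_credential(method, arg):
    """Map a tac_plus login/pap method (and its argument) to (format, rating)."""
    if method == "des":
        return classify_hash(arg or "")
    if method == "cleartext":
        return ("cleartext", "weak")
    if method == "nopassword":
        return ("nopassword", "critical")
    return (method, "external")        # PAM, file, skey: verified outside the config


def audit(conf_text):
    """Return (user, keyword, format, rating) for every login=/pap= line,
    tracking brace depth so nested service = { } blocks stay inside the user."""
    findings, user, depth = [], None, 0
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' is not in the crypt alphabet
        if not line:
            continue
        m = USER_RE.match(line)
        if m and user is None:
            user, depth = m.group(1), 1
            continue
        if user is None:
            continue
        depth += line.count("{") - line.count("}")
        m = CRED_RE.match(line)
        if m:
            findings.append((user, m.group(1)) + classify_credential(m.group(2), m.group(3)))
        if depth <= 0:
            user = None
    return findings


# Constructed configuration; the hash strings are placeholders of the right
# shape, not real digests.
SAMPLE_CONF = """
key = testing123          # shared secret, ignored by the audit
user = alice {
    default service = permit
    login = des abJnggxhB/yWI
    service = exec {
        priv-lvl = 15
    }
}
user = bob {
    login = des $1$saltsalt$0123456789abcdefghijkl
}
user = carol {
    login = des $6$saltsalt$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    pap = cleartext hunter2
}
user = dave {
    login = PAM
}
user = erin {
    login = nopassword
}
"""

if __name__ == "__main__":
    for user, keyword, fmt, rating in audit(SAMPLE_CONF):
        print("%-8s %-5s %-13s %s" % (user, keyword, fmt, rating))
```

Run it against the real file with `audit(open("/etc/tacacs/tac_plus.cfg").read())`; every `des-crypt` or `cleartext` line is a credential to rehash with the host's `tac_pwd` (or `openssl passwd`) into a format the host's libcrypt verifies, which is the route heasley points at rather than importing a GPL hash implementation.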