[tac_plus] Re: Suggestion/feature-idea/whatever

Michael Reynolds michael.reynolds at gmail.com
Sat Nov 22 20:44:07 UTC 2008


On Sat, Nov 22, 2008 at 1:09 PM, Kiss Gabor (Bitman)
<kissg at ssg.ki.iif.hu> wrote:
> Under Linux MD5 is supported.
> Actually it depends on libcrypt that handles MD5 passwords
> in a transparent way.

However, it's not guaranteed that one system has X and another has Y.
I am currently working on bastardizing the sha256_crypt function by
drepper at redhat.com, and can submit a diff, but there might be a
licensing conflict (absorbing GPL into BSD vs BSD into GPL). It would
probably be trivial to add in guaranteed support for MD5 ($1$), so
I'll work on that after I've finished with or given up on sha256.

On Sat, Nov 22, 2008 at 1:17 PM, Kiss Gabor (Bitman)
<kissg at ssg.ki.iif.hu> wrote:
> Cisco routers can connect to more than one TACACS+ server. So if one of
> them is unreachable or busy another server can authorize/authenticate well.
>
> Actually we use two AAA servers. According to its logs the second
> one is not idle. It also has jobs even if the first server is always
> reachable. So it can occur easily that two consecutive authorization
> requests are served by different TACACS.

Completely forgot about that. Shame Cisco never considered hosting
companies with clients having router access, nor large companies where
the IT guy in LA can only mess with LA's settings. Seems like the only
way this could work is if a new tacacs protocol is rolled out to
support contexts, the operator uses only one tacacs server, or if
tacacs servers could somehow sync. Bah, looks like I'm stuck using
TCL.
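As an added illustration (not code from tac_plus or from anyone in this thread), the following is a self-contained Python implementation of the $1$ MD5-crypt scheme built only on hashlib, which is what "guaranteed support for MD5 ($1$)" amounts to: the same hash is produced and verified on every host, regardless of what the local libcrypt happens to support. The 8-character salt limit, the 1000 rounds and the byte interleaving follow the classic FreeBSD algorithm.

```python
# Portable MD5-crypt ($1$) using only hashlib, independent of the system libcrypt.
import hashlib
import hmac

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt-style base64: emit `count` chars, least significant 6 bits first."""
    out = ""
    for _ in range(count):
        out += chr(ITOA64[value & 0x3F])
        value >>= 6
    return out


def md5_crypt(password: str, salt: str) -> str:
    pw = password.encode()
    salt_b = salt[:8].encode()  # the scheme uses at most 8 salt characters
    ctx = hashlib.md5(pw + b"$1$" + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    for pl in range(len(pw), 0, -16):  # mix in alt, one chunk per 16 pw bytes
        ctx.update(alt[: min(16, pl)])
    i = len(pw)
    while i:  # for each bit of len(pw): a NUL byte if set, else pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""  # interleave digest bytes as in the reference implementation
    for a, b, c_ in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c_], 4)
    out += _to64(final[11], 2)
    return "$1$" + salt_b.decode() + "$" + out


def verify(password: str, stored: str) -> bool:
    """Check a password against a stored $1$salt$hash string (constant-time compare)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1" or not parts[2]:
        return False  # not an MD5-crypt string; other schemes are not handled here
    return hmac.compare_digest(md5_crypt(password, parts[2]), stored)
```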
