[tac_plus] Re: Suggestion/feature-idea/whatever

john heasley heas at shrubbery.net
Tue Nov 25 04:57:22 UTC 2008


Sat, Nov 22, 2008 at 03:44:07PM -0500, Michael Reynolds:
> On Sat, Nov 22, 2008 at 1:09 PM, Kiss Gabor (Bitman)
> <kissg at ssg.ki.iif.hu> wrote:
> > Under Linux MD5 is supported.
> > Actually it depends on libcrypt that handles MD5 passwords
> > in a transparent way.
> 
> However, it's not guaranteed that one system has X and another has Y.
> I am currently working on bastardizing the sha256_crypt function by
> drepper at redhat.com, and can submit a diff, but there might be a
> licensing conflict (absorbing GPL into BSD vs BSD into GPL). It would
> probably be trivial to add in guaranteed support for MD5 ($1$), so
> I'll work on that after I've finished with or given up on sha256.

Sorry, no GPL.  There are BSD implementations, such as openssl.

> On Sat, Nov 22, 2008 at 1:17 PM, Kiss Gabor (Bitman)
> <kissg at ssg.ki.iif.hu> wrote:
> > Cisco routers can connect to more than one TACACS+ server. So if one of
> > them is unreachable or busy another server can authorize/authenticate well.
> >
> > Actually we use two AAA servers. According to its logs the second
> > one is not idle. It also has jobs even if the first server is always
> > reachable. So it can occur easily that two consecutive authorization
> > requests are served by different TACACS.
> 
> Completely forgot about that. Shame Cisco never considered hosting
> companies with clients having router access, nor large companies where
> the IT guy in LA can only mess with LA's settings. Seems like the only
> way this could work is if a new tacacs protocol is rolled out to
> support contexts, the operator uses only one tacacs server, or if
> tacacs servers could somehow sync. Bah, looks like I'm stuck using
> TCL.