[tac_plus] Re: single connection

Schmidt, Daniel dan.schmidt at uplinkdata.com
Mon Apr 20 22:01:34 UTC 2009


This lousy bug triggered another ssh/tty lockup bug.... long
story.  

I have to wonder if it works right on ANY Tacacs server.  How could it,
if the flag isn't set and it has to be defined on the server? 

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net] 
Sent: Thursday, March 19, 2009 3:17 PM
To: Schmidt, Daniel
Cc: john heasley; tac_plus at shrubbery.net
Subject: Re: [tac_plus] single connection

Thu, Mar 19, 2009 at 09:03:21AM -0600, Schmidt, Daniel:
> Thank you kindly for your reply again. 
> 
> I have hundreds of devices that I put it on.  Are we to understand that
> Cisco recommends single-connection on one hand, and then on the other
> hand tells us that single-connection does not work and they won't fix
> it?  I suppose I had better start work on removing it.  
> 
> Rather than removing your debug code, perhaps a warning would be in
> order?  It would be a shame to have an upgrade break tacacs for those

i think it *appears* to work.  for starters, the client does not set the
single-connection flag in the header, so either the daemon would refuse
single-connection behavior or not be able to concurrently support both
clients that had the support and those that didn't.  secondly, afaict, it
always closes the connection, which may be why it appears to work.

the daemon does not support it, but I was going to add support.  The code
was simply to figure out how it worked.

> who have been following their lousy CCNP book.  As I mentioned,
> single-connection does work, just not well.  If you check tacacs, you
> will note aborts and errors.  
> 
> Funny that it seems to work right in IOS-XR yet they did such a terrible
> job of implementing SSH in IOS-XR.  
> 
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net] 
> Sent: Wednesday, March 18, 2009 5:34 PM
> To: Schmidt, Daniel
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] single connection
> 
> Thu, May 29, 2008 at 03:32:18PM -0600, Dan Schmidt:
> > Thanks kindly for your reply.
> > 
> > The symptoms are that, if multiple sessions are opened - one right after
> > the other, exactly every other session fails to contact the tacacs
> > server (defaults to local authentication) spitting out that debug
> > message.  Perhaps it is a bug on the 7600's, as the 6500's in that city
> > are completely fine.  (And 3750's, etc.)
> > 
> > Single-connection was implemented in CiscoSecure Release 1.0.1 - is it
> > fully supported in tac_plus?  
> > 
> > Obviously, the work around is to disable single connection, but that
> > creates more connections to the tacacs server. 
> 
> I FINALLY researched this extensively.  The problem is that, except for
> IOS-XR, single-connection does not work, period.  And, Cisco told me that
> they would not fix it.
> 
> Note that the tac_plus daemon does not support it anyway; I'd just jammed
> basic debugging code into it.  I don't know if I'll add it in the future.
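As an added illustration of the header flag John describes above (this is example code, not part of tac_plus and not from either poster): a daemon can only honour single-connection mode if the client actually sets the flag in its first packet, so a client that never sets it gets a connection closed after every session. Header layout and flag constants follow RFC 8907; the sample headers are constructed, not captured traffic.

```python
import struct
from dataclasses import dataclass

# Header constants from RFC 8907, section 4.1 (the flags byte John refers to).
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04
TAC_PLUS_AUTHEN = 0x01
HEADER_FMT = "!BBBBII"  # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes

@dataclass
class Header:
    major: int
    minor: int
    pkt_type: int
    seq_no: int
    flags: int
    session_id: int
    length: int

    @property
    def single_connect(self) -> bool:
        return bool(self.flags & TAC_PLUS_SINGLE_CONNECT_FLAG)

def parse_header(raw: bytes) -> Header:
    """Decode the fixed 12-byte header and reject an unknown major version."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short header")
    ver, typ, seq, flags, sid, length = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    if ver >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError(f"unsupported major version {ver >> 4:#x}")
    return Header(ver >> 4, ver & 0x0F, typ, seq, flags, sid, length)

def server_keeps_connection(first_hdr: Header, server_supports_single: bool) -> bool:
    """Daemon-side decision after the first packet of a session: single-connection
    mode is in effect only if the client set the flag AND the server is willing to
    echo it; otherwise the daemon closes the TCP connection when the session ends."""
    return server_supports_single and first_hdr.single_connect

def make_header(flags: int, session_id: int, body_len: int, seq_no: int = 1) -> bytes:
    """Build a header for a constructed authentication START packet (sample data)."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0  # minor version 0
    return struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, body_len)

# Constructed sample headers, not captured traffic.
HDR_WITH_FLAG = parse_header(make_header(TAC_PLUS_SINGLE_CONNECT_FLAG, 0x11223344, 40))
HDR_WITHOUT_FLAG = parse_header(make_header(0x00, 0x55667788, 40))
```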

