From aczutka at brocade.com Tue Feb 3 07:23:27 2009
From: aczutka at brocade.com (Alexander Czutka)
Date: Mon, 2 Feb 2009 23:23:27 -0800
Subject: [tac_plus] Re: How can I deny/permit ?
In-Reply-To: <6121a88b0901301356u9f9f612t6b92c99b45573f01@mail.gmail.com>
References: <6121a88b0901301213j3c39bdfeme7dd695c5be93965@mail.gmail.com> <6121a88b0901301356u9f9f612t6b92c99b45573f01@mail.gmail.com>
Message-ID:

Hello Nathan,

Sorry for the delay.

I have tried this:

# tacacs configuration file
# Pierre-Yves Maunier - 20060713
# /etc/tac_plus.conf

# set the key
key = foundry

accounting file = /var/log/tac_plus.acct

# Group definition

group = group2 {
    default service = deny

    cmd = show {
        permit "ip "
        deny .*
    }

# users accounts

user = test {
    default service = permit
    login = cleartext "test"
    enable = cleartext "test"
    name = "test"
}

user = user2 {
    member = group2
    login = cleartext "user2"
    enable = cleartext "user2"
}

# END

Now I'm not able to execute any command:

telnet at BigIron Router#
telnet at BigIron Router#show ip
Not authorized to execute this command.
telnet at BigIron Router#
telnet at BigIron Router#
telnet at BigIron Router#show ip route
Not authorized to execute this command.
telnet at BigIron Router#
telnet at BigIron Router#
telnet at BigIron Router#

Regards,

Alexander

________________________________
From: nschrenk at gmail.com [mailto:nschrenk at gmail.com] On Behalf Of Nathan Schrenk
Sent: Friday, January 30, 2009 22:57
To: Alexander Czutka
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] How can I deny/permit ?

On 1/30/09, Alexander Czutka wrote:

Hello Nathan,

it doesn't work.

What doesn't work? tac_plus doesn't print the same error message while parsing the config file as it does without the quotes, does it?

I normally use a group and deny everything that is not explicitly allowed (a command blacklist):

group = mygroup {
    default service = deny
    cmd = show {
        permit "ip "
        deny .*
    }
}
user = myuser {
    member = mygroup
    login = cleartext "mypassword"
}

Nathan

user = user2 {
    # member = group2
    # debug = REGEX
    login = cleartext "user2"
    enable = cleartext "user2"

    cmd = show {
        permit ip
        deny "ip ospf"
    }

# END

Regards,

Alexander

________________________________
From: nschrenk at gmail.com [mailto:nschrenk at gmail.com] On Behalf Of Nathan Schrenk
Sent: Friday, January 30, 2009 21:14
To: Alexander Czutka
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] How can I deny/permit ?

On 1/30/09, Alexander Czutka wrote:

Hello,

I'm trying to set up an authorization for a user.

The user should be allowed to do a:

- Show ip
- show ip route

But he shouldn't execute the commands, which start with:

- Show ip ospf
- Show ip pim

I tried this, but it didn't work:

cmd = show {
    permit ip
    deny ip ospf
}

root at ubuntu-fdry:/# tac_plus -C /etc/tac_plus.conf
Error: expecting '}' but found 'ospf' on line 40
root at ubuntu-fdry:/#

Is this possible ?

Try putting quotes around the tokens:

cmd = show {
    permit ip
    deny "ip ospf"
}

Nathan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20090202/d4f12ada/attachment.html

From aczutka at brocade.com Tue Feb 3 07:50:05 2009
From: aczutka at brocade.com (Alexander Czutka)
Date: Mon, 2 Feb 2009 23:50:05 -0800
Subject: [tac_plus] Using debug = REGEX
Message-ID:

Hello,

I want to debug authorization on my TACACS-Server.

When I enter "debug = REGEX", I've got the message back

root at ubuntu-fdry:/etc# tac_plus -C /etc/tac_plus.conf
Error: Unrecognised token debug on line 9

I've tried it under a user, too.

# tacacs configuration file
# Pierre-Yves Maunier - 20060713
# /etc/tac_plus.conf

# set the key
key = test
debug = REGEX

Regards,

Alexander
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20090202/6515619a/attachment.html

From chlastak at fialka.cz Tue Feb 3 10:48:40 2009
From: chlastak at fialka.cz (Miroslav Chlastak)
Date: Tue, 03 Feb 2009 11:48:40 +0100
Subject: [tac_plus] NAS host based authorization
Message-ID: <49882108.9070506@fialka.cz>

Hi,

It's possible "NAS host based authorization"?

I would like permit/deny command based on ip address of NAS.
I found this patch, but it's 7 year old :( :
http://www.jankratochvil.net/project/tac_plus/

Thanks,
Mira

From nathan at schrenk.org Tue Feb 3 16:20:21 2009
From: nathan at schrenk.org (Nathan Schrenk)
Date: Tue, 3 Feb 2009 08:20:21 -0800
Subject: [tac_plus] Re: How can I deny/permit ?
In-Reply-To:
References: <6121a88b0901301213j3c39bdfeme7dd695c5be93965@mail.gmail.com> <6121a88b0901301356u9f9f612t6b92c99b45573f01@mail.gmail.com>
Message-ID: <6121a88b0902030820n28edea0el9ac58e4ff89111e5@mail.gmail.com>

I don't know why that's not working. I would try to increase the debug logging and then try to authorize the commands again and see if there are any log messages that help explain why authorization is being denied. Passing the command-line argument "-d 4088" should enable lots of debugging log messages.

Nathan

On 2/2/09, Alexander Czutka wrote:
> > Hello Nathan,
> >
> > Sorry for the delay.
> >
> > I have tried this:
> >
> > # tacacs configuration file
> > # Pierre-Yves Maunier - 20060713
> > # /etc/tac_plus.conf
> >
> > # set the key
> > key = foundry
> >
> > accounting file = /var/log/tac_plus.acct
> >
> > # Group definition
> >
> > group = group2 {
> >     default service = deny
> >
> >     cmd = show {
> >         permit "ip "
> >         deny .*
> >     }
> >
> > # users accounts
> >
> > user = test {
> >     default service = permit
> >     login = cleartext "test"
> >     enable = cleartext "test"
> >     name = "test"
> > }
> >
> > user = user2 {
> >     member = group2
> >     login = cleartext "user2"
> >     enable = cleartext "user2"
> > }
> >
> > # END
> >
> > Now I'm not able to execute any command:
> >
> > telnet at BigIron Router#
> > telnet at BigIron Router#show ip
> > Not authorized to execute this command.
> > telnet at BigIron Router#
> > telnet at BigIron Router#
> > telnet at BigIron Router#show ip route
> > Not authorized to execute this command.
> > telnet at BigIron Router#
> > telnet at BigIron Router#
> > telnet at BigIron Router#
> >
> > Regards,
> >
> > Alexander
> ------------------------------
>
> *From:* nschrenk at gmail.com [mailto:nschrenk at gmail.com] *On Behalf Of *Nathan Schrenk
> *Sent:* Friday, January 30, 2009 22:57
> *To:* Alexander Czutka
> *Cc:* tac_plus at shrubbery.net
> *Subject:* Re: [tac_plus] How can I deny/permit ?
>
> On 1/30/09, *Alexander Czutka* wrote:
> > Hello Nathan,
> >
> > it doesn't work.
>
> What doesn't work? tac_plus doesn't print the same error message while
> parsing the config file as it does without the quotes, does it?
>
> I normally use a group and deny everything that is not explicitly allowed
> (a command blacklist):
>
> group = mygroup {
>     default service = deny
>     cmd = show {
>         permit "ip "
>         deny .*
>     }
> }
> user = myuser {
>     member = mygroup
>     login = cleartext "mypassword"
> }
>
> Nathan
>
> > user = user2 {
> >     # member = group2
> >     # debug = REGEX
> >     login = cleartext "user2"
> >     enable = cleartext "user2"
> >
> >     cmd = show {
> >         permit ip
> >         deny "ip ospf"
> >     }
> >
> > # END
> >
> > Regards,
> >
> > Alexander
>
> ------------------------------
>
> *From:* nschrenk at gmail.com [mailto:nschrenk at gmail.com] *On Behalf Of *Nathan Schrenk
> *Sent:* Friday, January 30, 2009 21:14
> *To:* Alexander Czutka
> *Cc:* tac_plus at shrubbery.net
> *Subject:* Re: [tac_plus] How can I deny/permit ?
>
> On 1/30/09, *Alexander Czutka* wrote:
>
> Hello,
>
> I'm trying to set up an authorization for a user.
>
> The user should be allowed to do a:
>
> - Show ip
> - show ip route
>
> But he shouldn't execute the commands, which start with:
>
> - Show ip ospf
> - Show ip pim
>
> I tried this, but it didn't work:
>
> cmd = show {
>     permit ip
>     deny ip ospf
> }
>
> root at ubuntu-fdry:/# tac_plus -C /etc/tac_plus.conf
> Error: expecting '}' but found 'ospf' on line 40
> root at ubuntu-fdry:/#
>
> Is this possible ?
>
> Try putting quotes around the tokens:
>
> cmd = show {
>     permit ip
>     deny "ip ospf"
> }
>
> Nathan
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20090203/bbee3b72/attachment.html

From heas at shrubbery.net Thu Feb 5 02:46:43 2009
From: heas at shrubbery.net (john heasley)
Date: Wed, 4 Feb 2009 18:46:43 -0800
Subject: [tac_plus] Re: NAS host based authorization
In-Reply-To: <49882108.9070506@fialka.cz>
References: <49882108.9070506@fialka.cz>
Message-ID: <20090205024643.GC6081@shrubbery.net>

Tue, Feb 03, 2009 at 11:48:40AM +0100, Miroslav Chlastak:
> Hi,
>
> It's possible "NAS host based authorization"?
>
> I would like permit/deny command based on ip address of NAS.
> I found this patch, but it's 7 year old :( :
> http://www.jankratochvil.net/project/tac_plus/

sorry, i'm not going to try to wedge that mess into my branch. Can you just define the feature that you want?

From aczutka at brocade.com Thu Feb 5 15:46:37 2009
From: aczutka at brocade.com (Alexander Czutka)
Date: Thu, 5 Feb 2009 07:46:37 -0800
Subject: [tac_plus] Re: How can I deny/permit ?
In-Reply-To: <6121a88b0902030820n28edea0el9ac58e4ff89111e5@mail.gmail.com>
References: <6121a88b0901301213j3c39bdfeme7dd695c5be93965@mail.gmail.com> <6121a88b0901301356u9f9f612t6b92c99b45573f01@mail.gmail.com> <6121a88b0902030820n28edea0el9ac58e4ff89111e5@mail.gmail.com>
Message-ID:

Thanks. It works,

Alexander

________________________________
From: nschrenk at gmail.com [mailto:nschrenk at gmail.com] On Behalf Of Nathan Schrenk
Sent: Tuesday, February 3, 2009 17:20
To: Alexander Czutka
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] How can I deny/permit ?

I don't know why that's not working. I would try to increase the debug logging and then try to authorize the commands again and see if there are any log messages that help explain why authorization is being denied. Passing the command-line argument "-d 4088" should enable lots of debugging log messages.

Nathan

On 2/2/09, Alexander Czutka wrote:

Hello Nathan,

Sorry for the delay.

I have tried this:

# tacacs configuration file
# Pierre-Yves Maunier - 20060713
# /etc/tac_plus.conf

# set the key
key = foundry

accounting file = /var/log/tac_plus.acct

# Group definition

group = group2 {
    default service = deny

    cmd = show {
        permit "ip "
        deny .*
    }

# users accounts

user = test {
    default service = permit
    login = cleartext "test"
    enable = cleartext "test"
    name = "test"
}

user = user2 {
    member = group2
    login = cleartext "user2"
    enable = cleartext "user2"
}

# END

Now I'm not able to execute any command:

telnet at BigIron Router#
telnet at BigIron Router#show ip
Not authorized to execute this command.
telnet at BigIron Router#
telnet at BigIron Router#
telnet at BigIron Router#show ip route
Not authorized to execute this command.
telnet at BigIron Router#
telnet at BigIron Router#
telnet at BigIron Router#

Regards,

Alexander

________________________________
From: nschrenk at gmail.com [mailto:nschrenk at gmail.com] On Behalf Of Nathan Schrenk
Sent: Friday, January 30, 2009 22:57
To: Alexander Czutka
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] How can I deny/permit ?

On 1/30/09, Alexander Czutka wrote:

Hello Nathan,

it doesn't work.

What doesn't work? tac_plus doesn't print the same error message while parsing the config file as it does without the quotes, does it?

I normally use a group and deny everything that is not explicitly allowed (a command blacklist):

group = mygroup {
    default service = deny
    cmd = show {
        permit "ip "
        deny .*
    }
}
user = myuser {
    member = mygroup
    login = cleartext "mypassword"
}

Nathan

user = user2 {
    # member = group2
    # debug = REGEX
    login = cleartext "user2"
    enable = cleartext "user2"

    cmd = show {
        permit ip
        deny "ip ospf"
    }

# END

Regards,

Alexander

________________________________
From: nschrenk at gmail.com [mailto:nschrenk at gmail.com] On Behalf Of Nathan Schrenk
Sent: Friday, January 30, 2009 21:14
To: Alexander Czutka
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] How can I deny/permit ?

On 1/30/09, Alexander Czutka wrote:

Hello,

I'm trying to set up an authorization for a user.

The user should be allowed to do a:

- Show ip
- show ip route

But he shouldn't execute the commands, which start with:

- Show ip ospf
- Show ip pim

I tried this, but it didn't work:

cmd = show {
    permit ip
    deny ip ospf
}

root at ubuntu-fdry:/# tac_plus -C /etc/tac_plus.conf
Error: expecting '}' but found 'ospf' on line 40
root at ubuntu-fdry:/#

Is this possible ?

Try putting quotes around the tokens:

cmd = show {
    permit ip
    deny "ip ospf"
}

Nathan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20090205/f947fb23/attachment.html

From f.niedernolte at web.de Tue Feb 17 14:33:04 2009
From: f.niedernolte at web.de (Frederik Niedernolte)
Date: Tue, 17 Feb 2009 15:33:04 +0100
Subject: [tac_plus] TACACS+ and Debian Lenny
Message-ID: <1518160470@web.de>

Hi there,

I have just installed your current version of TACACS+ on Debian Lenny and it runs well but I don't know how to add it to /etc/init.d/ as a daemon init script.
Can you please help me?
Thanks in advance.

Best regards,
F. Niedernolte

From heas at shrubbery.net Tue Feb 17 18:23:40 2009
From: heas at shrubbery.net (john heasley)
Date: Tue, 17 Feb 2009 18:23:40 +0000
Subject: [tac_plus] Re: TACACS+ and Debian Lenny
In-Reply-To: <1518160470@web.de>
References: <1518160470@web.de>
Message-ID: <20090217182340.GB449@shrubbery.net>

Tue, Feb 17, 2009 at 03:33:04PM +0100, Frederik Niedernolte:
> Hi there,
>
> I have just installed your current version of TACACS+ on Debian Lenny and it runs well but I don't know how to add it to /etc/init.d/ as a daemon init script.
> Can you please help me?
> Thanks in advance.

Start with an existing script, such as ntpd, and alter it for tacacs.

From venkata.raghavan.c at gmail.com Wed Feb 18 05:12:27 2009
From: venkata.raghavan.c at gmail.com (venkat c)
Date: Wed, 18 Feb 2009 10:42:27 +0530
Subject: [tac_plus] TACACS+ Java client libraries
Message-ID: <93c5bd240902172112v62c5b8e6icc274d42e10381ef@mail.gmail.com>

Hi All,
Can anyone let me know where I can download TACACS+ java client libraries.

Kind Regards
venkat
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20090218/0e930ad0/attachment.html

From heas at shrubbery.net Wed Feb 18 18:48:38 2009
From: heas at shrubbery.net (john heasley)
Date: Wed, 18 Feb 2009 18:48:38 +0000
Subject: [tac_plus] Re: TACACS+ Java client libraries
In-Reply-To: <93c5bd240902172112v62c5b8e6icc274d42e10381ef@mail.gmail.com>
References: <93c5bd240902172112v62c5b8e6icc274d42e10381ef@mail.gmail.com>
Message-ID: <20090218184838.GA27133@shrubbery.net>

google

Wed, Feb 18, 2009 at 10:42:27AM +0530, venkat c:
> Hi All,
> Can anyone let me know where I can download TACACS+ java client
> libraries.
>
> Kind Regards
> venkat
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20090218/0e930ad0/attachment.html
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From frisvolj at lafayette.edu Wed Feb 25 17:46:46 2009
From: frisvolj at lafayette.edu (Jason Frisvold)
Date: Wed, 25 Feb 2009 12:46:46 -0500
Subject: [tac_plus] Unified passwords?
Message-ID: <49A58406.7040807@lafayette.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there,

I have tac_plus up and running, but I'd like to set it up so the same password is used for login and enable. We currently have it running this way with ACS, but we'd like to ditch ACS and go with tac_plus.

Is this possible?

Thanks,

- --
- ---------------------------
Jason Frisvold
Network Engineer
frisvolj at lafayette.edu
- ---------------------------
"What I cannot create, I do not understand"
   - Richard Feynman
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iD8DBQFJpYQGO80o6DJ8UvkRAny8AJ9VqXTRpawCqkWfYSTsD40H1TTEIACeNQMd
VdUww8MXKUQ/GPAYJ4L606U=
=hOTs
-----END PGP SIGNATURE-----

From heas at shrubbery.net Wed Feb 25 21:41:34 2009
From: heas at shrubbery.net (john heasley)
Date: Wed, 25 Feb 2009 13:41:34 -0800
Subject: [tac_plus] Re: Unified passwords?
In-Reply-To: <49A58406.7040807@lafayette.edu>
References: <49A58406.7040807@lafayette.edu>
Message-ID: <20090225214132.GO13893@shrubbery.net>

Wed, Feb 25, 2009 at 12:46:46PM -0500, Jason Frisvold:
> Hi there,
>
> I have tac_plus up and running, but I'd like to set it up so the same
> password is used for login and enable. We currently have it running
> this way with ACS, but we'd like to ditch ACS and go with tac_plus.
>
> Is this possible?

    user = bart {
        enable =
    }

    enable specifies the enable password. The may
    only be of type cleartext or des. If the daemon was compiled
    with per-user enable support (--enable-uenable), the host enable
    password will be evaluated iff the user does not have a personal
    enable password.

> Thanks,
>
> --
> ---------------------------
> Jason Frisvold
> Network Engineer
> frisvolj at lafayette.edu
> ---------------------------
> "What I cannot create, I do not understand"
> - Richard Feynman

From frisvolj at lafayette.edu Thu Feb 26 19:25:24 2009
From: frisvolj at lafayette.edu (Jason Frisvold)
Date: Thu, 26 Feb 2009 14:25:24 -0500
Subject: [tac_plus] Re: Unified passwords?
In-Reply-To: <20090225214132.GO13893@shrubbery.net>
References: <49A58406.7040807@lafayette.edu> <20090225214132.GO13893@shrubbery.net>
Message-ID: <49A6ECA4.8070607@lafayette.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

john heasley wrote:
> user = bart {
>     enable =
> }
>
> enable specifies the enable password. The may
> only be of type cleartext or des. If the daemon was compiled
> with per-user enable support (--enable-uenable), the host enable
> password will be evaluated iff the user does not have a personal
> enable password.

I was looking to use /etc/password for both login and enable passwords. If I understand your reply, you're saying that's not possible, correct?

- --
- ---------------------------
Jason Frisvold
Network Engineer
frisvolj at lafayette.edu
- ---------------------------
"What I cannot create, I do not understand"
   - Richard Feynman
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iD8DBQFJpuykO80o6DJ8UvkRAjYJAJ0SDzbt80Y5rGuIVAFNJXSjlIsY6gCfZv7r
zUWW6YDfvhIYdvE164K3O8g=
=NAId
-----END PGP SIGNATURE-----

From kissg at ssg.ki.iif.hu Thu Feb 26 20:31:19 2009
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Thu, 26 Feb 2009 21:31:19 +0100 (CET)
Subject: [tac_plus] Re: Unified passwords?
In-Reply-To: <49A6ECA4.8070607@lafayette.edu>
References: <49A58406.7040807@lafayette.edu> <20090225214132.GO13893@shrubbery.net> <49A6ECA4.8070607@lafayette.edu>
Message-ID:

> I was looking to use /etc/password for both login and enable passwords.
> If I understand your reply, you're saying that's not possible, correct?

I had a patch in the mid 90-s that implemented this 'sudo like' feature.
So it is possible but someone has to work with it.

Regards

Gabor

From heas at shrubbery.net Thu Feb 26 20:34:53 2009
From: heas at shrubbery.net (john heasley)
Date: Thu, 26 Feb 2009 12:34:53 -0800
Subject: [tac_plus] Re: Unified passwords?
In-Reply-To: <49A6ECA4.8070607@lafayette.edu>
References: <49A58406.7040807@lafayette.edu> <20090225214132.GO13893@shrubbery.net> <49A6ECA4.8070607@lafayette.edu>
Message-ID: <20090226203453.GD18980@shrubbery.net>

Thu, Feb 26, 2009 at 02:25:24PM -0500, Jason Frisvold:
> john heasley wrote:
> > user = bart {
> >     enable =
> > }
> >
> > enable specifies the enable password. The may
> > only be of type cleartext or des. If the daemon was compiled
> > with per-user enable support (--enable-uenable), the host enable
> > password will be evaluated iff the user does not have a personal
> > enable password.
>
> I was looking to use /etc/password for both login and enable passwords.
> If I understand your reply, you're saying that's not possible, correct?

it's possible, but it's not implemented.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
Url : http://www.shrubbery.net/pipermail/tac_plus/attachments/20090226/5bb30d81/attachment.bin

From dan.schmidt at uplinkdata.com Thu Feb 26 20:54:57 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel) Date: Thu, 26 Feb 2009 13:54:57 -0700 Subject: [tac_plus] Re: Unified passwords? In-Reply-To: <49A6ECA4.8070607@lafayette.edu> References: <49A58406.7040807@lafayette.edu><20090225214132.GO13893@shrubbery.net> <49A6ECA4.8070607@lafayette.edu> Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC3A2E4A@che-exch-003.uplinkdata.com> I believe you require the enable patch. I'm not exactly sure why this was not integrated into the last release. My C skills are not nearly as good as John's as to allow me to say that it should go in. However, I use it and it works fine. Look at the code, it's a very small change. diff -ruN tacacs+-F4.0.4.15/pwlib.c tacacs+-F4.0.4.15.new/pwlib.c --- tacacs+-F4.0.4.15/pwlib.c 2007-12-13 20:18:39.000000000 +0100 +++ tacacs+-F4.0.4.15.new/pwlib.c 2008-04-22 11:05:11.000000000 +0200 @@ -206,7 +206,7 @@ /* Oops. No idea what kind of password this is. This should never * happen as the parser should never create such passwords. */ - report(LOG_ERR, "%s: Error cannot identify password type %s for %s", + report(LOG_ERR, "%s: Error cannot identify password type '%s' for '%s'", session.peer, cfg_passwd && cfg_passwd[0] ? cfg_passwd : "", name ? name : ""); @@ -260,10 +260,22 @@ return(data->status == TAC_PLUS_AUTHEN_STATUS_PASS); } + p = tac_find_substring("file ", cfg_passwd); + if (p) { + if (!passwd_file_verify(name, passwd, data, p)) { + data->status = TAC_PLUS_AUTHEN_STATUS_FAIL; + return(0); + } else { + data->status = TAC_PLUS_AUTHEN_STATUS_PASS; + } + + return(data->status == TAC_PLUS_AUTHEN_STATUS_PASS); + } + /* Oops. No idea what kind of password this is. This should never * happen as the parser should never create such passwords. */ - report(LOG_ERR, "%s: Error cannot identify password type %s for %s", + report(LOG_ERR, "%s: Error cannot identify password type '%s' for '%s'", session.peer, cfg_passwd && cfg_passwd[0] ? cfg_passwd : "", name ? name : ""); -----Original Message----- 
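Review bot: in the @@ -206,7 +206,7 @@ hunk, the report() call passes cfg_passwd itself as the "password type" argument, and the tac_find_substring("file ", cfg_passwd) call in the second hunk shows that this string holds the type keyword together with what follows it. For an unrecognised type the whole configured string, which may be the secret itself, is written to the log at LOG_ERR; consider logging only the leading keyword or a fixed text instead. The added quotes are useful as they stand, since an empty value now shows up as ''.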
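Review bot: in the added "file " branch of the @@ -260,10 +260,22 @@ hunk, the else arm sets data->status to TAC_PLUS_AUTHEN_STATUS_PASS and the return(data->status == TAC_PLUS_AUTHEN_STATUS_PASS) that follows can then only be true, so the branch can set the status from the result of passwd_file_verify() and return that result directly. The failure path returns 0 without any report() call, so a rejected file-based password leaves no log entry from this block; a report() line naming session.peer and name, as the unknown-type path below already does, would make failed attempts auditable. Neither passwd_file_verify() nor the value tac_find_substring() returns in p is visible in the diff, so a comment stating what p points at would help the next reader.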
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Jason Frisvold
Sent: Thursday, February 26, 2009 12:25 PM
To: john heasley
Cc: tac_plus at shrubbery.net
Subject: [tac_plus] Re: Unified passwords?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

john heasley wrote:
> user = bart {
>     enable =
> }
>
> enable specifies the enable password. The may
> only be of type cleartext or des. If the daemon was compiled
> with per-user enable support (--enable-uenable), the host enable
> password will be evaluated iff the user does not have a personal
> enable password.

I was looking to use /etc/password for both login and enable passwords. If I understand your reply, you're saying that's not possible, correct?

- --
- ---------------------------
Jason Frisvold
Network Engineer
frisvolj at lafayette.edu
- ---------------------------
"What I cannot create, I do not understand"
   - Richard Feynman
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iD8DBQFJpuykO80o6DJ8UvkRAjYJAJ0SDzbt80Y5rGuIVAFNJXSjlIsY6gCfZv7r
zUWW6YDfvhIYdvE164K3O8g=
=NAId
-----END PGP SIGNATURE-----
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tac_enab_new.patch
Type: application/octet-stream
Size: 1487 bytes
Desc: tac_enab_new.patch
Url : http://www.shrubbery.net/pipermail/tac_plus/attachments/20090226/344b2406/attachment.obj

From frisvolj at lafayette.edu Thu Feb 26 21:38:01 2009
From: frisvolj at lafayette.edu (Jason Frisvold)
Date: Thu, 26 Feb 2009 16:38:01 -0500
Subject: [tac_plus] Re: Unified passwords?
In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BC3A2E4A@che-exch-003.uplinkdata.com>
References: <49A58406.7040807@lafayette.edu><20090225214132.GO13893@shrubbery.net> <49A6ECA4.8070607@lafayette.edu> <05CC562AFB5A9446A1BC3F66AD04A3BC3A2E4A@che-exch-003.uplinkdata.com>
Message-ID: <49A70BB9.1090804@lafayette.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Schmidt, Daniel wrote:
> I believe you require the enable patch. I'm not exactly sure why this
> was not integrated into the last release. My C skills are not nearly as
> good as John's as to allow me to say that it should go in. However, I
> use it and it works fine. Look at the code, it's a very small change.

Excellent, thanks!

- --
- ---------------------------
Jason Frisvold
Network Engineer
frisvolj at lafayette.edu
- ---------------------------
"What I cannot create, I do not understand"
   - Richard Feynman
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iD8DBQFJpwu5O80o6DJ8UvkRAlfEAJ93ar9CgTArIkPhkyWWDlSbtP245wCeILXB
Gpsx6Klf0kpUGYDzrcva2Js=
=kQCZ
-----END PGP SIGNATURE-----
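
Added example, not part of any message in this archive and not tac_plus code: a small Python model of how the permit/deny lines posted in the "How can I deny/permit ?" thread are evaluated against the four commands Alexander names. It assumes the rules are tried in order, the first regex that matches decides, a command matching no rule is denied, and the NAS sends the words typed after "show" with nothing appended; the DENY_FIRST list is constructed here and does not come from the thread.

```python
import re

# Assumed model of tac_plus "cmd" authorization (not tac_plus source code):
# rules are tried top to bottom, the first regex that matches the argument
# string decides, and a command with no matching rule is denied.
def authorize(rules, args):
    for action, pattern in rules:
        if re.search(pattern, args):
            return action
    return "deny"

# Rule lists transcribed from the cmd = show { ... } blocks in the thread.
QUOTED_TOKENS = [("permit", "ip"), ("deny", "ip ospf")]   # permit ip / deny "ip ospf"
GROUP2 = [("permit", "ip "), ("deny", ".*")]              # permit "ip " / deny .*

# Constructed alternative, not from the thread: the specific denies come
# first, the permit is anchored, and everything else is denied explicitly.
DENY_FIRST = [
    ("deny", r"^ip (ospf|pim)"),
    ("permit", r"^ip( |$)"),
    ("deny", r".*"),
]

# Argument strings for the four commands named in the first message, i.e.
# the text typed after "show". Assumption: the NAS adds no trailing token.
COMMANDS = ["ip", "ip route", "ip ospf", "ip pim"]

def decisions(rules):
    """Map each full command to the verdict the rule list gives it."""
    return {"show " + args: authorize(rules, args) for args in COMMANDS}

if __name__ == "__main__":
    for name, rules in [
        ('permit ip / deny "ip ospf"', QUOTED_TOKENS),
        ('permit "ip " / deny .*', GROUP2),
        ("deny first (constructed)", DENY_FIRST),
    ]:
        print(name)
        for cmd, verdict in decisions(rules).items():
            print(f"  {cmd:<14} {verdict}")
```

Under this model the group2 rules deny a bare "show ip" but permit "show ip route", so the denial of "show ip route" reported in the thread is not explained by rule order alone; the "-d 4088" debug output Nathan suggests is where the argument string the NAS really sent can be seen.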