[tac_plus] Re: Unified passwords?
john heasley
heas at shrubbery.net
Mon Mar 2 17:33:11 UTC 2009
Thu, Feb 26, 2009 at 01:54:57PM -0700, Schmidt, Daniel:
> I believe you require the enable patch. I'm not exactly sure why this
> was not integrated into the last release. My C skills are not nearly as
> good as John's as to allow me to say that it should go in. However, I
> use it and it works fine. Look at the code, it's a very small change.
I can't just commit something without investigating what side effects it
might have, updating comments, and updating manual pages. These things
take time that I dont always have.
anyway, this seems to be fine and I've committed it, except for the log
msg changes which I do not understand.
> diff -ruN tacacs+-F4.0.4.15/pwlib.c tacacs+-F4.0.4.15.new/pwlib.c
> --- tacacs+-F4.0.4.15/pwlib.c 2007-12-13 20:18:39.000000000 +0100
> +++ tacacs+-F4.0.4.15.new/pwlib.c 2008-04-22 11:05:11.000000000
> +0200
> @@ -206,7 +206,7 @@
> /* Oops. No idea what kind of password this is. This should never
> * happen as the parser should never create such passwords.
> */
> - report(LOG_ERR, "%s: Error cannot identify password type %s for
> %s",
> + report(LOG_ERR, "%s: Error cannot identify password type '%s' for
> '%s'",
> session.peer,
> cfg_passwd && cfg_passwd[0] ? cfg_passwd : "<NULL>",
> name ? name : "<unknown>");
> @@ -260,10 +260,22 @@
> return(data->status == TAC_PLUS_AUTHEN_STATUS_PASS);
> }
>
> + p = tac_find_substring("file ", cfg_passwd);
> + if (p) {
> + if (!passwd_file_verify(name, passwd, data, p)) {
> + data->status = TAC_PLUS_AUTHEN_STATUS_FAIL;
> + return(0);
> + } else {
> + data->status = TAC_PLUS_AUTHEN_STATUS_PASS;
> + }
> +
> + return(data->status == TAC_PLUS_AUTHEN_STATUS_PASS);
> + }
> +
> /* Oops. No idea what kind of password this is. This should never
> * happen as the parser should never create such passwords. */
>
> - report(LOG_ERR, "%s: Error cannot identify password type %s for
> %s",
> + report(LOG_ERR, "%s: Error cannot identify password type '%s' for
> '%s'",
> session.peer,
> cfg_passwd && cfg_passwd[0] ? cfg_passwd : "<NULL>",
> name ? name : "<unknown>");
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Jason Frisvold
> Sent: Thursday, February 26, 2009 12:25 PM
> To: john heasley
> Cc: tac_plus at shrubbery.net
> Subject: [tac_plus] Re: Unified passwords?
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> john heasley wrote:
> > user = bart {
> > enable = <password_spec>
> > }
> >
> > enable specifies the enable password. The
> <password_spec> may
> > only be of type cleartext or des. If the daemon was
> compiled
> > with per-user enable support (--enable-uenable), the
> host enable
> > password will be evaluated iff the user does not have a
> personal
> > enable password.
>
> I was looking to use /etc/password for both login and enable passwords.
> If I understand your reply, you're saying that's not possible, correct?
>
> - --
> - ---------------------------
> Jason Frisvold
> Network Engineer
> frisvolj at lafayette.edu
> - ---------------------------
> "What I cannot create, I do not understand"
> - Richard Feynman
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
> Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org
>
> iD8DBQFJpuykO80o6DJ8UvkRAjYJAJ0SDzbt80Y5rGuIVAFNJXSjlIsY6gCfZv7r
> zUWW6YDfvhIYdvE164K3O8g=
> =NAId
> -----END PGP SIGNATURE-----
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
More information about the tac_plus
mailing list