From wieland at purdue.edu Wed Sep 2 18:25:42 2009
From: wieland at purdue.edu (Jeff Wieland)
Date: Wed, 02 Sep 2009 14:25:42 -0400
Subject: [tac_plus] Configuring tac_plus for Foundry BI-RX-16
Message-ID: <4A9EB8A6.6030000@purdue.edu>

Our engineer reports that these switches use the privilege level backwards from Cisco -- 0 is for enable/superuser, 15 is the default for user logins. So, I'm thinking that I need a way to specify the priv-lvl on a per-device basis, or on a "service" basis, assuming that I can figure out what service to use. Has anybody got one of these working?

-- 
Jeff Wieland | Purdue University
Network Systems Administrator | ITN&S Data Networks
Voice: (765)496-8234 | 501 Harrison Street
FAX: (765)494-6620 | West Lafayette, IN 47907-2025

From jathan at gmail.com Thu Sep 3 18:47:44 2009
From: jathan at gmail.com (jathan.)
Date: Thu, 3 Sep 2009 11:47:44 -0700
Subject: [tac_plus] Re: Configuring tac_plus for Foundry BI-RX-16
In-Reply-To: <4A9EB8A6.6030000@purdue.edu>
References: <4A9EB8A6.6030000@purdue.edu>
Message-ID: <4e0e47490909031147w24a99e6fh7d42bc8822fcc79c@mail.gmail.com>

Indeed super-user priv on Foundry devices is 0 instead of 15, but that is only as far as the CLI input goes. On the server, it is still considered to be priv-lvl 15. Yes, it's counter-intuitive. For all other intents and purposes, they fully emulate Cisco devices. One thing you'll have to add to the device is this:

    aaa authentication login privilege-mode

This tells the Foundry device to honor the enable-request for privilege escalation sent from the TACACS+ server.

Example of setting priv-lvl in service block:

    group = admin {
        default service = permit
        # the server side still speaks Cisco levels: 15 is superuser
        service = exec {
            priv-lvl = 15
        }
    }

    user = joe {
        login = cleartext joe
        member = admin
    }

Full example Foundry AAA template:

    aaa authentication login default tacacs+ enable none
    aaa authentication login privilege-mode
    aaa authorization commands 0 default tacacs+ none
    aaa authorization exec default tacacs+ none
    aaa accounting commands 0 default start-stop tacacs+
    aaa accounting exec default start-stop tacacs+
    aaa accounting system default start-stop tacacs+
    tacacs-server host 1.2.3.4
    tacacs-server host 2.4.6.8
    tacacs-server key abc123
    tacacs-server timeout 1
    enable telnet authentication

Good luck!

On Wed, Sep 2, 2009 at 11:25 AM, Jeff Wieland wrote:
> Our engineer reports that these switches use the privilege level
> backwards from Cisco -- 0 is for enable/superuser, 15 is the
> default for user logins. So, I'm thinking that I need a way to
> specify the priv-lvl on a per-device basis, or on an "service"
> basis assuming that I can figure out what service to use. Has
> anybody got one of these working?
> -- 
> Jeff Wieland | Purdue University
> Network Systems Administrator | ITN&S Data Networks
> Voice: (765)496-8234 | 501 Harrison Street
> FAX: (765)494-6620 | West Lafayette, IN 47907-2025
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

-- 
Jathan.
From dan.schmidt at uplinkdata.com Wed Sep 2 18:49:39 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Wed, 2 Sep 2009 12:49:39 -0600
Subject: [tac_plus] Re: Configuring tac_plus for Foundry BI-RX-16
In-Reply-To: <4A9EB8A6.6030000@purdue.edu>
References: <4A9EB8A6.6030000@purdue.edu>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC70DD13@che-exch-003.uplinkdata.com>

I never had a need to set levels on a per-device basis, as the levels don't provide much control. But I did have a need to set command access on a per-device basis, which can accomplish the same thing. See www.tacacs.org.

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Jeff Wieland
Sent: Wednesday, September 02, 2009 12:26 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Configuring tac_plus for Foundry BI-RX-16

Our engineer reports that these switches use the privilege level backwards from Cisco -- 0 is for enable/superuser, 15 is the default for user logins. So, I'm thinking that I need a way to specify the priv-lvl on a per-device basis, or on a "service" basis, assuming that I can figure out what service to use. Has anybody got one of these working?
-- 
Jeff Wieland | Purdue University
Network Systems Administrator | ITN&S Data Networks
Voice: (765)496-8234 | 501 Harrison Street
FAX: (765)494-6620 | West Lafayette, IN 47907-2025

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From heas at shrubbery.net Mon Sep 7 00:01:14 2009
From: heas at shrubbery.net (john heasley)
Date: Mon, 7 Sep 2009 00:01:14 +0000
Subject: [tac_plus] Re: Configuring tac_plus for Foundry BI-RX-16
In-Reply-To: <4e0e47490909031147w24a99e6fh7d42bc8822fcc79c@mail.gmail.com>
References: <4A9EB8A6.6030000@purdue.edu> <4e0e47490909031147w24a99e6fh7d42bc8822fcc79c@mail.gmail.com>
Message-ID: <20090907000114.GE2287@shrubbery.net>

Thu, Sep 03, 2009 at 11:47:44AM -0700, jathan.:
> Indeed super-user priv on Foundry devices is 0 instead of 15 but that is
> only as far as the CLI input goes. On the server, it is still considered to
> be priv-lvl 15. Yes, it's counter-intuitive. For all other intents and
> purposes, they fully emulate Cisco devices. One thing you'll have to add to
> the device is this:

I'd say it's downright stupid and you should tell your sales rep how moronic it is.

From jathan at gmail.com Mon Sep 7 02:03:58 2009
From: jathan at gmail.com (jathan.)
Date: Sun, 6 Sep 2009 19:03:58 -0700
Subject: [tac_plus] Re: Configuring tac_plus for Foundry BI-RX-16
In-Reply-To: <20090907000114.GE2287@shrubbery.net>
References: <4A9EB8A6.6030000@purdue.edu> <4e0e47490909031147w24a99e6fh7d42bc8822fcc79c@mail.gmail.com> <20090907000114.GE2287@shrubbery.net>
Message-ID: <4e0e47490909061903l420327d3ndfd45f1c5699d28e@mail.gmail.com>

Hah, I'm with you there... Doesn't matter much anymore since we haven't actually purchased a new piece of Foundry gear in years. They're all end-of-life but still being used until they get cycled out. Good times!
On Sun, Sep 6, 2009 at 5:01 PM, john heasley wrote:
> Thu, Sep 03, 2009 at 11:47:44AM -0700, jathan.:
> > Indeed super-user priv on Foundry devices is 0 instead of 15 but that is
> > only as far as the CLI input goes. On the server, it is still considered to
> > be priv-lvl 15. Yes, it's counter-intuitive. For all other intents and
> > purposes, they fully emulate Cisco devices. One thing you'll have to add to
> > the device is this:
>
> I'd say its down-right stupid and you should tell your sales rep how
> moronic it is.

-- 
Jathan.

From erik at eptx.org Thu Sep 10 19:08:56 2009
From: erik at eptx.org (erik at eptx.org)
Date: Thu, 10 Sep 2009 12:08:56 -0700
Subject: [tac_plus] Tacacs+ download
Message-ID: <20090910120856.b391cd810aba201db5e3f4f47955f5a6.0e7f342d90.wbe@email.secureserver.net>

From mark.thomas at corp.aol.com Tue Sep 15 21:22:06 2009
From: mark.thomas at corp.aol.com (Mark Ellzey Thomas)
Date: Tue, 15 Sep 2009 17:22:06 -0400
Subject: [tac_plus] tacacs+-F4.0.4.19 Auth Fail Lock (AFL) patch
Message-ID: <7661C4E5-C064-4933-BC37-65B9D3C677BC@corp.aol.com>

Greetings all,

I have patched the current release with AFL.

Usage:

    cd tacacs+-F4.0.4.19
    patch -p0 < ../tacacs+-F4.0.4.19.afl.patch
    autoconf
    ./configure --enable-afl

... (from http://www.shrubbery.net/pipermail/tac_plus/2008-June/000248.html)

Recently we have had the need for tac_plus to temporarily disable user accounts based on the number of authentication failures the user has had in a defined window of time.

The following global configuration parameter has been added:

    auth-fail-lock $int1 $int2 $int3

Where $int1 is the number of authentication failures
Where $int2 is the window (in seconds) in which to watch for auth fails
Where $int3 is the number of seconds to disable the user.

An example would be:

    # Watch for 10 authentication failures within 60 seconds, if triggered
    # disable user for 120 seconds.
    auth-fail-lock 10 60 120

The tac_plus daemon will log when a trigger is hit, and when the account has been re-enabled:

    Jun 23 14:51:36 192.168.0.1 tac_plus[27731]: User mark has been disabled for 120 seconds
    Jun 23 14:53:46 192.168.0.1 tac_plus[28244]: Re-enabling account: mark

Unfortunately, since tac_plus is a forked architecture, I had to achieve persistence of data via IPC. I understand that some may be wary of this mechanism, so they can turn the feature off at compile time by passing the --disable-afl flag to configure.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tacacs+-F4.0.4.19.afl.patch
Type: application/octet-stream
Size: 14897 bytes
Desc: not available
Url : http://www.shrubbery.net/pipermail/tac_plus/attachments/20090915/9cf43054/attachment.obj

From dan.schmidt at uplinkdata.com Wed Sep 16 17:22:12 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Wed, 16 Sep 2009 11:22:12 -0600
Subject: [tac_plus] libtacacs.so.1 Error
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC70DDDC@che-exch-003.uplinkdata.com>

Anybody else getting this on the new version? 18 works fine.
    tac_plus: error while loading shared libraries: libtacacs.so.1: cannot open shared object file: No such file or directory

From heas at shrubbery.net Wed Sep 16 17:47:48 2009
From: heas at shrubbery.net (john heasley)
Date: Wed, 16 Sep 2009 17:47:48 +0000
Subject: [tac_plus] Re: libtacacs.so.1 Error
In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BC70DDDC@che-exch-003.uplinkdata.com>
References: <05CC562AFB5A9446A1BC3F66AD04A3BC70DDDC@che-exch-003.uplinkdata.com>
Message-ID: <20090916174748.GB3302@shrubbery.net>

Wed, Sep 16, 2009 at 11:22:12AM -0600, Schmidt, Daniel:
> Anybody else getting this on the new version? 18 works fine.
>
> tac_plus: error while loading shared libraries: libtacacs.so.1: cannot
> open shared object file: No such file or directory

I must be missing something with the libtool set-up. Please post the link lines from the make and include o/s info.

From heas at shrubbery.net Wed Sep 16 17:55:14 2009
From: heas at shrubbery.net (john heasley)
Date: Wed, 16 Sep 2009 17:55:14 +0000
Subject: [tac_plus] Re: libtacacs.so.1 Error
In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BC70DDDE@che-exch-003.uplinkdata.com>
References: <05CC562AFB5A9446A1BC3F66AD04A3BC70DDDC@che-exch-003.uplinkdata.com> <20090916174748.GB3302@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BC70DDDE@che-exch-003.uplinkdata.com>
Message-ID: <20090916175514.GE3302@shrubbery.net>

Wed, Sep 16, 2009 at 11:53:43AM -0600, Schmidt, Daniel:
> Ubuntu Hardy, thanks.
>
> dans at dan-laptop:~/tacacs+-F4.0.4.19$ uname -a
> Linux dan-laptop 2.6.24-24-generic #1 SMP Sat Aug 22 01:06:14 UTC 2009
> i686 GNU/Linux
>
> /bin/bash ./libtool --tag=CC --mode=link gcc -g -O2 -pthread -L.
> -L/usr/local/lib -L/lib -o tac_plus acct.o authen.o author.o

-R is missing. I don't understand why that isn't automatic.
> choose_authen.o config.o default_fn.o default_v0_fn.o do_acct.o > do_author.o dump.o enable.o encrypt.o expire.o hash.o maxsess.o parse.o > programs.o pw.o pwlib.o regexp.o report.o sendauth.o sendpass.o > tac_plus.o utils.o -lwrap -ltacacs -lnsl -lcrypt > > gcc -g -O2 -pthread -o .libs/tac_plus acct.o authen.o author.o > choose_authen.o config.o default_fn.o default_v0_fn.o do_acct.o > do_author.o dump.o enable.o encrypt.o expire.o hash.o maxsess.o parse.o > programs.o pw.o pwlib.o regexp.o report.o sendauth.o sendpass.o > tac_plus.o utils.o -L/home/dan/tacacs+-F4.0.4.19 -L/usr/local/lib > -L/lib -lwrap /home/dan/tacacs+-F4.0.4.19/.libs/libtacacs.so -lnsl > -lcrypt > > creating tac_plus > > rm -f tac_convert tac_convert.tmp; \ > > sed -e 's, at bindir\@,/usr/local/bin,g' -e > 's, at prefix\@,/usr/local,g' -e 's, at libexecdir\@,/usr/local/libexec,g' -e > 's, at localstatedir\@,/usr/local/var,g' -e 's, at libdir\@,/usr/local/lib,g' > -e 's, at pkglibdir\@,/usr/local/lib/tacacs+,g' -e > 's, at sysconfdir\@,/usr/local/etc,g' -e 's, at PERLV_PATH\@,/usr/bin/perl,g' > -e 's, at TACPLUS_PIDFILE\@,/var/run/tac_plus.pid,g' -e > 's, at TACPLUS_LOGFILE\@,/var/log/tac_plus.log,g' ./tac_convert.in > >tac_convert.tmp; \ > > mv tac_convert.tmp tac_convert; \ > > chmod 755 tac_convert > > rm -f users_guide users_guide.tmp; \ > > sed -e 's, at bindir\@,/usr/local/bin,g' -e > 's, at prefix\@,/usr/local,g' -e 's, at libexecdir\@,/usr/local/libexec,g' -e > 's, at localstatedir\@,/usr/local/var,g' -e 's, at libdir\@,/usr/local/lib,g' > -e 's, at pkglibdir\@,/usr/local/lib/tacacs+,g' -e > 's, at sysconfdir\@,/usr/local/etc,g' -e 's, at PERLV_PATH\@,/usr/bin/perl,g' > -e 's, at TACPLUS_PIDFILE\@,/var/run/tac_plus.pid,g' -e > 's, at TACPLUS_LOGFILE\@,/var/log/tac_plus.log,g' ./users_guide.in > >users_guide.tmp; \ > > mv users_guide.tmp users_guide > > make[1]: Leaving directory `/home/dan/tacacs+-F4.0.4.19' > > dans at dan-laptop:~/tacacs+-F4.0.4.19$ > > -----Original Message----- > 
From: john heasley [mailto:heas at shrubbery.net] > Sent: Wednesday, September 16, 2009 11:48 AM > To: Schmidt, Daniel > Cc: tac_plus at shrubbery.net > Subject: Re: [tac_plus] libtacacs.so.1 Error > > Wed, Sep 16, 2009 at 11:22:12AM -0600, Schmidt, Daniel: > > Anybody else getting this on the new version? 18 works fine. > > > > tac_plus: error while loading shared libraries: libtacacs.so.1: cannot > > open shared object file: No such file or directory > > I must be missing something with the libtool set-up. Please post the > link lines from the make and include o/s info. From dan.schmidt at uplinkdata.com Wed Sep 16 17:53:43 2009 From: dan.schmidt at uplinkdata.com (Schmidt, Daniel) Date: Wed, 16 Sep 2009 11:53:43 -0600 Subject: [tac_plus] Re: libtacacs.so.1 Error In-Reply-To: <20090916174748.GB3302@shrubbery.net> References: <05CC562AFB5A9446A1BC3F66AD04A3BC70DDDC@che-exch-003.uplinkdata.com> <20090916174748.GB3302@shrubbery.net> Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC70DDDE@che-exch-003.uplinkdata.com> Ubuntu Hardy, thanks. dans at dan-laptop:~/tacacs+-F4.0.4.19$ uname -a Linux dan-laptop 2.6.24-24-generic #1 SMP Sat Aug 22 01:06:14 UTC 2009 i686 GNU/Linux /bin/bash ./libtool --tag=CC --mode=link gcc -g -O2 -pthread -L. 
-L/usr/local/lib -L/lib -o tac_plus acct.o authen.o author.o choose_authen.o config.o default_fn.o default_v0_fn.o do_acct.o do_author.o dump.o enable.o encrypt.o expire.o hash.o maxsess.o parse.o programs.o pw.o pwlib.o regexp.o report.o sendauth.o sendpass.o tac_plus.o utils.o -lwrap -ltacacs -lnsl -lcrypt gcc -g -O2 -pthread -o .libs/tac_plus acct.o authen.o author.o choose_authen.o config.o default_fn.o default_v0_fn.o do_acct.o do_author.o dump.o enable.o encrypt.o expire.o hash.o maxsess.o parse.o programs.o pw.o pwlib.o regexp.o report.o sendauth.o sendpass.o tac_plus.o utils.o -L/home/dan/tacacs+-F4.0.4.19 -L/usr/local/lib -L/lib -lwrap /home/dan/tacacs+-F4.0.4.19/.libs/libtacacs.so -lnsl -lcrypt creating tac_plus rm -f tac_convert tac_convert.tmp; \ sed -e 's, at bindir\@,/usr/local/bin,g' -e 's, at prefix\@,/usr/local,g' -e 's, at libexecdir\@,/usr/local/libexec,g' -e 's, at localstatedir\@,/usr/local/var,g' -e 's, at libdir\@,/usr/local/lib,g' -e 's, at pkglibdir\@,/usr/local/lib/tacacs+,g' -e 's, at sysconfdir\@,/usr/local/etc,g' -e 's, at PERLV_PATH\@,/usr/bin/perl,g' -e 's, at TACPLUS_PIDFILE\@,/var/run/tac_plus.pid,g' -e 's, at TACPLUS_LOGFILE\@,/var/log/tac_plus.log,g' ./tac_convert.in >tac_convert.tmp; \ mv tac_convert.tmp tac_convert; \ chmod 755 tac_convert rm -f users_guide users_guide.tmp; \ sed -e 's, at bindir\@,/usr/local/bin,g' -e 's, at prefix\@,/usr/local,g' -e 's, at libexecdir\@,/usr/local/libexec,g' -e 's, at localstatedir\@,/usr/local/var,g' -e 's, at libdir\@,/usr/local/lib,g' -e 's, at pkglibdir\@,/usr/local/lib/tacacs+,g' -e 's, at sysconfdir\@,/usr/local/etc,g' -e 's, at PERLV_PATH\@,/usr/bin/perl,g' -e 's, at TACPLUS_PIDFILE\@,/var/run/tac_plus.pid,g' -e 's, at TACPLUS_LOGFILE\@,/var/log/tac_plus.log,g' ./users_guide.in >users_guide.tmp; \ mv users_guide.tmp users_guide make[1]: Leaving directory `/home/dan/tacacs+-F4.0.4.19' dans at dan-laptop:~/tacacs+-F4.0.4.19$ -----Original Message----- From: john heasley [mailto:heas at 
shrubbery.net] Sent: Wednesday, September 16, 2009 11:48 AM To: Schmidt, Daniel Cc: tac_plus at shrubbery.net Subject: Re: [tac_plus] libtacacs.so.1 Error Wed, Sep 16, 2009 at 11:22:12AM -0600, Schmidt, Daniel: > Anybody else getting this on the new version? 18 works fine. > > tac_plus: error while loading shared libraries: libtacacs.so.1: cannot > open shared object file: No such file or directory I must be missing something with the libtool set-up. Please post the link lines from the make and include o/s info. From mark.thomas at corp.aol.com Wed Sep 16 17:55:10 2009 From: mark.thomas at corp.aol.com (Mark Ellzey Thomas) Date: Wed, 16 Sep 2009 13:55:10 -0400 Subject: [tac_plus] Re: libtacacs.so.1 Error In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BC70DDDC@che-exch-003.uplinkdata.com> References: <05CC562AFB5A9446A1BC3F66AD04A3BC70DDDC@che-exch-003.uplinkdata.com> Message-ID: <8880F107-6145-4A5C-96E1-E581D8B92966@corp.aol.com> By default libtacacs is installed in /usr/local/lib If on linux just add the following to /etc/ld.so.conf: /usr/local/lib and run: sudo ldconfig On Sep 16, 2009, at 1:22 PM, Schmidt, Daniel wrote: > Anybody else getting this on the new version? 18 works fine. 
> > tac_plus: error while loading shared libraries: libtacacs.so.1: cannot > open shared object file: No such file or directory > > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus From heas at shrubbery.net Wed Sep 16 17:58:44 2009 From: heas at shrubbery.net (john heasley) Date: Wed, 16 Sep 2009 17:58:44 +0000 Subject: [tac_plus] Re: libtacacs.so.1 Error In-Reply-To: <8880F107-6145-4A5C-96E1-E581D8B92966@corp.aol.com> References: <05CC562AFB5A9446A1BC3F66AD04A3BC70DDDC@che-exch-003.uplinkdata.com> <8880F107-6145-4A5C-96E1-E581D8B92966@corp.aol.com> Message-ID: <20090916175844.GF3302@shrubbery.net> Wed, Sep 16, 2009 at 01:55:10PM -0400, Mark Ellzey Thomas: > By default libtacacs is installed in /usr/local/lib > > If on linux just add the following to /etc/ld.so.conf: > /usr/local/lib in my not so humble opinion, you should not do that. stuff should be built with the correct linker paths. global configuration like ld.so.conf can have unintended effects. > and run: sudo ldconfig > > On Sep 16, 2009, at 1:22 PM, Schmidt, Daniel wrote: > > > Anybody else getting this on the new version? 18 works fine. 
> > > > tac_plus: error while loading shared libraries: libtacacs.so.1: cannot > > open shared object file: No such file or directory > > > > _______________________________________________ > > tac_plus mailing list > > tac_plus at shrubbery.net > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus From dan.schmidt at uplinkdata.com Wed Sep 16 18:02:19 2009 From: dan.schmidt at uplinkdata.com (Schmidt, Daniel) Date: Wed, 16 Sep 2009 12:02:19 -0600 Subject: [tac_plus] Re: libtacacs.so.1 Error In-Reply-To: <8880F107-6145-4A5C-96E1-E581D8B92966@corp.aol.com> References: <05CC562AFB5A9446A1BC3F66AD04A3BC70DDDC@che-exch-003.uplinkdata.com> <8880F107-6145-4A5C-96E1-E581D8B92966@corp.aol.com> Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC70DDE1@che-exch-003.uplinkdata.com> Already there, it appears. dans at dan-laptop:/etc/ld.so.conf.d$ cat /etc/ld.so.conf include /etc/ld.so.conf.d/*.conf dans at dan-laptop:/etc/ld.so.conf.d$ cat /etc/ld.so.conf.d/libc.conf # libc default configuration /usr/local/lib dans at dan-laptop:/etc/ld.so.conf.d$ -----Original Message----- From: Mark Ellzey Thomas [mailto:mark.thomas at corp.aol.com] Sent: Wednesday, September 16, 2009 11:55 AM To: Schmidt, Daniel Cc: tac_plus at shrubbery.net Subject: Re: [tac_plus] libtacacs.so.1 Error By default libtacacs is installed in /usr/local/lib If on linux just add the following to /etc/ld.so.conf: /usr/local/lib and run: sudo ldconfig On Sep 16, 2009, at 1:22 PM, Schmidt, Daniel wrote: > Anybody else getting this on the new version? 18 works fine. 
> > tac_plus: error while loading shared libraries: libtacacs.so.1: cannot
> > open shared object file: No such file or directory
> >
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From jasonj at uui-alaska.com Tue Sep 22 23:26:34 2009
From: jasonj at uui-alaska.com (Jason Jeremias)
Date: Tue, 22 Sep 2009 15:26:34 -0800
Subject: [tac_plus] PAM support via PAP??
Message-ID: <4AB95D2A.2070600@uui-alaska.com>

I downloaded the latest tac_plus software but I can't seem to get pap = PAM to work. Is this possible? I need to authenticate ppp users against pam.

From heas at shrubbery.net Wed Sep 23 00:20:35 2009
From: heas at shrubbery.net (john heasley)
Date: Tue, 22 Sep 2009 17:20:35 -0700
Subject: [tac_plus] Re: PAM support via PAP??
In-Reply-To: <4AB95D2A.2070600@uui-alaska.com>
References: <4AB95D2A.2070600@uui-alaska.com>
Message-ID: <20090923002035.GS8353@shrubbery.net>

Tue, Sep 22, 2009 at 03:26:34PM -0800, Jason Jeremias:
> I downloaded the latest tac_plus software but I can't seem to get pap =
> PAM to work is this possible? I need to authenticate ppp uses against pam.

Did you make any effort to use daemon debugging options to debug the problem that you'd like to mention?

From jasonj at uui-alaska.com Wed Sep 23 00:26:46 2009
From: jasonj at uui-alaska.com (Jason Jeremias)
Date: Tue, 22 Sep 2009 16:26:46 -0800
Subject: [tac_plus] Re: PAM support via PAP??
In-Reply-To: <20090923002035.GS8353@shrubbery.net>
References: <4AB95D2A.2070600@uui-alaska.com> <20090923002035.GS8353@shrubbery.net>
Message-ID: <4AB96B46.3090502@uui-alaska.com>

When I run it I get:
    root at ns02:/usr/local/src/tac_plus_v9a# /usr/local/bin/tac_plus -C /etc/tacacs/tac_plus.cfg -d 16
    Error: expecting 'cleartext', or 'des' keyword after 'pap =' on line 50

So to check that I have pam I did a:

    root at ns02:/usr/local/src/tac_plus_v9a# /usr/local/bin/tac_plus -v
    tac_plus version F4.0.4.19
    ACLS
    FIONBIO
    LIBWRAP
    LINUX
    LITTLE_ENDIAN
    LOG_DAEMON
    PAM
    NO_PWAGE
    REAPCHILD
    RETSIGTYPE RETSIGTYPE
    SHADOW_PASSWORDS
    SIGTSTP
    SIGTTIN
    SIGTTOU
    SO_REUSEADDR
    STRERROR
    TAC_PLUS_PORT
    UENABLE
    __STDC__

This told me that I do indeed have PAM compiled in.

Here's my config file.

    root at ns02:/usr/local/src/tac_plus_v9a# cat /etc/tacacs/tac_plus.cfg

    key = testing12345

    # Now tacacs+ also use default PAM authentication
    #default authentication = pap PAM

    # Accounting records log file

    accounting file = /var/log/tac_acc.log

    user = DEFAULT {
        #service = ppp protocol = lcp { idletime = 15 }
        #service = ppp protocol = ip {}
        #pap = PAM
        #maxsess = 2
        member = DEFAULT
    }

    group = DEFAULT {
        service = ppp protocol = ip {}
        pap = PAM
        #maxsess = 2
    }

    root at ns02:/usr/local/src/tac_plus_v9a#

john heasley wrote:
> Tue, Sep 22, 2009 at 03:26:34PM -0800, Jason Jeremias:
>
>> I downloaded the latest tac_plus software but I can't seem to get pap =
>> PAM to work is this possible? I need to authenticate ppp uses against pam.
>>
>
> did you make any effort to use daemon debugging options to debug the
> problem that you'd like to mention?
>

From jasonj at uui-alaska.com Wed Sep 23 00:28:31 2009
From: jasonj at uui-alaska.com (Jason Jeremias)
Date: Tue, 22 Sep 2009 16:28:31 -0800
Subject: [tac_plus] Re: PAM support via PAP??
In-Reply-To: <4AB96B46.3090502@uui-alaska.com>
References: <4AB95D2A.2070600@uui-alaska.com> <20090923002035.GS8353@shrubbery.net> <4AB96B46.3090502@uui-alaska.com>
Message-ID: <4AB96BAF.8080809@uui-alaska.com>

Oh, also I removed all the comments from the config file; that's why it's referencing line 50. It looks to me like it just doesn't like the pap = PAM; if I switch to login = PAM it works fine.

-J

Jason Jeremias wrote:
> When I run it I get.
> root at ns02:/usr/local/src/tac_plus_v9a# /usr/local/bin/tac_plus -C
> /etc/tacacs/tac_plus.cfg -d 16
> Error: expecting 'cleartext', or 'des' keyword after 'pap =' on line 50
>
> So to check that I have pam I did a:
> root at ns02:/usr/local/src/tac_plus_v9a# /usr/local/bin/tac_plus -v
> tac_plus version F4.0.4.19
> ACLS
> FIONBIO
> LIBWRAP
> LINUX
> LITTLE_ENDIAN
> LOG_DAEMON
> PAM
> NO_PWAGE
> REAPCHILD
> RETSIGTYPE RETSIGTYPE
> SHADOW_PASSWORDS
> SIGTSTP
> SIGTTIN
> SIGTTOU
> SO_REUSEADDR
> STRERROR
> TAC_PLUS_PORT
> UENABLE
> __STDC__
>
> This told me that I do indeed have PAM compiled in.
>
>
> Here's my config file.
> root at ns02:/usr/local/src/tac_plus_v9a# cat /etc/tacacs/tac_plus.cfg
>
> key = testing12345
>
> # Now tacacs+ also use default PAM authentication
> #default authentication = pap PAM
>
> # Accounting records log file
>
> accounting file = /var/log/tac_acc.log
>
> user = DEFAULT {
> #service = ppp protocol = lcp { idletime = 15 }
> #service = ppp protocol = ip {}
> #pap = PAM
> #maxsess = 2
> member = DEFAULT
> }
>
> group = DEFAULT {
> service = ppp protocol = ip {}
> pap = PAM
> #maxsess = 2
> }
>
>
> root at ns02:/usr/local/src/tac_plus_v9a#
>
>
>
> john heasley wrote:
>> Tue, Sep 22, 2009 at 03:26:34PM -0800, Jason Jeremias:
>>
>>> I downloaded the latest tac_plus software but I can't seem to get pap =
>>> PAM to work is this possible? I need to authenticate ppp uses against pam.
>>>
>>
>> did you make any effort to use daemon debugging options to debug the
>> problem that you'd like to mention?
>>
>

From mlevy at mrv.com Wed Sep 23 14:49:55 2009
From: mlevy at mrv.com (Moran Levy)
Date: Wed, 23 Sep 2009 17:49:55 +0300
Subject: [tac_plus] tac_plus ascii authentication
In-Reply-To: <4AB96BAF.8080809@uui-alaska.com>
References: <4AB95D2A.2070600@uui-alaska.com> <20090923002035.GS8353@shrubbery.net> <4AB96B46.3090502@uui-alaska.com> <4AB96BAF.8080809@uui-alaska.com>
Message-ID: <685D66DF6DB563459D23ECD8B30C73A401BF87E1@zeus.yok.int.mrv.com>

Hi,

I'm trying to establish the ASCII type authentication (rather than the PAP one...). How can it be done?

Ps
I, too, use the latest tac_plus ver...

Thanks, Moran.

From heas at shrubbery.net Wed Sep 23 15:04:38 2009
From: heas at shrubbery.net (john heasley)
Date: Wed, 23 Sep 2009 15:04:38 +0000
Subject: [tac_plus] Re: PAM support via PAP??
In-Reply-To: <4AB96BAF.8080809@uui-alaska.com>
References: <4AB95D2A.2070600@uui-alaska.com> <20090923002035.GS8353@shrubbery.net> <4AB96B46.3090502@uui-alaska.com> <4AB96BAF.8080809@uui-alaska.com>
Message-ID: <20090923150438.GC29687@shrubbery.net>

Tue, Sep 22, 2009 at 04:28:31PM -0800, Jason Jeremias:
> Oh also I removed all the comments from the config file that's why its
> referencing line 50. It looks to me like it just doesn't like the pap
> = PAM, if I switch to login = PAM it works fine.

Bad memory; pap auth currently only supports cleartext. Glancing at the code, there is no reason it couldn't be added, it just has to be coded.

> -J
>
> Jason Jeremias wrote:
>> When I run it I get.
>> root at ns02:/usr/local/src/tac_plus_v9a# /usr/local/bin/tac_plus -C >> /etc/tacacs/tac_plus.cfg -d 16 >> Error: expecting 'cleartext', or 'des' keyword after 'pap =' on line 50 >> >> So to check that I have pam I did a: >> root at ns02:/usr/local/src/tac_plus_v9a# /usr/local/bin/tac_plus -v >> tac_plus version F4.0.4.19 >> ACLS >> FIONBIO >> LIBWRAP >> LINUX >> LITTLE_ENDIAN >> LOG_DAEMON >> PAM >> NO_PWAGE >> REAPCHILD >> RETSIGTYPE RETSIGTYPE >> SHADOW_PASSWORDS >> SIGTSTP >> SIGTTIN >> SIGTTOU >> SO_REUSEADDR >> STRERROR >> TAC_PLUS_PORT >> UENABLE >> __STDC__ >> >> This told me that I do indeed have PAM compiled in. >> >> >> Here's my config file. >> root at ns02:/usr/local/src/tac_plus_v9a# cat /etc/tacacs/tac_plus.cfg >> >> key = testing12345 >> >> # Now tacacs+ also use default PAM authentication >> #default authentication = pap PAM >> >> # Accounting records log file >> >> accounting file = /var/log/tac_acc.log >> >> user = DEFAULT { >> #service = ppp protocol = lcp { idletime = 15 } >> #service = ppp protocol = ip {} >> #pap = PAM >> #maxsess = 2 >> member = DEFAULT >> } >> >> group = DEFAULT { >> service = ppp protocol = ip {} >> pap = PAM >> #maxsess = 2 >> } >> >> >> root at ns02:/usr/local/src/tac_plus_v9a# >> >> >> >> john heasley wrote: >>> Tue, Sep 22, 2009 at 03:26:34PM -0800, Jason Jeremias: >>> >>>> I downloaded the latest tac_plus software but I can't seem to get >>>> pap = PAM to work is this possible? I need to authenticate ppp >>>> uses against pam. >>>> >>> >>> did you make any effort to use daemon debugging options to debug the >>> problem that you'd like to mention? 
From heas at shrubbery.net Wed Sep 23 15:05:15 2009
From: heas at shrubbery.net (john heasley)
Date: Wed, 23 Sep 2009 15:05:15 +0000
Subject: [tac_plus] Re: tac_plus ascii authentication
In-Reply-To: <685D66DF6DB563459D23ECD8B30C73A401BF87E1@zeus.yok.int.mrv.com>
References: <4AB95D2A.2070600@uui-alaska.com> <20090923002035.GS8353@shrubbery.net> <4AB96B46.3090502@uui-alaska.com> <4AB96BAF.8080809@uui-alaska.com> <685D66DF6DB563459D23ECD8B30C73A401BF87E1@zeus.yok.int.mrv.com>
Message-ID: <20090923150515.GD29687@shrubbery.net>

Wed, Sep 23, 2009 at 05:49:55PM +0300, Moran Levy:
> Hi,
> I'm trying to establish the ASCII type authentication (rather than the
> PAP one...).
> How can it be done?

That's called cleartext. See tac_plus.conf(5).

> Ps
> I, too, use the latest tac_plus ver...
>
> Thanks, Moran.

From dan.schmidt at uplinkdata.com Wed Sep 23 14:42:57 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Wed, 23 Sep 2009 08:42:57 -0600
Subject: [tac_plus] Re: libtacacs.so.1 Error
In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BC70DDE1@che-exch-003.uplinkdata.com>
References: <05CC562AFB5A9446A1BC3F66AD04A3BC70DDDC@che-exch-003.uplinkdata.com> <8880F107-6145-4A5C-96E1-E581D8B92966@corp.aol.com> <05CC562AFB5A9446A1BC3F66AD04A3BC70DDE1@che-exch-003.uplinkdata.com>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC70DE40@che-exch-003.uplinkdata.com>

ldconfig -v worked without any modifications. However, I'm also curious why it doesn't link right.

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Schmidt, Daniel
Sent: Wednesday, September 16, 2009 12:02 PM
To: Mark Ellzey Thomas
Cc: tac_plus at shrubbery.net
Subject: [tac_plus] Re: libtacacs.so.1 Error

Already there, it appears.
    dans at dan-laptop:/etc/ld.so.conf.d$ cat /etc/ld.so.conf
    include /etc/ld.so.conf.d/*.conf

    dans at dan-laptop:/etc/ld.so.conf.d$ cat /etc/ld.so.conf.d/libc.conf
    # libc default configuration
    /usr/local/lib
    dans at dan-laptop:/etc/ld.so.conf.d$

-----Original Message-----
From: Mark Ellzey Thomas [mailto:mark.thomas at corp.aol.com]
Sent: Wednesday, September 16, 2009 11:55 AM
To: Schmidt, Daniel
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] libtacacs.so.1 Error

By default libtacacs is installed in /usr/local/lib

If on linux just add the following to /etc/ld.so.conf:
/usr/local/lib

and run: sudo ldconfig

On Sep 16, 2009, at 1:22 PM, Schmidt, Daniel wrote:

> Anybody else getting this on the new version? 18 works fine.
>
> tac_plus: error while loading shared libraries: libtacacs.so.1: cannot
> open shared object file: No such file or directory
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From heas at shrubbery.net Wed Sep 23 15:08:41 2009
From: heas at shrubbery.net (john heasley)
Date: Wed, 23 Sep 2009 15:08:41 +0000
Subject: [tac_plus] Re: libtacacs.so.1 Error
In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BC70DE40@che-exch-003.uplinkdata.com>
References: <05CC562AFB5A9446A1BC3F66AD04A3BC70DDDC@che-exch-003.uplinkdata.com> <8880F107-6145-4A5C-96E1-E581D8B92966@corp.aol.com> <05CC562AFB5A9446A1BC3F66AD04A3BC70DDE1@che-exch-003.uplinkdata.com> <05CC562AFB5A9446A1BC3F66AD04A3BC70DE40@che-exch-003.uplinkdata.com>
Message-ID: <20090923150840.GF29687@shrubbery.net>

Wed, Sep 23, 2009 at 08:42:57AM -0600, Schmidt, Daniel:
> ldconfig -v worked without any modifications. However, I'm also curious
> why it doesn't link right.

I don't know; maybe there is something funny with ld.so.
Anyway, the autoconf/libtool bits need adjusting. Next week.

> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Schmidt, Daniel
> Sent: Wednesday, September 16, 2009 12:02 PM
> To: Mark Ellzey Thomas
> Cc: tac_plus at shrubbery.net
> Subject: [tac_plus] Re: libtacacs.so.1 Error
>
> Already there, it appears.
>
> dans at dan-laptop:/etc/ld.so.conf.d$ cat /etc/ld.so.conf
> include /etc/ld.so.conf.d/*.conf
>
> dans at dan-laptop:/etc/ld.so.conf.d$ cat /etc/ld.so.conf.d/libc.conf
> # libc default configuration
> /usr/local/lib
> dans at dan-laptop:/etc/ld.so.conf.d$
>
> -----Original Message-----
> From: Mark Ellzey Thomas [mailto:mark.thomas at corp.aol.com]
> Sent: Wednesday, September 16, 2009 11:55 AM
> To: Schmidt, Daniel
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] libtacacs.so.1 Error
>
> By default libtacacs is installed in /usr/local/lib
>
> If on linux just add the following to /etc/ld.so.conf:
> /usr/local/lib
>
> and run: sudo ldconfig
>
> On Sep 16, 2009, at 1:22 PM, Schmidt, Daniel wrote:
>
> > Anybody else getting this on the new version? 18 works fine.
> >
> > tac_plus: error while loading shared libraries: libtacacs.so.1: cannot
> > open shared object file: No such file or directory
> >
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From pvdovets at gmail.com Wed Sep 23 15:28:02 2009
From: pvdovets at gmail.com (Paul Vdovets)
Date: Wed, 23 Sep 2009 11:28:02 -0400
Subject: [tac_plus] Re: PAM support via PAP??
In-Reply-To: <20090923150438.GC29687@shrubbery.net>
References: <4AB95D2A.2070600@uui-alaska.com> <20090923002035.GS8353@shrubbery.net> <4AB96B46.3090502@uui-alaska.com> <4AB96BAF.8080809@uui-alaska.com> <20090923150438.GC29687@shrubbery.net>
Message-ID: <8f9b69300909230828m1c09da07vae3d8242d0362df6@mail.gmail.com>

It also supports pap = des, so if you have to use pap you can at least crypt the hardcoded password in the config.

On Wed, Sep 23, 2009 at 11:04 AM, john heasley wrote:
> Tue, Sep 22, 2009 at 04:28:31PM -0800, Jason Jeremias:
> > Oh also I removed all the comments from the config file, that's why it's
> > referencing line 50. It looks to me like it just doesn't like the pap
> > = PAM; if I switch to login = PAM it works fine.
>
> Bad memory; pap auth currently only supports cleartext. Glancing at the
> code, there is no reason it couldn't be added, just has to be coded.
>
> > -J
> >
> > Jason Jeremias wrote:
> >> When I run it I get.
> >> root at ns02:/usr/local/src/tac_plus_v9a# /usr/local/bin/tac_plus -C
> >> /etc/tacacs/tac_plus.cfg -d 16
> >> Error: expecting 'cleartext', or 'des' keyword after 'pap =' on line 50
> >>
> >> So to check that I have pam I did a:
> >> root at ns02:/usr/local/src/tac_plus_v9a# /usr/local/bin/tac_plus -v
> >> tac_plus version F4.0.4.19
> >> ACLS
> >> FIONBIO
> >> LIBWRAP
> >> LINUX
> >> LITTLE_ENDIAN
> >> LOG_DAEMON
> >> PAM
> >> NO_PWAGE
> >> REAPCHILD
> >> RETSIGTYPE RETSIGTYPE
> >> SHADOW_PASSWORDS
> >> SIGTSTP
> >> SIGTTIN
> >> SIGTTOU
> >> SO_REUSEADDR
> >> STRERROR
> >> TAC_PLUS_PORT
> >> UENABLE
> >> __STDC__
> >>
> >> This told me that I do indeed have PAM compiled in.
> >>
> >>
> >> Here's my config file.
> >> root at ns02:/usr/local/src/tac_plus_v9a# cat /etc/tacacs/tac_plus.cfg
> >>
> >> key = testing12345
> >>
> >> # Now tacacs+ also use default PAM authentication
> >> #default authentication = pap PAM
> >>
> >> # Accounting records log file
> >>
> >> accounting file = /var/log/tac_acc.log
> >>
> >> user = DEFAULT {
> >> #service = ppp protocol = lcp { idletime = 15 }
> >> #service = ppp protocol = ip {}
> >> #pap = PAM
> >> #maxsess = 2
> >> member = DEFAULT
> >> }
> >>
> >> group = DEFAULT {
> >> service = ppp protocol = ip {}
> >> pap = PAM
> >> #maxsess = 2
> >> }
> >>
> >>
> >> root at ns02:/usr/local/src/tac_plus_v9a#
> >>
> >>
> >>
> >> john heasley wrote:
> >>> Tue, Sep 22, 2009 at 03:26:34PM -0800, Jason Jeremias:
> >>>
> >>>> I downloaded the latest tac_plus software but I can't seem to get
> >>>> pap = PAM to work; is this possible? I need to authenticate ppp
> >>>> users against pam.
> >>>>
> >>>
> >>> did you make any effort to use daemon debugging options to debug the
> >>> problem that you'd like to mention?
> >>>
> >>
> >
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>

--
Paul Vdovets
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20090923/45d53539/attachment.html

From dan.schmidt at uplinkdata.com Fri Sep 25 16:29:50 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Fri, 25 Sep 2009 10:29:50 -0600
Subject: [tac_plus] Re: PAM support via PAP??
In-Reply-To: <8f9b69300909230828m1c09da07vae3d8242d0362df6@mail.gmail.com>
References: <4AB95D2A.2070600@uui-alaska.com> <20090923002035.GS8353@shrubbery.net> <4AB96B46.3090502@uui-alaska.com> <4AB96BAF.8080809@uui-alaska.com> <20090923150438.GC29687@shrubbery.net> <8f9b69300909230828m1c09da07vae3d8242d0362df6@mail.gmail.com>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC70DE57@che-exch-003.uplinkdata.com>

Yes, because it makes perfect sense to encrypt the password in your config when you are using an insecure, clear text protocol like Pam instead of Chap. :-P

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Paul Vdovets
Sent: Wednesday, September 23, 2009 9:28 AM
To: john heasley
Cc: Jason Jeremias; tac_plus at shrubbery.net
Subject: [tac_plus] Re: PAM support via PAP??

It also supports pap = des, so if you have to use pap you can at least crypt the hardcoded password in the config.

On Wed, Sep 23, 2009 at 11:04 AM, john heasley wrote:
> Tue, Sep 22, 2009 at 04:28:31PM -0800, Jason Jeremias:
> > Oh also I removed all the comments from the config file, that's why it's
> > referencing line 50. It looks to me like it just doesn't like the pap
> > = PAM; if I switch to login = PAM it works fine.
>
> Bad memory; pap auth currently only supports cleartext. Glancing at the
> code, there is no reason it couldn't be added, just has to be coded.
>
> > -J
> >
> > Jason Jeremias wrote:
> >> When I run it I get.
> >> root at ns02:/usr/local/src/tac_plus_v9a# /usr/local/bin/tac_plus -C
> >> /etc/tacacs/tac_plus.cfg -d 16
> >> Error: expecting 'cleartext', or 'des' keyword after 'pap =' on line 50
> >>
> >> So to check that I have pam I did a:
> >> root at ns02:/usr/local/src/tac_plus_v9a# /usr/local/bin/tac_plus -v
> >> tac_plus version F4.0.4.19
> >> ACLS
> >> FIONBIO
> >> LIBWRAP
> >> LINUX
> >> LITTLE_ENDIAN
> >> LOG_DAEMON
> >> PAM
> >> NO_PWAGE
> >> REAPCHILD
> >> RETSIGTYPE RETSIGTYPE
> >> SHADOW_PASSWORDS
> >> SIGTSTP
> >> SIGTTIN
> >> SIGTTOU
> >> SO_REUSEADDR
> >> STRERROR
> >> TAC_PLUS_PORT
> >> UENABLE
> >> __STDC__
> >>
> >> This told me that I do indeed have PAM compiled in.
> >>
> >>
> >> Here's my config file.
> >> root at ns02:/usr/local/src/tac_plus_v9a# cat /etc/tacacs/tac_plus.cfg
> >>
> >> key = testing12345
> >>
> >> # Now tacacs+ also use default PAM authentication
> >> #default authentication = pap PAM
> >>
> >> # Accounting records log file
> >>
> >> accounting file = /var/log/tac_acc.log
> >>
> >> user = DEFAULT {
> >> #service = ppp protocol = lcp { idletime = 15 }
> >> #service = ppp protocol = ip {}
> >> #pap = PAM
> >> #maxsess = 2
> >> member = DEFAULT
> >> }
> >>
> >> group = DEFAULT {
> >> service = ppp protocol = ip {}
> >> pap = PAM
> >> #maxsess = 2
> >> }
> >>
> >>
> >> root at ns02:/usr/local/src/tac_plus_v9a#
> >>
> >>
> >>
> >> john heasley wrote:
> >>> Tue, Sep 22, 2009 at 03:26:34PM -0800, Jason Jeremias:
> >>>
> >>>> I downloaded the latest tac_plus software but I can't seem to get
> >>>> pap = PAM to work; is this possible? I need to authenticate ppp
> >>>> users against pam.
> >>>>
> >>>
> >>> did you make any effort to use daemon debugging options to debug the
> >>> problem that you'd like to mention?
> >>>
> >>
> >
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>

--
Paul Vdovets
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20090923/45d53539/attachment.html
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From dan.schmidt at uplinkdata.com Fri Sep 25 16:30:41 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Fri, 25 Sep 2009 10:30:41 -0600
Subject: [tac_plus] Re: PAM support via PAP??
References: <4AB95D2A.2070600@uui-alaska.com> <20090923002035.GS8353@shrubbery.net> <4AB96B46.3090502@uui-alaska.com> <4AB96BAF.8080809@uui-alaska.com> <20090923150438.GC29687@shrubbery.net> <8f9b69300909230828m1c09da07vae3d8242d0362df6@mail.gmail.com>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC70DE58@che-exch-003.uplinkdata.com>

Whoops! pap instead of chap, I mean.

-----Original Message-----
From: Schmidt, Daniel
Sent: Friday, September 25, 2009 10:30 AM
To: 'Paul Vdovets'; john heasley
Cc: Jason Jeremias; tac_plus at shrubbery.net
Subject: RE: [tac_plus] Re: PAM support via PAP??

Yes, because it makes perfect sense to encrypt the password in your config when you are using an insecure, clear text protocol like Pam instead of Chap. :-P

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Paul Vdovets
Sent: Wednesday, September 23, 2009 9:28 AM
To: john heasley
Cc: Jason Jeremias; tac_plus at shrubbery.net
Subject: [tac_plus] Re: PAM support via PAP??

It also supports pap = des, so if you have to use pap you can at least crypt the hardcoded password in the config.

On Wed, Sep 23, 2009 at 11:04 AM, john heasley wrote:
> Tue, Sep 22, 2009 at 04:28:31PM -0800, Jason Jeremias:
> > Oh also I removed all the comments from the config file, that's why it's
> > referencing line 50. It looks to me like it just doesn't like the pap
> > = PAM; if I switch to login = PAM it works fine.
>
> Bad memory; pap auth currently only supports cleartext. Glancing at the
> code, there is no reason it couldn't be added, just has to be coded.
>
> > -J
> >
> > Jason Jeremias wrote:
> >> When I run it I get.
> >> root at ns02:/usr/local/src/tac_plus_v9a# /usr/local/bin/tac_plus -C
> >> /etc/tacacs/tac_plus.cfg -d 16
> >> Error: expecting 'cleartext', or 'des' keyword after 'pap =' on line 50
> >>
> >> So to check that I have pam I did a:
> >> root at ns02:/usr/local/src/tac_plus_v9a# /usr/local/bin/tac_plus -v
> >> tac_plus version F4.0.4.19
> >> ACLS
> >> FIONBIO
> >> LIBWRAP
> >> LINUX
> >> LITTLE_ENDIAN
> >> LOG_DAEMON
> >> PAM
> >> NO_PWAGE
> >> REAPCHILD
> >> RETSIGTYPE RETSIGTYPE
> >> SHADOW_PASSWORDS
> >> SIGTSTP
> >> SIGTTIN
> >> SIGTTOU
> >> SO_REUSEADDR
> >> STRERROR
> >> TAC_PLUS_PORT
> >> UENABLE
> >> __STDC__
> >>
> >> This told me that I do indeed have PAM compiled in.
> >>
> >>
> >> Here's my config file.
> >> root at ns02:/usr/local/src/tac_plus_v9a# cat /etc/tacacs/tac_plus.cfg
> >>
> >> key = testing12345
> >>
> >> # Now tacacs+ also use default PAM authentication
> >> #default authentication = pap PAM
> >>
> >> # Accounting records log file
> >>
> >> accounting file = /var/log/tac_acc.log
> >>
> >> user = DEFAULT {
> >> #service = ppp protocol = lcp { idletime = 15 }
> >> #service = ppp protocol = ip {}
> >> #pap = PAM
> >> #maxsess = 2
> >> member = DEFAULT
> >> }
> >>
> >> group = DEFAULT {
> >> service = ppp protocol = ip {}
> >> pap = PAM
> >> #maxsess = 2
> >> }
> >>
> >>
> >> root at ns02:/usr/local/src/tac_plus_v9a#
> >>
> >>
> >>
> >> john heasley wrote:
> >>> Tue, Sep 22, 2009 at 03:26:34PM -0800, Jason Jeremias:
> >>>
> >>>> I downloaded the latest tac_plus software but I can't seem to get
> >>>> pap = PAM to work; is this possible? I need to authenticate ppp
> >>>> users against pam.
> >>>>
> >>>
> >>> did you make any effort to use daemon debugging options to debug the
> >>> problem that you'd like to mention?
> >>>
> >>
> >
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>

--
Paul Vdovets
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20090923/45d53539/attachment.html
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
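The libtacacs.so.1 thread above ends with the real diagnosis: /usr/local/lib was already in /etc/ld.so.conf.d/libc.conf, so the loader's cache was simply stale until ldconfig was re-run. The following is an added example (not part of tac_plus or of any message in the thread) that turns those hand checks into a script: it parses an ld.so.conf-style file following "include" globs the way glibc's ldconfig does, tells you whether the library's directory is on the search path at all, and compares the library's mtime with ld.so.cache to separate "add the directory" from "just run ldconfig". It also flags search-path directories that are world-writable, since a root daemon such as tac_plus loading from one would let any local user plant a replacement library. Paths are parameters; run_demo() builds a throwaway fixture (constructed data) rather than touching the real /etc.

```python
"""Diagnose "cannot open shared object file" for an installed library.

Added example, not tac_plus code. Reads an ld.so.conf-style file (expanding
"include" globs as glibc's ldconfig does), checks whether the library's
directory is on the search path, and compares the library's mtime with
ld.so.cache to catch a cache that predates the install. Also flags
world-writable search-path directories (library-planting risk for a root
daemon). The fixture in run_demo() is constructed data.
"""
import glob
import os
import shutil
import stat
import tempfile
import time

DEFAULT_DIRS = ("/lib", "/usr/lib")  # glibc's built-in trusted dirs (assumed)


def search_dirs(conf_path):
    """Directories listed in conf_path, following 'include' lines.

    Relative include globs resolve against the including file's directory,
    as ldconfig does. Comments and blanks are skipped; order is kept.
    """
    dirs, seen = [], set()

    def walk(path):
        base = os.path.dirname(path)
        with open(path) as fh:
            for raw in fh:
                line = raw.split("#", 1)[0].strip()
                if not line:
                    continue
                if line.startswith("include "):
                    pattern = line[len("include "):].strip()
                    if not os.path.isabs(pattern):
                        pattern = os.path.join(base, pattern)
                    for inc in sorted(glob.glob(pattern)):
                        walk(inc)
                elif line not in seen:
                    seen.add(line)
                    dirs.append(line)

    walk(conf_path)
    return dirs


def world_writable_dirs(dirs):
    """Search-path directories any local user could drop a library into."""
    bad = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        mode = os.stat(d).st_mode
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            bad.append(d)
    return bad


def diagnose(lib_path, conf_path, cache_path, extra_dirs=DEFAULT_DIRS):
    """Why the loader might not find lib_path: 'missing', 'not-in-path'
    (add the dir to ld.so.conf, then ldconfig), 'stale-cache' (config is
    fine, just run ldconfig) or 'ok'."""
    if not os.path.exists(lib_path):
        return "missing"
    lib_dir = os.path.normpath(os.path.dirname(lib_path))
    on_path = {os.path.normpath(d) for d in search_dirs(conf_path) + list(extra_dirs)}
    if lib_dir not in on_path:
        return "not-in-path"
    if (not os.path.exists(cache_path)
            or os.stat(cache_path).st_mtime < os.stat(lib_path).st_mtime):
        return "stale-cache"
    return "ok"


def run_demo():
    """Constructed fixture mirroring the thread: ld.so.conf including
    ld.so.conf.d/*.conf, libc.conf listing <root>/usr/local/lib, a freshly
    installed libtacacs.so.1 there, and an ld.so.cache older than it."""
    root = tempfile.mkdtemp(prefix="ldso-demo-")
    try:
        conf_d = os.path.join(root, "ld.so.conf.d")
        local_lib = os.path.join(root, "usr", "local", "lib")
        opt_lib = os.path.join(root, "opt", "lib")
        for d in (conf_d, local_lib, opt_lib):
            os.makedirs(d)
        conf = os.path.join(root, "ld.so.conf")
        with open(conf, "w") as fh:
            fh.write("include ld.so.conf.d/*.conf\n")
        with open(os.path.join(conf_d, "libc.conf"), "w") as fh:
            fh.write("# libc default configuration\n%s\n" % local_lib)
        cache = os.path.join(root, "ld.so.cache")
        lib = os.path.join(local_lib, "libtacacs.so.1")
        stray = os.path.join(opt_lib, "libtacacs.so.1")  # installed off-path
        for f in (cache, lib, stray):
            open(f, "w").close()
        now = time.time()
        os.utime(cache, (now - 600, now - 600))  # cache predates 'make install'
        os.utime(lib, (now, now))
        out = {"dirs": search_dirs(conf)}
        out["stale"] = diagnose(lib, conf, cache, extra_dirs=())
        os.utime(cache, (now + 5, now + 5))      # as if ldconfig just ran
        out["fresh"] = diagnose(lib, conf, cache, extra_dirs=())
        out["stray"] = diagnose(stray, conf, cache, extra_dirs=())
        os.chmod(local_lib, 0o777)                # the library-planting case
        out["writable"] = world_writable_dirs(out["dirs"])
        return out
    finally:
        shutil.rmtree(root)
```

Against a real host, call diagnose("/usr/local/lib/libtacacs.so.1", "/etc/ld.so.conf", "/etc/ld.so.cache") as the user that runs tac_plus; "stale-cache" is the thread's situation, and anything in world_writable_dirs(search_dirs("/etc/ld.so.conf")) deserves a chmod before the daemon is started.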
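The PAP/PAM thread above turns on a point that Paul's and Dan's messages only gesture at: the form in which the server config can hold a password depends on the PPP authentication protocol. PAP carries the peer's password over the link in the clear, so the server can check it against a one-way hash (the "pap = des" storage the thread mentions); CHAP carries only a digest of a server-chosen challenge, so the server must hold the plaintext secret and a hash of it is useless. The two therefore protect against different readers: hashed PAP credentials against whoever reads the config, CHAP against whoever reads the link. The following is an added example, not tac_plus code and not from any message in the thread, that runs both exchanges side by side. Assumptions: the USERS table and the exchange helpers are illustrative stand-ins for tac_plus.conf entries; the CHAP response is computed as RFC 1994 specifies (MD5 over identifier, secret, challenge); and the PAP hash uses salted SHA-256 via hashlib in place of crypt(3) DES so that it runs on any current Python.

```python
"""PAP versus CHAP and what each lets the server config store.

Added example, not tac_plus code. USERS and the exchange helpers are
illustrative; the PAP hash substitutes salted SHA-256 for crypt(3) DES.
"""
import hashlib
import hmac
import os


def pap_store(password, salt=None):
    """One-way hash for config storage: '<salt>$<hex sha256(salt||pw)>'."""
    salt = salt or os.urandom(8).hex()
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


def pap_verify(stored, password):
    """Recompute the salted hash and compare in constant time."""
    salt, digest = stored.split("$", 1)
    calc = hashlib.sha256((salt + password).encode()).hexdigest()
    return hmac.compare_digest(calc, digest)


def chap_response(ident, secret, challenge):
    """RFC 1994 section 4.1: MD5 over Identifier || Secret || Challenge."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def chap_verify(ident, stored_secret, challenge, response):
    """The server needs the plaintext secret to recompute the response."""
    return hmac.compare_digest(chap_response(ident, stored_secret, challenge), response)


# Constructed user table standing in for tac_plus.conf entries (hypothetical
# user and secrets): "pap_hash" is what hashed storage gives you for PAP,
# while CHAP leaves no option but keeping the plaintext secret.
USERS = {
    "joe": {"pap_hash": pap_store("pw-joe", salt="deadbeef"),
            "chap_secret": "s3cret-joe"},
}


def pap_exchange(user, password):
    """Client sends user and password; server checks against the stored hash.
    Returns (what crossed the link, accepted)."""
    on_wire = {"user": user, "password": password}  # readable by any sniffer
    rec = USERS.get(user)
    ok = rec is not None and pap_verify(rec["pap_hash"], password)
    return on_wire, ok


def chap_exchange(user, client_secret):
    """Server challenges; client answers with the MD5 response. The secret
    never crosses the link, but the server must hold it in clear."""
    ident, challenge = 7, os.urandom(16)
    response = chap_response(ident, client_secret, challenge)
    on_wire = {"user": user, "id": ident,
               "challenge": challenge.hex(), "response": response.hex()}
    rec = USERS.get(user)
    ok = rec is not None and chap_verify(ident, rec["chap_secret"], challenge, response)
    return on_wire, ok


def config_leak_gives_login():
    """What someone who only read the server config can do with each entry."""
    stolen = USERS["joe"]
    return {
        "pap": pap_exchange("joe", stolen["pap_hash"])[1],      # hash is not the password
        "chap": chap_exchange("joe", stolen["chap_secret"])[1],  # secret is enough
    }
```

config_leak_gives_login() is the trade-off in one call: a stolen PAP hash does not log in, a stolen CHAP secret does, while pap_exchange() shows the password itself sitting on the wire. That is why "pap = des" is worth having even though PAP is a cleartext protocol; it closes the config-disclosure path, not the sniffing one.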