From JMuhunthan at OneCommunications.com Wed Dec 1 20:22:26 2010
From: JMuhunthan at OneCommunications.com (Muhunthan, Jay)
Date: Wed, 1 Dec 2010 15:22:26 -0500
Subject: [tac_plus] shrubbery tacacs+-F4.0.4.15
Message-ID: <361401D5435C644B8D7BFAFC1538EBC8044AC8E3@walma-exch01.ad.choiceonecom.com>

Folks,

Is it possible to have a user part of multiple groups?

For example,

user = tom {
    acl = ACL
    login = file /etc/tacacs/tacacs_passwd
    member = LEVEL-1
}

The above shows the user is member of LEVEL-1 can we do something like this

user = tom {
    acl = ACL
    login = file /etc/tacacs/tacacs_passwd
    member = LEVEL-1| LEVEL-2
}

Any help will be greatly appreciated.

Thanks

Jay....

From alan.mckinnon at gmail.com Wed Dec 1 21:59:33 2010
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Wed, 1 Dec 2010 23:59:33 +0200
Subject: [tac_plus] shrubbery tacacs+-F4.0.4.15
In-Reply-To: <361401D5435C644B8D7BFAFC1538EBC8044AC8E3@walma-exch01.ad.choiceonecom.com>
References: <361401D5435C644B8D7BFAFC1538EBC8044AC8E3@walma-exch01.ad.choiceonecom.com>
Message-ID: <201012012359.34959.alan.mckinnon@gmail.com>

Apparently, though unproven, at 22:22 on Wednesday 01 December 2010,
Muhunthan, Jay did opine thusly:

> Folks,
>
> Is it possible to have a user part of multiple groups?

No.

> For example,

This has been covered quite extensively in many threads just this past year,
please check the mailing list archives as the current status has been
documented here quite clearly several times.

You can easily find with the help of Google a patch set written by Gabor that
apparently works as long as one stays within reasonable bounds (such as
avoiding conflicting command configs). That patchset is not wrong, the subject
itself is vastly more complex than at first appears.

The easiest solution is usually to run two instances of tac_plus.

> user = tom {
>     acl = ACL
>     login = file /etc/tacacs/tacacs_passwd
>     member = LEVEL-1
> }
>
> The above shows the user is member of LEVEL-1 can we do something like
> this
>
> user = tom {
>     acl = ACL
>     login = file /etc/tacacs/tacacs_passwd
>     member = LEVEL-1| LEVEL-2
> }
>
> Any help will be greatly appreciated.
>
> Thanks
>
> Jay....
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

--
alan dot mckinnon at gmail dot com

From heas at shrubbery.net Wed Dec 1 22:03:00 2010
From: heas at shrubbery.net (john heasley)
Date: Wed, 1 Dec 2010 22:03:00 +0000
Subject: [tac_plus] shrubbery tacacs+-F4.0.4.15
In-Reply-To: <201012012359.34959.alan.mckinnon@gmail.com>
References: <361401D5435C644B8D7BFAFC1538EBC8044AC8E3@walma-exch01.ad.choiceonecom.com> <201012012359.34959.alan.mckinnon@gmail.com>
Message-ID: <20101201220300.GE26797@shrubbery.net>

Wed, Dec 01, 2010 at 11:59:33PM +0200, Alan McKinnon:
> Apparently, though unproven, at 22:22 on Wednesday 01 December 2010,
> Muhunthan, Jay did opine thusly:
>
> > Folks,
> >
> > Is it possible to have a user part of multiple groups?
>
> No.
>
> > For example,
>
> This has been covered quite extensively in many threads just this past year,
> please check the mailing list archives as the current status has been
> documented here quite clearly several times.
>
> You can easily find with the help of Google a patch set written by Gabor that
> apparently works as long as one stays within reasonable bounds (such as

try Gabor's patch. i'm working to rewrite the config parser (made progress
over the US holiday); once that is done, i'll merge some form of Gabor's
hack.

> avoiding conflicting command configs). That patchset is not wrong, the subject
> itself is vastly more complex than at first appears.
>
> The easiest solution is usually to run two instances of tac_plus.
>
> > user = tom {
> >     acl = ACL
> >     login = file /etc/tacacs/tacacs_passwd
> >     member = LEVEL-1
> > }
> >
> > The above shows the user is member of LEVEL-1 can we do something like
> > this
> >
> > user = tom {
> >     acl = ACL
> >     login = file /etc/tacacs/tacacs_passwd
> >     member = LEVEL-1| LEVEL-2
> > }
> >
> > Any help will be greatly appreciated.
> >
> > Thanks
> >
> > Jay....
>
> --
> alan dot mckinnon at gmail dot com

From gary at gallan.co.uk Sat Dec 11 13:26:37 2010
From: gary at gallan.co.uk (Gary Allan)
Date: Sat, 11 Dec 2010 13:26:37 +0000
Subject: [tac_plus] patch to log the rem_addr of failed connection attempts
Message-ID: <4D037C0D.5080408@gallan.co.uk>

Hello,

I've attached a patch to log the rem_addr details of failed connection
attempts. The patch is against tacacs+-F4.0.4.19.tar.gz. Please feel free to
include in tacacs+.

connect from 10.100.0.254 [10.100.0.254]
login failure: baduser 10.100.0.254 (10.100.0.254) tty2 (192.168.1.1)

Regards
Gary

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: log_rem_addr.diff

From gary at gallan.co.uk Sat Dec 11 20:55:56 2010
From: gary at gallan.co.uk (Gary Allan)
Date: Sat, 11 Dec 2010 20:55:56 +0000
Subject: [tac_plus] Patch to add crypt_md5 password support to tac_plus
Message-ID: <4D03E55C.2010403@gallan.co.uk>

Hello,

The attached patch adds crypt_md5 support to tacacs+-F4.0.4.19. Please feel
free to review, test and include in tac_plus. Any feedback would be welcome. A
./configure is required after applying the patch.

Gary

#
# Example config
# All passwords are "1234"
#
# md5 hashes can be generated by tac_pwd -m
# or copied from Cisco configs.
#

key = 1234

user = testuser {
    login = md5 $1$p2KX$UDm4AQrvrq9ockzoQ6h0o1
    enable = md5 $1$p2KX$UDm4AQrvrq9ockzoQ6h0o1
}

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: crypt_md5_support.diff

From kissg at ssg.ki.iif.hu Sun Dec 12 06:25:53 2010
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Sun, 12 Dec 2010 07:25:53 +0100 (CET)
Subject: [tac_plus] Patch to add crypt_md5 password support to tac_plus
In-Reply-To: <4D03E55C.2010403@gallan.co.uk>
References: <4D03E55C.2010403@gallan.co.uk>
Message-ID:

> The attached patch adds crypt_md5 support to tacacs+-F4.0.4.19. Please feel
> free to review, test and include in tac_plus. Any feedback would be welcome. A
> ./configure is required after applying the patch.

> user = testuser {
>     login = md5 $1$p2KX$UDm4AQrvrq9ockzoQ6h0o1
>     enable = md5 $1$p2KX$UDm4AQrvrq9ockzoQ6h0o1
> }

Note: this is unnecessary on Linux systems because OpenSSL libcrypt
transparently supports MD5 too. We use config like this:

login = des $1$aXXM6UaV$g.p5Yzi6mkLfmGhKKoo7z3

Blowfish is not tested but plausible. ($2$ prefix)

Gabor

--
No smoke, no drugs, no vindoze.

From alan.mckinnon at gmail.com Sun Dec 12 07:49:44 2010
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Sun, 12 Dec 2010 09:49:44 +0200
Subject: [tac_plus] Patch to add crypt_md5 password support to tac_plus
In-Reply-To:
References: <4D03E55C.2010403@gallan.co.uk>
Message-ID: <201012120949.45144.alan.mckinnon@gmail.com>

Apparently, though unproven, at 08:25 on Sunday 12 December 2010,
Kiss Gabor (Bitman) did opine thusly:

> > The attached patch adds crypt_md5 support to tacacs+-F4.0.4.19. Please
> > feel free to review, test and include in tac_plus. Any feedback would be
> > welcome. A ./configure is required after applying the patch.
> >
> > user = testuser {
> >     login = md5 $1$p2KX$UDm4AQrvrq9ockzoQ6h0o1
> >     enable = md5 $1$p2KX$UDm4AQrvrq9ockzoQ6h0o1
> > }
>
> Note: this is unnecessary on Linux systems because OpenSSL libcrypt
> transparently supports MD5 too. We use config like this:
>
> login = des $1$aXXM6UaV$g.p5Yzi6mkLfmGhKKoo7z3

It's supported in the same way on FreeBSD too if tac_plus was built correctly.

I use "openssl passwd -1" to generate an md5 hash, paste it into
tac_plus.conf, and it all just works.

--
alan dot mckinnon at gmail dot com

From yagneshdaveyagi at gmail.com Fri Dec 17 13:54:52 2010
From: yagneshdaveyagi at gmail.com (Yagnesh Dave)
Date: Fri, 17 Dec 2010 08:54:52 -0500
Subject: [tac_plus] tac_plus*** buffer overflow detected *** PROBLEM
Message-ID:

Hello,

I am trying to configure tacacs+-F4.0.4.19 for using it with Juniper for
authentication. I have done the configuration as given below for allow/deny
commands.

----------------------------------------------------------------------
service = junos-exec {
    allow-configuration = "(interfaces .* ethernet-switching .*)|(protocols ospf area)|(protocols ospf backup-spf-options)|(protocols ospf export)|(protocols ospf import)|(protocols ospf external-preference)|(routing-options static route)"
    deny-configuration = "(.* traceoptions)|(system)|(chassis)|(interfaces lo0)|(firewall)|(routing-options router-id)|(routing-options nonstop-routing)|(protocols bgp local-as)|(protocols mstp .*)|(protocols ospf disable)|(protocols ospf database-protection)"
    allow-commands = "(clear interfaces statistics .*)|(ping .*)|(traceroute .*)|(show log messages .*)"
    deny-commands = "(request)|(restart)|(start.*)|(test)|(clear .*)|(file)|(op)|(set)|(start)|(show system .*)|(edit)|(configure)"
}
----------------------------------------------------------------------

Now with this when i try to start the server it gives the below error,

----------------------------------------------------------------------
Starting TACACS+ Daemon: tac_plus*** buffer overflow detected ***: /opt/tac-plus/bin/tac_plus terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x50)[0xb76c0390]
/lib/tls/i686/cmov/libc.so.6(+0xe12ca)[0xb76bf2ca]
/lib/tls/i686/cmov/libc.so.6(+0xe05fa)[0xb76be5fa]
/opt/tac-plus/bin/tac_plus[0x804d287]
/opt/tac-plus/bin/tac_plus[0x804d4e8]
/opt/tac-plus/bin/tac_plus[0x804e886]
/opt/tac-plus/bin/tac_plus[0x804e8e8]
/opt/tac-plus/bin/tac_plus[0x8058f49]
/opt/tac-plus/bin/tac_plus[0x805949a]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0xb75f4bd6]
/opt/tac-plus/bin/tac_plus[0x8049ee1]
Aborted .
----------------------------------------------------------------------

Can anybody help me to overcome this problem?

Thanks in advance.

Yagnesh

From my007ms at yahoo.com Sun Dec 26 07:24:11 2010
From: my007ms at yahoo.com (MSamir)
Date: Sat, 25 Dec 2010 23:24:11 -0800 (PST)
Subject: [tac_plus] tac_plus*** buffer overflow detected *** PROBLEM
Message-ID: <884592.94683.qm@web110610.mail.gq1.yahoo.com>

hello Yagnesh,
i face the same problem did you solve it ?
it's happen when i have very long line i guess there is limit in config file parser
did you find work around ??

Thanks

From heas at shrubbery.net Sun Dec 26 18:06:20 2010
From: heas at shrubbery.net (john heasley)
Date: Sun, 26 Dec 2010 18:06:20 +0000
Subject: [tac_plus] tac_plus*** buffer overflow detected *** PROBLEM
In-Reply-To: <884592.94683.qm@web110610.mail.gq1.yahoo.com>
References: <884592.94683.qm@web110610.mail.gq1.yahoo.com>
Message-ID: <20101226180620.GB5102@shrubbery.net>

Sat, Dec 25, 2010 at 11:24:11PM -0800, MSamir:
> hello Yagnesh,
> i face the same problem did you solve it ?
> it's happen when i have very long line i guess there is limit in config file parser

the supplied config file works for me, so its something particular to your
system or build. supply a backtrace from the core file.

From heas at shrubbery.net Sun Dec 26 20:00:17 2010
From: heas at shrubbery.net (Heasley)
Date: Sun, 26 Dec 2010 12:00:17 -0800
Subject: [tac_plus] tac_plus*** buffer overflow detected *** PROBLEM
In-Reply-To: <249741.67848.qm@web110603.mail.gq1.yahoo.com>
References: <249741.67848.qm@web110603.mail.gq1.yahoo.com>
Message-ID: <992F09AB-113D-4BDA-BFC0-2D3404275D4F@shrubbery.net>

On Dec 26, 2010, at 10:56, MSamir wrote:

> The problem happen when i try to give read access to one group in all task group

Good info. Attach your full config to an email to me. And, provide the output
of bt from gdb -c corefile tacplusbinary. Might need to rebuild tacplus with
gcc -g to get a useful backtrace. The trace below looks like its in libx, but
thats not very useful.

>
> optional task = "r:route-policy,r:sbc,r:snmp,r:sonet-sdh,r:static,r:sysmgr,r:system,r:transport,r:tty-access,r:tunnel,r:vlan,r:vrrp,r:acl,r:admin,r:ancp,r:atm,rwxd:basic-services,r:bcdl,r:bfd,r:bgp,r:boot,r:bundle,r:cdp,r:cef,r:cgn,r:config-mgmt,r:config-services,r:crypto,r:diag,r:drivers,r:dwdm,r:eem,r:eigrp,r:ethernet-services,r:fabric,r:fault-mgr,r:filesystem,r:firewall,r:fr,r:hdlc,r:host-services,r:hsrp,r:interface,r:inventory,r:ip-services,r:ipv4,r:ipv6,r:isis,r:l2vpn,r:li,r:logging,r:lpts,r:monitor,r:mpls-ldp,r:mpls-static,r:mpls-te,r:multicast,r:netflow,r:network,r:ospf,r:ouni,r:pkg-mgmt,r:pos-dpt,r:ppp,r:qos,r:rib,r:rip,r:route-map"
>
> if i make line shorter it's start with no problem
> i try edit tac_plus.h and tacacs.h and change MAX_INPUT_LINE_LEN to be 2048 daemon start with no problem however
>
> show user tasks did not show the full list
>
> * Restarting TACACS+ authentication daemon tacacs+ *** buffer overflow detected ***: /usr/sbin/tac_plus terminated
> ======= Backtrace: =========
> /lib/libc.so.6(__fortify_fail+0x37)[0x7f6daf475217]
> /lib/libc.so.6(+0xfe0d0)[0x7f6daf4740d0]
> /lib/libc.so.6(+0xfcf87)[0x7f6daf472f87]
> /usr/sbin/tac_plus[0x405f41]
> /usr/sbin/tac_plus[0x405f5c]
> /usr/sbin/tac_plus[0x4061d7]
> /usr/sbin/tac_plus[0x407615]
> /usr/sbin/tac_plus[0x40767c]
> /usr/sbin/tac_plus[0x412ce4]
> /usr/sbin/tac_plus[0x413175]
> /lib/libc.so.6(__libc_start_main+0xfd)[0x7f6daf394c4d]
> /usr/sbin/tac_plus[0x402de9]
> Aborted
>
> --- On Sun, 12/26/10, john heasley wrote:
>
>> From: john heasley
>> Subject: Re: [tac_plus] tac_plus*** buffer overflow detected *** PROBLEM
>> To: "MSamir"
>> Cc: tac_plus at shrubbery.net
>> Date: Sunday, December 26, 2010, 1:06 PM
>> Sat, Dec 25, 2010 at 11:24:11PM -0800, MSamir:
>>> hello Yagnesh,
>>> i face the same problem did you solve it ?
>>> it's happen when i have very long line i guess there is limit in config file parser
>>
>> the supplied config file works for me, so its something particular to your
>> system or build. supply a backtrace from the core file.

From my007ms at yahoo.com Sun Dec 26 19:01:20 2010
From: my007ms at yahoo.com (MSamir)
Date: Sun, 26 Dec 2010 11:01:20 -0800 (PST)
Subject: [tac_plus] tac_plus*** buffer overflow detected *** PROBLEM
In-Reply-To: <20101226180620.GB5102@shrubbery.net>
Message-ID: <635483.39828.qm@web110606.mail.gq1.yahoo.com>

The problem happen when i try to give read access to one group in all task group

------------------------------------------------------------------
optional task = "r:route-policy,r:sbc,r:snmp,r:sonet-sdh,r:static,r:sysmgr,r:system,r:transport,r:tty-access,r:tunnel,r:vlan,r:vrrp,r:acl,r:admin,r:ancp,r:atm,rwxd:basic-services,r:bcdl,r:bfd,r:bgp,r:boot,r:bundle,r:cdp,r:cef,r:cgn,r:config-mgmt,r:config-services,r:crypto,r:diag,r:drivers,r:dwdm,r:eem,r:eigrp,r:ethernet-services,r:fabric,r:fault-mgr,r:filesystem,r:firewall,r:fr,r:hdlc,r:host-services,r:hsrp,r:interface,r:inventory,r:ip-services,r:ipv4,r:ipv6,r:isis,r:l2vpn,r:li,r:logging,r:lpts,r:monitor,r:mpls-ldp,r:mpls-static,r:mpls-te,r:multicast,r:netflow,r:network,r:ospf,r:ouni,r:pkg-mgmt,r:pos-dpt,r:ppp,r:qos,r:rib,r:rip,r:route-map"
------------------------------------------------------------------

if i make line shorter it's start with no problem
i try edit tac_plus.h and tacacs.h and change MAX_INPUT_LINE_LEN to be 2048 daemon start with no problem however

show user tasks did not show the full list

* Restarting TACACS+ authentication daemon tacacs+ *** buffer overflow detected ***: /usr/sbin/tac_plus terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f6daf475217]
/lib/libc.so.6(+0xfe0d0)[0x7f6daf4740d0]
/lib/libc.so.6(+0xfcf87)[0x7f6daf472f87]
/usr/sbin/tac_plus[0x405f41]
/usr/sbin/tac_plus[0x405f5c]
/usr/sbin/tac_plus[0x4061d7]
/usr/sbin/tac_plus[0x407615]
/usr/sbin/tac_plus[0x40767c]
/usr/sbin/tac_plus[0x412ce4]
/usr/sbin/tac_plus[0x413175]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f6daf394c4d]
/usr/sbin/tac_plus[0x402de9]
Aborted

--- On Sun, 12/26/10, john heasley wrote:

> From: john heasley
> Subject: Re: [tac_plus] tac_plus*** buffer overflow detected *** PROBLEM
> To: "MSamir"
> Cc: tac_plus at shrubbery.net
> Date: Sunday, December 26, 2010, 1:06 PM
> Sat, Dec 25, 2010 at 11:24:11PM -0800, MSamir:
> > hello Yagnesh,
> > i face the same problem did you solve it ?
> > it's happen when i have very long line i guess there is limit in config file parser
>
> the supplied config file works for me, so its something particular to your
> system or build. supply a backtrace from the core file.

From my007ms at yahoo.com Mon Dec 27 13:07:24 2010
From: my007ms at yahoo.com (MSamir)
Date: Mon, 27 Dec 2010 05:07:24 -0800 (PST)
Subject: [tac_plus] Skey librarry
In-Reply-To: <992F09AB-113D-4BDA-BFC0-2D3404275D4F@shrubbery.net>
Message-ID: <243236.24970.qm@web110601.mail.gq1.yahoo.com>

Hello,

is there trust website to download skey source code that work with shrubbery tacacs+.

Thanks
MSamir

From my007ms at yahoo.com Tue Dec 28 10:46:51 2010
From: my007ms at yahoo.com (MSamir)
Date: Tue, 28 Dec 2010 02:46:51 -0800 (PST)
Subject: [tac_plus] tac_plus*** buffer overflow detected *** PROBLEM
Message-ID: <395156.14876.qm@web110602.mail.gq1.yahoo.com>

I guess it's limitation by RFC

http://www.faqs.org/rfcs/rfc1492.html

"
In theory there are no line length limits. In practice, lines should
not exceed 255 characters (counting the and ) and probably
should be 80 characters or less.
"

however this is bad news as i need to have mover 255 per line

From heas at shrubbery.net Wed Dec 29 20:37:19 2010
From: heas at shrubbery.net (john heasley)
Date: Wed, 29 Dec 2010 20:37:19 +0000
Subject: [tac_plus] tac_plus*** buffer overflow detected *** PROBLEM
In-Reply-To: <395156.14876.qm@web110602.mail.gq1.yahoo.com>
References: <395156.14876.qm@web110602.mail.gq1.yahoo.com>
Message-ID: <20101229203719.GB11655@shrubbery.net>

Tue, Dec 28, 2010 at 02:46:51AM -0800, MSamir:
> I guess it's limitation by RFC
>
> http://www.faqs.org/rfcs/rfc1492.html
>
> "
> In theory there are no line length limits. In practice, lines should
> not exceed 255 characters (counting the and ) and probably
> should be 80 characters or less.
> "
>
> however this is bad news as i need to have mover 255 per line

"SHOULD" != "MUST". but, i still dont understand the problem you're having.

From heas at shrubbery.net Wed Dec 29 20:48:04 2010
From: heas at shrubbery.net (john heasley)
Date: Wed, 29 Dec 2010 20:48:04 +0000
Subject: [tac_plus] Skey librarry
In-Reply-To: <243236.24970.qm@web110601.mail.gq1.yahoo.com>
References: <992F09AB-113D-4BDA-BFC0-2D3404275D4F@shrubbery.net> <243236.24970.qm@web110601.mail.gq1.yahoo.com>
Message-ID: <20101229204804.GC11655@shrubbery.net>

Mon, Dec 27, 2010 at 05:07:24AM -0800, MSamir:
> Hello,
>
> is there trust website to download skey source code that work with shrubbery tacacs+.
>

ftp://ftp.netbsd.org/pub/pkgsrc/distfiles/skey-1.1.5.tar.bz2

From kissg at ssg.ki.iif.hu Wed Dec 29 20:58:22 2010
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Wed, 29 Dec 2010 21:58:22 +0100 (CET)
Subject: [tac_plus] tac_plus*** buffer overflow detected *** PROBLEM
In-Reply-To: <20101229203719.GB11655@shrubbery.net>
References: <395156.14876.qm@web110602.mail.gq1.yahoo.com> <20101229203719.GB11655@shrubbery.net>
Message-ID:

> "SHOULD" != "MUST". but, i still dont understand the problem you're having.

The problem:
Parser can read lines as long as 1024 chars, and no continuation
lines are allowed.
However IOS XR authorization model may require 2-3 kB long list of
user groups and permissions when logging in.

At this moment we have to configure a looooong list of reasonable
task groups into all ASR9000-s instead of sending it from
central authorization server.

Gabor

#sh user tasks
Wed Dec 29 21:55:08.935 MET
Task: aaa : READ WRITE EXECUTE DEBUG
Task: acl : READ WRITE EXECUTE DEBUG
Task: admin : READ WRITE EXECUTE DEBUG
Task: ancp : READ WRITE EXECUTE DEBUG
Task: atm : READ WRITE EXECUTE DEBUG
Task: basic-services : READ WRITE EXECUTE DEBUG
Task: bcdl : READ WRITE EXECUTE DEBUG
Task: bfd : READ WRITE EXECUTE DEBUG
Task: bgp : READ WRITE EXECUTE DEBUG
Task: boot : READ WRITE EXECUTE DEBUG
Task: bundle : READ WRITE EXECUTE DEBUG
Task: cdp : READ WRITE EXECUTE DEBUG
Task: cef : READ WRITE EXECUTE DEBUG
Task: cgn : READ WRITE EXECUTE DEBUG
Task: config-mgmt : READ WRITE EXECUTE DEBUG
Task: config-services : READ WRITE EXECUTE DEBUG
Task: crypto : READ WRITE EXECUTE DEBUG
Task: diag : READ WRITE EXECUTE DEBUG
Task: drivers : READ WRITE EXECUTE DEBUG
Task: dwdm : READ WRITE EXECUTE DEBUG
Task: eem : READ WRITE EXECUTE DEBUG
Task: eigrp : READ WRITE EXECUTE DEBUG
Task: ethernet-services : READ WRITE EXECUTE DEBUG
Task: ext-access : READ WRITE EXECUTE DEBUG
Task: fabric : READ WRITE EXECUTE DEBUG
Task: fault-mgr : READ WRITE EXECUTE DEBUG
Task: filesystem : READ WRITE EXECUTE DEBUG
Task: firewall : READ WRITE EXECUTE DEBUG
Task: fr : READ WRITE EXECUTE DEBUG
Task: hdlc : READ WRITE EXECUTE DEBUG
Task: host-services : READ WRITE EXECUTE DEBUG
Task: hsrp : READ WRITE EXECUTE DEBUG
Task: interface : READ WRITE EXECUTE DEBUG
Task: inventory : READ WRITE EXECUTE DEBUG
Task: ip-services : READ WRITE EXECUTE DEBUG
Task: ipv4 : READ WRITE EXECUTE DEBUG
Task: ipv6 : READ WRITE EXECUTE DEBUG
Task: isis : READ WRITE EXECUTE DEBUG
Task: l2vpn : READ WRITE EXECUTE DEBUG
Task: li : READ WRITE EXECUTE DEBUG
Task: logging : READ WRITE EXECUTE DEBUG
Task: lpts : READ WRITE EXECUTE DEBUG
Task: monitor : READ WRITE EXECUTE DEBUG
Task: mpls-ldp : READ WRITE EXECUTE DEBUG
Task: mpls-static : READ WRITE EXECUTE DEBUG
Task: mpls-te : READ WRITE EXECUTE DEBUG
Task: multicast : READ WRITE EXECUTE DEBUG
Task: netflow : READ WRITE EXECUTE DEBUG
Task: network : READ WRITE EXECUTE DEBUG
Task: ospf : READ WRITE EXECUTE DEBUG
Task: ouni : READ WRITE EXECUTE DEBUG
Task: pkg-mgmt : READ WRITE EXECUTE DEBUG
Task: pos-dpt : READ WRITE EXECUTE DEBUG
Task: ppp : READ WRITE EXECUTE DEBUG
Task: qos : READ WRITE EXECUTE DEBUG
Task: rib : READ WRITE EXECUTE DEBUG
Task: rip : READ WRITE EXECUTE DEBUG
Task: root-lr : READ WRITE EXECUTE DEBUG (reserved)
Task: root-system : READ WRITE EXECUTE DEBUG (reserved)
Task: route-map : READ WRITE EXECUTE DEBUG
Task: route-policy : READ WRITE EXECUTE DEBUG
Task: sbc : READ WRITE EXECUTE DEBUG
Task: snmp : READ WRITE EXECUTE DEBUG
Task: sonet-sdh : READ WRITE EXECUTE DEBUG
Task: static : READ WRITE EXECUTE DEBUG
Task: sysmgr : READ WRITE EXECUTE DEBUG
Task: system : READ WRITE EXECUTE DEBUG
Task: transport : READ WRITE EXECUTE DEBUG
Task: tty-access : READ WRITE EXECUTE DEBUG
Task: tunnel : READ WRITE EXECUTE DEBUG
Task: universal : READ WRITE EXECUTE DEBUG (reserved)
Task: vlan : READ WRITE EXECUTE DEBUG
Task: vrrp : READ WRITE EXECUTE DEBUG
#

--
A mug of beer, please. Shaken, not stirred.

From my007ms at yahoo.com Thu Dec 30 10:29:55 2010
From: my007ms at yahoo.com (MSamir)
Date: Thu, 30 Dec 2010 10:29:55 -0000
Subject: [tac_plus] tacacs+-F4.0.4.19 and skey-1.1.5 skeychalleng function difference in definition
Message-ID: <894448.43712.qm@web110611.mail.gq1.yahoo.com>

Hello,

I am trying to compile tacacs+ with skey support however there is difference
in definition of skeychallenge function.
Tacacs+ tries to pass 4 args to the function
=====================================================================
[root@TACACS tacacs+-F4.0.4.19]# grep skeychallenge skey_fn.c
if (skeychallenge(&p->skey, name, skeyprompt, 80) == 0) {
=====================================================================
while the function definition expects only 3 args
=====================================================================
[root@TACACS skey-1.1.5]# grep skeychallenge *.h
skey.h:int skeychallenge(struct skey * mp, char *name, char *ss);
=====================================================================

From my007ms at yahoo.com Thu Dec 30 10:37:19 2010
From: my007ms at yahoo.com (MSamir)
Date: Thu, 30 Dec 2010 10:37:19 -0000
Subject: [tac_plus] tac_plus*** buffer overflow detected *** PROBLEM
Message-ID: <256479.7036.qm@web110610.mail.gq1.yahoo.com>

This is exactly what I am trying to avoid. Sending task groups from the central authorization server (Tacacs+ in my case) would be better: you don't have to change the configuration on devices when you need to change a group role
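An added example, not part of the thread and not tac_plus code: a pre-flight check in C that reports configuration lines longer than the 1024-character parser limit described above, so an over-long IOS XR task list is caught before the daemon reads the file. The names find_long_lines and TAC_LINE_MAX are hypothetical, and counting the limit in characters before the newline is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Limit quoted in the thread. Assumption: it counts characters before the newline. */
#define TAC_LINE_MAX 1024

struct long_line { long lineno; size_t length; };

/* Record every line longer than `limit`. Lines are read in fixed-size chunks,
 * so an over-long line is measured piece by piece and never overruns chunk[].
 * Returns the number of offenders; the first `cap` are stored in out[]. */
size_t find_long_lines(FILE *fp, size_t limit, struct long_line *out, size_t cap)
{
    char chunk[256];
    size_t found = 0, len = 0;
    long lineno = 1;
    int partial = 0;              /* set while a line has no newline yet */

    while (fgets(chunk, sizeof chunk, fp) != NULL) {
        size_t n = strlen(chunk);
        int complete = n > 0 && chunk[n - 1] == '\n';
        len += complete ? n - 1 : n;
        partial = !complete;
        if (partial)
            continue;             /* the rest of this line is still unread */
        if (len > limit) {
            if (found < cap) out[found] = (struct long_line){ lineno, len };
            found++;
        }
        lineno++;
        len = 0;
    }
    if (partial && len > limit) { /* final line without a trailing newline */
        if (found < cap) out[found] = (struct long_line){ lineno, len };
        found++;
    }
    return found;
}

int main(int argc, char **argv)
{
    struct long_line hits[16];
    FILE *fp = argc > 1 ? fopen(argv[1], "r") : NULL;
    if (fp == NULL) { fprintf(stderr, "usage: %s <config-file>\n", argv[0]); return 2; }
    size_t n = find_long_lines(fp, TAC_LINE_MAX, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("line %ld: %zu chars\n", hits[i].lineno, hits[i].length);
    fclose(fp);
    return n ? 1 : 0;
}
```

Run against the configuration file before reloading the daemon; a non-zero exit status means at least one line exceeds the limit.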