From: kambiz at aghaiepour.com (Kambiz Aghaiepour)
Date: Wed, 08 Sep 2010 14:18:55 -0400
Subject: [tac_plus] possible minor bug in code in waitfor() ...
Message-ID: <4C87D38F.2020204@aghaiepour.com>

I noticed waitfor() in programs.c calls the report() function, but it seems
to use the unsupported %l format string. I wonder if those need to be %d
instead? There is a line in packet.c and two other places in tac_plus.c
where this happens as well.

Just wanted to check before making code changes to my local copy. I can
create a patch and submit it if you like.

Regards,
Kambiz

-- 
"All tyranny needs to gain a foothold is for people of
good conscience to remain silent." --Thomas Jefferson


From: heas at shrubbery.net (john heasley)
Date: Wed, 8 Sep 2010 13:13:31 -0700
Subject: [tac_plus] possible minor bug in code in waitfor() ...
In-Reply-To: <4C87D38F.2020204@aghaiepour.com>
References: <4C87D38F.2020204@aghaiepour.com>
Message-ID: <20100908201331.GI25039@shrubbery.net>

Wed, Sep 08, 2010 at 02:18:55PM -0400, Kambiz Aghaiepour:
> I noticed waitfor() in programs.c calls the report() function, but seems
> to use the unsupported %l format string. I wonder if those need to be
> %d instead? There is a line in packet.c and two other places in
> tac_plus.c where this happens as well.

it should be "%ld"

> Just wanted to check before making code changes to my local copy. I can
> create a patch and submit if you like.
>
> Regards,
> Kambiz
>
> --
> "All tyranny needs to gain a foothold is for people of
> good conscience to remain silent." --Thomas Jefferson
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From: heas at shrubbery.net (john heasley)
Date: Wed, 8 Sep 2010 13:24:32 -0700
Subject: [tac_plus] possible minor bug in code in waitfor() ...
In-Reply-To: <20100908201331.GI25039@shrubbery.net>
References: <20100908202142.EC85F108699@guelah.shrubbery.net> <4C87D38F.2020204@aghaiepour.com> <20100908201331.GI25039@shrubbery.net>
Message-ID: <20100908202432.GJ25039@shrubbery.net>

Wed, Sep 08, 2010 at 01:13:31PM -0700, john heasley:
> Wed, Sep 08, 2010 at 02:18:55PM -0400, Kambiz Aghaiepour:
> > I noticed waitfor() in programs.c calls the report() function, but seems
> > to use the unsupported %l format string. I wonder if those need to be
> > %d instead? There is a line in packet.c and two other places in
> > tac_plus.c where this happens as well.
>
> it should be "%ld"

like so

Index: tac_plus.c =================================================================== --- tac_plus.c (revision 3285) +++ tac_plus.c (working copy) @@ -143,7 +143,7 @@ if (pid <= 0) return; if (debug & DEBUG_FORK_FLAG) - report(LOG_DEBUG, "%l reaped", (long)pid); + report(LOG_DEBUG, "%ld reaped", (long)pid); } } #endif /* REAPCHILD */ @@ -631,7 +631,7 @@ tac_exit(0); } else { if (debug & DEBUG_FORK_FLAG) - report(LOG_DEBUG, "forked %l", (long)pid); + report(LOG_DEBUG, "forked %ld", (long)pid); /* parent */ close(newsockfd); }
Index: programs.c =================================================================== --- programs.c (revision 3285) +++ programs.c (working copy) @@ -204,17 +204,17 @@ ret = waitpid(pid, &status, 0); if (ret < 0) { - report(LOG_ERR, "%s: pid %l no child exists", session.peer, (long)pid); + report(LOG_ERR, "%s: pid %ld no child exists", session.peer, (long)pid); return(-1); } if (!WIFEXITED(status)) { - report(LOG_ERR, "%s: pid %l child in illegal state", session.peer, + report(LOG_ERR, "%s: pid %ld child in illegal state", session.peer, (long)pid); return(-1); } if (debug & DEBUG_AUTHOR_FLAG) - report(LOG_DEBUG, "pid %d child exited status %l", (long)pid, - WEXITSTATUS(status)); + report(LOG_DEBUG, "pid %ld child exited status %ld", (long)pid, + (long)WEXITSTATUS(status)); return(WEXITSTATUS(status)); }


From: kambiz at aghaiepour.com (Kambiz Aghaiepour)
Date: Wed, 08 Sep 2010 16:56:30 -0400
Subject: [tac_plus] possible minor bug in code in waitfor() ...
In-Reply-To: <20100908202432.GJ25039@shrubbery.net>
References: <20100908202142.EC85F108699@guelah.shrubbery.net> <4C87D38F.2020204@aghaiepour.com> <20100908201331.GI25039@shrubbery.net> <20100908202432.GJ25039@shrubbery.net>
Message-ID: <4C87F87E.5090008@aghaiepour.com>

Right, but with %ld, still looking at the report() function in report.c,
it doesn't appear the 'l' case is handled in the switch statement after
spotting the '%' character in the format string.

Kambiz

-- 
"All tyranny needs to gain a foothold is for people of
good conscience to remain silent." --Thomas Jefferson

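Review bot: the @@ -143 hunk of tac_plus.c (and, identically, the @@ -631 hunk) cannot land on its own: report() is a hand-written format scanner, and the report.c shown later in this thread only knows directives such as 's' and 'u', so "%ld" is no better understood than "%l" until the 'l' case exists. Either commit the report.c change together with these two hunks, or keep the call sites on a directive report() already supports, for example "%d" with the pid cast to int instead of long.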
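Review bot: the third change in the programs.c @@ -204 hunk corrects a real argument-width mismatch rather than a typo: the old line paired "%d" with (long)pid and "%l" with the int WEXITSTATUS(status), so what va_arg() pulled off the list did not match what the caller pushed, and the patched line's "(long)WEXITSTATUS(status)" is what makes the second "%ld" correct. Since report() is not a real printf, the compiler's format checking cannot catch mismatches like this; suggest a comment above report()'s definition listing the directives it accepts and the exact argument type each expects, so future call sites can be checked by eye.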
From: heas at shrubbery.net (john heasley)
Date: Wed, 8 Sep 2010 15:42:39 -0700
Subject: [tac_plus] possible minor bug in code in waitfor() ...
In-Reply-To: <4C87F87E.5090008@aghaiepour.com>
References: <20100908202142.EC85F108699@guelah.shrubbery.net> <4C87D38F.2020204@aghaiepour.com> <20100908201331.GI25039@shrubbery.net> <20100908202432.GJ25039@shrubbery.net> <4C87F87E.5090008@aghaiepour.com>
Message-ID: <20100908224239.GA28099@shrubbery.net>

Wed, Sep 08, 2010 at 04:56:30PM -0400, Kambiz Aghaiepour:
> Right, but with %ld, still looking at the report() function in report.c,
> it doesn't appear the 'l' case is handled in the switch statement after
> spotting the '%' character in the format string.
>

sorry, yes, you also need the report.c fix.

Index: report.c =================================================================== --- report.c (revision 3285) +++ report.c (working copy) @@ -61,7 +61,8 @@ char msg[255]; /* temporary string */ char *fp, *bufp, *charp; int len, m, i, n; - char digits[16]; + long int l; + char digits[32]; va_list ap; charp = NULL; @@ -95,13 +96,19 @@ fp++; switch (*fp) { - case 's': fp++; charp = va_arg(ap, char *); m = strlen(charp); break; + case 'l': + fp++; + l = va_arg(ap, long); + sprintf(digits, "%ld", l); + m = strlen(digits); + charp = digits; + break; case 'u': fp++; i = va_arg(ap, uint);

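Review bot: in the @@ -61 hunk, growing digits from 16 to 32 bytes is sufficient for the new 'l' case (a 64-bit long needs at most 20 characters plus a sign and the terminator), but the guarantee rests on the buffer size happening to match the widest type formatted into it; since the hunk is touching the declaration anyway, pairing it with snprintf(digits, sizeof(digits), ...) in the cases that write to it makes that bound explicit instead of implicit.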
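Review bot: the new 'l' case in the @@ -95 hunk consumes only the 'l': after "fp++" the conversion letter is still in the format string, so with the "%ld" directives introduced in the companion tac_plus.c/programs.c patch the 'd' falls through to the ordinary-text path and appears in the log as literal text (e.g. "4242d reaped"). After fetching the long, advance past a following 'd' before "break;", and either treat a following 'u' as an unsigned long or reject it, since the case currently fetches a signed long unconditionally and would print large unsigned values as negative.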
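The C program below is an added example, not tac_plus code: mini_report() is a hypothetical stand-in for report() that keeps the same shape (a '%' scanner with one switch case per directive, each pulling its own argument off the va_list) and shows why the thread's two fixes belong together. The 'l' case must fetch a long, because the call sites pass (long)pid, and it must also consume the conversion letter that follows the 'l', otherwise the 'd' of "%ld" lands in the log as text. The function name, the 32-byte digits buffer and the sample values (pid 4242, exit status 3, peer "nas-example") are all constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * mini_report(): a hand-rolled printf-style formatter in the shape of
 * tac_plus's report(). Added example; not tac_plus code.
 *
 * Supported directives: %s %d %u %ld %lu %% (a bare "%l" is accepted as
 * a long, matching the pre-patch call sites). Returns the number of
 * characters written, excluding the terminator; output is truncated to
 * outsz - 1 characters and is always NUL-terminated.
 */
static int mini_report(char *out, size_t outsz, const char *fmt, ...)
{
    char digits[32];            /* holds any 64-bit long: sign + 20 digits + NUL */
    size_t pos = 0;
    va_list ap;

    if (outsz == 0)
        return 0;

    va_start(ap, fmt);
    while (*fmt != '\0' && pos + 1 < outsz) {
        const char *piece;
        size_t len;

        if (*fmt != '%') {      /* ordinary text: copy one character */
            out[pos++] = *fmt++;
            continue;
        }
        fmt++;                  /* step past the '%' */
        switch (*fmt) {
        case 's':
            fmt++;
            piece = va_arg(ap, const char *);
            if (piece == NULL)
                piece = "(null)";
            break;
        case 'd':
            fmt++;
            snprintf(digits, sizeof digits, "%d", va_arg(ap, int));
            piece = digits;
            break;
        case 'u':
            fmt++;
            snprintf(digits, sizeof digits, "%u", va_arg(ap, unsigned int));
            piece = digits;
            break;
        case 'l':
            fmt++;              /* past the 'l' ... */
            if (*fmt == 'u') {
                fmt++;          /* ... and past the conversion letter */
                snprintf(digits, sizeof digits, "%lu", va_arg(ap, unsigned long));
            } else {
                if (*fmt == 'd')
                    fmt++;      /* "%ld"; a bare "%l" is also taken as a long */
                snprintf(digits, sizeof digits, "%ld", va_arg(ap, long));
            }
            piece = digits;
            break;
        case '%':
            fmt++;
            piece = "%";
            break;
        default:
            /* Unknown directive: emit the '%' literally; do not touch the va_list. */
            piece = "%";
            break;
        }
        len = strlen(piece);
        if (len > outsz - 1 - pos)
            len = outsz - 1 - pos;      /* truncate rather than overrun */
        memcpy(out + pos, piece, len);
        pos += len;
    }
    va_end(ap);
    out[pos] = '\0';
    return (int)pos;
}

int main(void)
{
    char buf[128];
    long pid = 4242;            /* constructed sample, stands in for (long)pid */
    int exit_status = 3;        /* constructed sample, stands in for WEXITSTATUS(status) */

    /* Same call shape as the patched waitfor() debug line. */
    mini_report(buf, sizeof buf, "%s: pid %ld child exited status %ld",
                "nas-example", pid, (long)exit_status);
    puts(buf);                  /* nas-example: pid 4242 child exited status 3 */

    /* The pre-patch "%l" directive still formats as a long here. */
    mini_report(buf, sizeof buf, "forked %l", pid);
    puts(buf);                  /* forked 4242 */
    return 0;
}
```

The design point is the pairing in each case: one directive, one va_arg() of exactly the type the caller promised, and the scanner advanced past every character that belongs to the directive. Dropping either half reproduces one of the two defects discussed in the thread.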
From: fedorafans at gmail.com (fedora fedora)
Date: Thu, 9 Sep 2010 10:51:03 -0500
Subject: [tac_plus] socket 23 error?

Hello list,

I have the newest tacacs-plus installed on my Ubuntu 8.04 64-bit server and
I noticed the following error messages constantly showing up in my logs.
Does anyone know what exactly caused this, and how can I fix it? Much
appreciated!

tacacsd[386]: %SECURITY-TACACSD-6-SERVER_DOWN : TACACS+ server x.x.x.x/49 is DOWN - Socket 23: Resource temporarily unavailable

Regards
FD

From: rui-f-meireles at telecom.pt (Rui Vitor Figueiras Meireles)
Date: Fri, 10 Sep 2010 18:29:06 +0100
Subject: [tac_plus] Different "service = exec" parameters for different equipments
Message-ID: <39228668B1473247A5AC45D871ADDF74D55D03@PTPTVDEX01.PTPortugal.corpPT.com>

Hi.

I have a simple configuration question. Is it possible to have different
"service = exec" parameters for different equipments?

I have a network with several IOS and IOS-XR devices. I have included this part

    service = exec {
        task = "#root-system,#cisco-support"
    }

to be able to access some of them in the "Cisco-support" group (it permits
some more commands). However, using this configuration I am not able to
access the others, the ones that do not have this group.

Is there any way I can use the same user and do what I want? For example,
using ACLs: if it matches, use group admin1; if it doesn't, use group
admin2. Or using duplicate users (2 users with the same name, but with
different groups, and if the access fails on the first, it tries the
second).

Thanks. Any help would be appreciated.

Rui Meireles

#####################
group = shadow {
    login = file /etc/passwd
}

# Users with Full Access
group = admin {
    default service = permit
    member = shadow
    enable = cleartext "cisco"
    acl = all_acl
    enableacl = all_acl
    service = exec {
        task = "#root-system,#cisco-support"
        priv-lvl=15
        idletime=10
    }
}

user = rmeireles {
    member = admin
}

From: flz at esat.net (Florent Thoumie)
Date: Tue, 14 Sep 2010 16:20:37 +0100
Subject: [tac_plus] Using PAM as default authentication

Hi all,

I know this has been discussed here before but I haven't been able to find
a reason why PAM can't be used as default authentication, either via
default auth or user = DEFAULT.

ATM I have a cron job that dumps the list of tacacs users from LDAP and
inserts them in the config file and it works fine, but it's not exactly
pretty.

-- 
Florent Thoumie
flz at esat.net


From: flz at esat.net (Florent Thoumie)
Date: Tue, 14 Sep 2010 16:24:41 +0100
Subject: [tac_plus] [patch] Add support for PAM to enable keyword
Message-ID: <6370e88165a55412b46505859149d4d2@mayday.esat.net>

Not sure why this wasn't supported so I quickly added it. Patch attached.

-- 
Florent Thoumie
flz at esat.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: enable-pam.diff
Type: application/octet-stream
Size: 1298 bytes
Desc: not available

From: rui-f-meireles at telecom.pt (Rui Vitor Figueiras Meireles)
Date: Tue, 21 Sep 2010 11:18:58 +0100
Subject: [tac_plus] Different "service = exec" parameters for different equipments
Message-ID: <39228668B1473247A5AC45D871ADDF74E1A48B@PTPTVDEX01.PTPortugal.corpPT.com>

Hi.

I have a simple configuration question. Is it possible to have different
"service = exec" parameters for different equipments?

I have a network with several IOS and IOS-XR devices. I have included this part

    service = exec {
        task = "#root-system,#cisco-support"
    }

to be able to access some of them in the "Cisco-support" group (it permits
some more commands). However, using this configuration I am not able to
access the others, the ones that do not have this group.

Is there any way I can use the same user and do what I want? For example,
using ACLs: if it matches, use group admin1; if it doesn't, use group
admin2. Or using duplicate users (2 users with the same name, but with
different groups, and if the access fails on the first, it tries the
second).

Thanks. Any help would be appreciated.

Rui Meireles

#####################
group = shadow {
    login = file /etc/passwd
}

# Users with Full Access
group = admin {
    default service = permit
    member = shadow
    enable = cleartext "cisco"
    acl = all_acl
    enableacl = all_acl
    service = exec {
        task = "#root-system,#cisco-support"
        priv-lvl=15
        idletime=10
    }
}

user = rmeireles {
    member = admin
}


From: rt_e at mail.ru (Иван Колесников)
Date: Tue, 28 Sep 2010 11:46:41 +0400
Subject: [tac_plus] restrict authentication from remote address

Hi.

I use version F4.0.4.18 of Tacacs and I was confronted with a problem. I
would like to use a specific username for authentication to the devices in
the network, but only from a specific IP address (rem_addr). How can I do
it in my version?