From nicotine at warningg.com Thu Dec 1 14:18:41 2011
From: nicotine at warningg.com (Brandon Ewing)
Date: Thu, 1 Dec 2011 08:18:41 -0600
Subject: [tac_plus] Examples of RBAC in do_auth.py?
In-Reply-To: <20111117195649.GA28144@brian>
References: <20111117144457.GA2742@radiological.warningg.com> <20111117195649.GA28144@brian>
Message-ID: <20111201141841.GG2742@radiological.warningg.com>

On Thu, Nov 17, 2011 at 02:56:49PM -0500, Brian Raaen wrote:
> This is an example I have
>

Does do_auth.py support any kind of variable expansion in its ini/config file? Curious if I can define groups of network devices once and use them in multiple stanzas. No major issue if not; I can just run a template through a distiller on a regular basis to generate the file instead.

--
Brandon Ewing (nicotine at warningg.com)

From nicotine at warningg.com Thu Dec 1 14:22:54 2011
From: nicotine at warningg.com (Brandon Ewing)
Date: Thu, 1 Dec 2011 08:22:54 -0600
Subject: [tac_plus] Quick question - NAT and TACACS
Message-ID: <20111201142254.GH2742@radiological.warningg.com>

Greetings,

When a device that is behind NAT accesses a TACACS server, is the device IP included in the actual TACACS packet (real IP), or inferred from the source address of the IP packet (global IP)?

--
Brandon Ewing (nicotine at warningg.com)

From daniel.schmidt at wyo.gov Thu Dec 1 14:51:48 2011
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 1 Dec 2011 07:51:48 -0700
Subject: [tac_plus] Examples of RBAC in do_auth.py?
In-Reply-To: <20111201141841.GG2742@radiological.warningg.com>
References: <20111117144457.GA2742@radiological.warningg.com> <20111117195649.GA28144@brian> <20111201141841.GG2742@radiological.warningg.com>
Message-ID:

Variable expansa-what now?

From nicotine at warningg.com Thu Dec 1 14:54:19 2011
From: nicotine at warningg.com (Brandon Ewing)
Date: Thu, 1 Dec 2011 08:54:19 -0600
Subject: [tac_plus] Examples of RBAC in do_auth.py?
In-Reply-To:
References: <20111117144457.GA2742@radiological.warningg.com> <20111117195649.GA28144@brian> <20111201141841.GG2742@radiological.warningg.com>
Message-ID: <20111201145419.GI2742@radiological.warningg.com>

On Thu, Dec 01, 2011 at 07:51:48AM -0700, Daniel Schmidt wrote:
> Variable expansa-what now?
>

I.e., could I define somewhere

$PE_devices = IP_regex_1 IP_regex_2 etc

and then, later on,

[Engineer-PE]
device_permit = $PE_devices

[Staff-PE]
device_permit = $PE_devices

--
Brandon Ewing (nicotine at warningg.com)

From heas at shrubbery.net Thu Dec 1 15:43:18 2011
From: heas at shrubbery.net (john heasley)
Date: Thu, 1 Dec 2011 15:43:18 +0000
Subject: [tac_plus] Quick question - NAT and TACACS
In-Reply-To: <20111201142254.GH2742@radiological.warningg.com>
References: <20111201142254.GH2742@radiological.warningg.com>
Message-ID: <20111201154318.GA15868@shrubbery.net>

Thu, Dec 01, 2011 at 08:22:54AM -0600, Brandon Ewing:
> Greetings,
>
> When a device that is behind NAT accesses a TACACS server, is the device IP
> included in the actual TACACS packet (real IP), or inferred from the source
> address of the IP packet (global IP)?

inferred from the source ip. the device only sends the ip of a remote client, such as ppp/slip.

From daniel.schmidt at wyo.gov Thu Dec 1 16:04:31 2011
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 1 Dec 2011 09:04:31 -0700
Subject: [tac_plus] Examples of RBAC in do_auth.py?
In-Reply-To: <20111201145419.GI2742@radiological.warningg.com>
References: <20111117144457.GA2742@radiological.warningg.com> <20111117195649.GA28144@brian> <20111201141841.GG2742@radiological.warningg.com> <20111201145419.GI2742@radiological.warningg.com>
Message-ID: <928781824a4dd989fd70e83f613277bf@mail.gmail.com>

It does not. It would be useful, but it would also be more complex and, if anything, do_auth needs to be simpler. Feel free to hack at the code, it's pretty trivial.

E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act, and may be disclosed to third parties.
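An added example, not code from do_auth.py (which, as Daniel says, has no such feature): a preprocessor in the spirit of Brandon's sketch. It assumes a [variables] section and whole-line $NAME references, both conventions invented here, and writes out plain ini with the newline-separated regex lists expanded, which a ConfigParser-based consumer can read back; device_permitted then checks a device address against a group's expanded device_permit list.

```python
"""Expand $NAME references in a do_auth-style ini file (added example,
not do_auth.py's own code).  Assumed conventions: a [variables] section
holds named regex lists, other sections reference them as whole-line
$NAME entries, and lists are newline-separated regexes, one per line."""
import configparser
import io
import re

VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

# Constructed sample: two device groups defined once, reused by two roles.
SAMPLE_CONFIG = r"""
[variables]
PE_devices =
    10\.0\.1\.[0-9]+
    10\.0\.2\.[0-9]+
Core_devices =
    10\.0\.0\.[1-9]

[Engineer-PE]
device_permit =
    $PE_devices
    $Core_devices
command_permit =
    .*

[Staff-PE]
device_permit =
    $PE_devices
command_permit =
    show .*
"""


def split_list(value):
    """Split a multi-line ini value into its non-empty, stripped lines."""
    return [ln.strip() for ln in value.splitlines() if ln.strip()]


def new_parser():
    # interpolation=None: regex values may contain '%' and we expand $NAME
    # ourselves; optionxform=str keeps key case (PE_devices) as written.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    return cp


def expand_config(text, var_section="variables"):
    """Return (expanded_ini_text, parser) with every whole-line $NAME entry
    replaced by the lines defined for NAME under [variables].  An unknown
    name raises KeyError so a typo can neither permit nothing silently nor
    be read as a literal regex."""
    src = new_parser()
    src.read_string(text)
    variables = {}
    if src.has_section(var_section):
        variables = {k: split_list(v) for k, v in src.items(var_section)}
    out = new_parser()
    for section in src.sections():
        if section == var_section:
            continue
        out.add_section(section)
        for key, value in src.items(section):
            expanded = []
            for ln in split_list(value):
                m = VAR_REF.fullmatch(ln)
                if m:
                    name = m.group(1)
                    if name not in variables:
                        raise KeyError(f"undefined variable ${name} in [{section}] {key}")
                    expanded.extend(variables[name])
                elif VAR_REF.search(ln):
                    raise ValueError(f"only whole-line $NAME references are expanded: {ln!r}")
                else:
                    expanded.append(ln)
            out.set(section, key, "\n" + "\n".join(expanded))
    buf = io.StringIO()
    out.write(buf)
    return buf.getvalue(), out


def parse_expanded(text):
    """Re-read expanded ini text the way a ConfigParser-based consumer would."""
    cp = new_parser()
    cp.read_string(text)
    return cp


def regex_list(cfg, section, key):
    return split_list(cfg.get(section, key)) if cfg.has_option(section, key) else []


def device_permitted(cfg, group, device_ip):
    """True if device_ip matches one of the group's device_permit regexes.
    fullmatch is deliberate: a prefix match on 10\\.0\\.1\\.1 would also
    permit 10.0.1.10 through 10.0.1.19."""
    return any(re.fullmatch(pat, device_ip) for pat in regex_list(cfg, group, "device_permit"))


if __name__ == "__main__":
    expanded_text, cfg = expand_config(SAMPLE_CONFIG)
    print(expanded_text)
    for group, ip in (("Staff-PE", "10.0.2.7"), ("Staff-PE", "10.0.0.3"), ("Engineer-PE", "10.0.0.3")):
        print(group, ip, "permit" if device_permitted(cfg, group, ip) else "deny")
```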
From heas at shrubbery.net Tue Dec 6 19:34:54 2011
From: heas at shrubbery.net (john heasley)
Date: Tue, 6 Dec 2011 19:34:54 +0000
Subject: [tac_plus] Problems getting tac_plus work with PAM auth on NetBSD
In-Reply-To: <20111125122847.2023eb73@rohan.example.com>
References: <1DD0809F-DCCE-4745-9607-40CE82340F23@nordu.net> <0A75AB48-A150-4F96-B486-549CCB5A70D4@nordu.net> <20111124171427.GA17749@shrubbery.net> <20111125122847.2023eb73@rohan.example.com>
Message-ID: <20111206193453.GG6782@shrubbery.net>

Fri, Nov 25, 2011 at 12:28:47PM +0200, Alan McKinnon:
> On Fri, 25 Nov 2011 10:42:22 +0100
> Fredrik Pettai wrote:
>
> > On Nov 24, 2011, at 18:14 , john heasley wrote:
> > > Thu, Nov 24, 2011 at 04:11:25PM +0100, Fredrik Pettai:
> > >
> > >> Does the tac_plus server have insufficient credentials running as
> > >> a non-root user to perform pam lookups?
> > >
> > > i'm not sure that it does; it would need to be able to
> > > read /etc/master.passwd.
> >
> > The problem was the dropped root privileges. After recompiling
> > without this option, it works fine.
> >
> > Another thing with dropping the root privileges is that the daemon
> > can't reload the configuration after receiving SIGUSR1 if it runs
> > with dropped root privileges and the configuration file ownership
> > isn't correct. You won't notice this while tac_plus is starting, as
> > it has root privileges while reading the configuration file first,
> > and drops those later.
>
> A similar issue crops up with the daemon's log file. If logrotate
> creates a new file and doesn't chown/chmod it correctly, the daemon
> silently stops working. Also, if the log file doesn't exist, tac_plus
> creates it as root then drops privileges, effectively preventing itself
> from working.
>

ack. added verbiage.

> > Maybe you can add something like this to the
> > tac_plus.8 man page:
> >
> > --- tac_plus.8.in.orig 2011-11-25 10:18:14.000000000 +0100
> > +++ tac_plus.8.in 2011-11-25 10:26:28.000000000 +0100
> > @@ -235,8 +235,9 @@
> > If the daemon is receives a SIGHUP or SIGUSR1, it will reinitialize
> > itself and re-read its configuration file.
> > .sp
> > -Note: if an error is encountered in the configuration file, the
> > daemon -will die.
> > +Note: if an error is encountered in the configuration file or the
> > running +tac_plus daemon hasn't sufficient rights to read it (if root
> > privileges +are dropped), the daemon will die.
> > .\"
> > .SH "LOG MESSAGES"
> > .B tac_plus
> >
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> >
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
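Review bot: the added Note covers only the configuration file, but Alan's reply above describes the same failure for the log file (a file recreated by logrotate with the wrong owner or mode, or one created as root before privileges are dropped, makes the daemon silently stop working), so the same note, or the LOG MESSAGES section that immediately follows the hunk, should state that the log file must also be writable by the unprivileged user. Wording: "hasn't sufficient rights to read it (if root privileges are dropped)" reads better as "does not have sufficient rights to read it because root privileges were dropped". The unchanged context line "If the daemon is receives a SIGHUP or SIGUSR1" carries a pre-existing typo ("is receives") that could be fixed in the same change.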
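An added example, not part of tac_plus: a pre-reload check that catches the two failure modes Fredrik and Alan describe before SIGUSR1 is sent (configuration file unreadable by the unprivileged user; log file recreated by logrotate with the wrong owner, or missing so that the daemon would create it as root and then lose it). The user name 'tacacs' and the paths in the __main__ block are assumptions for this example.

```python
"""Pre-reload check for a tac_plus built to drop root privileges (added
example, not part of tac_plus).  Verifies, for the unprivileged user, read
access to the configuration file and write access to the log file,
including search permission on every parent directory."""
import grp
import os
import pwd
import stat


def can_access(mode, owner_uid, owner_gid, uid, gids, want):
    """Classic Unix permission check for want in 'r', 'w', 'x'.
    mode is st_mode; gids is the set of groups the user belongs to.
    Root bypasses read/write; for execute it still needs some x bit."""
    idx = "rwx".index(want)
    if uid == 0:
        if want != "x":
            return True
        return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if uid == owner_uid:
        bits = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR)
    elif owner_gid in gids:
        bits = (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP)
    else:
        bits = (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    return bool(mode & bits[idx])


def user_ids(username):
    """uid and full group set (primary plus supplementary) of a local user."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def check_path(path, uid, gids, want):
    """Return the list of problems preventing uid from using path for want
    (empty when everything is fine).  Parent directories need x as well."""
    problems = []
    target = os.path.abspath(path)
    d = os.path.dirname(target)
    while True:
        try:
            st = os.stat(d)
        except FileNotFoundError:
            problems.append(f"{d}: directory does not exist")
            break
        if not can_access(st.st_mode, st.st_uid, st.st_gid, uid, gids, "x"):
            problems.append(f"{d}: uid {uid} cannot traverse "
                            f"(mode {oct(stat.S_IMODE(st.st_mode))}, owner {st.st_uid}:{st.st_gid})")
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    try:
        st = os.stat(target)
    except FileNotFoundError:
        # The case Alan describes: a daemon started as root creates the file
        # root-owned, drops privileges, and can no longer write to it.
        problems.append(f"{target}: does not exist; create it owned by uid {uid} "
                        "before starting the daemon")
        return problems
    if not can_access(st.st_mode, st.st_uid, st.st_gid, uid, gids, want):
        problems.append(f"{target}: uid {uid} has no '{want}' permission "
                        f"(mode {oct(stat.S_IMODE(st.st_mode))}, owner {st.st_uid}:{st.st_gid})")
    return problems


def preflight(config_path, log_path, username):
    """Problems the daemon would hit after dropping to username: the config
    must stay readable (SIGUSR1 reload) and the log file writable (logrotate)."""
    uid, gids = user_ids(username)
    return (check_path(config_path, uid, gids, "r")
            + check_path(log_path, uid, gids, "w"))


if __name__ == "__main__":
    # Assumed locations and user; adjust to your build and logging setup.
    try:
        issues = preflight("/etc/tac_plus.conf", "/var/log/tac_plus.log", "tacacs")
    except KeyError as e:
        raise SystemExit(f"no such user: {e}")
    print("\n".join(issues) if issues else "OK: safe to send SIGUSR1")
```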
From heas at shrubbery.net Wed Dec 7 22:51:10 2011
From: heas at shrubbery.net (john heasley)
Date: Wed, 7 Dec 2011 22:51:10 +0000
Subject: [tac_plus] tac_plus login and enable password issue
In-Reply-To: <1322456295.35789.YahooMailNeo@web111510.mail.gq1.yahoo.com>
References: <1321612519.74908.YahooMailNeo@web111513.mail.gq1.yahoo.com> <1322013998.4733.YahooMailNeo@web111510.mail.gq1.yahoo.com> <1322014057.54309.YahooMailNeo@web111511.mail.gq1.yahoo.com> <20111123195456.GJ13553@shrubbery.net> <1322110257.16367.YahooMailNeo@web111502.mail.gq1.yahoo.com> <1322456295.35789.YahooMailNeo@web111510.mail.gq1.yahoo.com>
Message-ID: <20111207225109.GB12782@shrubbery.net>

Sun, Nov 27, 2011 at 08:58:15PM -0800, Ricki Z:
> Hi All,
>
> I have an issue when I use an enable password per user (not in the global config with user $enab15$ etc.) and every user uses a different password for Cisco enable on the tac_plus server. Referring to the config that I sent before, I can use AAA for Cisco devices with tac_plus, but if I log in using user1, then I can use password "user1" or "enauser1", and after a successful login I can enter privileged mode using password "user1" or "enauser1", and the same for user2. In normal conditions I should only be able to log in as user1 with password "user1" (failing if using password "enauser1") and only be able to enter privileged mode using password "enauser1" (failing if using "user1").
>
> user = user1 {
>         default service = permit

default service does not belong under user configuration.

otherwise, i can not reproduce the problem that i think you are describing. given two users configured with different passwords, one can not use the other's passwords to login or enable.

I'd guess that you have a device configuration problem or there is some strange problem with how you've compiled tac_plus. more likely the former.

>         login = cleartext user1
>         enable = cleartext enauser1
> }
>
> user = user2 {
>         default service = permit
>         login = cleartext user2
>         enable = cleartext enauser2
> }
>
> And if I configure an enable password per user and every user uses the same enable password (like the config below), everything works as it is supposed to, meaning if I log in using user1 I can only use password "user1" (can't use password "enapwd") and I can only enter privileged mode using password "enauser" (can't use password "user1").
> user = user1 {
>         default service = permit
>         login = cleartext user1
>         enable = cleartext enauser
> }
>
> user = user2 {
>         default service = permit
>         login = cleartext user2
>         enable = cleartext enauser
> }
>
> Need your advice to solve this issue.
>
> Tx,
> Ricki

From rz.bangka at yahoo.com Thu Dec 8 03:54:49 2011
From: rz.bangka at yahoo.com (Ricki Z)
Date: Wed, 7 Dec 2011 19:54:49 -0800 (PST)
Subject: [tac_plus] tac_plus login and enable password issue
In-Reply-To: <20111207225109.GB12782@shrubbery.net>
References: <1321612519.74908.YahooMailNeo@web111513.mail.gq1.yahoo.com> <1322013998.4733.YahooMailNeo@web111510.mail.gq1.yahoo.com> <1322014057.54309.YahooMailNeo@web111511.mail.gq1.yahoo.com> <20111123195456.GJ13553@shrubbery.net> <1322110257.16367.YahooMailNeo@web111502.mail.gq1.yahoo.com> <1322456295.35789.YahooMailNeo@web111510.mail.gq1.yahoo.com> <20111207225109.GB12782@shrubbery.net>
Message-ID: <1323316489.53375.YahooMailNeo@web111502.mail.gq1.yahoo.com>

Hi John,

Previously, thanks for your info. I have changed the config with default service under the group, but I still experience the same problem. My problem is exactly this: why can I log in to the Cisco switch using the "login password" or the "enable password", and why can I enter privileged mode using the "login password" or the "enable password" too?

Below is my new config for the tac-plus server:
-----------------------------------cut-----------------------------------
user = user1 {
        member = admin
        login = cleartext user1
        enable = cleartext enauser1
}

user = user2 {
        member = admin
        login = cleartext user2
        enable = cleartext enauser2
}
group = admin {
        default service = permit
}
-----------------------------------cut-----------------------------------
And below is my Cisco switch config for tac-plus authentication:
-----------------------------------cut-----------------------------------
aaa new-model
aaa authentication login default group tacacs+ local line
aaa authentication login user group tacacs+ local
aaa authentication login net_admin group tacacs+ line enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 7 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
aaa accounting exec user start-stop group tacacs+
aaa accounting commands 0 user start-stop group tacacs+
aaa accounting commands 1 user start-stop group tacacs+
aaa accounting commands 7 user start-stop group tacacs+
aaa accounting commands 15 user start-stop group tacacs+
aaa accounting network user start-stop group tacacs+
aaa accounting connection user start-stop group tacacs
!
line con 0
 login authentication net_admin
line vty 0 4
 accounting connection user
 accounting commands 0 user
 accounting commands 1 user
 accounting commands 7 user
 accounting commands 15 user
 accounting exec user
line vty 5 15
 accounting connection user
 accounting commands 0 user
 accounting commands 1 user
 accounting commands 7 user
 accounting commands 15 user
 accounting exec user
-----------------------------------cut-----------------------------------
Here is the illustration for logging in to the Cisco switch:
-----------------------------------cut-----------------------------------
User Access Verification

Username: user1
Password: user1

or

Username: user1
Password: enauser1
-----------------------------------cut-----------------------------------
Here is the illustration for entering privileged mode on the Cisco switch:
-----------------------------------cut-----------------------------------
cisco-sw>en
Password: enauser1

or

cisco-sw>en
Password: user1
-----------------------------------cut-----------------------------------
Is there anything abnormal in my config on the tac-plus server or the Cisco switch?

Tx,
Ricki
From heas at shrubbery.net Thu Dec 8 17:42:01 2011
From: heas at shrubbery.net (john heasley)
Date: Thu, 8 Dec 2011 17:42:01 +0000
Subject: [tac_plus] tac_plus login and enable password issue
In-Reply-To: <1323316489.53375.YahooMailNeo@web111502.mail.gq1.yahoo.com>
References: <1321612519.74908.YahooMailNeo@web111513.mail.gq1.yahoo.com> <1322013998.4733.YahooMailNeo@web111510.mail.gq1.yahoo.com> <1322014057.54309.YahooMailNeo@web111511.mail.gq1.yahoo.com> <20111123195456.GJ13553@shrubbery.net> <1322110257.16367.YahooMailNeo@web111502.mail.gq1.yahoo.com> <1322456295.35789.YahooMailNeo@web111510.mail.gq1.yahoo.com> <20111207225109.GB12782@shrubbery.net> <1323316489.53375.YahooMailNeo@web111502.mail.gq1.yahoo.com>
Message-ID: <20111208174201.GI28436@shrubbery.net>

Wed, Dec 07, 2011 at 07:54:49PM -0800, Ricki Z:
> Hi John,
>
> Previously, thanks for your info. I have changed the config with default service under the group, but I still experience the same problem. My problem is exactly this: why can I log in to the Cisco switch using the "login password" or the "enable password", and why can I enter privileged mode using the "login password" or the "enable password" too?
>
> Below is my new config for the tac-plus server:
> -----------------------------------cut-----------------------------------
> user = user1 {
>         member = admin
>         login = cleartext user1
>         enable = cleartext enauser1
> }
>
> user = user2 {
>         member = admin
>         login = cleartext user2
>         enable = cleartext enauser2
> }
> group = admin {
>         default service = permit
> }
> -----------------------------------cut-----------------------------------
> And below is my Cisco switch config for tac-plus authentication:
>
> -----------------------------------cut-----------------------------------
> aaa new-model
> aaa authentication login default group tacacs+ local line
> aaa authentication login user group tacacs+ local
> aaa authentication login net_admin group tacacs+ line enable
> aaa authentication enable default group tacacs+ enable
> aaa authorization exec default group tacacs+ if-authenticated
> aaa authorization commands 0 default group tacacs+ if-authenticated
> aaa authorization commands 1 default group tacacs+ if-authenticated
> aaa authorization commands 7 default group tacacs+ if-authenticated
> aaa authorization commands 15 default group tacacs+ if-authenticated
> aaa authorization network default group tacacs+ if-authenticated
> aaa accounting exec user start-stop group tacacs+
> aaa accounting commands 0 user start-stop group tacacs+
> aaa accounting commands 1 user start-stop group tacacs+
> aaa accounting commands 7 user start-stop group tacacs+
> aaa accounting commands 15 user start-stop group tacacs+
> aaa accounting network user start-stop group tacacs+
> aaa accounting connection user start-stop group tacacs
> !
> line con 0
>  login authentication net_admin
> line vty 0 4

login authentication default

otherwise, looks ok. try debugging options on the router and the tacacs daemon to figure out why it's not working as you expect.

>  accounting connection user
>  accounting commands 0 user
>  accounting commands 1 user
>  accounting commands 7 user
>  accounting commands 15 user
>  accounting exec user
> line vty 5 15
>  accounting connection user
>  accounting commands 0 user
>  accounting commands 1 user
>  accounting commands 7 user
>  accounting commands 15 user
>  accounting exec user
> -----------------------------------cut-----------------------------------
>
> Here is the illustration for logging in to the Cisco switch:
> -----------------------------------cut-----------------------------------
> User Access Verification
>
> Username: user1
> Password: user1
>
> or
>
> Username: user1
> Password: enauser1
> -----------------------------------cut-----------------------------------
> Here is the illustration for entering privileged mode on the Cisco switch:
> -----------------------------------cut-----------------------------------
> cisco-sw>en
> Password: enauser1
>
> or
>
> cisco-sw>en
> Password: user1
> -----------------------------------cut-----------------------------------
> Is there anything abnormal in my config on the tac-plus server or the Cisco switch?
>
> Tx,
> Ricki
From rz.bangka at yahoo.com Fri Dec 9 06:31:31 2011
From: rz.bangka at yahoo.com (Ricki Z)
Date: Thu, 8 Dec 2011 22:31:31 -0800 (PST)
Subject: [tac_plus] tac_plus login and enable password issue
In-Reply-To: <20111208174201.GI28436@shrubbery.net>
References: <1321612519.74908.YahooMailNeo@web111513.mail.gq1.yahoo.com> <1322013998.4733.YahooMailNeo@web111510.mail.gq1.yahoo.com> <1322014057.54309.YahooMailNeo@web111511.mail.gq1.yahoo.com> <20111123195456.GJ13553@shrubbery.net> <1322110257.16367.YahooMailNeo@web111502.mail.gq1.yahoo.com> <1322456295.35789.YahooMailNeo@web111510.mail.gq1.yahoo.com> <20111207225109.GB12782@shrubbery.net> <1323316489.53375.YahooMailNeo@web111502.mail.gq1.yahoo.com> <20111208174201.GI28436@shrubbery.net>
Message-ID: <1323412291.97335.YahooMailNeo@web111516.mail.gq1.yahoo.com>

Hi John,

I do not see any abnormal log from debugging on my Cisco switch. Do you have any idea about running debug for tac_plus on FreeBSD 8.2, and have you ever experienced this situation before?

Thanks,
Ricki
> > user = user1 {
> >     default service = permit
> >     login = cleartext user1
> >     enable = cleartext enauser
> > }
> >
> > user = user2 {
> >     default service = permit
> >     login = cleartext user2
> >     enable = cleartext enauser
> > }
> >
> > Need your advice to solve this issue.
> >
> > Tx,
> > Ricki

From heas at shrubbery.net Fri Dec 9 06:43:17 2011
From: heas at shrubbery.net (john heasley)
Date: Fri, 9 Dec 2011 06:43:17 +0000
Subject: [tac_plus] tac_plus login and enable password issue
In-Reply-To: <1323412291.97335.YahooMailNeo@web111516.mail.gq1.yahoo.com>
Message-ID: <20111209064317.GI1028@shrubbery.net>

Thu, Dec 08, 2011 at 10:31:31PM -0800, Ricki Z:
> Hi John,
>
> I do not see any abnormal log from debugging on my Cisco switch. Do you have any idea about running debug for tac_plus on FreeBSD 8.2, and have you ever experienced this situation before?

tac_plus -d 1 -h or man tac_plus has the debug knobs. output appears in syslog.

From rz.bangka at yahoo.com Fri Dec 9 08:37:22 2011
From: rz.bangka at yahoo.com (Ricki Z)
Date: Fri, 9 Dec 2011 00:37:22 -0800 (PST)
Subject: [tac_plus] tac_plus login and enable password issue
In-Reply-To: <20111209064317.GI1028@shrubbery.net>
Message-ID: <1323419842.46155.YahooMailNeo@web111507.mail.gq1.yahoo.com>

Hi John,

This issue is already solved by changing the enable password to a different password. In my case this happens if I use a login password and an enable password with the same characters from the start and only 1 different character at the end of the password. Maybe DES encryption does not check until the last character.

Anyway, thanks so much for your help.

Regards,
Ricki

From daniel.schmidt at wyo.gov Fri Dec 9 15:44:53 2011
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Fri, 9 Dec 2011 08:44:53 -0700
Subject: [tac_plus] tac_plus login and enable password issue
In-Reply-To: <1323419842.46155.YahooMailNeo@web111507.mail.gq1.yahoo.com>
Message-ID: <75515b15225824bb6e9fda53941c6056@mail.gmail.com>

Correct, try using something different to generate the tac passwords. My silly cgi works:

http://pastie.org/2433995

You can also use mkpasswd, but it has to be a newer version.
From heas at shrubbery.net Fri Dec 9 16:31:03 2011
From: heas at shrubbery.net (john heasley)
Date: Fri, 9 Dec 2011 16:31:03 +0000
Subject: [tac_plus] tac_plus login and enable password issue
In-Reply-To: <75515b15225824bb6e9fda53941c6056@mail.gmail.com>
Message-ID: <20111209163103.GH13725@shrubbery.net>

Fri, Dec 09, 2011 at 08:44:53AM -0700, Daniel Schmidt:
> Correct, try using something different to generate the tac passwords. My
> silly cgi works:
>
> http://pastie.org/2433995
>
> You can also use mkpasswd, but it has to be a newer version.
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Ricki Z
> Sent: Friday, December 09, 2011 1:37 AM
> To: john heasley
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] tac_plus login and enable password issue
>
> Hi John,
>
> This issue is already solved by changing the enable password to a different
> password. In my case this happens if I use a login password and an enable
> password with the same characters from the start and only 1 different
> character at the end of the password. Maybe DES encryption does not check
> until the last character.

crypt(3) normally only supports a maximum 8 character password.

From alan.mckinnon at gmail.com Fri Dec 9 21:33:25 2011
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 9 Dec 2011 23:33:25 +0200
Subject: [tac_plus] tac_plus login and enable password issue
In-Reply-To: <20111209163103.GH13725@shrubbery.net>
Message-ID: <20111209233325.5d292504@rohan.example.com>

On Fri, 9 Dec 2011 16:31:03 +0000
john heasley wrote:

> > This issue is already solved by changing the enable password to a
> > different password. In my case this happens if I use a login password
> > and an enable password with the same characters from the start and only
> > 1 different character at the end of the password. Maybe DES encryption
> > does not check until the last character.
>
> crypt(3) normally only supports a maximum 8 character password.

Of course! That explains everything.

Incidentally, crypt normally accepts up to 10 characters but only uses the first 8 for hashing. A password of 11 characters or longer causes an error.

That one has caused no end of confusion around here. It's one of those bizarre limits that users simply cannot get their wits around.

--
Alan McKinnon
alan.mckinnon at gmail.com

From rz.bangka at yahoo.com Mon Dec 12 03:02:11 2011
From: rz.bangka at yahoo.com (Ricki Z)
Date: Sun, 11 Dec 2011 19:02:11 -0800 (PST)
Subject: [tac_plus] tac_plus login and enable password issue
In-Reply-To: <20111209233325.5d292504@rohan.example.com>
Message-ID: <1323658931.36748.YahooMailNeo@web111508.mail.gq1.yahoo.com>

Hi All.

Thank you for your information, it will help me in the future to implement AAA.

Regards,
Ricki

From daniel.schmidt at wyo.gov Mon Dec 12 15:38:01 2011
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Mon, 12 Dec 2011 08:38:01 -0700
Subject: [tac_plus] tac_plus login and enable password issue
In-Reply-To: <20111209233325.5d292504@rohan.example.com>

Of note, it can be worked around, as I did with a salt in the quick/dirty cgi.

This is from the GNU crypt man pages:

GNU EXTENSION
    The glibc2 version of this function has the following additional features. If salt is a character string starting with the three characters "$1$" followed by at most eight characters, and optionally terminated by "$", then instead of using the DES machine, the glibc crypt function uses an MD5-based algorithm, and outputs up to 34 bytes, namely "$1$<string>$", where "<string>" stands for the up to 8 characters following "$1$" in the salt, followed by 22 bytes chosen from the set [a-zA-Z0-9./]. The entire key is significant here (instead of only the first 8 bytes).

From alan.mckinnon at gmail.com Mon Dec 12 21:22:29 2011
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Mon, 12 Dec 2011 23:22:29 +0200
Subject: [tac_plus] tac_plus login and enable password issue
Message-ID: <20111212232229.4acacd07@rohan.example.com>

There is almost no reason left anymore to use DES hashes in tac_plus.conf - they have become somewhat trivial to crack (tip: hire the cpu grunt to do it from Amazon...)

The sysadmin has to generate the hashes somehow, I usually use openssl:

"openssl passwd -1" generates MD5 hashes with a random salt
"openssl passwd -1 -salt xxxxxxxx" does the same with a given salt (xxxxxxxx)

The -table option prints the hash and entered password, useful for finding stupid users that enter their password at a username prompt filling your logs with entries like "invalid user password123"

Many folks don't seem to know how tac_plus uses hashes, so a quick summary is probably in order:

tac_plus uses the crypt() library in the underlying operating system and asks it to hash a given password against the hash in tac_plus.conf. This will of course either succeed or fail. As such, you can transparently put any hash value you like in tac_plus.conf as long as crypt() supports it and it will JustWork(tm). On most modern Linuxes these days blowfish, sha-256 and sha-512 are supported out of the box.

One just needs to read man 3 crypt to find the methods supported and man openssl to find the option switches to generate those hashes.

--
Alan McKinnon
alan.mckinnon at gmail.com

From daniel.schmidt at wyo.gov Mon Dec 12 21:38:09 2011
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Mon, 12 Dec 2011 14:38:09 -0700
Subject: [tac_plus] tac_plus login and enable password issue
In-Reply-To: <20111212232229.4acacd07@rohan.example.com>

Good point, for instance, the cgi I threw together uses CRYPT_SHA512 which typically starts with $6$. One need only look at it to create an even shorter python script to do it. (Not that I claim any great understanding on the subject)
From Technic at connecta.net Wed Dec 21 16:34:21 2011
From: Technic at connecta.net (Technic IT)
Date: Wed, 21 Dec 2011 17:34:21 +0100
Subject: [tac_plus] Serious security bug in ACL handling of tacacs+-F4.0.4.20
Message-ID: <74D92B16A733274FA2F36D474607F94C323D45AB24@srv-ax-bdc-01.connecta.local>

Hello tac_plus developers,

First of all I would like to thank you for the great tacacs+ implementation.

While testing around with the acl of Version F4.0.4.20 I discovered a bug in the procedure cfg_acl_check (implemented in the file config.c). The line

    if (regexec((regex_t *)next->value1, ip, 0, NULL, 0)) {

should be

    if (regexec((regex_t *)next->value1, ip, 0, NULL, 0) == 0) {

From different sources:

"If regexec() finds a match it returns zero; otherwise, it returns nonzero"
"regexec() returns zero for a successful match or REG_NOMATCH for failure"

Therefore all the ACLs work more or less inverted, which could lead to serious security holes.

Kind regards
Valentin Schmid
Systemengineering

aurax connecta ag
Betreiber von KnS und ilnet
Bahnhofstrasse 2
7130 Ilanz
Telefon: +41 81 926 27 28
Telefax: +41 81 926 27 29
http://www.kns.ch
http://www.ilnet.ch

From rsena at mitre.org Wed Dec 28 20:59:13 2011
From: rsena at mitre.org (Sena, Rich)
Date: Wed, 28 Dec 2011 20:59:13 +0000
Subject: [tac_plus] raccess and tac_plus
Message-ID: <424FDD749926764BA44BBE7F0B58802A1A23E2@IMCMBX01.MITRE.ORG>

Trying to set up a cisco terminal server and limit access to certain tty's for some admins. Behind this server we have network devices and storage devices. I want to limit the consoles that the storage admins are permitted to connect to. Here is what I've done...

BTW I also had an iteration where I tried to add the port numbers to the acl (permit = ^10\.83\.125\.235" "2011$) but I figured I was barking up the wrong tree...

On NAS:

    aaa authorization reverse-access default group tacacs+ if-authenticated

In tac_plus.conf:

    user = san {
        name = "SAN Admin"
        member = netsup
    }

    group = netsup {
        login = file /etc/passwd
        member = supaccess
        # expires = "Dec 25 2011"
    }

    group = supaccess {
        default service = permit
        service = raccess {
            # limit console logins for supaccess
            port#1 = dc-cons1/tty0\/0\/8
            port#2 = dc-cons1/tty0\/0\/9
            port#3 = dc-cons1/tty0\/0\/10
        }
        cmd = conf {
            # allow supaccess to config MDS
            permit 10\.83\.125\.191
            deny .*
        }
        cmd = write {
            # allow supaccess to write MDS
            permit 10\.83\.125\.191
            deny .*
        }
        #acl = supacl
        service = exec {
            priv-lvl = 15
        }
    }

    acl = supacl {
        permit = ^10\.83\.125\.235$
        permit = ^10\.83\.125\.191$
        deny = .*
    }
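The inverted regexec() test in cfg_acl_check reported in the F4.0.4.20 bug report above, run against the supacl from this last post, as an added example that is not tac_plus's own code: a minimal ACL evaluator with the buggy condition beside the corrected one, over constructed client IPs. First-match-wins evaluation and deny-by-default when no entry matches are assumptions about tac_plus's ACL semantics, not taken from the page.

```c
#include <regex.h>
#include <stddef.h>
#include <stdio.h>

/* One ACL line as written in tac_plus.conf: "permit = <regex>" or "deny = <regex>". */
struct acl_entry {
    int permit;          /* ACL_PERMIT or ACL_DENY */
    const char *pattern; /* POSIX regex matched against the client IP as a string */
};

#define ACL_PERMIT 1
#define ACL_DENY   0

/*
 * Walk the ACL and return the action of the first entry whose regex matches the
 * IP (assumed tac_plus semantics); deny if nothing matches (assumed default).
 *
 * buggy == 0: the corrected test, `regexec(...) == 0`.
 * buggy == 1: the F4.0.4.20 form `if (regexec(...))`, which treats REG_NOMATCH
 *             (nonzero) as a match, so an entry fires on every IP it does NOT match.
 */
static int acl_check(const struct acl_entry *acl, size_t n, const char *ip, int buggy)
{
    for (size_t i = 0; i < n; i++) {
        regex_t re;
        /* tac_plus precompiles patterns at config load; compiling here keeps this self-contained */
        if (regcomp(&re, acl[i].pattern, REG_EXTENDED | REG_NOSUB) != 0)
            return ACL_DENY; /* a pattern that will not compile must never grant access */

        int rc = regexec(&re, ip, 0, NULL, 0); /* 0 on match, REG_NOMATCH otherwise */
        regfree(&re);

        int matched = buggy ? (rc != 0) : (rc == 0);
        if (matched)
            return acl[i].permit;
    }
    return ACL_DENY;
}

/* The supacl from the raccess post, as constructed sample data. */
static const struct acl_entry supacl[] = {
    { ACL_PERMIT, "^10\\.83\\.125\\.235$" },
    { ACL_PERMIT, "^10\\.83\\.125\\.191$" },
    { ACL_DENY,   ".*" },
};

/* A constructed deny-first ACL, to show the inversion from the other direction. */
static const struct acl_entry blockone[] = {
    { ACL_DENY,   "^192\\.0\\.2\\.99$" },
    { ACL_PERMIT, ".*" },
};

#define LEN(a) (sizeof (a) / sizeof (a)[0])

int supacl_fixed(const char *ip)   { return acl_check(supacl, LEN(supacl), ip, 0); }
int supacl_buggy(const char *ip)   { return acl_check(supacl, LEN(supacl), ip, 1); }
int blockone_fixed(const char *ip) { return acl_check(blockone, LEN(blockone), ip, 0); }
int blockone_buggy(const char *ip) { return acl_check(blockone, LEN(blockone), ip, 1); }

int main(void)
{
    const char *ips[] = { "10.83.125.235", "10.83.125.191", "10.0.0.1", "192.0.2.99" };
    puts("ip              supacl fixed/buggy   blockone fixed/buggy");
    for (size_t i = 0; i < LEN(ips); i++) {
        printf("%-15s %s/%s          %s/%s\n", ips[i],
               supacl_fixed(ips[i])   ? "permit" : "deny",
               supacl_buggy(ips[i])   ? "permit" : "deny",
               blockone_fixed(ips[i]) ? "permit" : "deny",
               blockone_buggy(ips[i]) ? "permit" : "deny");
    }
    return 0;
}
```

With the buggy test the trailing `deny = .*` of supacl can never fire, so every address is permitted, while the deny-first ACL rejects everyone; a quick way to catch this class of regression is to keep both a positive and a negative IP in the test set for each ACL.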