From rondole.jones.ctr at swfpac.navy.mil Tue Jul 5 19:05:49 2011
From: rondole.jones.ctr at swfpac.navy.mil (Jones, Rondole CTR)
Date: Tue, 5 Jul 2011 12:05:49 -0700
Subject: [tac_plus] FW: Tacacs
Message-ID: <4309F499E0707B44AD372FDB0AD085960363D95D@spbmail2.swfpac.navy.mil>

-----Original Message-----
From: Jones, Rondole CTR
Sent: Tuesday, July 05, 2011 11:59 AM
To: info at shrubbery.net
Subject: Tacacs

Need help loading tacacs+F50.0.a1 on my Suse 11 server. Can anyone help me?

Ron Jones
Technical Director
SWFPAC Help Desk staffed by Craytek
360-396-8614

From robert.lee at jos.com.hk Wed Jul 13 12:40:14 2011
From: robert.lee at jos.com.hk (Robert Lee)
Date: Wed, 13 Jul 2011 20:40:14 +0800
Subject: [tac_plus] Failed attempt authentication log in tacacs
Message-ID: <06EEDB006165D04BB3F3733B7C3DE4F414B47D53@EXS15HK.corp.jos.com>

Dear Sir,

I cannot find the failure attempt authentication log in the tacacs
accounting log, may I know if this feature is off by default? If so
how can I enable it? Thanks.

Regards,
Robert Lee

From alan.mckinnon at gmail.com Wed Jul 13 21:51:26 2011
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Wed, 13 Jul 2011 23:51:26 +0200
Subject: [tac_plus] Failed attempt authentication log in tacacs
In-Reply-To: <06EEDB006165D04BB3F3733B7C3DE4F414B47D53@EXS15HK.corp.jos.com>
References: <06EEDB006165D04BB3F3733B7C3DE4F414B47D53@EXS15HK.corp.jos.com>
Message-ID: <5469631.8GVfk3baC6@nazgul>

On Wednesday 13 July 2011 20:40:14 Robert Lee did opine thusly:
> Dear Sir,
>
> I cannot find the failure attempt authentication log in the tacacs
> accounting log, may I know if this feature is off by default? If so
> how can I enable it? Thanks.

It's not in the accounting log, it's in the tacacs log. It's the tacacs
daemon that denied the auth, not the NAS so the NAS never records an
accounting record for it.

You will need to run tac_plus with -d 16 to get the logs

--
alan dot mckinnon at gmail dot com

From sujiannming at gmail.com Tue Jul 26 23:27:01 2011
From: sujiannming at gmail.com (Jiann-Ming Su)
Date: Tue, 26 Jul 2011 19:27:01 -0400
Subject: [tac_plus] tac_plus, pap, and pam
Message-ID:

I've been trying to get PAP to work with PAM in the tacacs+-F4.0.4.19.
I ran across this thread:

http://www.shrubbery.net/pipermail/tac_plus/2009-July/000475.html

The much older version of tac_plus we're running had a patch for PAP
and PAM integration:

http://www.redhat.com/archives/pam-list/2001-February/msg00009.html

Will this patch work with 4.0.4.19? Thanks for any insights.

--
Jiann-Ming Su
"I have to decide between two equally frightening options. If I wanted to do that, I'd vote." --Duckman
"The system's broke, Hank. The election baby has peed in the bath water. You got to throw 'em both out." --Dale Gribble
"Those who vote decide nothing. Those who count the votes decide everything." --Joseph Stalin

From ozgurumutvurgun at gmail.com Thu Jul 28 14:55:58 2011
From: ozgurumutvurgun at gmail.com (özgür umut vurgun)
Date: Thu, 28 Jul 2011 17:55:58 +0300
Subject: [tac_plus] TACACS+ Error
Message-ID:

Hi,

I am trying to install tacacs+ but I get errors when I run the "make install"
command. Can you please look at my problem?

Thanks ...

Error Output :

maxsessint.c: In function ‘maxsess_check_count’:
maxsessint.c:60: error: ‘S_maxsess’ undeclared (first use in this function)
maxsessint.c:60: error: (Each undeclared identifier is reported only once
maxsessint.c:60: error: for each function it appears in.)
make: *** [maxsessint.o] Error 1
[root at Ozguruv tacacs+-F5.0.0a1]# service tac-plus start
tac-plus: unrecognized service

özgür...

From kissg at ssg.ki.iif.hu Thu Jul 28 17:28:15 2011
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Thu, 28 Jul 2011 19:28:15 +0200 (CEST)
Subject: [tac_plus] TACACS+ Error
In-Reply-To:
References:
Message-ID:

> I am trying to install tacacs+ but I get errors when I run the "make install"
> command. Can you please look at my problem?
>
> Thanks ...
>
> Error Output :
>
> maxsessint.c: In function ‘maxsess_check_count’:
> maxsessint.c:60: error: ‘S_maxsess’ undeclared (first use in this function)

It seems the compiler does not find an include file.
Check the include path (-I options of cc/gcc).

Gabor
--
Wenn ist das Nunstück git und Slotermeyer? Ja! ... Beiherhund das Oder die Flipperwaldt gersput.

From morty+tac_plus at frakir.org Fri Jul 29 07:42:01 2011
From: morty+tac_plus at frakir.org (Morty Abzug)
Date: Fri, 29 Jul 2011 03:42:01 -0400
Subject: [tac_plus] tac_plus, pap, and pam
In-Reply-To:
References:
Message-ID: <20110729074201.GN1290@red-sonja>

On Tue, Jul 26, 2011 at 07:27:01PM -0400, Jiann-Ming Su wrote:
> I've been trying to get PAP to work with PAM in the tacacs+-F4.0.4.19.
> I ran across this thread:
>
> http://www.shrubbery.net/pipermail/tac_plus/2009-July/000475.html
>
> The much older version of tac_plus we're running had a patch for PAP
> and PAM integration:
>
> http://www.redhat.com/archives/pam-list/2001-February/msg00009.html
>
> Will this patch work with 4.0.4.19? Thanks for any insights.

Here is a patch relative to tacacs+-F4.0.4.19 (based on the
tacacs+-F4.0.4.15 patch posted earlier):

diff -ur tacacs+-F4.0.4.19.orig/config.c tacacs+-F4.0.4.19-PAP/config.c --- tacacs+-F4.0.4.19.orig/config.c Fri Jul 17 17:34:30 2009 +++ tacacs+-F4.0.4.19-PAP/config.c Thu Jun 30 17:27:15 2011 @@ -66,7 +66,9 @@ skey | cleartext | des | +#ifdef HAVE_PAM PAM | +#endif nopassword := name = | @@ -80,6 +82,9 @@ #endif pap = cleartext | pap = des | +#ifdef HAVE_PAM + pap = PAM | +#endif opap = cleartext | global = cleartext | msg = @@ -1145,9 +1150,21 @@ user->pap = tac_strdup(buf); break; +#ifdef HAVE_PAM + case S_pam: + user->pap = tac_strdup(sym_buf); + break; +#endif + + default: - parse_error("expecting 'cleartext', or 'des' keyword after " - "'pap =' on line %d", sym_line); + parse_error( +#ifdef HAVE_PAM + "expecting 'cleartext', 'PAM' or 'des' keyword after 'pap =' on line %d", +#else + "expecting 'cleartext' or 'des' keyword after 'pap =' on line %d", +#endif + sym_line); } sym_get(); continue; diff -ur tacacs+-F4.0.4.19.orig/pwlib.c tacacs+-F4.0.4.19-PAP/pwlib.c --- tacacs+-F4.0.4.19.orig/pwlib.c Fri Jul 17 17:34:31 2009 +++ tacacs+-F4.0.4.19-PAP/pwlib.c Thu Jun 30 17:33:14 2011
@@ -50,6 +50,9 @@ #endif static int passwd_file_verify(char *, char *, struct authen_data *, char *); +// Global password variable for pap PAM support +static char *predef_passwd; + /* Adjust data->status depending on whether a user has expired or not */ void set_expiration_status(char *exp_date, struct authen_data *data) 
@@ -488,29 +491,33 @@ report(LOG_ERR, "%s %s: PAM_PROMPT_ECHO_OFF", session.peer, session.port); - send_authen_reply(TAC_PLUS_AUTHEN_STATUS_GETPASS, - (char *)pmpp[i]->msg, - pmpp[i]->msg ? strlen(pmpp[i]->msg) : 0, - NULL, 0, TAC_PLUS_AUTHEN_FLAG_NOECHO); - reply = get_authen_continue(); - if (!reply) { - /* Typically due to a premature connection close */ - report(LOG_ERR, "%s %s: Null reply packet, expecting CONTINUE", + if (strcmp(predef_passwd, "") != 0) { + prpp[i]->resp = predef_passwd; + } else { + send_authen_reply(TAC_PLUS_AUTHEN_STATUS_GETPASS, + (char *)pmpp[i]->msg, + pmpp[i]->msg ? strlen(pmpp[i]->msg) : 0, + NULL, 0, TAC_PLUS_AUTHEN_FLAG_NOECHO); + reply = get_authen_continue(); + if (!reply) { + /* Typically due to a premature connection close */ + report(LOG_ERR, "%s %s: Null reply packet, expecting CONTINUE", session.peer, session.port); - goto fail; - } - acp = (struct authen_cont *) (reply + TAC_PLUS_HDR_SIZE); + goto fail; + } + acp = (struct authen_cont *) (reply + TAC_PLUS_HDR_SIZE); - rp = reply + TAC_PLUS_HDR_SIZE + TAC_AUTHEN_CONT_FIXED_FIELDS_SIZE; - /* - * A response to our GETDATA/GETPASS request. Create a - * null-terminated string for authen_data. - */ - prpp[i]->resp = (char *) tac_malloc(acp->user_msg_len + 1); - memcpy(prpp[i]->resp, rp, acp->user_msg_len); - prpp[i]->resp[acp->user_msg_len] = '\0'; + rp = reply + TAC_PLUS_HDR_SIZE + TAC_AUTHEN_CONT_FIXED_FIELDS_SIZE; + /* + * A response to our GETDATA/GETPASS request. Create a + * null-terminated string for authen_data. + */ + prpp[i]->resp = (char *) tac_malloc(acp->user_msg_len + 1); + bcopy(rp, prpp[i]->resp, acp->user_msg_len); + prpp[i]->resp[acp->user_msg_len] = '\0'; - free(reply); + free(reply); + } break; case PAM_PROMPT_ECHO_ON: if (debug & DEBUG_PASSWD_FLAG) 
@@ -586,6 +593,7 @@ int pam_flag; struct pam_conv conv = { pam_tacacs, NULL }; pam_handle_t *pamh = NULL; + predef_passwd = passwd; if (debug & DEBUG_PASSWD_FLAG) report(LOG_DEBUG, "pam_verify %s %s", user, passwd);

From heas at shrubbery.net Fri Jul 29 20:44:58 2011
From: heas at shrubbery.net (john heasley)
Date: Fri, 29 Jul 2011 20:44:58 +0000
Subject: [tac_plus] TACACS+ Error
In-Reply-To:
References:
Message-ID: <20110729204458.GX5357@shrubbery.net>

Thu, Jul 28, 2011 at 05:55:58PM +0300, özgür umut vurgun:
> Hi,
>
> I am trying to install tacacs+ but I get errors when I run the "make install"
> command. Can you please look at my problem?
>
> Thanks ...
>
> Error Output :
>
> maxsessint.c: In function ‘maxsess_check_count’:
> maxsessint.c:60: error: ‘S_maxsess’ undeclared (first use in this function)
> maxsessint.c:60: error: (Each undeclared identifier is reported only once
> maxsessint.c:60: error: for each function it appears in.)
> make: *** [maxsessint.o] Error 1
> [root at Ozguruv tacacs+-F5.0.0a1]# service tac-plus start
> tac-plus: unrecognized service
>
>

you need --enable-maxsess option to ./configure
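
Review bot: The new `pap = PAM` keyword is documented only in the grammar comment at @@ -80,6 +82,9 @@ of config.c; the diff touches config.c and pwlib.c and nothing else, so the user-facing configuration documentation needs the same addition. In the @@ -1145,9 +1150,21 @@ hunk, the `#ifdef HAVE_PAM` / `#else` sits inside the argument list of `parse_error(`, which duplicates the whole format string and is easy to break on the next edit; select the keyword list once under the #ifdef and pass it to a single `parse_error` call. The same hunk also adds two blank lines before `default:` where one is enough.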
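
Review bot: In the pwlib.c hunk at @@ -488,29 +491,33 @@, `prpp[i]->resp = predef_passwd;` hands the PAM conversation a pointer to the caller's `passwd` buffer, while the else branch hands it a `tac_malloc` allocation. PAM response strings are freed by the PAM side once the conversation returns, so the aliased buffer can be freed underneath the caller of pam_verify; return a copy instead, e.g. `prpp[i]->resp = tac_strdup(predef_passwd);`. The guard `strcmp(predef_passwd, "") != 0` dereferences the file-scope pointer without a NULL check, and that pointer is NULL until pam_verify assigns it, so test `predef_passwd != NULL && *predef_passwd != '\0'`. The switch from `memcpy` to `bcopy` in the re-indented branch is unrelated to the feature and should be dropped from the patch.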
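
Review bot: In pwlib.c, `predef_passwd = passwd;` at @@ -586,6 +593,7 @@ stores a pointer to the cleartext password in the file-scope static added at @@ -50,6 +50,9 @@, and nothing in the patch resets it, so the pointer is left dangling after pam_verify returns. The `NULL` in `struct pam_conv conv = { pam_tacacs, NULL };` is the conversation's application-data pointer, which exists for this purpose: pass `passwd` there and read it in pam_tacacs, which removes the global altogether. If the global stays, set it back to NULL on every exit path of pam_verify and write its comment as `/* ... */` to match the comment style already used in the file.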