[tac_plus] tac_plus, pap, and pam
Morty Abzug
morty+tac_plus at frakir.org
Fri Jul 29 07:42:01 UTC 2011
On Tue, Jul 26, 2011 at 07:27:01PM -0400, Jiann-Ming Su wrote:
> I've been trying to get PAP to work with PAM in the tacacs+-F4.0.4.19.
> I ran across this thread:
>
> http://www.shrubbery.net/pipermail/tac_plus/2009-July/000475.html
>
> The much older version of tac_plus we're running had a patch for PAP
> and PAM integration:
>
> http://www.redhat.com/archives/pam-list/2001-February/msg00009.html
>
> Will this patch work with 4.0.4.19? Thanks for any insights.
Here is a patch relative to tacacs+-F4.0.4.19 (based on the
tacacs+-F4.0.4.15 patch posted earlier):
diff -ur tacacs+-F4.0.4.19.orig/config.c tacacs+-F4.0.4.19-PAP/config.c
--- tacacs+-F4.0.4.19.orig/config.c Fri Jul 17 17:34:30 2009
+++ tacacs+-F4.0.4.19-PAP/config.c Thu Jun 30 17:27:15 2011
@@ -66,7 +66,9 @@
skey |
cleartext <password> |
des <password> |
+#ifdef HAVE_PAM
PAM |
+#endif
nopassword
<user_attr> := name = <string> |
@@ -80,6 +82,9 @@
#endif
pap = cleartext <string> |
pap = des <string> |
+#ifdef HAVE_PAM
+ pap = PAM |
+#endif
opap = cleartext <string> |
global = cleartext <string> |
msg = <string>
@@ -1145,9 +1150,21 @@
user->pap = tac_strdup(buf);
break;
+#ifdef HAVE_PAM
+ case S_pam:
+ user->pap = tac_strdup(sym_buf);
+ break;
+#endif
+
+
default:
- parse_error("expecting 'cleartext', or 'des' keyword after "
- "'pap =' on line %d", sym_line);
+ parse_error(
+#ifdef HAVE_PAM
+ "expecting 'cleartext', 'PAM' or 'des' keyword after 'pap =' on line %d",
+#else
+ "expecting 'cleartext' or 'des' keyword after 'pap =' on line %d",
+#endif
+ sym_line);
}
sym_get();
continue;
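Review bot: The `#ifdef HAVE_PAM` / `#else` / `#endif` placed inside the argument list of `parse_error(` is only well-defined if parse_error is a true function; if it is (or later becomes) a function-like macro, preprocessor directives inside macro arguments are undefined behaviour (C11 6.10.3p11), and the construct is hard to read either way. Select the message text outside the call instead, as sketched below, and drop the two stray blank lines added after the `#endif` that closes the `S_pam` case. Note also that the new `S_pam` case stores `sym_buf` directly while the sibling cases store the composed `buf`; that is presumably deliberate so the consumer of `user->pap` can match the bare keyword, but it is worth confirming against the verify path. The enclosing switch and its function start and end outside the hunk.
```c
/* above the switch, next to the other HAVE_PAM conditionals */
#ifdef HAVE_PAM
#define PAP_KEYWORD_MSG "expecting 'cleartext', 'PAM' or 'des' keyword"
#else
#define PAP_KEYWORD_MSG "expecting 'cleartext' or 'des' keyword"
#endif
/* … unchanged: 'cleartext' and 'des' cases … */
#ifdef HAVE_PAM
	case S_pam:
	    user->pap = tac_strdup(sym_buf);
	    break;
#endif
	default:
	    parse_error(PAP_KEYWORD_MSG " after 'pap =' on line %d", sym_line);
```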
diff -ur tacacs+-F4.0.4.19.orig/pwlib.c tacacs+-F4.0.4.19-PAP/pwlib.c
--- tacacs+-F4.0.4.19.orig/pwlib.c Fri Jul 17 17:34:31 2009
+++ tacacs+-F4.0.4.19-PAP/pwlib.c Thu Jun 30 17:33:14 2011
@@ -50,6 +50,9 @@
#endif
static int passwd_file_verify(char *, char *, struct authen_data *, char *);
+// Global password variable for pap PAM support
+static char *predef_passwd;
+
/* Adjust data->status depending on whether a user has expired or not */
void
set_expiration_status(char *exp_date, struct authen_data *data)
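Review bot: The new `static char *predef_passwd;` is introduced with a `//` comment in a file whose surrounding comments use `/* */` (see the line above `set_expiration_status`), and the comment does not say who sets the pointer, what it points to, or how long it is valid. Since it is a file-scope pointer to a plaintext password that another function reads, document the contract explicitly, e.g. `/* Password handed to pam_verify(); pam_tacacs() answers PAM_PROMPT_ECHO_OFF with it instead of sending GETPASS. Points into the caller's buffer — only valid during pam_verify(), NULL otherwise. */`. Stating the NULL-when-unset invariant here matters because the static is zero-initialised, so any reader must guard against NULL.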
@@ -488,29 +491,33 @@
report(LOG_ERR, "%s %s: PAM_PROMPT_ECHO_OFF", session.peer,
session.port);
- send_authen_reply(TAC_PLUS_AUTHEN_STATUS_GETPASS,
- (char *)pmpp[i]->msg,
- pmpp[i]->msg ? strlen(pmpp[i]->msg) : 0,
- NULL, 0, TAC_PLUS_AUTHEN_FLAG_NOECHO);
- reply = get_authen_continue();
- if (!reply) {
- /* Typically due to a premature connection close */
- report(LOG_ERR, "%s %s: Null reply packet, expecting CONTINUE",
+ if (strcmp(predef_passwd, "") != 0) {
+ prpp[i]->resp = predef_passwd;
+ } else {
+ send_authen_reply(TAC_PLUS_AUTHEN_STATUS_GETPASS,
+ (char *)pmpp[i]->msg,
+ pmpp[i]->msg ? strlen(pmpp[i]->msg) : 0,
+ NULL, 0, TAC_PLUS_AUTHEN_FLAG_NOECHO);
+ reply = get_authen_continue();
+ if (!reply) {
+ /* Typically due to a premature connection close */
+ report(LOG_ERR, "%s %s: Null reply packet, expecting CONTINUE",
session.peer, session.port);
- goto fail;
- }
- acp = (struct authen_cont *) (reply + TAC_PLUS_HDR_SIZE);
+ goto fail;
+ }
+ acp = (struct authen_cont *) (reply + TAC_PLUS_HDR_SIZE);
- rp = reply + TAC_PLUS_HDR_SIZE + TAC_AUTHEN_CONT_FIXED_FIELDS_SIZE;
- /*
- * A response to our GETDATA/GETPASS request. Create a
- * null-terminated string for authen_data.
- */
- prpp[i]->resp = (char *) tac_malloc(acp->user_msg_len + 1);
- memcpy(prpp[i]->resp, rp, acp->user_msg_len);
- prpp[i]->resp[acp->user_msg_len] = '\0';
+ rp = reply + TAC_PLUS_HDR_SIZE + TAC_AUTHEN_CONT_FIXED_FIELDS_SIZE;
+ /*
+ * A response to our GETDATA/GETPASS request. Create a
+ * null-terminated string for authen_data.
+ */
+ prpp[i]->resp = (char *) tac_malloc(acp->user_msg_len + 1);
+ bcopy(rp, prpp[i]->resp, acp->user_msg_len);
+ prpp[i]->resp[acp->user_msg_len] = '\0';
- free(reply);
+ free(reply);
+ }
break;
case PAM_PROMPT_ECHO_ON:
if (debug & DEBUG_PASSWD_FLAG)
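Review bot: `prpp[i]->resp = predef_passwd;` hands PAM a pointer the conversation does not own: PAM implementations (Linux-PAM among them) free each response string after the conversation returns, so this frees the caller's password buffer and any later use of `passwd` in pam_verify is a use-after-free; the branch should allocate a copy, `prpp[i]->resp = tac_strdup(predef_passwd);`, matching the `tac_malloc` path below it. The guard `strcmp(predef_passwd, "") != 0` dereferences a NULL pointer whenever pam_tacacs runs before pam_verify has set the static (or a caller passes a NULL password), so write it as `if (predef_passwd && *predef_passwd) {`. The rewritten prompt path also swaps the original `memcpy` for `bcopy`, a deprecated BSD call with reversed argument order; keep `memcpy(prpp[i]->resp, rp, acp->user_msg_len);` as the context had it. The enclosing loop and pam_tacacs function start and end outside the hunk.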
@@ -586,6 +593,7 @@
int pam_flag;
struct pam_conv conv = { pam_tacacs, NULL };
pam_handle_t *pamh = NULL;
+ predef_passwd = passwd;
if (debug & DEBUG_PASSWD_FLAG)
report(LOG_DEBUG, "pam_verify %s %s", user, passwd);
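Review bot: `predef_passwd = passwd;` stores a pointer into the caller's buffer in file-scope state and nothing in the patch ever resets it, so after pam_verify returns the static keeps pointing at memory the caller may have freed or reused, and the next PAM conversation in this process would read it. Clear it on every exit path of pam_verify, `predef_passwd = NULL;`, placed after `pam_end()` and before each `return`; the function's remainder is outside the hunk. With PAP routed through this function, the existing debug line that follows, `report(LOG_DEBUG, "pam_verify %s %s", user, passwd);`, now writes real PAP passwords to the log whenever `DEBUG_PASSWD_FLAG` is set; that was already the case for login passwords, but it is worth noting in the comment on the static.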