[tac_plus] parsingbug in tac-plus 4.0.4.19

Christofer Algotsson Christofer.Algotsson at malmo.se
Wed Jun 15 09:50:09 UTC 2011


Hi, sorry for quoting your email the Outlook way.

I meant the /etc/shadow file, not /etc/passwd - my bad.

User1 doesn't have an expiry date set, User2 does.

User1:<encrypted>:13867:0:99999:7:::
User2:<encrypted>:13913:0:99999:7::14061:

No matter if the expiry is configured or not, the Tacacs daemon rejects all users' credentials. After some investigation I found that the expiry variable got populated with a colon (:), which makes the daemon reject the user. However, it's not rejecting the user as 'account expired' - it just silently tells you that the credentials are invalid.

So I configured a valid expiry date for my test user, no difference... got rejected. So I configured an expired expiry date and still got rejected (no expiry reason). My patch tells tac_plus not to treat colon as a valid expiry entry.

Now everything works (expiry, non-expiry accounts and so forth).


I could provide you with a debug if you'd like one. Could take some time to get one (production system).

Thanks
Chris



-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net] 
Sent: Tuesday, June 14, 2011 7:20 PM
To: Christofer Algotsson
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] parsingbug in tac-plus 4.0.4.19

Tue, Jun 14, 2011 at 11:01:12AM +0000, Christofer Algotsson:
> Hi,
> 
> Just to let you know Debian GNU/Linux uses : as delimiter in /etc/passwd for expiry records. Tac_plus needs to know this in order to validate the row and value correctly.
> 

I don't think this is correct.  Can you provide an example of the field value?
Your patch implies that a value that begins with a ':' is an empty or no
expiration indicator.  I think that a change must be made to the code below
this.
