From esswilley at gmail.com Mon May 2 18:58:04 2011 From: esswilley at gmail.com (Eric Swilley) Date: Mon, 2 May 2011 14:58:04 -0400 Subject: [tac_plus] PAM patch for PAP? Message-ID: Hello, Just wondering if the latest revision of TACACS+ included patches previously written for fixing PAP inquiries against PAM authentication? We've been tasked with configuring F5 appliance authentication against TACACS+ (with PAM) and were hoping the features would be seamless. Patches as referenced: http://www.shrubbery.net/pipermail/tac_plus/2008-October/000282.html http://peterton.org/?p=17 Thanks for any information you may be able to provide. -Eric From jnathan at salesforce.com Tue May 3 15:48:02 2011 
From: jnathan at salesforce.com (Jon Nathan) Date: Tue, 3 May 2011 08:48:02 -0700 Subject: [tac_plus] PAM patch for PAP? In-Reply-To: Message-ID: I just rebuilt Jeroen's Patch for F4.0.4.19. I didn't really change anything, just fit it into the current release. It seems to work nicely. Apply with gpatch -p0 < pap.pam.patch, and set pap = PAM in your config file. See attached. -Jon On 5/2/11 2:58 PM, "Eric Swilley" wrote: > Hello, > > Just wondering if the latest revision of TACACS+ included patches > previously written for fixing PAP inquiries against PAM > authentication? We've been tasked with configuring F5 appliance > authentication against TACACS+ (with PAM) and were hoping the features > would be seamless. > > Patches as referenced: > > http://www.shrubbery.net/pipermail/tac_plus/2008-October/000282.html > > http://peterton.org/?p=17 > > Thanks for any information you may be able to provide. > > -Eric > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus -------------- next part -------------- A non-text attachment was scrubbed... Name: pap.pam.patch Type: application/octet-stream Size: 3805 bytes Desc: pap.pam.patch URL: From nicotine at warningg.com Wed May 4 02:23:33 2011 
From: nicotine at warningg.com (Brandon Ewing) Date: Tue, 3 May 2011 21:23:33 -0500 Subject: [tac_plus] Patch for md5 salt in tac_pwd Message-ID: <20110504022333.GQ27536@radiological.warningg.com> Attached patch adds -m option to use an eight-character salt for glibc2 versions of crypt() for stronger salts and MD5 hashing. This is supported in the actual config file natively, as the entire encrypted password is passed without checking to the crypt function in pwlib.c I re-used the existing salt selection code, but repeat it longer to generate 8 random characters for the salt, wrapping it in the MD5 salt deliminators. This eliminates the 8 character limit of DES passwords. Works on CentOS 5 test platform: # ./tac_pwd -m Password to be encrypted: testpass $1$r6IPCMQG$NLWm8WaXsb.9dUL4FNeUR0 -- Brandon Ewing (nicotine at warningg.com) -------------- next part -------------- --- tac_pwd.c.orig 2009-07-17 12:34:31.000000000 -0500 +++ tac_pwd.c 2011-05-03 21:16:11.000000000 -0500 @@ -63,10 +63,11 @@ extern int optind; char *prompt = "Password to be encrypted: "; int opt_e = 0, + use_md5 = 0, n; struct termios t; - while ((n = getopt(argc, argv, "eh")) != EOF) { + while ((n = getopt(argc, argv, "ehm")) != EOF) { switch (n) { case 'e': opt_e++; @@ -75,6 +76,9 @@ usage(); exit(0); break; + case 'm': + use_md5 = 1; + break; default: usage(); exit(1); 
@@ -105,42 +109,67 @@ } if (!salt) { - int i, r, r1, r2; + if (use_md5) { + int i, r, r1, r2, r3, r4, r5, r6, r7, r8; + r1 = r2 = r3 = r4 = r5 = r6 = r7 = r8 = 0; + srand(time(0)); + for (i = 0; i <= 7; i++) { + r = rand(); + r = r & 127; + if (r < 46) + r += 46; + if (r > 57 && r < 65) + r += 7; + if (r > 90 && r < 97) + r +=6; + if (r > 122) + r -=5; + if (i == 0) + r1 = r; + if (i == 1) + r2 = r; + if (i == 2) + r3 = r; + if (i == 3) + r4 = r; + if (i == 4) + r5 = r; + if (i == 5) + r6 = r; + if (i == 6) + r7 = r; + if (i == 7) + r8 = r; + } + sprintf(buf, "$1$%c%c%c%c%c%c%c%c$", + r1, r2, r3, r4, r5, r6, r7, r8); + } else { + int i, r, r1, r2; + r1 = r2 = 0; + srand(time(0)); + for (i = 0; i <= 1; i++) { + r = rand(); + r = r & 127; + if (r < 46) + r += 46; + if (r > 57 && r < 65) + r += 7; + if (r > 90 && r < 97) + r += 6; + if (r > 122) + r -= 5; + if (i == 0) + r1 = r; + if (i == 1) + r2 = r; + } + sprintf(buf, "%c%c", r1, r2); + } - r1 = r2 = 0; + salt = buf; + } - srand(time(0)); - - for (i = 0; i <= 1; i++) { - - r = rand(); - - r = r & 127; - - if (r < 46) - r += 46; - - if (r > 57 && r < 65) - r += 7; - - if (r > 90 && r < 97) - r += 6; - - if (r > 122) - r -= 5; - - if (i == 0) - r1 = r; - - if (i == 1) - r2 = r; - } - - sprintf(buf, "%c%c", r1, r2); - salt = buf; - } - - result = crypt(pass, salt); + result = crypt(pass, salt); write(1, result, strlen(result)); write(1, "\n", 1); @@ -153,7 +182,9 @@ { fprintf(stderr, "Usage: tac_pwd [-eh] []\n"); fprintf(stderr, "\t-e\tdo not echo the password\n" - "\t-h\tdisplay this message\n"); + "\t-m\tUse an md5 salt (requires glibc2 version of" + " crypt)\n" + "\t-h\tdisplay this message\n"); return; } -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From nicotine at warningg.com Wed May 4 02:48:50 2011 
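Review bot: the `if (use_md5)` branch seeds with `srand(time(0))` and draws the salt from `rand()`, so two runs of `tac_pwd -m` in the same second emit the same eight-character salt, and the seed is recoverable from the timestamp; read the salt bytes from /dev/urandom (or arc4random where available) instead. The `r & 127` remapping chain copied from the two-character DES path does not cover the crypt alphabet evenly: inputs 58-64 and 65-71 both land on 'A'-'G' (four inputs each once the `r < 46` shift is counted), 'a' is reachable from three, while 'g'-'u' are reachable from one input each; indexing a 64-entry "./0-9A-Za-z" table with `r & 63` removes that bias. The eight `r1`..`r8` variables and the `if (i == N)` ladder would collapse into a `char s[8]` filled in the loop, which also lets the two branches share one routine instead of duplicating it. Please also confirm `buf` (declared outside this hunk) holds at least 13 bytes for "$1$" + 8 + "$" + NUL, or use `snprintf(buf, sizeof buf, ...)`; and note that `-m` is silently ignored when a salt is given on the command line, since the new code sits entirely inside `if (!salt)`. The `-    result = crypt(pass, salt);` / `+    result = crypt(pass, salt);` pair is a whitespace-only change and can be dropped from the patch.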
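Review bot: the usage line in the last hunk still reads `Usage: tac_pwd [-eh] []` and should list the new option as `[-ehm]`. The `-m` help text could also say that the MD5 setting is only generated when no salt argument is supplied, and "Use an md5 salt" capitalises where the neighbouring entries ("do not echo", "display this message") are lower-case.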
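Brandon's patch above derives its eight salt characters from srand(time(0))/rand() through a remapping copied from the two-character DES path, and the replies later in this thread argue for drawing salts from the full [./a-zA-Z0-9] alphabet. The block below is an added example in Python, not code from tac_plus or from the posted patch. It generates crypt(3) settings uniformly from that alphabet with a CSPRNG, reimplements the MD5-crypt ("$1$") scheme from the public FreeBSD/glibc algorithm (so it runs without Python's crypt module, which was removed in 3.13), checks a candidate password the way pwlib.c does by re-crypting with the stored hash as the setting, and tabulates how the patch's own character remapping covers the alphabet. The assumed hostnames, function names and the $6$ (SHA-512) setting format are this example's; whether the tac_plus host's crypt() accepts $6$ is the compatibility caveat raised in the thread.

```python
"""Added example, not part of the tac_plus sources or the posted patch."""
import hashlib
import hmac
import secrets
from collections import Counter

# The 64-character salt/hash alphabet used by crypt(3).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def make_salt(length: int) -> str:
    """`length` characters drawn uniformly from ITOA64 with a CSPRNG."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def salt_setting(scheme: str) -> str:
    """Full crypt() setting string: DES (2 chars), MD5 ($1$, 8 chars) or
    SHA-512 ($6$, 16 chars; glibc-specific, assumed supported)."""
    if scheme == "des":
        return make_salt(2)
    if scheme == "md5":
        return "$1$" + make_salt(8) + "$"
    if scheme == "sha512":
        return "$6$" + make_salt(16) + "$"
    raise ValueError("unknown scheme: " + scheme)


def _to64(value: int, count: int) -> str:
    """Little-endian base-64 in the crypt alphabet, `count` characters."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, setting: str) -> str:
    """MD5-crypt as implemented by FreeBSD/glibc for "$1$<salt>$" settings.
    Accepts either a bare setting or a full stored hash as `setting`."""
    magic = "$1$"
    salt = setting[len(magic):] if setting.startswith(magic) else setting
    salt = salt.split("$", 1)[0][:8]          # at most 8 salt characters
    pw, sl = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + magic.encode() + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for pl in range(len(pw), 0, -16):         # feed alt, len(pw) bytes total
        ctx.update(alt[:min(pl, 16)])
    i = len(pw)
    while i:                                  # the "weird" per-bit step
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for rnd in range(1000):                   # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(pw if rnd & 1 else final)
        if rnd % 3:
            c.update(sl)
        if rnd % 7:
            c.update(pw)
        c.update(final if rnd & 1 else pw)
        final = c.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return magic + salt + "$" + out


def check_password(password: str, stored: str) -> bool:
    """What pwlib.c does with crypt(): re-hash the candidate using the stored
    hash as the setting and compare. Constant-time compare avoids leaking
    the position of the first differing character."""
    return hmac.compare_digest(md5crypt(password, stored), stored)


def patch_salt_char(r: int) -> str:
    """The character remapping from the posted tac_pwd.c patch, applied to
    one rand() value (only the low 7 bits are used there)."""
    r &= 127
    if r < 46:
        r += 46
    if 57 < r < 65:
        r += 7
    if 90 < r < 97:
        r += 6
    if r > 122:
        r -= 5
    return chr(r)


def patch_salt_distribution() -> Counter:
    """How many of the 128 possible inputs map to each output character;
    a uniform generator would give every ITOA64 character the same count."""
    return Counter(patch_salt_char(r) for r in range(128))
```

`md5crypt("testpass", "$1$r6IPCMQG$")` reproduces the hash Brandon pasted from his CentOS 5 build, and `openssl passwd -1 -salt r6IPCMQG testpass` gives the same string, which is a quick way to cross-check any tac_pwd build against a second implementation. `patch_salt_distribution()` shows 'A'-'G' produced by four inputs each and 'g'-'u' by one each, which is the "artificially limited salt set" point from later in the thread made concrete.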
From: nicotine at warningg.com (Brandon Ewing) Date: Tue, 3 May 2011 21:48:50 -0500 Subject: [tac_plus] More complex do_auth.py Message-ID: <20110504024850.GR27536@radiological.warningg.com> Has anyone re-written do_auth.py to support command authorization on a per-device basis? Currently, device IP is only considered on login. Does TACACS+ pass the device ID when attempting to authorize commands? It would be beneficial to permit/deny commands on a per-group basis, considering the device ID. This would allow one to group allowed commands on a per-device basis, allowing a group that can execute "interface" or "router" configuration commands on all but a subset of devices, such as core network equipment. -- Brandon Ewing (nicotine at warningg.com) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From daniel.schmidt at wyo.gov Wed May 4 15:46:38 2011 
From: daniel.schmidt at wyo.gov (Daniel Schmidt) Date: Wed, 4 May 2011 09:46:38 -0600 Subject: [tac_plus] More complex do_auth.py In-Reply-To: <20110504024850.GR27536@radiological.warningg.com> References: <20110504024850.GR27536@radiological.warningg.com> Message-ID:

Yeah, and that darn, lazy author of do_auth didn't provide much documentation! Seriously, there is only this:

http://tacacs.org/

and this:
python do_auth.py | less

or maybe this:
http://www.shrubbery.net/pipermail/tac_plus/2011-March/000879.html

or this:
http://manpages.ubuntu.com/manpages/maverick/man8/do_auth.8.html

So, dunno really, maybe you have a dumb user named homer who you don't want on your core and that would be maybe something like:

[user]
homer = no_core_for_you few_core_commands_for_you
other_guy = do_everything

[no_core_for_you]
device_deny = 1.1.1.1 1.1.1.2
device_allow = .*
command_permit = .*

[few_core_commands_for_you]
device_allow = 1.1.1.1 1.1.1.2
command_permit = show.* exit.* dir.*

[do_everything]
host_allow = .*
device_permit = .*
command_permit = .*

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Brandon Ewing Sent: Tuesday, May 03, 2011 8:49 PM To: tac_plus at shrubbery.net Subject: [tac_plus] More complex do_auth.py Has anyone re-written do_auth.py to support command authorization on a per-device basis? Currently, device IP is only considered on login. Does TACACS+ pass the device ID when attempting to authorize commands? It would be beneficial to permit/deny commands on a per-group basis, considering the device ID. This would allow one to group allowed commands on a per-device basis, allowing a group that can execute "interface" or "router" configuration commands on all but a subset of devices, such as core network equipment. -- Brandon Ewing (nicotine at warningg.com) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: _______________________________________________ tac_plus mailing list tac_plus at shrubbery.net http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus From daniel.schmidt at wyo.gov Wed May 4 16:38:44 2011 
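Brandon's question and Daniel's sketch above are about deciding a command on a per-device basis from the user's groups. The block below is an added example, not do_auth.py and not a description of how do_auth.py evaluates its file: it loads a config in the shape of Daniel's example and applies rules that are this example's own assumptions (a matching device_deny entry skips the group, device_allow must then match, a command_permit regex must then match the whole command, and the first permitting group wins). The config text is constructed for the example; its last section is written with the same keys as the other sections, where the posted sketch used host_allow/device_permit.

```python
"""Added example: a per-device command authorization evaluator.
Not do_auth.py; the matching rules are this example's assumptions."""
import configparser
import re

# Constructed config modelled on the posted example.
SAMPLE_CONFIG = """
[user]
homer = no_core_for_you few_core_commands_for_you
other_guy = do_everything

[no_core_for_you]
device_deny = 1.1.1.1 1.1.1.2
device_allow = .*
command_permit = .*

[few_core_commands_for_you]
device_allow = 1.1.1.1 1.1.1.2
command_permit = show.* exit.* dir.*

[do_everything]
device_allow = .*
command_permit = .*
"""

_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _device_re(entry: str) -> "re.Pattern":
    """A bare IPv4 literal is escaped so its dots match only dots; any other
    entry is used as the regex it was written as (".*", "10\\.0\\..*", ...)."""
    return re.compile(re.escape(entry) if _IPV4.match(entry) else entry)


def _matches_any(entries: str, value: str, device: bool = False) -> bool:
    """Whitespace-separated pattern list, anchored at both ends."""
    for pattern in entries.split():
        rx = _device_re(pattern) if device else re.compile(pattern)
        if rx.fullmatch(value):
            return True
    return False


def load(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def authorize(cfg: configparser.ConfigParser, user: str, device: str,
              command: str) -> bool:
    """True if some group of `user` permits `command` on `device`.
    Unknown users and unknown groups never permit anything."""
    if not cfg.has_option("user", user):
        return False
    for group in cfg.get("user", user).split():
        if not cfg.has_section(group):
            continue
        sec = cfg[group]
        # Deny list wins outright for this group.
        if _matches_any(sec.get("device_deny", ""), device, device=True):
            continue
        # The device must be explicitly allowed for the group to apply.
        if not _matches_any(sec.get("device_allow", ""), device, device=True):
            continue
        if _matches_any(sec.get("command_permit", ""), command):
            return True
    return False


def explain(cfg: configparser.ConfigParser, user: str, device: str,
            command: str) -> str:
    """One-line audit string suitable for an authorization log."""
    verdict = "PERMIT" if authorize(cfg, user, device, command) else "DENY"
    return f"{verdict} user={user} device={device} cmd={command!r}"
```

With the constructed config, homer may run `interface GigabitEthernet0/1` on 10.0.0.5 but not on 1.1.1.1, where only `show`, `exit` and `dir` commands pass; this is the "all but a subset of devices" split Brandon describes. Note that the device field has to be carried into the authorization request for any of this to work, which is the part of his question the config alone does not answer.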
From: daniel.schmidt at wyo.gov (Daniel Schmidt) Date: Wed, 4 May 2011 10:38:44 -0600 Subject: [tac_plus] Patch for md5 salt in tac_pwd In-Reply-To: <20110504022333.GQ27536@radiological.warningg.com> References: <20110504022333.GQ27536@radiological.warningg.com> Message-ID: <8ab90d2efc37163faef0f45cd72f9b9c@mail.gmail.com>

Good idea, tac_pwd has needed an update. Last I asked, I believe Heasley had a good point about compatibility, but I can't remember what it was.

I wrote a simple python cgi script that outputs long hashes - not sure if anybody might find that useful. Useful only for the truly paranoid who think md5 is not strong enough. Also useful if you just want to send your users a URL instead of having them login to type their password. Cent5.

I was going to mess with the salt length but then I got lazy & 8 seemed like a good number. Was also going to have it edit tac_plus.conf but, again, lazy. (and busy) Plz send feedback if: (knowledge_crypto > mine).

http://pastie.org/1864642

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Brandon Ewing Sent: Tuesday, May 03, 2011 8:24 PM To: tac_plus at shrubbery.net Subject: [tac_plus] Patch for md5 salt in tac_pwd Attached patch adds -m option to use an eight-character salt for glibc2 versions of crypt() for stronger salts and MD5 hashing. This is supported in the actual config file natively, as the entire encrypted password is passed without checking to the crypt function in pwlib.c I re-used the existing salt selection code, but repeat it longer to generate 8 random characters for the salt, wrapping it in the MD5 salt deliminators. This eliminates the 8 character limit of DES passwords. Works on CentOS 5 test platform: # ./tac_pwd -m Password to be encrypted: testpass $1$r6IPCMQG$NLWm8WaXsb.9dUL4FNeUR0 -- Brandon Ewing (nicotine at warningg.com) -------------- next part -------------- --- tac_pwd.c.orig 2009-07-17 12:34:31.000000000 -0500 +++ tac_pwd.c 2011-05-03 21:16:11.000000000 -0500 @@ -63,10 +63,11 @@ extern int optind; char *prompt = "Password to be encrypted: "; int opt_e = 0, + use_md5 = 0, n; struct termios t; - while ((n = getopt(argc, argv, "eh")) != EOF) { + while ((n = getopt(argc, argv, "ehm")) != EOF) { switch (n) { case 'e': opt_e++; @@ -75,6 +76,9 @@ usage(); exit(0); break; + case 'm': + use_md5 = 1; + break; default: usage(); exit(1); 
@@ -105,42 +109,67 @@ } if (!salt) { - int i, r, r1, r2; + if (use_md5) { + int i, r, r1, r2, r3, r4, r5, r6, r7, r8; + r1 = r2 = r3 = r4 = r5 = r6 = r7 = r8 = 0; + srand(time(0)); + for (i = 0; i <= 7; i++) { + r = rand(); + r = r & 127; + if (r < 46) + r += 46; + if (r > 57 && r < 65) + r += 7; + if (r > 90 && r < 97) + r +=6; + if (r > 122) + r -=5; + if (i == 0) + r1 = r; + if (i == 1) + r2 = r; + if (i == 2) + r3 = r; + if (i == 3) + r4 = r; + if (i == 4) + r5 = r; + if (i == 5) + r6 = r; + if (i == 6) + r7 = r; + if (i == 7) + r8 = r; + } + sprintf(buf, "$1$%c%c%c%c%c%c%c%c$", + r1, r2, r3, r4, r5, r6, r7, r8); + } else { + int i, r, r1, r2; + r1 = r2 = 0; + srand(time(0)); + for (i = 0; i <= 1; i++) { + r = rand(); + r = r & 127; + if (r < 46) + r += 46; + if (r > 57 && r < 65) + r += 7; + if (r > 90 && r < 97) + r += 6; + if (r > 122) + r -= 5; + if (i == 0) + r1 = r; + if (i == 1) + r2 = r; + } + sprintf(buf, "%c%c", r1, r2); + } - r1 = r2 = 0; + salt = buf; + } - srand(time(0)); - - for (i = 0; i <= 1; i++) { - - r = rand(); - - r = r & 127; - - if (r < 46) - r += 46; - - if (r > 57 && r < 65) - r += 7; - - if (r > 90 && r < 97) - r += 6; - - if (r > 122) - r -= 5; - - if (i == 0) - r1 = r; - - if (i == 1) - r2 = r; - } - - sprintf(buf, "%c%c", r1, r2); - salt = buf; - } - - result = crypt(pass, salt); + result = crypt(pass, salt); write(1, result, strlen(result)); write(1, "\n", 1); 
@@ -153,7 +182,9 @@ { fprintf(stderr, "Usage: tac_pwd [-eh] []\n"); fprintf(stderr, "\t-e\tdo not echo the password\n" - "\t-h\tdisplay this message\n"); + "\t-m\tUse an md5 salt (requires glibc2 version of" + " crypt)\n" + "\t-h\tdisplay this message\n"); return; } -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: _______________________________________________ tac_plus mailing list tac_plus at shrubbery.net http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus From nicotine at warningg.com Wed May 4 18:28:21 2011 
From: nicotine at warningg.com (Brandon Ewing) Date: Wed, 4 May 2011 13:28:21 -0500 Subject: [tac_plus] Patch for md5 salt in tac_pwd In-Reply-To: <8ab90d2efc37163faef0f45cd72f9b9c@mail.gmail.com> References: <20110504022333.GQ27536@radiological.warningg.com> <8ab90d2efc37163faef0f45cd72f9b9c@mail.gmail.com> Message-ID: <20110504182821.GA22352@radiological.warningg.com> On Wed, May 04, 2011 at 10:38:44AM -0600, Daniel Schmidt wrote: > Good idea, tac_pwd has needed an update. Last I asked, I believe Heasley > had a good point about compatibility, but I can't remember what it was. > > I wrote a simple python cgi script that outputs long hashes - not sure if > anybody might find that useful. Useful only for the truly paranoid who > think md5 is not strong enough. Also useful if your just want to send > your users a URL instead of having them login to type their password. > Cent5. > > I was going to mess with the salt length but then I got lazy & 8 seemed > like a good number. Was also going to have it edit tac_plus.conf but, > again, lazy. (and busy) Plz send feedback if: (knowledge_crypto > mine). > > http://pastie.org/1864642 > Does Python's crypt module rely on the underlying system library's crypt? http://docs.python.org/release/2.5.2/lib/module-crypt.html seems to imply so. My "man 3 crypt" doesn't mention salts prefixed with $6$ -- see also http://www.gnu.org/s/hello/manual/libc/crypt.html -- either a two character salt is used (DES), or a 3 to 8 character salt, prefixed with $1$ and optionally terminated with $ (MD5). You might be on a system that has a more robust crypt() than I that supports other encryption options -- but both the system running your script, and the system with the TACACS daemon running on it require compatible crypt() functions. 
Additionally, for the strongest salt, you should choose randomly from the full salt character set -- [./a-zA-Z0-9] -- it appears that you are using an artificially limited salt set, which could make a collision more likely (two users with the same password and same salt). Also, smaller salts mean smaller rainbow tables could be generated to defeat it, but I'm not an expert on cryptographic attacks and their feasibility.

-- Brandon Ewing (nicotine at warningg.com)

-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL:

From ptroot at gmail.com Thu May 5 17:29:54 2011
From: ptroot at gmail.com (Paul Root) Date: Thu, 5 May 2011 12:29:54 -0500 Subject: [tac_plus] Mailing list and Syslog question Message-ID:

Is there a mailing list to join for this?

Also, we are trying to get accounting to go to syslog. But it persists in sending to the file.

How is syslog enabled for accounting?

Lastly, is there a way to disable an account after X number of failed attempts?

From alan.mckinnon at gmail.com Thu May 5 20:36:13 2011
From: alan.mckinnon at gmail.com (Alan McKinnon) Date: Thu, 5 May 2011 22:36:13 +0200 Subject: [tac_plus] Mailing list and Syslog question In-Reply-To: References: Message-ID: <201105052236.14357.alan.mckinnon@gmail.com>

Apparently, though unproven, at 19:29 on Thursday 05 May 2011, Paul Root did opine thusly:

> Is there a mailing list to join for this?

Yes, it's the address you used. That I replied is proof it works ;-)

> Also, we are trying to get accounting to go to syslog. But it persists in
> sending to the file.
>
> How is syslog enabled for accounting?

I also tried to get this to work, and failed. The CHANGES file contains this:

F4.0.4.16
- Add 'accounting syslog;' configuration knob - mostly from Mark Ellzey Thomas

So there is some level of support. I could not find out how to set the facility and priority, so I just let tac_plus write to the file (I wanted a local copy anyway) and configured syslog-ng to read it and send the logs onto my syslogger:

# Tacacs accounting logs
source s_tac_plus_acc {
    file("/var/log/tacacs/accounting",
        default-facility(local6),
        default-priority(info));
};
# Remote logging to syslogger
destination syslogger {
    tcp("xxx.xxx.xxx.xxx" port(514));
};
log { source(s_tac_plus_acc); destination(syslogger); };

Not the most elegant solution, it does require you to keep your wits about you if you change log filenames, but it does work. It's for syslog-ng, AFAIR syslogd can be brutally assaulted into doing much the same.

> Lastly, is there a way to disable an account after X number of failed
> attempts?

Not inside the conf file to the best of my knowledge. You'll have to write an external auth script that stores expiry and failed attempts info to do this. Check the section "USING PROGRAMS TO DO AUTHORIZATION" in the manual bundled with the sources.

Daniel Schmidt posted links to this very topic just yesterday so I'll assume you've only just registered and missed it (unlucky you!).
Here's the relevant text reposted: http://tacacs.org/ and this: python do_auth.py | less or maybe this: http://www.shrubbery.net/pipermail/tac_plus/2011-March/000879.html or this: http://manpages.ubuntu.com/manpages/maverick/man8/do_auth.8.html -- alan dot mckinnon at gmail dot com From daniel.schmidt at wyo.gov Thu May 5 21:14:19 2011 From: daniel.schmidt at wyo.gov (Daniel Schmidt) Date: Thu, 5 May 2011 15:14:19 -0600 Subject: [tac_plus] Mailing list and Syslog question In-Reply-To: <201105052236.14357.alan.mckinnon@gmail.com> References: <201105052236.14357.alan.mckinnon@gmail.com> Message-ID: <527ff8d2e928f7896bb761e5b74adee5@mail.gmail.com> I thought about that too, but the after authentication script never gets called on a failed login though. Actually, Mark was once working on a feature to lock accounts on failed logins. I would have rather it locked on IP rather than user, but I once used it and it seemed to work quite well. http://www.shrubbery.net/pipermail/tac_plus/2009-September/000508.html -----Original Message----- 
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon Sent: Thursday, May 05, 2011 2:36 PM To: tac_plus at shrubbery.net Subject: Re: [tac_plus] Mailing list and Syslog question Apparently, though unproven, at 19:29 on Thursday 05 May 2011, Paul Root did opine thusly: > Is there a mailling list to join for this? Yes, it's the address you used. That I replied is proof it works ;-) > Also, we are trying to get accounting to go to syslog. But it persists in > sending to the file. > > How is syslog enabled for accounting? I also tried to get this to work, and failed. The CHANGES file contains this: F4.0.4.16 - Add 'accounting syslog;' configuration knob - mostly from Mark Ellzey Thomas So there is some level of support. I could not find out how to set the facility and priority, so I just let tac_plus write to the file (I wanted a local copy anyway) and configured syslog-ng to read it and send the logs onto my syslogger: # Tacacs accounting logs source s_tac_plus_acc { file("/var/log/tacacs/accounting", default-facility(local6), default-priority(info)); }; # Remote logging to syslogger destination syslogger { tcp("xxx.xxx.xxx.xxx" port(514)); }; log { source(s_tac_plus_acc); destination(syslogger); }; Not the most elegant solution, it does require you to keep your wits about you if you change log filenames, but it does work. It's for syslog-ng, AFAIR syslogd can be brutally assaulted into doing much the same, > Lastly, is there a way to disable an account after X number of failed > attempts? Not inside the conf file to the best of my knowledge. You'll have to write an external auth script that stores expiry and failed attempts info to do this. Check the section "USING PROGRAMS TO DO AUTHORIZATION" in the manual bundled with the sources. Daniel Schmidt posted links to this very topic just yesterday so I'll assume you've only just registered and missed it (unlucky you!). 
Here's the relevant text reposted: http://tacacs.org/ and this: python do_auth.py | less or maybe this: http://www.shrubbery.net/pipermail/tac_plus/2011-March/000879.html or this: http://manpages.ubuntu.com/manpages/maverick/man8/do_auth.8.html -- alan dot mckinnon at gmail dot com _______________________________________________ tac_plus mailing list tac_plus at shrubbery.net http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus From jathan at gmail.com Thu May 5 21:34:48 2011 From: jathan at gmail.com (Jathan McCollum) Date: Thu, 5 May 2011 14:34:48 -0700 Subject: [tac_plus] Mailing list and Syslog question In-Reply-To: <527ff8d2e928f7896bb761e5b74adee5@mail.gmail.com> References: <201105052236.14357.alan.mckinnon@gmail.com> <527ff8d2e928f7896bb761e5b74adee5@mail.gmail.com> Message-ID: If the syslog patch was implemented exactly as Mark's original patch, the syntax in your tac_plus.conf is like so: accounting syslog logging = local6 Additionally, his login authentication lockout code is available on GitHub: https://github.com/ellzey/tac_plus_AFL He provided a patch against 4.0.4.19, which makes it as current as it gets. Full disclosure: I used to work and am still friends with Mark. ;) jathan. On Thu, May 5, 2011 at 2:14 PM, Daniel Schmidt wrote: > I thought about that too, but the after authentication script never gets > called on a failed login though. > > Actually, Mark was once working on a feature to lock accounts on failed > logins. I would have rather it locked on IP rather than user, but I once > used it and it seemed to work quite well. > > http://www.shrubbery.net/pipermail/tac_plus/2009-September/000508.html > > -----Original Message----- 
> From: tac_plus-bounces at shrubbery.net > [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon > Sent: Thursday, May 05, 2011 2:36 PM > To: tac_plus at shrubbery.net > Subject: Re: [tac_plus] Mailing list and Syslog question > > Apparently, though unproven, at 19:29 on Thursday 05 May 2011, Paul Root > did > opine thusly: > > > Is there a mailling list to join for this? > > Yes, it's the address you used. That I replied is proof it works ;-) > > > Also, we are trying to get accounting to go to syslog. But it persists > in > > sending to the file. > > > > How is syslog enabled for accounting? > > I also tried to get this to work, and failed. The CHANGES file contains > this: > > F4.0.4.16 > - Add 'accounting syslog;' configuration knob - mostly from Mark > Ellzey Thomas > > So there is some level of support. I could not find out how to set the > facility and priority, so I just let tac_plus write to the file (I wanted > a > local copy anyway) and configured syslog-ng to read it and send the logs > onto > my syslogger: > > # Tacacs accounting logs > source s_tac_plus_acc { > file("/var/log/tacacs/accounting", > default-facility(local6), > default-priority(info)); > }; > # Remote logging to syslogger > destination syslogger { > tcp("xxx.xxx.xxx.xxx" port(514)); > }; > log { source(s_tac_plus_acc); destination(syslogger); }; > > Not the most elegant solution, it does require you to keep your wits about > you > if you change log filenames, but it does work. It's for syslog-ng, AFAIR > syslogd can be brutally assaulted into doing much the same, > > > Lastly, is there a way to disable an account after X number of failed > > attempts? > > Not inside the conf file to the best of my knowledge. You'll have to write > an > external auth script that stores expiry and failed attempts info to do > this. > Check the section "USING PROGRAMS TO DO AUTHORIZATION" in the manual > bundled > with the sources. 
> > Daniel Schmidt posted links to this very topic just yesterday so I'll > assume > you've only just registered and missed it (unlucky you!). Here's the > relevant > text reposted: > > http://tacacs.org/ > > and this: > python do_auth.py | less > > or maybe this: > http://www.shrubbery.net/pipermail/tac_plus/2011-March/000879.html > > or this: > http://manpages.ubuntu.com/manpages/maverick/man8/do_auth.8.html > > -- > alan dot mckinnon at gmail dot com > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > -- Jathan. -- -------------- next part -------------- An HTML attachment was scrubbed... URL: From alan.mckinnon at gmail.com Thu May 5 22:26:01 2011 
From: alan.mckinnon at gmail.com (Alan McKinnon) Date: Fri, 6 May 2011 00:26:01 +0200 Subject: [tac_plus] Mailing list and Syslog question In-Reply-To: References: <527ff8d2e928f7896bb761e5b74adee5@mail.gmail.com> Message-ID: <201105060026.02259.alan.mckinnon@gmail.com>

Apparently, though unproven, at 23:34 on Thursday 05 May 2011, Jathan McCollum did opine thusly:

> If the syslog patch was implemented exactly as Mark's original patch, the
> syntax in your tac_plus.conf is like so:
>
> accounting syslog
> logging = local6

But that's ambiguous and the documentation is even less clear.

tac_plus logs by default are sent to syslog with facility=daemon. The logging directive changes that, but it only makes sense in the context of daemon logs.

man tac_plus.conf for 4.0.4.19 states:

accounting
    Only one configurable account parameter exists, the destination. All accounting records are either written to a file, syslog(3) at priority info, or both.

    accounting syslog;
    accounting file =

It says nothing about the facility used for accounting logs, it's very obviously omitted. It makes no sense to use the same facility as daemon logs, syslog cannot tell them apart and both types of logs get all jumbled up.

So it looks to me that the syslog feature is a good start, but incomplete. Unless the default really is local6 for accounting logs, but that is documented nowhere.

-- alan dot mckinnon at gmail dot com

From daniel.schmidt at wyo.gov Thu May 5 20:50:57 2011
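Alan's two messages in this thread turn on which syslog facility and priority the accounting records carry: his syslog-ng stanza assigns local6/info to lines read from the accounting file, and the reply above points out that the man page names the priority but not the facility. The block below is an added example, not code from tac_plus, syslog-ng or any poster. It shows the facility*8+severity arithmetic behind a name like "local6.info", decodes the <PRI> off a captured datagram so you can see which facility a daemon actually used rather than guessing from the documentation, and does in Python what the syslog-ng source()/destination() pair does: wraps each accounting-file line as a local6.info message for a TCP collector. The accounting lines, host name and tag are constructed for the example; the field layout of those lines is illustrative, not tac_plus's documented accounting format.

```python
"""Added example: syslog PRI arithmetic and a file-to-syslog forwarder.
Not part of tac_plus or syslog-ng."""
import re
import socket
from datetime import datetime

# RFC 3164 facility and severity codes.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
_PRI_RE = re.compile(rb"^<(\d{1,3})>")

# Constructed accounting lines (layout illustrative only).
SAMPLE_ACCOUNTING = [
    "Thu May  5 14:36:13 2011\t192.0.2.10\thomer\ttty1\t198.51.100.7"
    "\tstart\ttask_id=7\tservice=shell\n",
    "\n",  # blank line, skipped
    "Thu May  5 14:36:20 2011\t192.0.2.10\thomer\ttty1\t198.51.100.7"
    "\tstop\ttask_id=7\tservice=shell\tcmd=show version\n",
]


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; local6.info is 22 * 8 + 6 = 182."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(datagram: bytes) -> tuple:
    """(facility, severity) names from the <PRI> at the start of a datagram.
    Use this on a packet capture to learn what a daemon really sends."""
    m = _PRI_RE.match(datagram)
    if not m:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    fac = {v: k for k, v in FACILITIES.items()}.get(pri // 8, f"facility{pri // 8}")
    sev = {v: k for k, v in SEVERITIES.items()}[pri % 8]
    return fac, sev


def build_datagram(facility: str, severity: str, hostname: str, tag: str,
                   message: str, when: datetime = None) -> bytes:
    """RFC 3164 line: <PRI>Mmm dd HH:MM:SS host tag: message (day space-padded)."""
    when = when or datetime.now()
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{encode_pri(facility, severity)}>{ts} {hostname} {tag}: {message}".encode()


def forward_accounting(lines, hostname: str = "tacacs01", tag: str = "tac_plus",
                       when: datetime = None) -> list:
    """Wrap each non-empty accounting line as local6.info, the facility and
    priority the syslog-ng source() stanza assigns to the file it reads."""
    return [build_datagram("local6", "info", hostname, tag, line.rstrip("\n"), when)
            for line in lines if line.strip()]


def send_tcp(datagrams, host: str, port: int = 514) -> None:
    """Deliver with newline framing, as a tcp() syslog destination expects.
    Network call; not exercised offline."""
    with socket.create_connection((host, port)) as sock:
        for d in datagrams:
            sock.sendall(d + b"\n")
```

Capturing a few packets from a tac_plus host and running them through `decode_pri()` settles the "is it daemon or local6" question empirically; if accounting and daemon messages come back with the same facility, they will indeed be mixed together on the collector, which is the objection Alan raises.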
From: daniel.schmidt at wyo.gov (Daniel Schmidt) Date: Thu, 5 May 2011 14:50:57 -0600 Subject: [tac_plus] Patch for md5 salt in tac_pwd In-Reply-To: <20110504182821.GA22352@radiological.warningg.com> References: <20110504022333.GQ27536@radiological.warningg.com> <8ab90d2efc37163faef0f45cd72f9b9c@mail.gmail.com> <20110504182821.GA22352@radiological.warningg.com> Message-ID: <4e4a557d56be3621408ea4cbb5f12160@mail.gmail.com> Actually, 6 is not DES, it's SHA-512. Works great on my cent5. Good point, I guess salt can be up to 16. Thought I read that linux logins use 8, so that's what I picked. I really was not motivated to make the best hash possible, I only wanted something that was like tac_pwd, was cgi, and oh, hey, why not make it stronger encryption at the same time. (My first revision actually was md5) Salt, shmalt - it's stronger than MD5 and messing with the salt would take upwards of another 15 minutes. I'm just not that motivated. :-) -----Original Message----- 
From: nicotine at radiological.warningg.com [mailto:nicotine at radiological.warningg.com] On Behalf Of Brandon Ewing Sent: Wednesday, May 04, 2011 12:28 PM To: Daniel Schmidt Cc: tac_plus at shrubbery.net Subject: Re: [tac_plus] Patch for md5 salt in tac_pwd On Wed, May 04, 2011 at 10:38:44AM -0600, Daniel Schmidt wrote: > Good idea, tac_pwd has needed an update. Last I asked, I believe > Heasley had a good point about compatibility, but I can't remember what it was. > > I wrote a simple python cgi script that outputs long hashes - not sure > if anybody might find that useful. Useful only for the truly paranoid > who think md5 is not strong enough. Also useful if your just want to > send your users a URL instead of having them login to type their password. > Cent5. > > I was going to mess with the salt length but then I got lazy & 8 > seemed like a good number. Was also going to have it edit > tac_plus.conf but, again, lazy. (and busy) Plz send feedback if: (knowledge_crypto > mine). > > http://pastie.org/1864642 > Does Python's crypt module rely on the underlying system library's crypt? http://docs.python.org/release/2.5.2/lib/module-crypt.html seems to imply so. My "man 3 crypt" doesn't mention salts prefixed with $6$ -- see also http://www.gnu.org/s/hello/manual/libc/crypt.html -- either a two character salt is used (DES), or a 3 to 8 character salt, prefixed with $1$ and optionally terminated with $ (MD5). You might be on a system that has a more robust crypt() than I that supports other encryption options -- but both the system running your script, and the system with the TACACS daemon running on it require compatible crypt() functions. Additionally, for the strongest salt, you should choose randomly from the full salt character set -- [./a-zA-Z0-9] -- it appears that you are using an artificially limited salt set, which could make a collision more likely (two users with the same password and same salt). 
Also, smaller salts mean smaller rainbow tables could be generated to defeat it, but I'm not an expert on cryptographic attacks and their feasibility. -- Brandon Ewing (nicotine at warningg.com) From alan.mckinnon at gmail.com Thu May 5 22:43:58 2011 From: alan.mckinnon at gmail.com (Alan McKinnon) Date: Fri, 6 May 2011 00:43:58 +0200 Subject: [tac_plus] Patch for md5 salt in tac_pwd In-Reply-To: <4e4a557d56be3621408ea4cbb5f12160@mail.gmail.com> References: <20110504022333.GQ27536@radiological.warningg.com> <20110504182821.GA22352@radiological.warningg.com> <4e4a557d56be3621408ea4cbb5f12160@mail.gmail.com> Message-ID: <201105060043.59064.alan.mckinnon@gmail.com> I find that "openssl passwd" is a fine substitute for any and all hashing apps out there :-) Why rework the wheel? With one exception: I haven't gotten openssl to do Apache digest hashes correctly yet, but that's a topic for a different mailing list altogether. Apparently, though unproven, at 22:50 on Thursday 05 May 2011, Daniel Schmidt did opine thusly: > Actually, 6 is not DES, it's SHA-512. Works great on my cent5. Good > point, I guess salt can be up to 16. Thought I read that linux logins use > 8, so that's what I picked. > > I really was not motivated to make the best hash possible, I only wanted > something that was like tac_pwd, was cgi, and oh, hey, why not make it > stronger encryption at the same time. (My first revision actually was > md5) Salt, shmalt - it's stronger than MD5 and messing with the salt would > take upwards of another 15 minutes. I'm just not that motivated. :-) > > -----Original Message----- 
> From: nicotine at radiological.warningg.com > [mailto:nicotine at radiological.warningg.com] On Behalf Of Brandon Ewing > Sent: Wednesday, May 04, 2011 12:28 PM > To: Daniel Schmidt > Cc: tac_plus at shrubbery.net > Subject: Re: [tac_plus] Patch for md5 salt in tac_pwd > > On Wed, May 04, 2011 at 10:38:44AM -0600, Daniel Schmidt wrote: > > Good idea, tac_pwd has needed an update. Last I asked, I believe > > Heasley had a good point about compatibility, but I can't remember what > > it was. > > > I wrote a simple python cgi script that outputs long hashes - not sure > > if anybody might find that useful. Useful only for the truly paranoid > > who think md5 is not strong enough. Also useful if your just want to > > send your users a URL instead of having them login to type their > > password. > > > Cent5. > > > > I was going to mess with the salt length but then I got lazy & 8 > > seemed like a good number. Was also going to have it edit > > > tac_plus.conf but, again, lazy. (and busy) Plz send feedback if: > (knowledge_crypto > mine). > > > http://pastie.org/1864642 > > Does Python's crypt module rely on the underlying system library's crypt? > http://docs.python.org/release/2.5.2/lib/module-crypt.html seems to imply > so. > > My "man 3 crypt" doesn't mention salts prefixed with $6$ -- see also > http://www.gnu.org/s/hello/manual/libc/crypt.html -- either a two > character salt is used (DES), or a 3 to 8 character salt, prefixed with > $1$ and optionally terminated with $ (MD5). You might be on a system that > has a more robust crypt() than I that supports other encryption options -- > but both the system running your script, and the system with the TACACS > daemon running on it require compatible crypt() functions. 
>
> Additionally, for the strongest salt, you should choose randomly from the
> full salt character set -- [./a-zA-Z0-9] -- it appears that you are using
> an artificially limited salt set, which could make a collision more likely
> (two users with the same password and same salt). Also, smaller salts
> mean smaller rainbow tables could be generated to defeat it, but I'm not
> an expert on cryptographic attacks and their feasibility.

-- 
alan dot mckinnon at gmail dot com

From Paul.Root at qwest.com Thu May 5 22:51:10 2011
From: Paul.Root at qwest.com (Root, Paul)
Date: Thu, 5 May 2011 17:51:10 -0500
Subject: [tac_plus] Mailing list and Syslog question
In-Reply-To: <201105052236.14357.alan.mckinnon@gmail.com>
References: <201105052236.14357.alan.mckinnon@gmail.com>
Message-ID: <2685F464D7BC7C4DA88845C97AEB5F533B6508B6FC@qtomaexmbm22.AD.QINTRA.COM>

Paul Root
Lead Internet Systems Eng
CenturyLink

> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-
> bounces at shrubbery.net] On Behalf Of Alan McKinnon
> Sent: Thursday, May 05, 2011 3:36 PM
> To: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Mailing list and Syslog question
>
> Apparently, though unproven, at 19:29 on Thursday 05 May 2011, Paul
> Root did opine thusly:
>
> > Is there a mailing list to join for this?

I was on the web site. I thought this was just a developer.

> Yes, it's the address you used. That I replied is proof it works ;-)
>
> > Also, we are trying to get accounting to go to syslog. But it
> > persists in sending to the file.
> >
> > How is syslog enabled for accounting?
>
> I also tried to get this to work, and failed. The CHANGES file contains
> this:
>
> F4.0.4.16
> - Add 'accounting syslog;' configuration knob - mostly from Mark
> Ellzey Thomas
>
> So there is some level of support. I could not find out how to set the
> facility and priority, so I just let tac_plus write to the file (I
> wanted a local copy anyway) and configured syslog-ng to read it and send
> the logs onto

I assumed the facility would be the same as the auth logging. The man page said what the priority was, don't remember it right now.

Glad to know that it's not just me.

> my syslogger:
>
> # Tacacs accounting logs
> source s_tac_plus_acc {
>     file("/var/log/tacacs/accounting",
>          default-facility(local6),
>          default-priority(info));
> };
> # Remote logging to syslogger
> destination syslogger {
>     tcp("xxx.xxx.xxx.xxx" port(514));
> };
> log { source(s_tac_plus_acc); destination(syslogger); };
>
> Not the most elegant solution, it does require you to keep your wits
> about you if you change log filenames, but it does work. It's for
> syslog-ng, AFAIR syslogd can be brutally assaulted into doing much the
> same,

I don't have -ng on this machine, I want to send it to a remote -ng machine for splunk to pick up.
>
> > Lastly, is there a way to disable an account after X number of failed
> > attempts?
>
> Not inside the conf file to the best of my knowledge. You'll have to
> write an external auth script that stores expiry and failed attempts
> info to do this. Check the section "USING PROGRAMS TO DO AUTHORIZATION"
> in the manual bundled with the sources.

My router person found the patch that gives it in the config file. I may try this way though too, if it gives us more flexibility.

> Daniel Schmidt posted links to this very topic just yesterday so I'll
> assume you've only just registered and missed it (unlucky you!). Here's
> the relevant text reposted:

Yep, just today.

> http://tacacs.org/
>
> and this:
> python do_auth.py | less
>
> or maybe this:
> http://www.shrubbery.net/pipermail/tac_plus/2011-March/000879.html
>
> or this:
> http://manpages.ubuntu.com/manpages/maverick/man8/do_auth.8.html
>
> -- 
> alan dot mckinnon at gmail dot com

Thanks,
Paul.

From daniel.schmidt at wyo.gov Fri May 6 14:58:54 2011
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Fri, 6 May 2011 08:58:54 -0600
Subject: [tac_plus] Mailing list and Syslog question
In-Reply-To:
References: <201105052236.14357.alan.mckinnon@gmail.com> <527ff8d2e928f7896bb761e5b74adee5@mail.gmail.com>
Message-ID:

Thkx - I'll add AFL to tacacs.org when I get a chance.

*From:* Jathan McCollum [mailto:jathan at gmail.com]
*Sent:* Thursday, May 05, 2011 3:35 PM
*To:* Daniel Schmidt
*Cc:* Alan McKinnon; tac_plus at shrubbery.net
*Subject:* Re: [tac_plus] Mailing list and Syslog question

If the syslog patch was implemented exactly as Mark's original patch, the syntax in your tac_plus.conf is like so:

accounting syslog
logging = local6

Additionally, his login authentication lockout code is available on GitHub:

https://github.com/ellzey/tac_plus_AFL

He provided a patch against 4.0.4.19, which makes it as current as it gets.

Full disclosure: I used to work and am still friends with Mark. ;)

jathan.

On Thu, May 5, 2011 at 2:14 PM, Daniel Schmidt wrote:

I thought about that too, but the after authentication script never gets called on a failed login though. Actually, Mark was once working on a feature to lock accounts on failed logins. I would have rather it locked on IP rather than user, but I once used it and it seemed to work quite well.

http://www.shrubbery.net/pipermail/tac_plus/2009-September/000508.html

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
Sent: Thursday, May 05, 2011 2:36 PM
To: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Mailing list and Syslog question

Apparently, though unproven, at 19:29 on Thursday 05 May 2011, Paul Root did opine thusly:

[...]

-- 
alan dot mckinnon at gmail dot com

-- 
Jathan.

From daniel.schmidt at wyo.gov Fri May 6 15:01:00 2011
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Fri, 6 May 2011 09:01:00 -0600
Subject: [tac_plus] Patch for md5 salt in tac_pwd
In-Reply-To: <201105060043.59064.alan.mckinnon@gmail.com>
References: <20110504022333.GQ27536@radiological.warningg.com> <20110504182821.GA22352@radiological.warningg.com> <4e4a557d56be3621408ea4cbb5f12160@mail.gmail.com> <201105060043.59064.alan.mckinnon@gmail.com>
Message-ID: <762da238311144ce7172c89eb87d796a@mail.gmail.com>

> Why rework the wheel?

Cause... I wanted something stronger and I wanted a cgi that I could send 2 users. ;-)

Nevertheless, thanks for the tip.

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
Sent: Thursday, May 05, 2011 4:44 PM
To: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Patch for md5 salt in tac_pwd

I find that "openssl passwd" is a fine substitute for any and all hashing apps out there :-)

Why rework the wheel?

[...]

-- 
alan dot mckinnon at gmail dot com

From nicotine at warningg.com Sat May 7 15:47:36 2011
From: nicotine at warningg.com (Brandon Ewing)
Date: Sat, 7 May 2011 10:47:36 -0500
Subject: [tac_plus] More complex do_auth.py
In-Reply-To:
References: <20110504024850.GR27536@radiological.warningg.com>
Message-ID: <20110507154736.GB22352@radiological.warningg.com>

On Wed, May 04, 2011 at 09:46:38AM -0600, Daniel Schmidt wrote:
> Yeah, and that darn, lazy author of do_auth didn't provide much
> documentation! Seriously, there is only this:

Thanks -- I found my issue -- I was putting in implicit command_deny's in the groups instead of relying on fall-through.

Quick question, since I'm not as familiar with Python regexp as I'd like to be -- if I'd like to permit the "no" version of a command at the same time as the command itself, could I just do:

command_permit = (no )? interface.*

Would definitely shorten my do_auth config file. Trying to do config-mode authorization as well as command authorization, so I can have groups that can re-configure interfaces and IPs, but not muck about in router ospf and router bgp.

-- 
Brandon Ewing (nicotine at warningg.com)

From daniel.schmidt at wyo.gov Tue May 10 15:34:27 2011
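The "Patch for md5 salt in tac_pwd" thread above raises two practical points: draw the salt from the full crypt(3) alphabet [./a-zA-Z0-9] rather than a limited set, and make sure the crypt() on the host that generates hashes supports the same scheme as the crypt() on the tac_plus host. The following is an added example written for this page; it is neither tac_pwd nor Daniel's CGI script. It assumes glibc-style crypt(3) conventions (no prefix for DES, `$1$` for MD5, `$5$`/`$6$` for SHA-256/SHA-512, salts of at most 2, 8 and 16 characters respectively) and that Python's `crypt` module, where present, is a thin wrapper over the libc function. All function names are mine.

```python
"""Added example (not from the thread, tac_pwd or do_auth): build a
crypt(3)-style salt from the full [./a-zA-Z0-9] alphabet and probe whether the
local crypt() understands a given scheme prefix.

Assumptions (glibc conventions, not stated on the page): DES takes exactly a
2-character salt with no prefix; $1$ (MD5) takes up to 8; $5$ (SHA-256) and
$6$ (SHA-512) take up to 16, the cap Daniel mentions in the thread.
"""
import math
import secrets
import string

# The full crypt(3) salt alphabet: 64 symbols, so each character adds 6 bits.
SALT_ALPHABET = "./" + string.ascii_letters + string.digits

# Scheme prefix -> maximum salt length honoured by glibc-style crypt().
MAX_SALT_LEN = {"": 2, "$1$": 8, "$5$": 16, "$6$": 16}


def make_salt(length):
    """Return `length` characters drawn uniformly from the full alphabet with
    the OS CSPRNG (secrets), never random.choice."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def salt_bits(length, alphabet=SALT_ALPHABET):
    """Entropy in bits of a salt of `length` characters over `alphabet`.
    An artificially limited alphabet (digits only, say) shrinks the salt
    space, which is what makes shared-salt collisions and per-salt rainbow
    tables cheaper."""
    return length * math.log2(len(alphabet))


def salt_string(prefix, salt):
    """Build the setting string handed to crypt(): prefix + salt + '$'."""
    if prefix not in MAX_SALT_LEN:
        raise ValueError("unknown crypt scheme prefix %r" % prefix)
    if any(c not in SALT_ALPHABET for c in salt):
        raise ValueError("salt contains characters outside [./a-zA-Z0-9]")
    limit = MAX_SALT_LEN[prefix]
    if prefix == "" and len(salt) != limit:
        raise ValueError("DES crypt needs exactly 2 salt characters")
    if len(salt) > limit:
        raise ValueError("crypt() ignores salt beyond %d characters" % limit)
    return prefix + salt + ("$" if prefix else "")


def crypt_supports(prefix):
    """True if the local libc crypt() implements `prefix`. Python's crypt
    module wraps libc crypt(3) (deprecated in 3.11, removed in 3.13), so this
    answers Brandon's question for the host the script runs on only; the
    TACACS+ daemon host has to be checked the same way."""
    try:
        import crypt
    except ImportError:
        return False
    setting = salt_string(prefix, make_salt(MAX_SALT_LEN[prefix]))
    try:
        out = crypt.crypt("probe", setting)
    except OSError:
        return False
    # An unsupported scheme yields None, an error, or a hash lacking the prefix.
    return bool(out) and out.startswith(prefix) and len(out) > len(setting)


def hash_password(password, prefix="$6$"):
    """Hash `password` with a fresh full-alphabet salt; refuse, rather than
    silently fall back to DES, when the local crypt() cannot do the scheme."""
    if not crypt_supports(prefix):
        raise RuntimeError("local crypt() does not support %r" % prefix)
    import crypt
    return crypt.crypt(password, salt_string(prefix, make_salt(MAX_SALT_LEN[prefix])))


if __name__ == "__main__":
    for p in ("", "$1$", "$6$"):
        print("%-4s supported here: %s" % (p or "DES", crypt_supports(p)))
    print("8-char salt, full alphabet: %.0f bits" % salt_bits(8))
    print("8-char salt, digits only:   %.0f bits" % salt_bits(8, string.digits))
```

Run `crypt_supports("$6$")` on both the hash-generating host and the tac_plus host; a `$6$` hash written into tac_plus.conf on a machine whose crypt() only knows DES and MD5 will never verify, which is the compatibility problem Brandon describes.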
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Tue, 10 May 2011 09:34:27 -0600
Subject: [tac_plus] More complex do_auth.py
In-Reply-To: <20110507154736.GB22352@radiological.warningg.com>
References: <20110504024850.GR27536@radiological.warningg.com> <20110507154736.GB22352@radiological.warningg.com>
Message-ID: <4b3ace6ae4a191fc2c2e004b745f3612@mail.gmail.com>

You're welcome. As for regular expressions, I might recommend Pyreb.

http://freshmeat.net/projects/pyreb/

I would also recommend it because, as I noted in the documentation, python re freaks out if you get the regular expression wrong. Best to test it before applying to your ini file.

You might also simply consider using command_deny for "router.*"

-----Original Message-----
From: nicotine at radiological.warningg.com [mailto:nicotine at radiological.warningg.com] On Behalf Of Brandon Ewing
Sent: Saturday, May 07, 2011 9:48 AM
To: Daniel Schmidt
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] More complex do_auth.py

[...]

From vadud3 at gmail.com Sun May 15 21:11:24 2011
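Daniel's advice in the exchange above is to test a command_permit / command_deny regular expression before it goes into the do_auth ini file, because a malformed pattern makes Python's re module raise. The checker below is an added example written for this page, not do_auth's own code. Its evaluation semantics are assumptions, modelled on the ini style discussed here rather than read from do_auth: rules are tried top to bottom, the first match decides, an unmatched command is denied, and each pattern is anchored to the whole command with re.match plus a trailing `\Z`. It also shows why Brandon's pattern exactly as posted, with the space after `)?`, matches nothing, and how Daniel's `router.*` deny fits in front of a broader permit. Sample commands are constructed.

```python
"""Added example (not do_auth's code): validate do_auth-style command regexes
and show which sample commands each rule set permits.

Assumed semantics (not taken from the page): first matching rule wins,
no match means deny, patterns are anchored to the full command.
"""
import re


def compile_rules(rules):
    """Compile (action, pattern) pairs, anchoring each pattern to the whole
    command. Returns (compiled, errors); errors is a list of (pattern, message)
    so a bad config is rejected before deployment instead of at login time."""
    compiled, errors = [], []
    for action, pattern in rules:
        if action not in ("permit", "deny"):
            errors.append((pattern, "unknown action %r" % action))
            continue
        try:
            compiled.append((action, re.compile(pattern + r"\Z")))
        except re.error as exc:
            errors.append((pattern, str(exc)))
    return compiled, errors


def decide(compiled, command):
    """First matching rule wins; no match fails closed (deny)."""
    for action, rx in compiled:
        if rx.match(command):
            return action
    return "deny"


def evaluate(rules, commands):
    """Return {command: decision} for a rule set; raise if any pattern is bad."""
    compiled, errors = compile_rules(rules)
    if errors:
        raise ValueError("bad rules: %r" % errors)
    return {cmd: decide(compiled, cmd) for cmd in commands}


# Constructed sample commands of the kind a NAS sends for command authorization.
SAMPLE_COMMANDS = [
    "interface GigabitEthernet0/1",
    "no interface Loopback99",
    "router ospf 1",
    "no router bgp 65000",
    "show running-config",
]

# Brandon's pattern exactly as posted: the space after ")?" means the regex
# demands a leading space (or "no" followed by two spaces), so nothing matches.
POSTED_RULES = [("permit", r"(no )? interface.*")]

# Without the space, with Daniel's router deny placed ahead of the permits so
# that neither "router ..." nor "no router ..." can be reached by a broader rule.
FIXED_RULES = [
    ("deny", r"(no )?router.*"),
    ("permit", r"(no )?interface.*"),
    ("permit", r"show .*"),
]

if __name__ == "__main__":
    for name, rules in (("as posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        print(name)
        for cmd, verdict in evaluate(rules, SAMPLE_COMMANDS).items():
            print("  %-6s %s" % (verdict, cmd))
    # An unbalanced group is the kind of typo that makes re.compile raise.
    print("errors:", compile_rules([("permit", r"(no ?interface.*")])[1])
```

Running the module prints every sample command as denied under the posted rule and the expected permit/deny split under the fixed one, followed by the compile error for the unbalanced pattern; feed it your own ini patterns before loading them into do_auth.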
From: vadud3 at gmail.com (Asif Iqbal)
Date: Sun, 15 May 2011 17:11:24 -0400
Subject: [tac_plus] ldap auth
Message-ID:

Hi

I have the following scenario

user -- (ssh) ----> jumpstation --- (telnet) ----> router1-----> T+ -------> ldap server
                                                   - - - - > router2
                                                   - - - > ..... routerN

so user *must* ssh into the jumpstation which is the only server that allows telnet to routers with their tacacs+ account the tacacs+ server using ldap auth in the backend.

so I have few questions about this setup.

- Is there a way to enable SSO, so the users don't have to put their T+ / ldap password for every router they login
- Do the routers have to enable ssh, so the ldap password from jumpstation to router is not clear text?
- Is there a way to make sure T+ to ldap server communication *not* clear text? I am assuming it is clear text now. probably a question for ldap mailing lists. (sorry)
- If SSO possible if there is a way to keep the cookie (auth token) valid for longer time so user won't fail to login, should the ldap server be unavailable temporarily. might be able to achieve it by stacking the pams differently. hmm.. might be a question for pam mailing list.

-- 
Asif Iqbal
PGP Key: 0xE62693C5
KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From morty+tac_plus at frakir.org Wed May 25 01:24:37 2011
From: morty+tac_plus at frakir.org (Morty)
Date: Tue, 24 May 2011 21:24:37 -0400
Subject: [tac_plus] hostname resolution; include files; groups; start/stop; same keys for RADIUS and TACACS+
Message-ID: <20110525012437.GB15573@red-sonja>

I'm testing tacacs+-F4.0.4.19 under Solaris. Questions:

(1) I'd like to build host configs based on hostnames. The hostnames are in /etc/hosts rather than DNS, so DNS lookup latency should not be an issue. Even with the -L option, though, this isn't working correctly. IP works fine, i.e.:

host = $IP {
    key = "mykey"
}

But if I use $hostname instead, I get log entries like so:

Wed May 25 00:52:13 2011 [15897]: Error tacacs-test : Invalid AUTHEN/START packet (check keys)

The config with hostname is:

host = "tacacs-test" {
    key = "mykey"
}

(2) Is there a way to do includes in the config file? I'd like to autogenerate various components of the tacacs+ config file, such as host sections and user sections. Seems like the cleanest way to do that is to have a master config file that includes components as needed. Not really too critical, though; I could just cat them together into one big file.

(3) Is there a way to utilize configurations based on Unix groups? I already have existing Unix groups for "engineer" and "operator". I want to be able to do something like this:

group = engineer {
    LOGIN=PAM
    service = exec {
        priv-lvl = 15
    }
}

group = operator {
    LOGIN=PAM
    service = exec {
        priv-lvl = 2
    }
}

This doesn't work as-is unless I also build a user stanza for each user, like so:

user = morty {
    member=engineer
}
user = jack {
    member=operator
}
...

Is there a way to get the groups to utilize Unix group members? If not, I'll just write a script to autogenerate user entries as needed.

(4) Is there a pre-written start/stop/reload/graceful script for tac_plus that I'm missing? If not, I'd be happy to contrib one.

(5) We're currently using RADIUS. We chose RADIUS back in the day because it was the only AAA protocol spoken by all our devices. We now have some new devices that only talk TACACS+, not RADIUS. So I'm planning to stand up a TACACS+ server in parallel. I'm planning to use the RADIUS clients file as a master and run scripts to regenerate the TACACS+ hosts config as needed, using the same key as for RADIUS. Then the network folks can configure their devices to use either RADIUS or TACACS+ as needed. I'm sure you guys understand the protocols better than I do. Is it safe to use the same keys for both RADIUS and TACACS+, or should I generate separate keys for TACACS+?

TIA.

- Morty

From morty+tac_plus at frakir.org Thu May 26 05:11:34 2011
From: morty+tac_plus at frakir.org (Morty)
Date: Thu, 26 May 2011 01:11:34 -0400
Subject: [tac_plus] password expiration with PAM?
Message-ID: <20110526051134.GD15573@red-sonja>

I'm testing tacacs+-F4.0.4.19 under Solaris.

I've got users with LOGIN=PAM. I set the password to be expired (i.e. I faked out the age in /etc/shadow to be 1000 days, with a max age of 60 days). Other subsystems using PAM, i.e. openssh and radiusd, do not allow the user to login; openssh provides a useful prompt, while radiusd just fails to allow the login for devices that utilize radiusd. But when the user logs in to a device using the tac_plus server, the login succeeds.

This seems like a bug.

- Morty

From nicotine at warningg.com Fri May 27 17:18:11 2011
From: nicotine at warningg.com (Brandon Ewing)
Date: Fri, 27 May 2011 12:18:11 -0500
Subject: [tac_plus] password expiration with PAM?
In-Reply-To: <20110526051134.GD15573@red-sonja>
References: <20110526051134.GD15573@red-sonja>
Message-ID: <20110527171811.GI15202@radiological.warningg.com>

On Thu, May 26, 2011 at 01:11:34AM -0400, Morty wrote:
> I'm testing tacacs+-F4.0.4.19 under Solaris.
>
> I've got users with LOGIN=PAM. I set the password to be expired
> (i.e. I faked out the age in /etc/shadow to be 1000 days, with a max
> age of 60 days). Other subsystems using PAM, i.e. openssh and
> radiusd, do not allow the user to login; openssh provides a useful
> prompt, while radiusd just fails to allow the login for devices that
> utilize radiusd. But when the user logs in to a device using the
> tac_plus server, the login succeeds.
>
> This seems like a bug.
>
> - Morty

What's in your PAM config for tac_plus? If your config doesn't have a "password" section, I don't believe it will respect password expiration.

-- 
Brandon Ewing (nicotine at warningg.com)