[tac_plus] Mailing list and Syslog question

Jathan McCollum jathan at gmail.com
Thu May 5 21:34:48 UTC 2011


If the syslog patch was implemented exactly as Mark's original patch, the
syntax in your tac_plus.conf is like so:

accounting syslog
logging = local6

Additionally, his login authentication lockout code is available on GitHub:

https://github.com/ellzey/tac_plus_AFL

He provided a patch against 4.0.4.19, which makes it as current as it gets.

Full disclosure: I used to work and am still friends with Mark. ;)

jathan.

On Thu, May 5, 2011 at 2:14 PM, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:

> I thought about that too, but the after authentication script never gets
> called on a failed login though.
>
> Actually, Mark was once working on a feature to lock accounts on failed
> logins.  I would have rather it locked on IP rather than user, but I once
> used it and it seemed to work quite well.
>
> http://www.shrubbery.net/pipermail/tac_plus/2009-September/000508.html
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
> Sent: Thursday, May 05, 2011 2:36 PM
> To: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Mailing list and Syslog question
>
> Apparently, though unproven, at 19:29 on Thursday 05 May 2011, Paul Root
> did opine thusly:
>
> > Is there a mailling list to join for this?
>
> Yes, it's the address you used. That I replied is proof it works ;-)
>
> > Also, we are trying to get accounting to go to syslog. But it persists
> > in sending to the file.
> >
> > How is syslog enabled for accounting?
>
> I also tried to get this to work, and failed. The CHANGES file contains
> this:
>
> F4.0.4.16
>        - Add 'accounting syslog;' configuration knob - mostly from Mark
>          Ellzey Thomas
>
> So there is some level of support. I could not find out how to set the
> facility and priority, so I just let tac_plus write to the file (I wanted
> a local copy anyway) and configured syslog-ng to read it and send the logs
> onto my syslogger:
>
> # Tacacs accounting logs
> source s_tac_plus_acc {
>    file("/var/log/tacacs/accounting",
>         default-facility(local6),
>         default-priority(info));
> };
> # Remote logging to syslogger
> destination syslogger {
>       tcp("xxx.xxx.xxx.xxx" port(514));
> };
> log { source(s_tac_plus_acc); destination(syslogger); };
>
> Not the most elegant solution, it does require you to keep your wits about
> you if you change log filenames, but it does work. It's for syslog-ng, AFAIR
> syslogd can be brutally assaulted into doing much the same.
>
> > Lastly, is there a way to disable an account after X number of failed
> > attempts?
>
> Not inside the conf file to the best of my knowledge. You'll have to write
> an external auth script that stores expiry and failed attempts info to do
> this. Check the section "USING PROGRAMS TO DO AUTHORIZATION" in the manual
> bundled with the sources.
>
> Daniel Schmidt posted links to this very topic just yesterday so I'll
> assume you've only just registered and missed it (unlucky you!). Here's the
> relevant text reposted:
>
> http://tacacs.org/
>
> and this:
> python do_auth.py | less
>
> or maybe this:
> http://www.shrubbery.net/pipermail/tac_plus/2011-March/000879.html
>
> or this:
> http://manpages.ubuntu.com/manpages/maverick/man8/do_auth.8.html
>
> --
> alan dot mckinnon at gmail dot com
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>



-- 
Jathan.
--
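Added example, not code from this thread, from tac_plus or from do_auth: the "expiry and failed attempts" store that Alan says an external auth script would need, written in Python to sit alongside do_auth.py. It assumes the caller already knows whether the attempt succeeded and which client address it came from (how tac_plus hands those to a script is not covered here), and it tracks locks per user and per source IP, the latter being what Daniel preferred; the policy numbers are constructed for the example.

```python
import json
import os
import time

# Constructed policy values for this example; tune them for your site.
MAX_FAILURES = 5       # failures within WINDOW_SECS that trigger a lock
WINDOW_SECS = 15 * 60  # older failures are forgotten
LOCK_SECS = 30 * 60    # a lock expires on its own after this long

class LockoutTracker:
    """Failed-login counter with lock expiry, keyed by username or client IP.
    State is a JSON file shared across script runs (path=None: memory only)."""
    def __init__(self, path=None):
        self.path, self.state = path, {}
        if path and os.path.exists(path):
            with open(path) as fh:
                self.state = json.load(fh)

    def _save(self):
        if self.path:
            with open(self.path, "w") as fh:
                json.dump(self.state, fh)

    def is_locked(self, key, now):
        return self.state.get(key, {}).get("locked_until", 0) > now

    def record_failure(self, key, now):
        """Count one failure at `now`; returns True if the key is now locked."""
        entry = self.state.setdefault(key, {"failures": [], "locked_until": 0})
        recent = [t for t in entry["failures"] if now - t < WINDOW_SECS] + [now]
        if len(recent) >= MAX_FAILURES:
            entry["locked_until"] = now + LOCK_SECS
            recent = []  # counting restarts once the lock expires
        entry["failures"] = recent
        self._save()
        return self.is_locked(key, now)

    def record_success(self, key):
        self.state.pop(key, None)  # a good login clears the counter
        self._save()

def login_attempt(tracker, user, client_ip, succeeded, now=None):
    """'permit' or 'deny'; a lock on either the user or the source IP denies."""
    now = time.time() if now is None else now
    keys = ("user:" + user, "ip:" + client_ip)
    if any(tracker.is_locked(k, now) for k in keys):
        return "deny"
    for k in keys:
        tracker.record_success(k) if succeeded else tracker.record_failure(k, now)
    return "permit" if succeeded else "deny"
```

A correct password is still refused while either key is locked, so a lock on the source IP also shields other accounts tried from that address until it expires.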