[tac_plus] Mailing list and Syslog question

Daniel Schmidt daniel.schmidt at wyo.gov
Fri May 6 14:58:54 UTC 2011


Thkx - I’ll add AFL to tacacs.org when I get a chance.



*From:* Jathan McCollum [mailto:jathan at gmail.com]
*Sent:* Thursday, May 05, 2011 3:35 PM
*To:* Daniel Schmidt
*Cc:* Alan McKinnon; tac_plus at shrubbery.net
*Subject:* Re: [tac_plus] Mailing list and Syslog question



If the syslog patch was implemented exactly as Mark's original patch, the
syntax in your tac_plus.conf is like so:

accounting syslog
logging = local6

Additionally, his login authentication lockout code is available on GitHub:

https://github.com/ellzey/tac_plus_AFL

He provided a patch against 4.0.4.19, which makes it as current as it gets.

Full disclosure: I used to work and am still friends with Mark. ;)

jathan.



On Thu, May 5, 2011 at 2:14 PM, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:

I thought about that too, but the after authentication script never gets
called on a failed login though.

Actually, Mark was once working on a feature to lock accounts on failed
logins.  I would have rather it locked on IP rather than user, but I once
used it and it seemed to work quite well.

http://www.shrubbery.net/pipermail/tac_plus/2009-September/000508.html

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
Sent: Thursday, May 05, 2011 2:36 PM
To: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Mailing list and Syslog question


Apparently, though unproven, at 19:29 on Thursday 05 May 2011, Paul Root did
opine thusly:

> Is there a mailing list to join for this?

Yes, it's the address you used. That I replied is proof it works ;-)

> Also, we are trying to get accounting to go to syslog. But it persists in
> sending to the file.
>
> How is syslog enabled for accounting?

I also tried to get this to work, and failed. The CHANGES file contains
this:

F4.0.4.16
       - Add 'accounting syslog;' configuration knob - mostly from Mark
         Ellzey Thomas

So there is some level of support. I could not find out how to set the
facility and priority, so I just let tac_plus write to the file (I wanted a
local copy anyway) and configured syslog-ng to read it and send the logs onto
my syslogger:

# Tacacs accounting logs
source s_tac_plus_acc {
   file("/var/log/tacacs/accounting",
        default-facility(local6),
        default-priority(info));
};
# Remote logging to syslogger
destination syslogger {
      tcp("xxx.xxx.xxx.xxx" port(514));
};
log { source(s_tac_plus_acc); destination(syslogger); };

Not the most elegant solution, it does require you to keep your wits about you
if you change log filenames, but it does work. It's for syslog-ng, AFAIR
syslogd can be brutally assaulted into doing much the same.

> Lastly, is there a way to disable an account after X number of failed
> attempts?

Not inside the conf file to the best of my knowledge. You'll have to write an
external auth script that stores expiry and failed attempts info to do this.
Check the section "USING PROGRAMS TO DO AUTHORIZATION" in the manual bundled
with the sources.

Daniel Schmidt posted links to this very topic just yesterday so I'll assume
you've only just registered and missed it (unlucky you!). Here's the relevant
text reposted:

http://tacacs.org/

and this:
python do_auth.py | less

or maybe this:
http://www.shrubbery.net/pipermail/tac_plus/2011-March/000879.html

or this:
http://manpages.ubuntu.com/manpages/maverick/man8/do_auth.8.html

--
alan dot mckinnon at gmail dot com
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus




-- 
Jathan.
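The thread asks for a lockout after X failed attempts, notes that the after-authentication script is not called on failure, and Daniel would rather lock on IP than on user. Below is an added example, not code from the thread, from tac_plus or from Mark's AFL patch: a failure tracker of the kind Alan describes (stores failed attempts with an expiry window) fed from tac_plus syslog lines, keyed by user or by remote address. The log lines and their "login failure:" message text are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of tac_plus syslog lines; the message text is an assumption,
# check your own tac_plus log for the exact wording before relying on the regex.
SAMPLE_LOG = """\
May  5 14:01:10 tacsrv tac_plus[123]: login failure: bob 10.0.0.1 (10.9.9.9) tty1
May  5 14:01:25 tacsrv tac_plus[123]: login failure: bob 10.0.0.1 (10.9.9.9) tty1
May  5 14:02:03 tacsrv tac_plus[123]: login failure: bob 10.0.0.1 (10.9.9.9) tty1
May  5 14:30:00 tacsrv tac_plus[123]: login failure: alice 10.0.0.2 (10.9.9.8) tty2
"""
# Groups: syslog timestamp, user, NAS address, remote (client) address
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ tac_plus\[\d+\]: login failure: "
    r"(\S+) (\S+) \((\S+)\)")


class FailureTracker:
    """Counts failed logins per key (user or IP) inside a sliding expiry window."""

    def __init__(self, max_failures=3, window=timedelta(minutes=10)):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(list)  # key -> timestamps of recent failures

    def record(self, key, when):
        # Expire old entries first, then add this failure; report lock state.
        self.failures[key] = [t for t in self.failures[key] if when - t < self.window]
        self.failures[key].append(when)
        return self.is_locked(key, when)

    def is_locked(self, key, when):
        recent = [t for t in self.failures[key] if when - t < self.window]
        return len(recent) >= self.max_failures


def parse_failures(text, year=2011):
    """Yield (timestamp, user, nas_addr, rem_addr) for each matching log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield when, m.group(2), m.group(3), m.group(4)


def locked_keys(text, by="user", max_failures=3, window_minutes=10):
    """Return the users (by='user') or client IPs (by='rem_addr') that hit the limit."""
    tracker = FailureTracker(max_failures, timedelta(minutes=window_minutes))
    locked = set()
    for when, user, _nas, rem in parse_failures(text):
        key = user if by == "user" else rem
        if tracker.record(key, when):
            locked.add(key)
    return locked
```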