From arisg at noc.uoa.gr Fri Aug 3 13:34:43 2012
From: arisg at noc.uoa.gr (Aristotelis)
Date: Fri, 3 Aug 2012 16:34:43 +0300
Subject: [tac_plus] Mysql command accounting support
Message-ID: <9574f1b6cdeeb187e268844dce0b956e.squirrel@webmail02.uoa.gr>

Hello,

We wanted to add support for command accounting to our cisco gear, and as it seemed the case cisco only supports command accounting through tacacs+ and not radius. (We use Freeradius for AAA). Therefore I took tacacs+ daemon and coded some support to provide command accounting to mysql db.

In this email you can find attached the patch that adds this support, in case you want to add it to future releases.

For more info on this you can also see:
http://3laloynkai2xoreyoyn.wordpress.com/2012/08/03/cisco-tacacs-accounting-to-mysql-db/

Best Regards
Aristotelhs

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tacacs+-F4.0.4.26-mysql.diff.gz
Type: application/gzip
Size: 103941 bytes
Desc: not available
URL:

From vadud3 at gmail.com Wed Aug 15 22:10:35 2012
From: vadud3 at gmail.com (Asif Iqbal)
Date: Wed, 15 Aug 2012 18:10:35 -0400
Subject: [tac_plus] enable = PAM not supported
Message-ID:

Hi All

I am using the tac_plus version F4.0.4.26.

I noticed it supports PAM for login and pap but not for enable, like the config parsing showing.

    enable = PAM
    Error: expecting 'file', 'cleartext', 'nopassword', or 'des' keyword after 'enable =' on line 655

Is there a way to have enable recognize PAM as an option as well?

Thanks for your help.

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From steve at steve.org.uk Thu Aug 16 06:09:56 2012
From: steve at steve.org.uk (Steve Kemp)
Date: Thu, 16 Aug 2012 07:09:56 +0100
Subject: [tac_plus] Dynamic authentication plugins via shared libraries?
Message-ID: <20120816060956.GA4158@steve.org.uk>

Where we work we have an in-house authentication system which is used for many things, and a few months ago we wished to add TACACS+ to that list.

Looking over the code there are various authentication methods supported, each of which ultimately end up getting called with a username/password:

    static int des_verify(char *, char *);
    static int pam_verify(char *, char *);

(The only exception here is the etc_passwd_verify method which takes an extra argument.)

Rather than adding in our custom verification method directly into the core, along with those, I ended up writing our custom code to test a username/password in a small shared library, and then updating tacacs+ code to load it dynamically at run-time with this configuration file:

    ..
    accounting file = /var/log/tac_plus.acct
    sso_plugin = /usr/local/lib/sso_plugin.so
    ..

    user = steve {
        member = our_company
        login = sso skemp
        name = "Steve Kemp"
    }

When I then try to login the single method is called, via the plugin file loaded with dlopen/dlsym/etc with username "skemp":

    int sso_authenticate( char * sso_username, char *password )

Assuming I cleaned up the code to rename the configuration options, etc, would this be of interest in the main repository and stand a chance of making it into the upstream releases of the future?

I'd expect something like:

    auth_plugin = /path/to/shared.so

    user = blah {
        login = plugin username [data1] [data2] ... [dataN]
    }

FWIW our code is currently based around F4.0.4.16, but will need re-basing against something more recent in the near future anyway.

Steve
--
http://www.steve.org.uk/

From heas at shrubbery.net Thu Aug 16 17:02:49 2012
From: heas at shrubbery.net (heasley)
Date: Thu, 16 Aug 2012 10:02:49 -0700
Subject: [tac_plus] Dynamic authentication plugins via shared libraries?
In-Reply-To: <20120816060956.GA4158@steve.org.uk>
References: <20120816060956.GA4158@steve.org.uk>
Message-ID: <20120816170249.GB60135@shrubbery.net>

Thu, Aug 16, 2012 at 07:09:56AM +0100, Steve Kemp:
> Where we work we have an in-house authentication system which
> is used for many things, and a few months ago we wished to
> add TACACS+ to that list.
>
> Looking over the code there are various authentication methods
> supported, each of which ultimately end up getting called with
> a username/password:
>
> static int des_verify(char *, char *);
> static int pam_verify(char *, char *);
>
> (The only exception here is the etc_passwd_verify method which
> takes an extra argument.)
>
> Rather than adding in our custom verification method directly
> into the core, along with those, I ended up writing our custom
> code to test a username/password in a small shared library,
> and then updating tacacs+ code to load it dynamically at run-time
> with this configuration file:
>
> ..
> accounting file = /var/log/tac_plus.acct
> sso_plugin = /usr/local/lib/sso_plugin.so
> ..
>
> user = steve {
> member = our_company
> login = sso skemp
> name = "Steve Kemp"
> }
>
> When I then try to login the single method is called, via the
> plugin file loaded with dlopen/dlsym/etc with username
> "skemp":
>
> int sso_authenticate( char * sso_username, char *password )
>
> Assuming I cleaned up the code to rename the configuration
> options, etc, would this be of interest in the main repository
> and stand a chance of making it into the upstream releases of
> the future?

sure, but why didn't you just write a PAM module for your sso and have
tacacs enter from there?

> I'd expect something like:
>
> auth_plugin = /path/to/shared.so
>
> user = blah {
> login = plugin username [data1] [data2] ...
> [dataN]
> }
>
> FWIW our code is currently based around F4.0.4.16, but will need
> re-basing against something more recent in the near future anyway.
>
> Steve
> --
> http://www.steve.org.uk/

From steve at steve.org.uk Sat Aug 18 10:30:05 2012
From: steve at steve.org.uk (Steve Kemp)
Date: Sat, 18 Aug 2012 11:30:05 +0100
Subject: [tac_plus] Dynamic authentication plugins via shared libraries?
In-Reply-To: <20120816170249.GB60135@shrubbery.net>
References: <20120816060956.GA4158@steve.org.uk> <20120816170249.GB60135@shrubbery.net>
Message-ID: <20120818103005.GA3300@steve.org.uk>

On Thu Aug 16, 2012 at 10:02:49 -0700, heasley wrote:
> > Assuming I cleaned up the code to rename the configuration
> > options, etc, would this be of interest in the main repository
> > and stand a chance of making it into the upstream releases of
> > the future?
>
> sure, but why didn't you just write a PAM module for your sso and have
> tacacs enter from there?

At the time that didn't occur to me/us.. I guess now you've said that I'm torn between wanting to submit the code-changes and thinking "I'll go away and hide now".

I guess the utility of the work ultimately depends how likely it is that users of TACACS+ wish to tie it in to some external authentication system (which is neither PAM nor LDAP-based).

If this is a common request, and common desire, then the code is useful. If people approach it from the PAM-side then it is less useful. I guess that is a call I cannot make.

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/

From heas at shrubbery.net Mon Aug 20 16:29:26 2012
From: heas at shrubbery.net (heasley)
Date: Mon, 20 Aug 2012 09:29:26 -0700
Subject: [tac_plus] Dynamic authentication plugins via shared libraries?
In-Reply-To: <20120818103005.GA3300@steve.org.uk>
References: <20120816060956.GA4158@steve.org.uk> <20120816170249.GB60135@shrubbery.net> <20120818103005.GA3300@steve.org.uk>
Message-ID: <20120820162926.GL83550@shrubbery.net>

Sat, Aug 18, 2012 at 11:30:05AM +0100, Steve Kemp:
> On Thu Aug 16, 2012 at 10:02:49 -0700, heasley wrote:
> > > Assuming I cleaned up the code to rename the configuration
> > > options, etc, would this be of interest in the main repository
> > > and stand a chance of making it into the upstream releases of
> > > the future?
> >
> > sure, but why didn't you just write a PAM module for your sso and have
> > tacacs enter from there?
>
> At the time that didn't occur to me/us.. I guess now you've said
> that I'm torn between wanting to submit the code-changes and thinking
> "I'll go away and hide now".

I asked because that would make your authentication mechanism more
generically accessible, but there can be cause for not using pam; I just
couldn't think of one, so I asked.

> I guess the utility of the work ultimately depends how likely
> it is that users of TACACS+ wish to tie it in to some external
> authentication system (which is neither PAM nor LDAP-based).

If I needed to access an LDAP server, I would do it through pam. :) but, I
have never needed to do that and there is probably a basket full of caveats
to this that I am completely ignorant of.

i like the idea though, esp. if you include documentation.

> If this is a common request, and common desire, then the code
> is useful. If people approach it from the PAM-side then it is
> less useful. I guess that is a call I cannot make.
>
> Steve
> --
> Debian GNU/Linux System Administration
> http://www.debian-administration.org/

From steve at steve.org.uk Mon Aug 20 16:32:47 2012
From: steve at steve.org.uk (Steve Kemp)
Date: Mon, 20 Aug 2012 17:32:47 +0100
Subject: [tac_plus] Dynamic authentication plugins via shared libraries?
In-Reply-To: <20120820162926.GL83550@shrubbery.net>
References: <20120816060956.GA4158@steve.org.uk> <20120816170249.GB60135@shrubbery.net> <20120818103005.GA3300@steve.org.uk> <20120820162926.GL83550@shrubbery.net>
Message-ID: <20120820163247.GA32472@steve.org.uk>

On Mon Aug 20, 2012 at 09:29:26 -0700, heasley wrote:
> > I guess the utility of the work ultimately depends how likely
> > it is that users of TACACS+ wish to tie it in to some external
> > authentication system (which is neither PAM nor LDAP-based).
>
> If I needed to access an LDAP server, I would do it through pam. :)

Yeah the documentation for that seems reasonably straight-forward.

> i like the idea though, esp. if you include documentation.

OK I'll tidy, re-test, and document the code, and submit a patch.

Steve
--

From vadud3 at gmail.com Mon Aug 20 17:06:03 2012
From: vadud3 at gmail.com (Asif Iqbal)
Date: Mon, 20 Aug 2012 13:06:03 -0400
Subject: [tac_plus] enable = PAM not supported
In-Reply-To:
References:
Message-ID:

On Wed, Aug 15, 2012 at 6:10 PM, Asif Iqbal wrote:
> Hi All
>
> I am using the tac_plus version F4.0.4.26.
>
> I noticed it supports PAM for login and pap but not for enable, like
> the config parsing showing.
>
> enable = PAM
> Error: expecting 'file', 'cleartext', 'nopassword', or 'des' keyword
> after 'enable =' on line 655
>
> Is there a way to have enable recognize PAM as an option as well?

I am guessing there is no patch to allow keyword enable to use PAM? Would be really useful while accessing Cisco FWSM blades.

> Thanks for your help.
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From steve at steve.org.uk Tue Aug 21 20:21:34 2012
From: steve at steve.org.uk (Steve Kemp) Date: Tue, 21 Aug 2012 21:21:34 +0100 Subject: [tac_plus] Dynamic authentication plugins via shared libraries? In-Reply-To: <20120820163247.GA32472@steve.org.uk> References: <20120816060956.GA4158@steve.org.uk> <20120816170249.GB60135@shrubbery.net> <20120818103005.GA3300@steve.org.uk> <20120820162926.GL83550@shrubbery.net> <20120820163247.GA32472@steve.org.uk> Message-ID: <20120821202134.GA18044@steve.org.uk> > OK I'll tidy, re-test, and document the code, and submit a patch. Comments on this initial stab are welcome. Once we agree the documentation is adequate I'll submit the actual code. diff --unified --recursive tacacs+-F4.0.4.26.orig/tac_plus.conf.5.in tacacs+-F4.0.4.26.forked/tac_plus.conf.5.in --- tacacs+-F4.0.4.26.orig/tac_plus.conf.5.in 2012-06-07 00:21:50.000000000 +0100 +++ tacacs+-F4.0.4.26.forked/tac_plus.conf.5.in 2012-08-21 21:18:00.000000000 +0100 @@ -370,12 +370,21 @@ example, before a can be a specified as a member of a , the has to be defined. .\" + +.TP +.B load_plugin +This loads a shared library which is assumed to export the single function +.sp +int plugin_authenticate( char *username, char *passwd, char *args ); +.sp +If this function returns 1 the login is considered a success. + .TP .B password_spec There are five authentication mechanisms available: no password, cleartext, DES, PAM, a file in .BR passwd(5) -format, and skey. +format, skey, and via an external plugin. .sp .nf file @@ -384,6 +393,7 @@ PAM skey nopassword + plugin [plugin arguments] .fi .sp skey is an OTP (One Time Password) facility. The daemon must be built 
@@ -401,6 +411,9 @@ .sp Note: some cases of do not accept all of these mechanisms. .\" +.sp +plugin usage delegates the authentication to a single method exported via +the shared library loaded via .TP .B permission Specifies that some match (for example a or ) is diff --unified --recursive tacacs+-F4.0.4.26.orig/users_guide.in tacacs+-F4.0.4.26.forked/users_guide.in --- tacacs+-F4.0.4.26.orig/users_guide.in 2011-05-27 23:11:57.000000000 +0100 +++ tacacs+-F4.0.4.26.forked/users_guide.in 2012-08-21 21:11:26.000000000 +0100 @@ -353,7 +353,7 @@ daemon to the NAS. This is a security issue if the TACACS+ key is ever compromised. -There are 4 ways to authenticate a user for login. +There are 5 ways to authenticate a user for login. 1). You can include a DES (or cleartext) password for a user or for a group that s/he is a member of, viz: @@ -433,6 +433,30 @@ be that for each authentiction that is attempted, the password will appear to be wrong whether it was typed correctly or not. +5). Authentication via a tac_plus-specific plugin + +tac_plus supports the use of plugins for authentication purposes. These +plugins are implemented as shared libraries which export a single function +invoked to test a username & password pair. + +Writing a tac_plus plugin is considerably more straight-forward than writing +a PAM plugin, and offers a comparible level of flexibility. + +A sample configuration might look like this: + + load_plugin = /usr/lib/day_of_week.so + + user = bob { + login = plugin Mon-Fri + } + + user = chris { + login = plugin + } + +Currently only a single plugin may be loaded, but this might be extended +in the future. + RECURSIVE PASSWORD LOOKUPS --------------------------- Steve -- From arisg at noc.edunet.gr Tue Aug 21 20:51:13 2012 
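Review bot: in the load_plugin entry of tac_plus.conf.5.in the third parameter of plugin_authenticate( char *username, char *passwd, char *args ) is never defined; state that args is the text following the plugin keyword on the user's login = line (the Mon-Fri of the users_guide example), that it is empty when nothing follows, and that every return value other than 1 is a failure, so a plugin that reports a backend error with -1 cannot be mistaken for a pass. While touching the password_spec sentence, fix its count: "There are five authentication mechanisms available" is now followed by seven (no password, cleartext, DES, PAM, passwd(5) file, skey, plugin).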
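Review bot: the sentence added at the end of password_spec, "plugin usage delegates the authentication to a single method exported via the shared library loaded via", stops before naming the directive; finish it with .B load_plugin and a full stop so the cross-reference resolves.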
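Review bot: in the users_guide hunk, "comparible" should be "comparable", and the chris example (login = plugin with no argument) should say explicitly that an empty argument is valid and what the plugin then receives, an empty string or NULL, because every other password keyword in tac_plus takes exactly one token. Since the library runs inside the daemon, the same section should also tell the reader that the .so must be owned by root and not writable by anyone else.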
From: arisg at noc.edunet.gr (Aristotelis)
Date: Tue, 21 Aug 2012 23:51:13 +0300
Subject: [tac_plus] Mysql command accounting support
Message-ID: <0653d55f55c6b5e925ed01d2cfbf878c.squirrel@webmail01.edunet.gr>

Sorry for the repost, but somehow I think that my previous email to the list never arrived.

We wanted to add support for command accounting to our cisco gear, and as it seemed the case cisco only supports command accounting through tacacs+ and not radius. (We use Freeradius for AAA). Therefore I took tacacs+ daemon and coded some support to provide command accounting to mysql db.

In this email you can find attached the patch that adds this support, do you think it is something of interest for future releases?

For more info on this you can also see:
http://3laloynkai2xoreyoyn.wordpress.com/2012/08/03/cisco-tacacs-accounting-to-mysql-db/

Best Regards,
Aristotelhs

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tacacs+-F4.0.4.26-mysql.diff
Type: text/x-patch
Size: 612649 bytes
Desc: not available
URL:

From heas at shrubbery.net Tue Aug 21 21:39:54 2012
From: heas at shrubbery.net (heasley)
Date: Tue, 21 Aug 2012 14:39:54 -0700
Subject: [tac_plus] Dynamic authentication plugins via shared libraries?
In-Reply-To: <20120821202134.GA18044@steve.org.uk>
References: <20120816060956.GA4158@steve.org.uk> <20120816170249.GB60135@shrubbery.net> <20120818103005.GA3300@steve.org.uk> <20120820162926.GL83550@shrubbery.net> <20120820163247.GA32472@steve.org.uk> <20120821202134.GA18044@steve.org.uk>
Message-ID: <20120821213954.GO28737@shrubbery.net>

Tue, Aug 21, 2012 at 09:21:34PM +0100, Steve Kemp:
> > OK I'll tidy, re-test, and document the code, and submit a patch.
>
> Comments on this initial stab are welcome. Once we agree
> the documentation is adequate I'll submit the actual code.
>
> +This loads a shared library which is assumed to export the single function
> +.sp
> +int plugin_authenticate( char *username, char *passwd, char *args );
> +.sp
> +If this function returns 1 the login is considered a success.
> +

except that args needs to be defined, this looks fine.

From steve at steve.org.uk Wed Aug 22 07:18:09 2012
From: steve at steve.org.uk (Steve Kemp) Date: Wed, 22 Aug 2012 08:18:09 +0100 Subject: [tac_plus] Dynamic authentication plugins via shared libraries? In-Reply-To: <20120821213954.GO28737@shrubbery.net> References: <20120816060956.GA4158@steve.org.uk> <20120816170249.GB60135@shrubbery.net> <20120818103005.GA3300@steve.org.uk> <20120820162926.GL83550@shrubbery.net> <20120820163247.GA32472@steve.org.uk> <20120821202134.GA18044@steve.org.uk> <20120821213954.GO28737@shrubbery.net> Message-ID: <20120822071809.GC18791@steve.org.uk> On Tue Aug 21, 2012 at 14:39:54 -0700, heasley wrote: > > Comments on this initial stab are welcome. Once we agree > > the documentation is adequate I'll submit the actual code. > > > > +This loads a shared library which is assumed to export the single function > > +.sp > > +int plugin_authenticate( char *username, char *passwd, char *args ); > > +.sp > > +If this function returns 1 the login is considered a success. > > + > > except that args needs to be defined, this looks fine. I was going to document that in a new section, or new PLUGIN file. (Seems "odd" to document API in the manpage there.) Still if that first stab doesn't look too bad then I'll work on the next bits today/tomorrow. Steve -- http://www.steve.org.uk/ From steve at steve.org.uk Wed Aug 22 08:43:54 2012 From: steve at steve.org.uk (Steve Kemp) Date: Wed, 22 Aug 2012 09:43:54 +0100 Subject: [tac_plus] plugin-loading: 1/3: updating configuration parser Message-ID: <20120822084353.GA27159@steve.org.uk> --- a/parse.c +++ b/parse.c @@ -96,6 +96,7 @@ declare("ipx", S_ipx); declare("key", S_key); declare("lcp", S_lcp); + declare("load_plugin", S_load_plugin); #ifdef MAXSESS declare("maxsess", S_maxsess); #endif @@ -106,6 +107,7 @@ declare("login", S_login); declare("permit", S_permit); declare("pap", S_pap); + declare("plugin", S_plugin); declare("opap", S_opap); declare("ppp", S_ppp); declare("protocol", S_protocol); 
@@ -164,6 +166,8 @@ #endif case S_key: return("key"); + case S_load_plugin: + return("load_plugin"); case S_user: return("user"); case S_group: @@ -210,6 +214,8 @@ #endif /* MSCHAP */ case S_pap: return("pap"); + case S_plugin: + return("plugin"); case S_opap: return("opap"); case S_cleartext: --- a/parse.h +++ b/parse.h @@ -91,3 +91,5 @@ #endif #define S_syslog 50 #define S_aceclnt 51 +#define S_load_plugin 52 +#define S_plugin 53 --- a/tac_plus.h +++ b/tac_plus.h @@ -199,6 +199,7 @@ char *cfgfile; /* config file name */ char *acctfile; /* name of accounting file */ char port[NAS_PORT_MAX_LEN+1]; /* For error reporting */ + char *auth_plugin; /* External authentication plugin library */ u_char version; /* version of last packet read */ }; --- a/config.c +++ b/config.c @@ -746,7 +746,7 @@ static int parse_decls() { - + struct stat sb; /* for stat()ing the auth plugin(s) */ sym_code = 0; rch(); @@ -786,6 +786,24 @@ sym_get(); continue; + case S_load_plugin: + sym_get(); + parse(S_separator); + + if (session.auth_plugin != NULL) + free(session.auth_plugin); + + session.auth_plugin = tac_strdup(sym_buf); + sym_get(); + + if ( stat( session.auth_plugin, &sb ) != 0 ) + { + parse_error("plugin library %s doesn't exist lines %d and %d", + session.auth_plugin, session.keyline, sym_line); + return(1); + } + continue; + case S_default: sym_get(); switch (sym_code) { @@ -1121,6 +1139,7 @@ case S_file: case S_cleartext: case S_des: + case S_plugin: sprintf(buf, "%s ", sym_buf); sym_get(); strcat(buf, sym_buf); @@ -1138,7 +1157,7 @@ #ifdef HAVE_PAM "'PAM', " #endif - "or 'des' keyword after 'login =' on line %d", + "'plugin', or 'des' keyword after 'login =' on line %d", sym_line); } sym_get(); @@ -1164,6 +1183,7 @@ case S_file: case S_cleartext: case S_des: + case S_plugin: sprintf(buf, "%s ", sym_buf); sym_get(); strcat(buf, sym_buf); From steve at steve.org.uk Wed Aug 22 08:44:32 2012 
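Review bot: the S_load_plugin case in config.c only checks that stat() succeeds on the path, yet the daemon will later dlopen() that file with its own privileges; also reject anything that is not a regular file or that is group- or world-writable (S_ISREG(sb.st_mode), sb.st_mode & (S_IWGRP|S_IWOTH)), and require an absolute path, since a bare name would make dlopen() search the library path rather than the file stat() just looked at. The parse_error text "plugin library %s doesn't exist lines %d and %d" is carried over from the key handling and prints session.keyline, which has nothing to do with this directive; report sym_line alone.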
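Review bot: the new case S_plugin in the login = parser (and its twin in the hunk at line 1183) calls sym_get() and strcat()s whatever token follows, exactly as file/cleartext/des do, so a bare "login = plugin" line, which the users_guide patch shows for user chris, swallows the next token (the closing brace) as the plugin argument and breaks the block. Either require an argument or look at the next symbol before consuming it. The "plugin" keyword and the new 'login =' error text are also compiled unconditionally while pwlib.c only implements the call under a dlfcn conditional; guard the keyword with the same macro so a build without dlopen() rejects the configuration at parse time instead of failing every plugin login at run time.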
From: steve at steve.org.uk (Steve Kemp) Date: Wed, 22 Aug 2012 09:44:32 +0100 Subject: [tac_plus] plugin-loading: 2/3: invoking plugins Message-ID: <20120822084432.GA27313@steve.org.uk> --- a/pwlib.c +++ b/pwlib.c @@ -44,6 +44,10 @@ void *); #endif +#if HAVE_DLFCN_H +# include +#endif + /* * Generic password verification routines for des, file and cleartext passwords */ @@ -53,6 +57,7 @@ static int pam_verify(char *, char *); #endif static int passwd_file_verify(char *, char *, struct authen_data *, char *); +static int plugin_verify(char *, char *,char *); /* Adjust data->status depending on whether a user has expired or not */ void @@ -204,6 +209,18 @@ return(data->status == TAC_PLUS_AUTHEN_STATUS_PASS); } + + p = tac_find_substring("plugin", cfg_passwd); + if (p) { + /* skip past the length of "plugin" to get any extra data. */ + if (!plugin_verify(name,passwd, p+6)) { + data->status = TAC_PLUS_AUTHEN_STATUS_FAIL; + } else { + data->status = TAC_PLUS_AUTHEN_STATUS_PASS; + } + return(data->status == TAC_PLUS_AUTHEN_STATUS_PASS); + } + p = tac_find_substring("file ", cfg_passwd); if (p) { return(passwd_file_verify(name, passwd, data, p)); 
@@ -376,9 +393,95 @@ return(data->status == TAC_PLUS_AUTHEN_STATUS_PASS); } + +/* + * Verify authentication via an external plugin. + */ +static int +plugin_verify(char *user, char *supplied_passwd, char *extra_args) +{ + int (*auth)(char *, char *, char *); /* plugin function signature */ + void *handle; /* handle to open library */ + struct stat sb; /* stat buffer */ + char *error; + int ret; + +#ifdef DLFCN + + if ( stat( session.sso_plugin, &sb ) != 0 ) + { + report(LOG_ERR, "%s: Plugin not found %s", + session.peer, + session.auth_plugin ); + return(0); + } + + handle = dlopen( session.auth_plugin, RTLD_LAZY); + if (!handle) + { + report(LOG_ERR, "%s: Plugin load error: %s", + session.peer, + dlerror()); + + return(0); + } + + dlerror(); /* Clear any existing error */ + + /* get the function, by name */ + *(void **) (&auth) = dlsym(handle, "plugin_authenticate"); + + if ((error = dlerror()) != NULL) + { + report(LOG_ERR, "%s: Plugin symbol error: %s", + session.peer, + error); + session.peer, + dlerror()); + + return(0); + } + + /* Clear any existing error */ + dlerror(); + + /* get the function, by name */ + *(void **) (&auth) = dlsym(handle, "plugin_authenticate"); + + if ((error = dlerror()) != NULL) + { + report(LOG_ERR, "%s: Plugin symbol error: %s", + session.peer, + error); + + return(0); + } + + ret = (*auth)(user, supplied_passwd, extra_args); + + if (debug & DEBUG_PASSWD_FLAG) { + report(LOG_ERR, "%s: Plugin call (%s,%s,%s) -> %d", + session.peer, user, supplied_passwd, extra_args, ret ); + } + + /** + * Cleanup + */ + dlclose(handle); + return( ret ); + +#else + report(LOG_ERR, "%s: Plugin call (%s,%s,%s) ignored - no dlopen()", + session.peer, user, supplied_passwd, extra_args); + + return 0; +#endif +} + + /* * verify that this user/password is valid per a passwd(5) style database. - * Return 0 if invalid. + * return 0 if invalid. 
*/ static int passwd_file_verify(char *user, char *supplied_passwd, struct authen_data *data, From steve at steve.org.uk Wed Aug 22 08:46:44 2012 From: steve at steve.org.uk (Steve Kemp) Date: Wed, 22 Aug 2012 09:46:44 +0100 Subject: [tac_plus] plugin-loading: 3/3: more docs + sample plugins In-Reply-To: <20120822084432.GA27313@steve.org.uk> References: <20120822084432.GA27313@steve.org.uk> Message-ID: <20120822084644.GA27381@steve.org.uk> I've included the plugin README, and two sample plugins in the archive available here: http://steve.org.uk/plugins.tar.gz I imagine we'll not install these trivial plugins by default so they're reference/samples and we don't need to update the autoconf magic to do anything here. Steve -- From amanihamdi89 at gmail.com Tue Aug 28 10:03:50 2012 
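Review bot: at the call site in the @@ -204 hunk the raw return value of plugin_verify() decides PASS, so any nonzero value, including a negative error code from the plugin, authenticates the user, while the manpage promises that only 1 is success. Compare explicitly, e.g. if (plugin_verify(name, passwd, p + 6) != 1) set FAIL, else PASS. The p+6 offset also hands the plugin the blank that follows "plugin"; skip leading whitespace or document that the argument arrives with it.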
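Review bot: plugin_verify() in the @@ -376 hunk does not compile as posted: stat(session.sso_plugin, &sb) names a field that does not exist (tac_plus.h adds auth_plugin), and the dlerror()/dlsym() block appears twice with a stray "session.peer, dlerror());" fragment between the copies. Beyond that, the body is wrapped in #ifdef DLFCN while the include in the first hunk is guarded by HAVE_DLFCN_H, so unless DLFCN is defined elsewhere every plugin login takes the #else branch, and that #else branch logs the user's cleartext password at LOG_ERR with no DEBUG_PASSWD_FLAG check, unlike the debug report in the main branch. Suggest one macro for both places, RTLD_NOW instead of RTLD_LAZY so an unresolved symbol fails at load rather than at the call, dropping the stat() (dlopen() already reports a missing file and the separate check only opens a TOCTOU window), and either keeping the handle open across calls or documenting that the library is loaded and unloaded on every authentication.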
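An added example of a plugin written against the contract documented in this thread (the exported symbol plugin_authenticate(char *username, char *passwd, char *args), args being whatever followed the plugin keyword on the login = line, and 1 as the only success value); it is not one of Steve's two sample plugins from the tarball. The day abbreviations, the Mon-Fri range syntax and the wrap-around handling are this example's own assumptions, and it enforces only a day-of-week window, so a real plugin would also verify the password.

```c
/* Added example (not from the tac_plus tree): a plugin built against the
 * contract documented in this thread.  tac_plus dlopen()s the library named
 * by load_plugin and calls plugin_authenticate(username, passwd, args), where
 * args is whatever followed the "plugin" keyword on the user's "login =" line
 * (e.g. "Mon-Fri"), and only a return value of 1 means success.  The day
 * abbreviations and the range syntax below are this example's own; it
 * enforces a day-of-week window only, a real plugin would also check passwd.
 *
 * Build: cc -shared -fPIC -o day_of_week.so day_of_week.c
 */
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

static const char *const day_names[7] = {
    "Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"   /* index = tm_wday */
};

/* Map a three-letter day abbreviation (any case) to 0..6; -1 if unknown. */
static int day_index(const char *s, size_t len)
{
    int i, c;

    if (len != 3)
        return -1;
    for (i = 0; i < 7; i++) {
        for (c = 0; c < 3; c++)
            if (tolower((unsigned char)s[c]) != tolower((unsigned char)day_names[i][c]))
                break;
        if (c == 3)
            return i;
    }
    return -1;
}

/* Is weekday wday (0 = Sunday) inside the window named by args?
 * Accepted: NULL or blank (no restriction, as for user chris above), "Wed",
 * "Mon-Fri", or a range that wraps past Saturday such as "Fri-Mon".
 * Anything else fails closed: a typo in the config must never widen access. */
int day_allowed(const char *args, int wday)
{
    size_t len;
    const char *dash;
    int from, to;

    if (wday < 0 || wday > 6)
        return 0;
    if (args == NULL)
        return 1;
    /* the daemon hands over the text right after "plugin", so the
     * argument normally arrives with a leading blank */
    while (*args == ' ' || *args == '\t')
        args++;
    if (*args == '\0')
        return 1;
    len = strlen(args);
    while (len > 0 && isspace((unsigned char)args[len - 1]))
        len--;

    dash = memchr(args, '-', len);
    if (dash == NULL) {
        from = to = day_index(args, len);
    } else {
        from = day_index(args, (size_t)(dash - args));
        to = day_index(dash + 1, len - (size_t)(dash - args) - 1);
    }
    if (from < 0 || to < 0)
        return 0;                          /* malformed spec: deny */
    if (from <= to)
        return wday >= from && wday <= to;
    return wday >= from || wday <= to;     /* wrap-around range */
}

/* The symbol tac_plus resolves with dlsym(); returns exactly 1 or 0.
 * tac_plus forks per connection, so the non-reentrant localtime() is fine. */
int plugin_authenticate(char *username, char *passwd, char *args)
{
    time_t now = time(NULL);
    struct tm *tm;

    (void)username;
    (void)passwd;   /* this sample does not verify credentials */
    tm = localtime(&now);
    if (tm == NULL)
        return 0;
    return day_allowed(args, tm->tm_wday) ? 1 : 0;
}
```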
From: amanihamdi89 at gmail.com (amani hamdi)
Date: Tue, 28 Aug 2012 11:03:50 +0100
Subject: [tac_plus] Problem managing tacacs+
Message-ID:

hello,

I have installed the f4.0.4.22 version of Tacacs+ from your site but i have problems with managing authorizations.

this is my configuration:

cisco catalyst 2960 configuration:

    aaa new-model
    aaa authentication login telnet group tacacs+ local
    aaa authentication login console group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization config-command
    aaa authorization exec default group tacacs+
    aaa authorization commands 1 default group tacacs+ none
    aaa authorization commands 15 default group tacacs+ none
    aaa accounting update newinfo
    aaa accounting exec default start-stop group tacacs+

tacacs+ configuration file:

    user = supervisor {
        login = cleartext "normal"
        enable = cleartext "enable"
        cmd = show {
            permit interfaces
            deny .*
        }

For this example I wanted to limit the use of the "show" command and enable only the "show interfaces" command. But, it didn't work for me. All "show" commands are enabled! I'm using a cisco catalyst 2960.

Can you help me please?
thank you.

From steve at steve.org.uk Tue Aug 28 16:28:43 2012
From: steve at steve.org.uk (Steve Kemp)
Date: Tue, 28 Aug 2012 17:28:43 +0100
Subject: [tac_plus] Problem managing tacacs+
In-Reply-To:
References:
Message-ID: <20120828162843.GA7884@steve.org.uk>

On Tue Aug 28, 2012 at 11:03:50 +0100, amani hamdi wrote:
> cmd = show {
>     permit interfaces
>     deny .*
> }

Try this:

    cmd = show {
        permit version
        permit interface
        deny .*
    }

Steve
--
Let me steal your soul? http://stolen-souls.com

From nikolais at mellanox.com Wed Aug 29 12:29:09 2012
From: nikolais at mellanox.com (Nikolai Sednev)
Date: Wed, 29 Aug 2012 12:29:09 +0000
Subject: [tac_plus] authorization vendor-specific attribute
Message-ID: <70F662A3A26E42448FE10C1211446A981294F666@MTRDAG01.mtl.com>

Hi,

How can I configure vendor-specific attribute for authorization as admin or monitor in the configuration file of TACACS+ server?

Best regards,
Nikolai

--------------------------------------------------------------------------------------------
Nikolai Sednev
QA Engineer, QnR
Extension: 9176
Cell: +972 52 734 2734
Email: nikolais at mellanox.com
Mellanox Technologies http://www.mellanox.com/
--------------------------------------------------------------------------------------------

From alan.mckinnon at gmail.com Wed Aug 29 16:03:48 2012
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Wed, 29 Aug 2012 18:03:48 +0200
Subject: [tac_plus] authorization vendor-specific attribute
In-Reply-To: <70F662A3A26E42448FE10C1211446A981294F666@MTRDAG01.mtl.com>
References: <70F662A3A26E42448FE10C1211446A981294F666@MTRDAG01.mtl.com>
Message-ID: <20120829180348.48c4bcd6@khamul.example.com>

On Wed, 29 Aug 2012 12:29:09 +0000
Nikolai Sednev wrote:

> Hi,
> How can I configure vendor-specific attribute for authorization as
> admin or monitor in the configuration file of TACACS+ server?

Here's an example:

    service = exec {
        optional task = "rwx:*,#root-system,#cisco-support"
        idletime = 30
        timeout = 720
        # shell:roles="priv-15"
    }

The tarball comes with an FAQ that covers this topic in some detail. Have you read it?

> Best regards, Nikolai

--
Alan McKinnon
alan.mckinnon at gmail.com