[tac_plus] auth fail lock fix or alternatives?

Alan McKinnon alan.mckinnon at gmail.com
Mon Feb 20 21:52:43 UTC 2012


On Mon, 20 Feb 2012 17:07:30 +0000
Joe Moore <joe.moore at holidaycompanies.com> wrote:

> I know some of you consider the account lockout feature to be a
> denial of service vector, but our security auditor insists that we
> lock out accounts after (no more than) 5 failed login attempts, and
> there is no chance of that changing. So I have to do it.
> 
> I was happily running tac_plus F4.0.4.19  with the
> tacacs+-F4.0.4.19.afl.patch on a pair of FreeBSD 7.4 servers for some
> time.
> 
> As soon as I updated one of the servers to FreeBSD 8.x, tac_plus
> would no longer start. Startup failed with the message: Error:
> Unrecognised token auth-fail-lock on line 6.

This part doesn't make much sense to me. That's not a run-time or logic
error, it means that the config file parser has no knowledge of that
specific token.

This should not happen as it is the same code with the same
patch that worked fine on a previous version of the same OS. It's hard
to think of something that would cause that, it's almost as if the
#IFDEF AFL wasn't there or you missed the --enable-afl - I'm assuming
that is not the case, it's a real n00b error :-)

autotools likely got upgraded, what version are you running now and
what were you using on FreeBSD-7.2?

I also think the entire output of ./configure would be useful so we can
all see how tac_plus decided to configure itself.




> 
> The only way I was able to get tac_plus to start was by commenting
> out that line. I've tried installing F4.0.4.19  with the patch on
> fresh installs of FreeBSD 8.2 and Centos 6.2 with the same results.
> I've had no luck contacting the author of the patch so I'm assuming
> there won't be updates available for newer versions of tac_plus. Not
> updating tac_plus is also something the auditor will eventually
> notice.
> 
> Are there any alternatives to the afl patch? Something that delays
> the login prompt ever increasing amounts after each failed attempt
> might work too.
> 
> I really don't want to tell my boss that Cisco AC$ is our only
> option...
> 
> 
> L  ...jgm
> 



-- 
Alan McKinnon
alan.mckinnon at gmail.com
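Added example (not tac_plus code and not from the afl patch): a small per-account policy that implements both options raised in the thread, a hard lock after the auditor's 5 failures and an escalating delay before each retry, with the edge cases of lock expiry and reset on success. The lock duration, base delay and the `check`/`record` hook names are assumptions; a real daemon would call these from its own authentication path.

```python
"""Failed-login policy: hard lock after MAX_FAILURES, escalating
delay before that. Constructed illustration, not tac_plus code."""
import time
from dataclasses import dataclass

MAX_FAILURES = 5       # threshold the auditor in the thread requires
BASE_DELAY = 2.0       # seconds; doubles after each failed attempt (assumed)
LOCK_SECONDS = 900     # how long a hard lock lasts (assumed)


@dataclass
class AccountState:
    failures: int = 0
    not_before: float = 0.0    # earliest time a new attempt is accepted
    locked_until: float = 0.0  # hard lock expiry, 0 if not locked


class LockoutPolicy:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so the policy is testable
        self.state = {}

    def check(self, user):
        """Call before verifying a password. Returns (allowed, reason)."""
        st = self.state.setdefault(user, AccountState())
        t = self.now()
        if st.locked_until > t:
            return False, "locked"
        if st.not_before > t:
            return False, "backoff"
        return True, "ok"

    def record(self, user, success):
        """Call after the password check with its outcome."""
        st = self.state.setdefault(user, AccountState())
        t = self.now()
        if success:
            self.state[user] = AccountState()   # good login clears history
            return
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = t + LOCK_SECONDS  # hard lock, as the audit wants
        else:
            # 2s, 4s, 8s, 16s before the next attempt is accepted
            st.not_before = t + BASE_DELAY * 2 ** (st.failures - 1)
```

Only the lock expires on its own; clearing a lock early (for example by an operator) is left to whatever calls this policy.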


