[tac_plus] auth fail lock fix or alternatives?

Joe Moore joe.moore at holidaycompanies.com
Mon Feb 20 22:37:23 UTC 2012



-----Original Message-----
From: Alan McKinnon [mailto:alan.mckinnon at gmail.com] 
Sent: Monday, February 20, 2012 3:53 PM
To: tac_plus at shrubbery.net
Subject: Re: [tac_plus] auth fail lock fix or alternatives?

On Mon, 20 Feb 2012 17:07:30 +0000
Joe Moore <joe.moore at holidaycompanies.com> wrote:

> I know some of you consider the account lockout feature to be a denial 
> of service vector, but our security auditor insists that we lock out 
> accounts after (no more than) 5 failed login attempts, and there is no 
> chance of that changing. So I have to do it.
> 
> I was happily running tac_plus F4.0.4.19  with the
> tacacs+-F4.0.4.19.afl.patch on a pair of FreeBSD 7.4 servers for some
> time.
> 
> As soon as I updated one of the servers to FreeBSD 8.x, tac_plus would 
> no longer start. Startup failed with the message: Error:
> Unrecognised token auth-fail-lock on line 6.

This part doesn't make much sense to me. That's not a run-time or logic error, it means that the config file parser has no knowledge of that specific token.

This should not happen as it is the same code with the same patch that worked fine on a previous version of the same OS. It's hard to think of something that would cause that, it's almost as if the #IFDEF AFL wasn't there or you missed the --enable-afl - I'm assuming that is not the case, it's a real n00b error :-)

autotools likely got upgraded, what version are you running now and what were you using on FreeBSD-7.2?

I also think the entire output of ./configure would be useful so we can all see how tac_plus decided to configure itself.



Alan,

As a router & switch admin I am no noob, but as a developer I'm an end-user, which probably puts me below noob.

The tac_plus service failed to start after a typical "buildworld" update and reboot of the FreeBSD box. At that point I had not re-compiled or re-installed tac_plus. I have subsequently patched, configured, compiled and installed tac_plus on multiple boxes with fresh FreeBSD 8.2 installs as well as a CentOS 6 box. None of them would start tac_plus unless I commented out the "auth-fail-lock 4 120 900" line.

Full output of the patch and configure on FreeBSD 8.2 follows. I'd be happy to give you the versions of the autotools on the old FBSD 7.2 box if you tell me how to find that out.

Thanks in advance!

[root at ns3 ~/download]# cd tacacs+-F4.0.4.19
[root at ns3 ~/download/tacacs+-F4.0.4.19]# ls tac*
tac_convert.in                  tac_plus.conf.5.in              tac_pwd.c
tac_plus.8.in                   tac_plus.h                      tacacs+-F4.0.4.19.afl.patch
tac_plus.c                      tac_pwd.8                       tacacs.h
[root at ns3 ~/download/tacacs+-F4.0.4.19]# patch < tacacs+-F4.0.4.19.afl.patch
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -Naur ../tacacs+-F4.0.4.19.orig/authen.c ./authen.c
|--- ../tacacs+-F4.0.4.19.orig/authen.c 2009-07-17 13:34:32.000000000 -0400
|+++ ./authen.c 2009-09-10 15:17:32.000000000 -0400
--------------------------
Patching file authen.c using Plan A...
Hunk #1 succeeded at 316.
Hunk #2 succeeded at 356.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -Naur ../tacacs+-F4.0.4.19.orig/config.c ./config.c
|--- ../tacacs+-F4.0.4.19.orig/config.c 2009-07-17 13:34:30.000000000 -0400
|+++ ./config.c 2009-09-10 15:17:32.000000000 -0400
--------------------------
Patching file config.c using Plan A...
Hunk #1 succeeded at 114.
Hunk #2 succeeded at 183.
Hunk #3 succeeded at 221.
Hunk #4 succeeded at 539.
Hunk #5 succeeded at 772.
Hunk #6 succeeded at 2475.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -Naur ../tacacs+-F4.0.4.19.orig/config.h.in ./config.h.in
|--- ../tacacs+-F4.0.4.19.orig/config.h.in      2009-07-17 16:02:18.000000000 -0400
|+++ ./config.h.in      2009-09-10 15:17:32.000000000 -0400
--------------------------
Patching file config.h.in using Plan A...
Hunk #1 succeeded at 288.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -Naur ../tacacs+-F4.0.4.19.orig/configure.in ./configure.in
|--- ../tacacs+-F4.0.4.19.orig/configure.in     2009-07-17 13:54:16.000000000 -0400
|+++ ./configure.in     2009-09-10 15:17:32.000000000 -0400
--------------------------
Patching file configure.in using Plan A...
Hunk #1 succeeded at 620.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -Naur ../tacacs+-F4.0.4.19.orig/parse.c ./parse.c
|--- ../tacacs+-F4.0.4.19.orig/parse.c  2009-07-17 13:34:32.000000000 -0400
|+++ ./parse.c  2009-09-10 15:17:32.000000000 -0400
--------------------------
Patching file parse.c using Plan A...
Hunk #1 succeeded at 118.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -Naur ../tacacs+-F4.0.4.19.orig/parse.h ./parse.h
|--- ../tacacs+-F4.0.4.19.orig/parse.h  2009-07-17 13:34:32.000000000 -0400
|+++ ./parse.h  2009-09-10 15:17:32.000000000 -0400
--------------------------
Patching file parse.h using Plan A...
Hunk #1 succeeded at 90.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -Naur ../tacacs+-F4.0.4.19.orig/tac_plus.c ./tac_plus.c
|--- ../tacacs+-F4.0.4.19.orig/tac_plus.c       2009-07-28 11:50:24.000000000 -0400
|+++ ./tac_plus.c       2009-09-10 15:17:32.000000000 -0400
--------------------------
Patching file tac_plus.c using Plan A...
Hunk #1 succeeded at 79.
Hunk #2 succeeded at 99.
Hunk #3 succeeded at 112.
Hunk #4 succeeded at 349.
Hunk #5 succeeded at 927.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -Naur ../tacacs+-F4.0.4.19.orig/tac_plus.h ./tac_plus.h
|--- ../tacacs+-F4.0.4.19.orig/tac_plus.h       2009-07-27 20:11:53.000000000 -0400
|+++ ./tac_plus.h       2009-09-10 15:18:33.000000000 -0400
--------------------------
Patching file tac_plus.h using Plan A...
Hunk #1 succeeded at 153.
Hunk #2 succeeded at 278.
Hunk #3 succeeded at 304.
Hunk #4 succeeded at 623.
Hmm...  Ignoring the trailing garbage.
done
[root at ns3 ~/download/tacacs+-F4.0.4.19]# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... ./install-sh -c -d
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking whether make sets $(MAKE)... yes
checking whether to enable maintainer-specific portions of Makefiles... no
checking build system type... i386-unknown-freebsd8.2
checking host system type... i386-unknown-freebsd8.2
checking for gmake... /usr/local/bin/gmake
checking whether /usr/local/bin/gmake sets $(MAKE)... yes
checking whether to enable maintainer-specific portions of Makefiles... no
checking for style of include used by /usr/local/bin/gmake... GNU
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking dependency style of gcc... gcc3
checking for a sed that does not truncate output... /usr/bin/sed
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for /usr/bin/ld option to reload object files... -r
checking for BSD-compatible nm... /usr/bin/nm -B
checking whether ln -s works... yes
checking how to recognize dependent libraries... pass_all
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking dlfcn.h usability... yes
checking dlfcn.h presence... yes
checking for dlfcn.h... yes
checking for g++... g++
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking dependency style of g++... gcc3
checking how to run the C++ preprocessor... g++ -E
checking for g77... no
checking for xlf... no
checking for f77... no
checking for frt... no
checking for pgf77... no
checking for cf77... no
checking for fort77... no
checking for fl32... no
checking for af77... no
checking for xlf90... no
checking for f90... no
checking for pgf90... no
checking for pghpf... no
checking for epcf90... no
checking for gfortran... no
checking for g95... no
checking for xlf95... no
checking for f95... no
checking for fort... no
checking for ifort... no
checking for ifc... no
checking for efc... no
checking for pgf95... no
checking for lf95... no
checking for ftn... no
checking whether we are using the GNU Fortran 77 compiler... no
checking whether  accepts -g... no
checking the maximum length of command line arguments... 196608
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for objdir... .libs
checking for ar... ar
checking for ranlib... ranlib
checking for strip... strip
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC
checking if gcc PIC flag -fPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking whether the gcc linker (/usr/bin/ld) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... freebsd8.2 ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking for shl_load... no
checking for shl_load in -ldld... no
checking for dlopen... yes
checking whether a program can dlopen itself... yes
checking whether a statically linked program can dlopen itself... no
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
configure: creating libtool
appending configuration tag "CXX" to libtool
checking for ld used by g++... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking whether the g++ linker (/usr/bin/ld) supports shared libraries... yes
checking for g++ option to produce PIC... -fPIC
checking if g++ PIC flag -fPIC works... yes
checking if g++ static flag -static works... yes
checking if g++ supports -c -o file.o... yes
checking whether the g++ linker (/usr/bin/ld) supports shared libraries... yes
checking dynamic linker characteristics... freebsd8.2 ld.so
(cached) (cached) checking how to hardcode library paths into programs... immediate
appending configuration tag "F77" to libtool
checking for the pthreads library -lpthreads... no
checking whether pthreads work without any flags... no
checking whether pthreads work with -Kthread... no
checking whether pthreads work with -kthread... no
checking for the pthreads library -llthread... no
checking whether pthreads work with -pthread... yes
checking for joinable pthread attribute... PTHREAD_CREATE_JOINABLE
checking if more special flags are required for pthreads... -D_THREAD_SAFE
checking for gcc... (cached) gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ISO C89... (cached) none needed
checking dependency style of gcc... (cached) gcc3
checking for function prototypes... yes
checking for string.h... (cached) yes
checking how to run the C preprocessor... gcc -E
checking for an ANSI C-conforming const... yes
checking for inline... inline
checking for preprocessor stringizing operator... yes
checking for flex... flex
checking lex output file root... lex.yy
checking lex library... -lfl
checking whether yytext is a pointer... yes
checking for bison... bison -y
checking whether yacc is bison in disguise... yes
checking whether byte ordering is bigendian... no
checking size of long int... 4
checking for a BSD-compatible install... /usr/bin/install -c
checking whether to include symbols... no
checking whether to set gcc warnings... no
checking whether to use libwrap... yes
checking whether to include skey support... no
checking whether to setuid()... no
checking whether to setgid()... no
checking whether to include ACL support... yes
checking whether to include user-enable support... yes
checking whether to include maximum sessions (maxsess) support... no
checking whether to include maxsess finger support... no
checking for alt pid file FQPN... /var/run/tac_plus.pid
checking for alt accounting file FQPN... /var/log/tac_plus.acct
checking for alt log file FQPN... /var/log/tac_plus.log
checking for alt wholog file FQPN... /var/log/tacwho.log
checking whether to profile... no
checking for pam_start in -lpam... yes
checking for ANSI C header files... (cached) yes
checking whether time.h and sys/time.h may both be included... yes
checking crypt.h usability... no
checking crypt.h presence... no
checking for crypt.h... no
checking ctype.h usability... yes
checking ctype.h presence... yes
checking for ctype.h... yes
checking errno.h usability... yes
checking errno.h presence... yes
checking for errno.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking malloc.h usability... no
checking malloc.h presence... no
checking for malloc.h... no
checking shadow.h usability... no
checking shadow.h presence... no
checking for shadow.h... no
checking for stdlib.h... (cached) yes
checking for stdint.h... (cached) yes
checking for string.h... (cached) yes
checking for strings.h... (cached) yes
checking sys/resource.h usability... yes
checking sys/resource.h presence... yes
checking for sys/resource.h... yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking for sys/types.h... (cached) yes
checking sys/wait.h usability... yes
checking sys/wait.h presence... yes
checking for sys/wait.h... yes
checking sysexits.h usability... yes
checking sysexits.h presence... yes
checking for sysexits.h... yes
checking syslog.h usability... yes
checking syslog.h presence... yes
checking for syslog.h... yes
checking termios.h usability... yes
checking termios.h presence... yes
checking for termios.h... yes
checking for unistd.h... (cached) yes
checking wait.h usability... no
checking wait.h presence... no
checking for wait.h... no
checking return type of signal handlers... void
checking for socklen_t... yes
checking for pid_t... yes
checking for getdtablesize... yes
checking for memcpy... yes
checking for memset... yes
checking for strchr... yes
checking for strcspn... yes
checking for strerror... yes
checking for strrchr... yes
checking for wait3... yes
checking for wait4... yes
checking for waitpid... yes
checking whether setpgrp takes no argument... no
checking if waitpid takes a union wait... no
checking if signals need to be re-armed... no
checking if children need to be reaped... yes
checking if children need to be reaped with SIG_IGN... no
checking for gnutar... no
checking for gtar... no
checking for tar... tar
checking for a BSD-compatible install... /usr/bin/install -c
checking for perl5... /usr/bin/perl5
configure: creating ./config.status
config.status: creating Makefile
config.status: creating version.h
config.status: creating pathsl.h
config.status: creating tac_plus.8
config.status: creating tac_plus.conf.5
config.status: creating config.h
config.status: executing depfiles commands
[root at ns3 ~/download/tacacs+-F4.0.4.19]#
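
As an added example of the lockout policy this thread is about (it is not code from tac_plus or from the AFL patch, and it does not reproduce the patch's parser), here is a small Python model of an auth-fail-lock counter. It assumes the three arguments of `auth-fail-lock 4 120 900` mean: lock after 4 failures that fall within a 120-second window, and keep the account locked for 900 seconds. That reading is an assumption made for this example only; the patched `authen.c`/`config.c` define the real semantics. The user names, the password store and the timestamps are constructed for the demo. The last function shows the denial-of-service concern Alan raises: anyone who can submit four bad passwords for a username locks that user out, regardless of where the attempts come from.

```python
"""Model of an account-lockout ("auth fail lock") policy.

Added example, not tac_plus or AFL-patch code. Assumed meaning of
"auth-fail-lock 4 120 900": 4 failures inside a 120 s window lock the
account for 900 s. Check the patch before relying on this reading.
"""
from collections import defaultdict, deque


class AuthFailLock:
    def __init__(self, max_failures, window, lock_time):
        self.max_failures = max_failures   # failures that trigger a lock
        self.window = window               # seconds in which they must occur
        self.lock_time = lock_time         # seconds the lock lasts
        self._fails = defaultdict(deque)   # user -> timestamps of recent failures
        self._locked_until = {}            # user -> time the lock expires

    def is_locked(self, user, now):
        """True while a lock is in force; expired locks are cleared lazily."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]
            self._fails[user].clear()
            return False
        return True

    def _prune(self, user, now):
        """Drop failures older than the window (sliding window)."""
        q = self._fails[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def record_failure(self, user, now):
        """Record a bad password; return True if the account is now locked."""
        if self.is_locked(user, now):
            return True        # already locked; this model does not extend the lock
        self._prune(user, now)
        q = self._fails[user]
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lock_time
            q.clear()
            return True
        return False

    def record_success(self, user):
        """A good login wipes the failure history."""
        self._fails[user].clear()

    def authenticate(self, user, password, now, check):
        """Return 'locked', 'ok' or 'fail' for one login attempt."""
        if self.is_locked(user, now):
            return "locked"
        if check(user, password):
            self.record_success(user)
            return "ok"
        self.record_failure(user, now)
        return "locked" if self.is_locked(user, now) else "fail"


# Constructed credential store for the demo (not a real password scheme).
USERS = {"joe": "correct-horse"}


def check_password(user, password):
    return USERS.get(user) == password


def demo_lockout():
    """4 bad passwords in 30 s lock the account; the right password is refused
    until the lock expires (30 s + 900 s), then accepted again."""
    afl = AuthFailLock(4, 120, 900)
    results = [afl.authenticate("joe", "wrong", t, check_password) for t in (0, 10, 20, 30)]
    results.append(afl.authenticate("joe", "correct-horse", 40, check_password))
    results.append(afl.authenticate("joe", "correct-horse", 940, check_password))
    return results   # ['fail', 'fail', 'fail', 'locked', 'locked', 'ok']


def demo_window():
    """5 failures spaced 60 s apart never put 4 inside one 120 s window, so no lock."""
    afl = AuthFailLock(4, 120, 900)
    return [afl.authenticate("joe", "wrong", t, check_password) for t in (0, 60, 120, 180, 240)]


def demo_dos():
    """The lockout as a denial-of-service vector: an attacker who knows only the
    username fails 4 times, and the legitimate user's correct password is refused."""
    afl = AuthFailLock(4, 120, 900)
    for t in (0, 1, 2, 3):
        afl.record_failure("joe", t)
    return afl.authenticate("joe", "correct-horse", 5, check_password)   # 'locked'
```

The sliding window is what keeps slow, spaced-out guessing from ever locking the account, while a burst of four bad passwords does; that is also exactly why a lockout rule keyed on the username alone hands an outsider a way to deny the real user access, which is the trade-off the thread is arguing about.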


