[tac_plus] auth fail lock fix or alternatives?
Alan McKinnon
alan.mckinnon at gmail.com
Mon Feb 20 23:37:41 UTC 2012
On Mon, 20 Feb 2012 22:37:23 +0000
Joe Moore <joe.moore at holidaycompanies.com> wrote:
>
>
> -----Original Message-----
> From: Alan McKinnon [mailto:alan.mckinnon at gmail.com]
> Sent: Monday, February 20, 2012 3:53 PM
> To: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] auth fail lock fix or alternatives?
>
> On Mon, 20 Feb 2012 17:07:30 +0000
> Joe Moore <joe.moore at holidaycompanies.com> wrote:
>
> > I know some of you consider the account lockout feature to be a
> > denial of service vector, but our security auditor insists that we
> > lock out accounts after (no more than) 5 failed login attempts, and
> > there is no chance of that changing. So I have to do it.
> >
> > I was happily running tac_plus F4.0.4.19 with the
> > tacacs+-F4.0.4.19.afl.patch on a pair of FreeBSD 7.4 servers for
> > some time.
> >
> > As soon as I updated one of the servers to FreeBSD 8.x, tac_plus
> > would no longer start. Startup failed with the message: Error:
> > Unrecognised token auth-fail-lock on line 6.
>
> This part doesn't make much sense to me. That's not a run-time or
> logic error, it means that the config file parser has no knowledge of
> that specific token.
>
> This should not happen as it is the same code with the same patch
> that worked fine on a previous version of the same OS. It's hard to
> think of something that would cause that, it's almost as if the
> #IFDEF AFL wasn't there or you missed the --enable-afl - I'm assuming
> that is not the case, it's a real n00b error :-)
>
> autotools likely got upgraded, what version are you running now and
> what were you using on FreeBSD-7.2?
>
> I also think the entire output of ./configure would be useful so we
> can all see how tac_plus decided to configure itself.
>
>
>
> Alan,
>
> As a router & switch admin I am no noob but as a developer, I'm an
> end-user, which probably puts me below noob.
>
> The tac_plus service failed to start after a typical "buildworld"
> update and reboot of the FreeBSD box. At that point I had not
> re-compiled or re-installed tac_plus. I have subsequently patched,
> configured, compiled and installed tac_plus on multiple boxes with
> fresh FreeBSD 8.2 installs as well as a Centos 6 box. None of them
> would start tac_plus unless I commented out the " auth-fail-lock 4
> 120 900" line.
>
> Full output of the patch and configure on FreeBSD 8.2 follows. I'd be
> happy to give you the versions of the autotools on the old FBSD 7.2
> box if you tell me how to find that out.
>
> Thanks in advance!
Found it, see below:
[snip]
> Hunk #1 succeeded at 153.
> Hunk #2 succeeded at 278.
> Hunk #3 succeeded at 304.
> Hunk #4 succeeded at 623.
> Hmm... Ignoring the trailing garbage.
> done
You need to run "autoconf" here, otherwise ./configure won't know about
your changes to the sources. For me this makes the difference between
it working and getting the same result you got.
> [root at ns3 ~/download/tacacs+-F4.0.4.19]# ./configure
> checking for a BSD-compatible install... /usr/bin/install -c
> checking whether build environment is sane... yes
> checking for a thread-safe mkdir -p... ./install-sh -c -d
[snip]
If you read the original patch submission carefully
http://www.shrubbery.net/pipermail/tac_plus/2009-September/000508.html
you'll see it is there at the top, (but quite easy to miss actually - I
also missed it the first time)
--
Alan McKinnon
alan.mckinnon at gmail.com
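Added example (mine, not part of this thread and not tac_plus project code): a small sh check for the state Alan diagnoses above, where the AFL patch applied cleanly but ./configure was never regenerated with autoconf, so the build has no --enable-afl and the daemon rejects "auth-fail-lock" as an unknown token. It flags a configure script that is older than configure.in/configure.ac, or one that does not mention --enable-afl even though the autoconf input defines it. The assumption that the patch adds an AC_ARG_ENABLE([afl]) stanza to configure.in is mine; the thread does not show the patch contents. The fixture directories are constructed for the demo and are not real tac_plus sources.

```shell
#!/bin/sh
# Added example, not tac_plus code. Detects a ./configure that was not
# regenerated (autoconf) after a patch touched configure.in/configure.ac.

# Usage: configure_is_stale /path/to/tacacs+-F4.0.4.19
# Returns 0 (true) when configure must be regenerated, 1 when it looks
# current, 2 when the directory has no autoconf input at all.
configure_is_stale() {
    src=$1
    ac=""
    for f in "$src/configure.in" "$src/configure.ac"; do
        if [ -f "$f" ]; then ac=$f; fi
    done
    if [ -z "$ac" ]; then
        echo "no configure.in/configure.ac in $src" >&2
        return 2
    fi
    if [ ! -f "$src/configure" ]; then
        echo "configure missing: run autoconf"
        return 0
    fi
    # Check 1: configure older than its input means autoconf was not rerun
    # after patching (the "patch succeeded, ./configure, make" sequence).
    if [ "$src/configure" -ot "$ac" ]; then
        echo "configure is older than $(basename "$ac"): run autoconf"
        return 0
    fi
    # Check 2: the input defines an option the generated script does not
    # offer. ASSUMPTION: the AFL patch adds AC_ARG_ENABLE([afl]), i.e.
    # --enable-afl, to configure.in; adjust the pattern for other patches.
    if grep -q 'AC_ARG_ENABLE(\[*afl' "$ac" && ! grep -q 'enable-afl' "$src/configure"; then
        echo "configure does not offer --enable-afl although $(basename "$ac") defines it: run autoconf"
        return 0
    fi
    echo "configure looks current"
    return 1
}

# Constructed fixture (not real sources) reproducing three states:
#   stale    - configure predates the patched configure.in
#   nooption - configure is newer but was generated from unpatched input
#   fresh    - configure regenerated after the patch, offers --enable-afl
make_fixture() {
    d=$1
    state=$2
    mkdir -p "$d"
    printf 'AC_INIT\nAC_ARG_ENABLE([afl], [--enable-afl  build auth-fail-lock])\n' > "$d/configure.in"
    touch -t 201202210000 "$d/configure.in"
    case $state in
        stale)
            printf '#!/bin/sh\necho no afl here\n' > "$d/configure"
            touch -t 201202200000 "$d/configure" ;;
        nooption)
            printf '#!/bin/sh\necho no afl here\n' > "$d/configure"
            touch -t 201202220000 "$d/configure" ;;
        fresh)
            printf '#!/bin/sh\n# --enable-afl  build auth-fail-lock\n' > "$d/configure"
            touch -t 201202220000 "$d/configure" ;;
    esac
}

# Stand-alone use: sh check-configure.sh ~/download/tacacs+-F4.0.4.19
if [ -n "${1-}" ]; then
    configure_is_stale "$1"
fi
```

Run it against the unpacked source tree right after "patch -p1 < tacacs+-F4.0.4.19.afl.patch" and before ./configure; a zero exit means run autoconf first. A second sanity check after the build is that ./configure --help lists --enable-afl; if it does not, the auth-fail-lock token will never be recognised regardless of what the config file says.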