[tac_plus] auth fail lock fix or alternatives?

Alan McKinnon alan.mckinnon at gmail.com
Tue Feb 21 22:13:44 UTC 2012


On Tue, 21 Feb 2012 16:11:26 +0000
Joe Moore <joe.moore at holidaycompanies.com> wrote:

> 
> 
> -----Original Message-----
> From: Alan McKinnon [mailto:alan.mckinnon at gmail.com] 
> Sent: Monday, February 20, 2012 5:38 PM
> To: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] auth fail lock fix or alternatives?
> 
> SNIP!
> 
> Found it, see below:
> 
>  
> [snip]
> > Hunk #1 succeeded at 153.
> > Hunk #2 succeeded at 278.
> > Hunk #3 succeeded at 304.
> > Hunk #4 succeeded at 623.
> > Hmm...  Ignoring the trailing garbage.
> > done
> 
> You need to run "autoconf" here otherwise ./configure won't know
> about your changes to the sources. For me this makes the difference
> between it working and getting the same result you got
> 
> > [root at ns3 ~/download/tacacs+-F4.0.4.19]# ./configure checking for a 
> > BSD-compatible install... /usr/bin/install -c checking whether
> > build environment is sane... yes checking for a thread-safe mkdir
> > -p... ./install-sh -c -d
> 
> [snip]
> 
> If you read the original patch submission carefully
> http://www.shrubbery.net/pipermail/tac_plus/2009-September/000508.html
> you'll see it is there at the top, (but quite easy to miss actually -
> I also missed it the first time)
> 
> 
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
> 
> Thanks Alan!
> I've restored the lockout function for the time being.
> 
> It doesn't look like the AFL patch is available for tac_plus 4.04.20.
> I'm thinking I'll have to point tac_plus at my Windows Active
> Directory backend somehow and rely on AD to lock accounts when I
> update to 4.04.20 and beyond.
> 
> I can probably do that via PAM but I'll have to study a bit to see if
> there's a better/simpler way. My FBSD system accounts sync passwords
> to AD already, and it looks like the software I use for that is
> dropping FBSD support anyway.

Or you could just stick with 4.0.4.19.

The Changelog for 4.0.4.20 has only a few changes, and a lot of them are to
streamline code. There are no real bugs as such, no security fixes, and
the small features added either affect you or they don't.

4.0.4.22 is mainly better support for do_auth.py so you either need it
or you don't, and you know which it is.

4.0.4.23 fixes a build error, and 4.0.4.21 had a serious bug (fixed in
4.0.4.22).

The point being that there's nothing there to warrant any attention at
all from a code auditor, and if he does want you to upgrade for the
sake of it then he's putting your network at risk.

I reckon that if 4.0.4.19 fully satisfies your needs out of the box with
the afl patch applied, then there is no good reason not to continue
with it. Mention to the auditor that it is far better maintained and
has far fewer points of concern than IOS.


-- 
Alan McKinnon
alan.mckinnon at gmail.com
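The failure mode Alan describes in the quoted message (patch applied to the autoconf input, autoconf never re-run, so ./configure silently ignores the change) can be checked mechanically before building. The following is an added example and not code from the thread or from tac_plus; it assumes the source tree uses configure.in or configure.ac as the autoconf input, and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread or the tac_plus project):
# detect a ./configure that is stale relative to its autoconf input,
# i.e. a patch touched configure.in/configure.ac but autoconf was not
# re-run, so ./configure still reflects the unpatched sources.

# Usage: configure_is_stale DIR
# Returns 0 (true) when autoconf must be re-run, 1 when configure is current.
configure_is_stale() {
    dir=$1
    for src in configure.in configure.ac; do
        [ -f "$dir/$src" ] || continue
        # No generated configure at all: autoconf is definitely needed.
        [ -f "$dir/configure" ] || return 0
        # Input newer than the generated script: the patch changed the
        # input after configure was produced.
        [ "$dir/$src" -nt "$dir/configure" ] && return 0
    done
    return 1
}

# Usage: regen_if_stale DIR
# Re-runs autoconf only when needed; returns 2 if autoconf itself fails.
regen_if_stale() {
    dir=$1
    if configure_is_stale "$dir"; then
        (cd "$dir" && autoconf) || return 2
        echo "autoconf re-run in $dir; now run ./configure"
    else
        echo "configure is up to date in $dir"
    fi
}
```

Run `regen_if_stale /path/to/tacacs+-F4.0.4.19` after applying the patch and before `./configure`; if it reports a re-run, the earlier configure output was produced from the unpatched input.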
