[tac_plus] Should optional A/V pair be sent?
Jathan McCollum
jathan at gmail.com
Tue Jan 24 15:53:54 UTC 2012
John-
Are you proposing that 'service=shell' is the problem? I've tried setting
that within the configuration as well. It doesn't even read it. This config:
group = admin {
    default service = permit
    service = shell {
        priv-lvl = 15
        brcd-role = admin
    }
}
Results in this:
Tue Jan 24 07:48:39 2012 [13317]: Start authorization request
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_value: name=jathan isuser=1 attr=acl rec=1
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_value: recurse group = admin
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_pvalue: returns NULL
Tue Jan 24 07:48:39 2012 [13317]: do_author: user='jathan'
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_value: name=jathan isuser=1 attr=before rec=1
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_value: recurse group = admin
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_pvalue: returns NULL
Tue Jan 24 07:48:39 2012 [13317]: user 'jathan' found
Tue Jan 24 07:48:39 2012 [13317]: exec authorization request for jathan
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_svc_node: username=jathan N_svc_exec proto= svcname= rec=1
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_svc_node: recurse group = admin
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_svc_node: returns NULL
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_svc_node: username=jathan N_svc_cmd proto= svcname= rec=1
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_svc_node: recurse group = admin
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_svc_node: returns NULL
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_value: name=jathan isuser=1 attr=svc_dflt rec=1
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_value: recurse group = admin
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_intvalue: returns 22
Tue Jan 24 07:48:39 2012 [13317]: exec permitted by default
Tue Jan 24 07:48:39 2012 [13317]: Writing AUTHOR/PASS_ADD size=18
In my past experience all the magic happens in "service = shell". Are there
other solutions?
On Mon, Jan 23, 2012 at 11:57 AM, heasley <heas at shrubbery.net> wrote:
> Mon, Jan 23, 2012 at 09:41:01AM -0800, Jathan McCollum:
> > I am still having the exact same problem.
> >
> > The tac_plus daemon is NOT sending optional a/v pairs over the wire at all.
> > I had been in communication with Dan back in September about modifying
> > do_auth.py to be able to append or remove a/v pairs. Currently do_auth.py
> > is only able to replace existing pairs. I was going to try to contribute
> > code to make do_auth.py do this, but it got de-prioritized until last week
> > and I had to move onto something else. I am just now revisiting this issue.
> >
> > Using this configuration:
> >
> > group = admin {
> > default service = permit
> > service = exec {
> ^^^^^^^^^^^^^^
> > optional brcd-role = admin
> > priv-lvl = 15
> > }
> > }
> > user = jathan {
> > login = cleartext jathan
> > pap = cleartext jathan
> > member = admin
> > }
> >
> > And running tac_plus with maximum debug output, you see this when I login
> > to the device and it sends the authorization request:
> >
> > Mon Jan 23 09:26:11 2012 [11716]: Start authorization request
> > Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: name=jathan isuser=1 attr=acl rec=1
> > Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: recurse group = admin
> > Mon Jan 23 09:26:11 2012 [11716]: cfg_get_pvalue: returns NULL
> > Mon Jan 23 09:26:11 2012 [11716]: do_author: user='jathan'
> > Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: name=jathan isuser=1 attr=before rec=1
> > Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: recurse group = admin
> > Mon Jan 23 09:26:11 2012 [11716]: cfg_get_pvalue: returns NULL
> > Mon Jan 23 09:26:11 2012 [11716]: user 'jathan' found
> > Mon Jan 23 09:26:11 2012 [11716]: exec authorization request for jathan
> > Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: username=jathan N_svc_exec proto= svcname= rec=1
> > Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: recurse group = admin
> > Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: found N_svc_exec proto= svcname=
> > Mon Jan 23 09:26:11 2012 [11716]: exec is explicitly permitted by line 6
> > Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: username=jathan N_svc_exec proto= svcname= rec=1
> > Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: recurse group = admin
> > Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: found N_svc_exec proto= svcname=
> > Mon Jan 23 09:26:11 2012 [11716]: nas:service=shell (passed thru)
> ^^^^^^^^^^^^^^^^^
>
--
Jathan.
--
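
A small triage script for debug traces like the two in this message, as an added example that is not part of the original post or of tac_plus: it groups lines by authorization request and records whether a service node was found, whether the permit was explicit or "by default", which pairs were passed through, and which reply was written. The function name `summarize` and the record field names are assumptions; the sample lines are copied from the traces above with wrapped lines rejoined.

```python
import re

LINE = re.compile(r"^\w{3} \w{3} [ \d]\d [\d:]{8} \d{4} \[(\d+)\]: (.*)$")
# Constructed sample: lines taken from the two traces in the message above, wrapped
# lines rejoined. The Jan 23 trace is cut off on the page, so it has no reply line.
SAMPLE = """\
Tue Jan 24 07:48:39 2012 [13317]: Start authorization request
Tue Jan 24 07:48:39 2012 [13317]: do_author: user='jathan'
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_svc_node: returns NULL
Tue Jan 24 07:48:39 2012 [13317]: exec permitted by default
Tue Jan 24 07:48:39 2012 [13317]: Writing AUTHOR/PASS_ADD size=18
Mon Jan 23 09:26:11 2012 [11716]: Start authorization request
Mon Jan 23 09:26:11 2012 [11716]: do_author: user='jathan'
Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: found N_svc_exec proto= svcname=
Mon Jan 23 09:26:11 2012 [11716]: exec is explicitly permitted by line 6
Mon Jan 23 09:26:11 2012 [11716]: nas:service=shell (passed thru)
"""

def summarize(log_text):
    """Return one record per authorization request, in log order."""
    records, open_by_pid = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped continuation or unrelated text
        pid, msg = m.groups()
        if msg == "Start authorization request":
            rec = open_by_pid[pid] = {"pid": pid, "user": None, "svc_node": None,
                                      "decision": None, "reply": None, "passed_thru": []}
            records.append(rec)
        rec = open_by_pid.get(pid)
        if rec is None:
            continue  # line seen before any request started for this pid
        if msg.startswith("do_author: user="):
            rec["user"] = msg.split("=", 1)[1].strip("'")
        elif msg.startswith("cfg_get_svc_node: found"):
            rec["svc_node"] = "found"
        elif msg == "cfg_get_svc_node: returns NULL" and rec["svc_node"] is None:
            rec["svc_node"] = "NULL"
        elif "explicitly permitted by line" in msg:
            rec["decision"] = "explicit"
        elif msg.endswith("permitted by default"):
            rec["decision"] = "default"
        elif msg.endswith("(passed thru)"):
            rec["passed_thru"].append(msg.split(" ", 1)[0])
        elif msg.startswith("Writing AUTHOR/"):
            rec["reply"] = msg.split("/", 1)[1].split()[0]
    return records
```

Records with `decision == "default"` and `svc_node == "NULL"` are the requests where no service block in the configuration was consulted.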