[tac_plus] multiple patches?
Joe Moore
joe.moore at holidaycompanies.com
Fri Jul 27 15:51:11 UTC 2012
-----Original Message-----
From: Alan McKinnon [mailto:alan.mckinnon at gmail.com]
Sent: Thursday, July 26, 2012 10:16 AM
To: Joe Moore
Subject: Re: [tac_plus] multiple patches?
On Thu, 26 Jul 2012 14:42:34 +0000
Joe Moore <joe.moore at holidaycompanies.com> wrote:
> -----Original Message-----
> From: Alan McKinnon [mailto:alan.mckinnon at gmail.com]
> Sent: Thursday, July 26, 2012 12:32 AM
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] multiple patches?
>
> On Wed, 25 Jul 2012 14:25:33 +0000
> Joe Moore <joe.moore at holidaycompanies.com> wrote:
>
> > I have been running tac_plus 4.0.4.19 with the auth-fail-lock patch
> > as required by our security assessor.
> >
> > I recently added some Nexus 5500 series switches to the network so
> > now I have to deal with PAP authentication requests. Keeping plain
> > text passwords in the tac_plus.conf file is not an option. I'm
> > thinking about using the PAP/PAM patch for that.
> >
> > Can I apply both patches to the source code or do I have to choose
> > one or the other?
>
> The PAP passwords do not have to be plain-text, you can put the hashes
> in tac_plus.conf just like for regular login and enable.
>
> Simply copy the "login" line and do an s/login/pap/
>
> We have a substantial Nexus infrastructure here and that works just
> fine for us. No other authn changes were required. [As for authz - now
> that's a whole different story, that one took some work]
>
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
>
>
> Alan,
>
> Thanks for the reply.
>
> I failed to mention that another goal is to use the *nix system
> passwords. That's what gets used when I log in to any of the 1000+
> non-nexus devices I have that aren't using PAP. I can do that with
> either '/etc/passwd' or pam.
>
> I have an automated process in place that synchronizes the *nix system
> passwords whenever a user changes their active directory password. I'd
> like to avoid having to manually generate des crypts just for the
> nexus stuff, and our security assessor (for other
> reasons) won't like that either.
>
> Based on the 'tac_plus -P' results I get with test config files, it
> looks like my current build will only allow the 'cleartext' or
> 'des' keywords after 'pap='.
Joe,
I see what you mean. My infrastructure works differently - we generate the tacacs passwords and store only the hashes so it's trivial for me to write them out to tac_plus.conf.
Your needs are different though.
I don't have experience with either of the patches you mention, so I can't be of much further help other than to ask "Do both patches apply cleanly?"
--
Alan McKinnon
alan.mckinnon at gmail.com
Alan,
I'll try applying both patches early next week and see what happens...
...jgm
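For reference, the stanza Alan describes (the "login" line copied with s/login/pap/) looks like this in shrubbery tac_plus syntax. This is an added example, not a config from either poster; the username, shared key and hash are placeholders, and it assumes the build discussed here, which accepts only 'cleartext' or 'des' after 'pap='.

```conf
# Added example, not from the thread. Placeholder values throughout.
key = "PLACEHOLDER_SHARED_SECRET"

user = jmoore {
    # ASCII login from the non-Nexus devices checked against the
    # *nix password file, which is what Joe already does
    login = file /etc/passwd
    # Nexus 5500 sends PAP; this build will not take 'file' or PAM here,
    # so a DES crypt of the same password has to be written out,
    # never a cleartext copy
    pap = des "PLACEHOLDER_DES_CRYPT"
}
```

Syntax can be checked without starting the daemon with `tac_plus -P -C test.conf`, the parse-only run Joe used to see which keywords his build accepts.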