[tac_plus] multiple patches?

Joe Moore joe.moore at holidaycompanies.com
Fri Jul 27 15:51:11 UTC 2012



-----Original Message-----
From: Alan McKinnon [mailto:alan.mckinnon at gmail.com] 
Sent: Thursday, July 26, 2012 10:16 AM
To: Joe Moore
Subject: Re: [tac_plus] multiple patches?

On Thu, 26 Jul 2012 14:42:34 +0000
Joe Moore <joe.moore at holidaycompanies.com> wrote:

> -----Original Message-----
> From: Alan McKinnon [mailto:alan.mckinnon at gmail.com]
> Sent: Thursday, July 26, 2012 12:32 AM
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] multiple patches?
> 
> On Wed, 25 Jul 2012 14:25:33 +0000
> Joe Moore <joe.moore at holidaycompanies.com> wrote:
> 
> > I have been running tac_plus 4.0.4.19 with the auth-fail-lock patch 
> > as required by our security assessor.
> > 
> > I recently added some Nexus 5500 series switches to the network so 
> > now I have to deal with PAP authentication requests. Keeping plain 
> > text passwords in the tac_plus.conf file is not an option. I'm 
> > thinking about using the PAP/PAM patch for that.
> > 
> > Can I apply both patches to the source code or do I have to choose 
> > one or the other?
> 
> The PAP passwords do not have to be plain-text, you can put the hashes 
> in tac_plus.conf just like for regular login and enable.
> 
> Simply copy the "login" line and do an s/login/pap/
> 
> We have a substantial Nexus infrastructure here and that works just 
> fine for us. No other authn changes were required. [As for authz - now 
> that's a whole different story, that one took some work]
> 
> 
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
> 
> 
> Alan,
> 
> Thanks for the reply.
> 
> I failed to mention that another goal is to use the *nix system 
> passwords. That's what gets used when I log in to any of the 1000+ 
> non-nexus devices I have that aren't using PAP. I can do that with 
> either '/etc/passwd' or pam.
> 
> I have an automated process in place that synchronizes the *nix system 
> passwords whenever a user changes their active directory password. I'd 
> like to avoid having to manually generate des crypts just for the 
> nexus stuff, and our security assessor (for other
> reasons) won't like that either.
> 
> Based on the 'tac_plus -P' results I get with test config files, it 
> looks like my current build will only allow the 'cleartext' or 
> > 'des' keywords after 'pap='.


Joe,

I see what you mean. My infrastructure works differently - we generate the tacacs passwords and store only the hashes so it's trivial for me to write them out to tac_plus.conf.

Your needs are different though.

I don't have experience with either of the patches you mention, so I can't be of much further help other than to ask "Do both patches apply cleanly?"



--
Alan McKinnon
alan.mckinnon at gmail.com



Alan,

I'll try applying both patches early next week and see what happens...

			...jgm
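Alan's advice in the quoted reply (copy each user's login line and do s/login/pap/), automated as an added example that is my own code, not from the tac_plus project or anyone on the list: it walks a constructed tac_plus.conf fragment, appends a pap line mirroring the login secret where a stanza has none, and reports users whose login or pap still relies on a cleartext secret. The stanza layout and the placeholder hashes are assumptions.

```python
import re

# Constructed sample tac_plus.conf fragment (not from the list post).
# The des values are placeholders, not real password hashes.
SAMPLE_CONF = """\
user = alice {
    login = des aBcDeFgHiJkL.
    member = netadmins
}
user = bob {
    login = des zYxWvUtSrQpO/
    pap = cleartext "hunter2"
}
user = carol {
    login = cleartext "letmein"
}
"""

USER_RE = re.compile(r'^\s*user\s*=\s*(\S+)\s*\{')
CRED_RE = re.compile(r'^(\s*)(login|pap)\s*=\s*(cleartext|des)\s+(.+?)\s*$')


def add_pap_from_login(conf):
    """Return (new_conf, weak_users).

    For every user stanza with a login = des/cleartext line but no pap =
    line, a pap line with the same method and secret is inserted before
    the closing brace.  weak_users lists users whose login or pap secret
    is stored as cleartext, so they can be converted to des hashes."""
    out, weak = [], []
    user = login = None
    has_pap = False
    for line in conf.splitlines():
        m = USER_RE.match(line)
        if m:
            user, login, has_pap = m.group(1), None, False
        c = CRED_RE.match(line) if user else None
        if c:
            indent, key, method, secret = c.groups()
            if method == "cleartext" and user not in weak:
                weak.append(user)
            if key == "login":
                login = (indent, method, secret)
            else:
                has_pap = True
        if user and line.strip() == "}":
            if login and not has_pap:
                indent, method, secret = login
                out.append(f"{indent}pap = {method} {secret}")
            user = None
        out.append(line)
    return "\n".join(out) + "\n", weak
```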
