From sebastien.pepin at gmail.com Tue Apr 2 19:13:26 2013
From: sebastien.pepin at gmail.com (Sébastien Pepin)
Date: Tue, 2 Apr 2013 15:13:26 -0400
Subject: [tac_plus] tacacs+ and cisco ios chgpass
Message-ID: 

Hi,

I wonder if this function is supported in your tacacs+ release ...

If I configure a Cisco ACS I can use this feature to let the user change their password by entering their username and hitting return for the password... then the ACS asks for old and new password ...

But when I try this with your tacacs+ release this does not work ... is it something that only Cisco supports? Could this feature be added to the wishlist :)

thanks

From alan.mckinnon at gmail.com Wed Apr 3 08:56:26 2013
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Wed, 03 Apr 2013 10:56:26 +0200
Subject: [tac_plus] tacacs+ and cisco ios chgpass
In-Reply-To: 
References: 
Message-ID: <515BEEBA.2000806@gmail.com>

On 02/04/2013 21:13, Sébastien Pepin wrote:
> Hi,
>
> I wonder if this function is supported in your tacacs+ release ...
>
> If I configure a Cisco ACS I can use this feature to let the user change
> their password by entering their username and hitting return for the
> password... then the ACS asks for old and new password ...
>
> But when I try this with your tacacs+ release this does not work ... is it
> something that only Cisco supports? Could this feature be added to the
> wishlist :)
>
> thanks
>

This is not supported in tac_plus. The server only uses and reads the backend auth store, it never changes it.
Easiest is to have tac_plus use /etc/passwd and /etc/shadow for password hashes, then use normal Unix methods to allow users to change their password.

-- 
Alan McKinnon
alan.mckinnon at gmail.com

From vadud3 at gmail.com Mon Apr 8 19:06:34 2013
From: vadud3 at gmail.com (Asif Iqbal)
Date: Mon, 8 Apr 2013 15:06:34 -0400
Subject: [tac_plus] Intermittent failure to talk to T+ server
Message-ID: 

Hi

I am failing to login to router, intermittently, as it drops to Password: prompt, hence failing to communicate with the T+ (F4.0.4.26) running on Ubuntu 10.04.4 LTS

Here is the error I am getting when this happens

Apr 8 18:35:00 tacacs-01 tac_plus[12341]: router1.example.net tty3: fd 2 eof (connection closed)
Apr 8 18:35:00 tacacs-01 tac_plus[12341]: Read -1 bytes from router1.example.net tty3, expecting 12
Apr 8 18:35:00 tacacs-01 tac_plus[12341]: Error router1.example.net tty3: Null reply packet, expecting CONTINUE

Any suggestion where the problem is and how to fix it?

Thanks for your help

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
From heas at shrubbery.net Mon Apr 8 20:58:23 2013
From: heas at shrubbery.net (heasley)
Date: Mon, 8 Apr 2013 20:58:23 +0000
Subject: [tac_plus] Intermittent failure to talk to T+ server
In-Reply-To: 
References: 
Message-ID: <20130408205823.GD13108@shrubbery.net>

Mon, Apr 08, 2013 at 03:06:34PM -0400, Asif Iqbal:
> Hi
>
> I am failing to login to router, intermittently, as it drops to Password:
> prompt, hence failing to communicate with the T+ (F4.0.4.26) running on
> Ubuntu 10.04.4 LTS
>
> Here is the error I am getting when this happens
>
> Apr 8 18:35:00 tacacs-01 tac_plus[12341]: router1.example.net tty3: fd 2
> eof (connection closed)
> Apr 8 18:35:00 tacacs-01 tac_plus[12341]: Read -1 bytes from
> router1.example.net tty3, expecting 12
> Apr 8 18:35:00 tacacs-01 tac_plus[12341]: Error router1.example.net tty3:
> Null reply packet, expecting CONTINUE

it looks like the device thinks that the tty closed; ie: the user disconnected.

> Any suggestion where the problem is and how to fix it?
>
> Thanks for your help
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From vadud3 at gmail.com Wed Apr 10 19:58:36 2013
From: vadud3 at gmail.com (Asif Iqbal)
Date: Wed, 10 Apr 2013 15:58:36 -0400
Subject: [tac_plus] Adding a /29 network on acl
Message-ID: 

Hi All,

I see example on /24 and /16 on tac_plus.conf(5). How would you add a /29 for acl?

Thanks

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
From alan.mckinnon at gmail.com Wed Apr 10 21:09:06 2013
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Wed, 10 Apr 2013 23:09:06 +0200
Subject: [tac_plus] Adding a /29 network on acl
In-Reply-To: 
References: 
Message-ID: <5165D4F2.2080600@gmail.com>

On 10/04/2013 21:58, Asif Iqbal wrote:
> Hi All,
>
> I see example on /24 and /16 on tac_plus.conf(5). How would you add a /29
> for acl?
>
> Thanks
>

The short answer is that you don't :-(

The ACL is not a network address so you cannot use any of the familiar network notations. It is a regex so you have to express it as a regex. And that depends highly on the addresses you are working with.

Using for example 10.0.0.8/29, I would do this:

acl = whatever {
    permit = "^10\.0\.0\.[89]$"
    permit = "^10\.0\.0\.1[012345]$"
}

Note how I used two lines, it just seems easier like that.

Or, a /29 is just 8 lines, so maybe I would just list all 8 individually and spare myself the pain of expanding the addresses and figuring out the regex.

The long answer is that to do it right, you patch the code to be able to deal with addresses properly as addresses, announce your patch here, and legions of sysadmins will be eternally grateful.

-- 
Alan McKinnon
alan.mckinnon at gmail.com

From daniel.schmidt at wyo.gov Wed Apr 10 21:35:33 2013
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Wed, 10 Apr 2013 15:35:33 -0600
Subject: [tac_plus] Adding a /29 network on acl
In-Reply-To: <5165D4F2.2080600@gmail.com>
References: <5165D4F2.2080600@gmail.com>
Message-ID: 

I was going to add this functionality to do_auth, but it would require everybody to install IPNetwork egg and I have been too busy to look into it. Would not be hard to add / notation. Something like: if (net.find '/' > -1) then try: the_net = IPNetwork(net), try: the_net2 = IPNetwork(net2), return the_net == the_net2, except: print "#*(@, that should have worked".
-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
Sent: Wednesday, April 10, 2013 3:09 PM
To: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Adding a /29 network on acl

On 10/04/2013 21:58, Asif Iqbal wrote:
> Hi All,
>
> I see example on /24 and /16 on tac_plus.conf(5). How would you add a
> /29 for acl?
>
> Thanks
>

The short answer is that you don't :-(

The ACL is not a network address so you cannot use any of the familiar network notations. It is a regex so you have to express it as a regex. And that depends highly on the addresses you are working with.

Using for example 10.0.0.8/29, I would do this:

acl = whatever {
    permit = "^10\.0\.0\.[89]$"
    permit = "^10\.0\.0\.1[012345]$"
}

Note how I used two lines, it just seems easier like that.

Or, a /29 is just 8 lines, so maybe I would just list all 8 individually and spare myself the pain of expanding the addresses and figuring out the regex.

The long answer is that to do it right, you patch the code to be able to deal with addresses properly as addresses, announce your patch here, and legions of sysadmins will be eternally grateful.

-- 
Alan McKinnon
alan.mckinnon at gmail.com

E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.
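Alan's two-line regex above is worked out by hand for one /29, and Daniel's netaddr sketch is the other half of the problem (comparing prefixes as addresses instead of as strings). The following is an added example and is not code from tac_plus or from do_auth: it expands any IPv4 block of /24 or longer into anchored `permit = "..."` lines of the same shape Alan used, and then verifies the generated lines against every address of the enclosing /24 plus a few look-alike strings, which is the check that catches an unanchored or mis-escaped pattern. The function names are my own; the ACL syntax is the one shown in Alan's reply.

```python
import ipaddress
import re


def _cls(a, b):
    """Character class for one decimal digit in a..b (single digit if a == b)."""
    return str(a) if a == b else f"[{a}-{b}]"


def _same_len(lo, hi):
    """Regex alternatives for the integers lo..hi, which must have the same
    number of decimal digits. Splits off the partial leading and trailing tens
    and recurses on the whole tens in between."""
    if lo < 10:
        return [_cls(lo, hi)]
    if lo // 10 == hi // 10:
        return [str(lo // 10) + _cls(lo % 10, hi % 10)]
    parts = []
    if lo % 10 != 0:                      # partial leading ten, e.g. 16..19
        parts.append(str(lo // 10) + _cls(lo % 10, 9))
        lo = (lo // 10 + 1) * 10
    tail = None
    if hi % 10 != 9:                      # partial trailing ten, e.g. 20..23
        tail = str(hi // 10) + _cls(0, hi % 10)
        hi = hi // 10 * 10 - 1
    if lo <= hi:                          # whole tens in between, e.g. 20..29
        parts.extend(p + "[0-9]" for p in _same_len(lo // 10, hi // 10))
    if tail:
        parts.append(tail)
    return parts


def octet_range_regexes(lo, hi):
    """Regex alternatives matching exactly the decimal integers lo..hi (0..255),
    split first by digit count so that '[8-9]' and '1[0-5]' come out separately."""
    alts = []
    for a, b in ((0, 9), (10, 99), (100, 255)):
        s, e = max(lo, a), min(hi, b)
        if s <= e:
            alts.extend(_same_len(s, e))
    return alts


def cidr_to_tacplus_permits(cidr):
    """tac_plus 'permit = "<regex>"' lines covering exactly the IPv4 block cidr.
    Only /24 and longer are handled, so only the last octet varies; the first
    three octets are escaped and the pattern is anchored with ^ and $."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen < 24:
        raise ValueError("only IPv4 prefixes of /24 or longer are handled here")
    first3 = re.escape(".".join(str(net.network_address).split(".")[:3]))
    lo = int(net.network_address) & 0xFF
    hi = int(net.broadcast_address) & 0xFF
    return [f'permit = "^{first3}\\.{alt}$"' for alt in octet_range_regexes(lo, hi)]


def permits_match_exactly(permits, cidr):
    """Check the generated lines: each address of the enclosing /24 must match
    iff it lies inside cidr, and a few neighbouring/malformed strings (leading
    digit, trailing digit, extra octet) must not match at all."""
    net = ipaddress.ip_network(cidr, strict=True)
    pats = [re.compile(line.split('"')[1]) for line in permits]

    def hit(s):
        return any(p.search(s) for p in pats)

    for addr in net.supernet(new_prefix=24):
        if hit(str(addr)) != (addr in net):
            return False
    base = str(net.network_address)
    return not any(hit(s) for s in (f"1{base}", f"{base}0", f"{base}.1"))


if __name__ == "__main__":
    block = "10.0.0.8/29"
    lines = cidr_to_tacplus_permits(block)
    print("acl = whatever {")
    for line in lines:
        print("    " + line)
    print("}")
    print("exact:", permits_match_exactly(lines, block))
```

For Alan's 10.0.0.8/29 this emits `^10\.0\.0\.[8-9]$` and `^10\.0\.0\.1[0-5]$`, the same split he arrived at by hand; for a full /24 it emits the five alternatives needed to cover 0..255 without matching `256` or `0.1`. The verification step is worth keeping even for hand-written ACLs: feed it the regexes from your tac_plus.conf and the block they are meant to cover, and it tells you whether the two agree.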
From vadud3 at gmail.com Wed Apr 10 20:36:34 2013
From: vadud3 at gmail.com (Asif Iqbal)
Date: Wed, 10 Apr 2013 16:36:34 -0400
Subject: [tac_plus] Intermittent failure to talk to T+ server
In-Reply-To: <20130408205823.GD13108@shrubbery.net>
References: <20130408205823.GD13108@shrubbery.net>
Message-ID: 

On Mon, Apr 8, 2013 at 4:58 PM, heasley wrote:
> Mon, Apr 08, 2013 at 03:06:34PM -0400, Asif Iqbal:
> > Hi
> >
> > I am failing to login to router, intermittently, as it drops to Password:
> > prompt, hence failing to communicate with the T+ (F4.0.4.26) running on
> > Ubuntu 10.04.4 LTS
> >
> > Here is the error I am getting when this happens
> >
> > Apr 8 18:35:00 tacacs-01 tac_plus[12341]: router1.example.net tty3: fd 2
> > eof (connection closed)
> > Apr 8 18:35:00 tacacs-01 tac_plus[12341]: Read -1 bytes from
> > router1.example.net tty3, expecting 12
> > Apr 8 18:35:00 tacacs-01 tac_plus[12341]: Error router1.example.net tty3:
> > Null reply packet, expecting CONTINUE
>
> it looks like the device thinks that the tty closed; ie: the user
> disconnected.
>

We are using pam_ldap for authentication and I see few errors like these

nslcd[19201]: [23d03c] failed to bind to LDAP server ldaps://192.168.1.10:636 Can't contact LDAP server: Connection reset by peer
nslcd[19201]: [36cb51] ldap_result() failed: Can't contact LDAP server

I wonder if those are the real culprit for the connection closed error

> > Any suggestion where the problem is and how to fix it?
> >
> > Thanks for your help
> >
> > --
> > Asif Iqbal
> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?
>

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From alan.mckinnon at gmail.com Wed Apr 10 21:40:24 2013
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Wed, 10 Apr 2013 23:40:24 +0200
Subject: [tac_plus] Adding a /29 network on acl
In-Reply-To: 
References: <5165D4F2.2080600@gmail.com>
Message-ID: <5165DC48.9030707@gmail.com>

I'm going to need that functionality myself in do_auth sometime soon[1] so I might as well write this patch too and send it on to you if you don't get there first.

[1] "soon" in this context is defined to be "once I've navigated the political minefield of how each team wants their kit to work and who has those rights" :-)

On 10/04/2013 23:35, Daniel Schmidt wrote:
> I was going to add this functionality to do_auth, but it would require
> everybody to install IPNetwork egg and I have been too busy to look into
> it. Would not be hard to add / notation. Something like: if (net.find
> '/' > -1) then try: the_net = IPNetwork(net), try: the_net2 =
> IPNetwork(net2), return the_net == the_net2, except: print "#*(@, that
> should have worked".
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
> Sent: Wednesday, April 10, 2013 3:09 PM
> To: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Adding a /29 network on acl
>
> On 10/04/2013 21:58, Asif Iqbal wrote:
>> Hi All,
>>
>> I see example on /24 and /16 on tac_plus.conf(5). How would you add a
>> /29 for acl?
>>
>> Thanks
>>
>
> The short answer is that you don't :-(
>
> The ACL is not a network address so you cannot use any of the familiar
> network notations. It is a regex so you have to express it as a regex.
> And that depends highly on the addresses you are working with.
>
> Using for example 10.0.0.8/29, I would do this:
>
> acl = whatever {
>     permit = "^10\.0\.0\.[89]$"
>     permit = "^10\.0\.0\.1[012345]$"
> }
>
> Note how I used two lines, it just seems easier like that.
>
> Or, a /29 is just 8 lines, so maybe I would just list all 8 individually
> and spare myself the pain of expanding the addresses and figuring out the
> regex.
>
> The long answer is that to do it right, you patch the code to be able to
> deal with addresses properly as addresses, announce your patch here, and
> legions of sysadmins will be eternally grateful.
>
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
>
> E-Mail to and from me, in connection with the transaction
> of public business, is subject to the Wyoming Public Records
> Act and may be disclosed to third parties.
>

-- 
Alan McKinnon
alan.mckinnon at gmail.com

From heas at shrubbery.net Thu Apr 11 15:02:50 2013
From: heas at shrubbery.net (heasley)
Date: Thu, 11 Apr 2013 15:02:50 +0000
Subject: [tac_plus] Intermittent failure to talk to T+ server
In-Reply-To: 
References: <20130408205823.GD13108@shrubbery.net>
Message-ID: <20130411150250.GB23392@shrubbery.net>

Wed, Apr 10, 2013 at 04:36:34PM -0400, Asif Iqbal:
> On Mon, Apr 8, 2013 at 4:58 PM, heasley wrote:
>
> > Mon, Apr 08, 2013 at 03:06:34PM -0400, Asif Iqbal:
> > > Hi
> > >
> > > I am failing to login to router, intermittently, as it drops to Password:
> > > prompt, hence failing to communicate with the T+ (F4.0.4.26) running on
> > > Ubuntu 10.04.4 LTS
> > >
> > > Here is the error I am getting when this happens
> > >
> > > Apr 8 18:35:00 tacacs-01 tac_plus[12341]: router1.example.net tty3: fd 2
> > > eof (connection closed)
> > > Apr 8 18:35:00 tacacs-01 tac_plus[12341]: Read -1 bytes from
> > > router1.example.net tty3, expecting 12
> > > Apr 8 18:35:00 tacacs-01 tac_plus[12341]: Error router1.example.net tty3:
> > > Null reply packet, expecting CONTINUE
> >
> > it looks like the device thinks that the tty closed; ie: the user
> > disconnected.
> >
>
> We are using pam_ldap for authentication and I see few errors like these
>
> nslcd[19201]: [23d03c] failed to bind to LDAP server ldaps://192.168.1.10:636 Can't contact LDAP server: Connection reset by peer
>
> nslcd[19201]: [36cb51] ldap_result() failed: Can't contact LDAP server
>
> I wonder if those are the real culprit for the connection closed error

probably. if you can, try testing with an alternative source or a different ldap server.

> > > Any suggestion where the problem is and how to fix it?
> > >
> > > Thanks for your help
> > >
> > > --
> > > Asif Iqbal
> > > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> > > A: Because it messes up the order in which people normally read text.
> > > Q: Why is top-posting such a bad thing?
> >
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

From vadud3 at gmail.com Thu Apr 11 17:38:10 2013
From: vadud3 at gmail.com (Asif Iqbal)
Date: Thu, 11 Apr 2013 13:38:10 -0400
Subject: [tac_plus] Intermittent failure to talk to T+ server
In-Reply-To: <20130411150250.GB23392@shrubbery.net>
References: <20130408205823.GD13108@shrubbery.net> <20130411150250.GB23392@shrubbery.net>
Message-ID: 

On Thu, Apr 11, 2013 at 11:02 AM, heasley wrote:
> Wed, Apr 10, 2013 at 04:36:34PM -0400, Asif Iqbal:
> > On Mon, Apr 8, 2013 at 4:58 PM, heasley wrote:
> >
> > > Mon, Apr 08, 2013 at 03:06:34PM -0400, Asif Iqbal:
> > > > Hi
> > > >
> > > > I am failing to login to router, intermittently, as it drops to Password:
> > > > prompt, hence failing to communicate with the T+ (F4.0.4.26) running on
> > > > Ubuntu 10.04.4 LTS
> > > >
> > > > Here is the error I am getting when this happens
> > > >
> > > > Apr 8 18:35:00 tacacs-01 tac_plus[12341]: router1.example.net tty3: fd 2
> > > > eof (connection closed)
> > > > Apr 8 18:35:00 tacacs-01 tac_plus[12341]: Read -1 bytes from
> > > > router1.example.net tty3, expecting 12
> > > > Apr 8 18:35:00 tacacs-01 tac_plus[12341]: Error router1.example.net tty3:
> > > > Null reply packet, expecting CONTINUE
> > >
> > > it looks like the device thinks that the tty closed; ie: the user
> > > disconnected.
> > >
> >
> > We are using pam_ldap for authentication and I see few errors like these
> >
> > nslcd[19201]: [23d03c] failed to bind to LDAP server ldaps://192.168.1.10:636 Can't contact LDAP server: Connection reset by peer
> >
> > nslcd[19201]: [36cb51] ldap_result() failed: Can't contact LDAP server
> >
> > I wonder if those are the real culprit for the connection closed error
>
> probably. if you can, try testing with an alternative source or a different
> ldap server.
>

idle_timelimit 100 on nslcd.conf improved it. Lot less ldap_result() failed; suggestion was inspired by this bug report.

https://bugs.launchpad.net/ubuntu/+source/nss-pam-ldapd/+bug/1074213

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From daniel.schmidt at wyo.gov Fri Apr 12 20:35:15 2013
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Fri, 12 Apr 2013 14:35:15 -0600
Subject: [tac_plus] Adding a /29 network on acl
In-Reply-To: <5165DC48.9030707@gmail.com>
References: <5165D4F2.2080600@gmail.com> <5165DC48.9030707@gmail.com>
Message-ID: <332590667e6e3fb2b916f17f63fb9dcb@mail.gmail.com>

Fairly easy with netaddr. I might even finish this myself.
import sys
import logging
from netaddr import IPNetwork

log = logging.getLogger(__name__)

# Send IP,network
def match_net(net, net2):
    try:
        the_net = IPNetwork(net)
    except Exception:
        # log the input string: the_net is not bound if the parse failed
        log.critical("#*@& it, %s isn't valid IPNetwork" % net)
        sys.exit(1)
    try:
        the_net2 = IPNetwork(net2)
    except Exception:
        log.critical("#*@& it, %s isn't valid IPNetwork" % net2)
        sys.exit(1)
    # netaddr: True when the_net equals, or is a subnet of, the_net2
    return the_net in the_net2

-----Original Message-----
From: Alan McKinnon [mailto:alan.mckinnon at gmail.com]
Sent: Wednesday, April 10, 2013 3:40 PM
To: Daniel Schmidt
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Adding a /29 network on acl

I'm going to need that functionality myself in do_auth sometime soon[1] so I might as well write this patch too and send it on to you if you don't get there first.

[1] "soon" in this context is defined to be "once I've navigated the political minefield of how each team wants their kit to work and who has those rights" :-)

On 10/04/2013 23:35, Daniel Schmidt wrote:
> I was going to add this functionality to do_auth, but it would require
> everybody to install IPNetwork egg and I have been too busy to look
> into it. Would not be hard to add / notation. Something like: if
> (net.find '/' > -1) then try: the_net = IPNetwork(net), try: the_net2
> = IPNetwork(net2), return the_net == the_net2, except: print "#*(@,
> that should have worked".
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
> Sent: Wednesday, April 10, 2013 3:09 PM
> To: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Adding a /29 network on acl
>
> On 10/04/2013 21:58, Asif Iqbal wrote:
>> Hi All,
>>
>> I see example on /24 and /16 on tac_plus.conf(5). How would you add a
>> /29 for acl?
>>
>> Thanks
>>
>
> The short answer is that you don't :-(
>
> The ACL is not a network address so you cannot use any of the familiar
> network notations. It is a regex so you have to express it as a regex.
> And that depends highly on the addresses you are working with.
>
> Using for example 10.0.0.8/29, I would do this:
>
> acl = whatever {
>     permit = "^10\.0\.0\.[89]$"
>     permit = "^10\.0\.0\.1[012345]$"
> }
>
> Note how I used two lines, it just seems easier like that.
>
> Or, a /29 is just 8 lines, so maybe I would just list all 8
> individually and spare myself the pain of expanding the addresses and
> figuring out the regex.
>
> The long answer is that to do it right, you patch the code to be able
> to deal with addresses properly as addresses, announce your patch
> here, and legions of sysadmins will be eternally grateful.
>
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
>
> E-Mail to and from me, in connection with the transaction of public
> business, is subject to the Wyoming Public Records Act and may be
> disclosed to third parties.
>

-- 
Alan McKinnon
alan.mckinnon at gmail.com

E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.

From michael.norrving at su.se Mon Apr 22 14:59:07 2013
From: michael.norrving at su.se (Michael Norrving)
Date: Mon, 22 Apr 2013 14:59:07 +0000
Subject: [tac_plus] -P and man page
Message-ID: 

The man page of tac_plus states for -P

"-P Parse the configuration file, echo it to standard output while parsing, and then exit. tac_plus will exit non-zero when a parser error occurs."

This does not seem to be the case. It echoes it to stderr. I am pasting some strace to show this.

3589 execve("/usr/sbin/tac_plus", ["/usr/sbin/tac_plus", "-P", "-C", "/local/tacacs/conf/approved/tac_"...], [/* 21 vars */]) = 0
.
.
.
3589 read(4, "#\n# $Id: tac_plus.conf 12 2013-0"..., 4096) = 4096
3589 write(2, "#", 1) = 1
3589 write(2, "\n", 1) = 1
3589 write(2, "#", 1) = 1
3589 write(2, " ", 1) = 1
.
.
.

Just thought you might be interested in this.
Thanks for a great application! :)

Regards,
Michael Norrving

From heas at shrubbery.net Mon Apr 22 15:32:22 2013
From: heas at shrubbery.net (heasley)
Date: Mon, 22 Apr 2013 15:32:22 +0000
Subject: [tac_plus] -P and man page
In-Reply-To: 
References: 
Message-ID: <20130422153222.GA47332@shrubbery.net>

Mon, Apr 22, 2013 at 02:59:07PM +0000, Michael Norrving:
> The man page of tac_plus states for -P
>
> "-P Parse the configuration file, echo it to standard output while parsing, and then exit. tac_plus will exit non-zero when a parser error occurs."
>
> This does not seem to be the case. It echoes it to stderr. I am pasting some strace to show this.
>
> 3589 execve("/usr/sbin/tac_plus", ["/usr/sbin/tac_plus", "-P", "-C", "/local/tacacs/conf/approved/tac_"...], [/* 21 vars */]) = 0
> .
> .
> .
> 3589 read(4, "#\n# $Id: tac_plus.conf 12 2013-0"..., 4096) = 4096
> 3589 write(2, "#", 1) = 1
> 3589 write(2, "\n", 1) = 1
> 3589 write(2, "#", 1) = 1
> 3589 write(2, " ", 1) = 1
> .
> .
> .
>
> Just thought you might be interested in this. Thanks for a great application! :)

it appears to work.

roome [81] ./tac_plus -P -C tac_plus.conf.sample
...
roome [82] echo $?
0
roome [83] ./tac_plus -P -C config.h
/* Error: Unrecognised token /* on line 1
roome [84] echo $?
1

Perhaps it is particular to your faulty configuration file.

From vadud3 at gmail.com Thu Apr 25 16:03:11 2013
From: vadud3 at gmail.com (Asif Iqbal)
Date: Thu, 25 Apr 2013 12:03:11 -0400
Subject: [tac_plus] High cpu usage
Message-ID: 

Where to look for cause of high cpu usage ?
users experience slowness in typing command on router when cpu usage is high, consistently

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2739 root      20   0  615m 244m  840 R   37  6.2 389:06.39 tac_plus

I have 27 tac_plus process running

$ ps -ef | grep tac_plus | grep main | wc -l
27

$ ps -ef | grep tac_plus
/usr/local/bin/tac_plus -L -B 192.168.6.20 -l /var/log/tacacs-main.daemon.log -C /etc/tacacs.conf
[..]

Thanks for any suggestion

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From heas at shrubbery.net Thu Apr 25 18:51:42 2013
From: heas at shrubbery.net (heasley)
Date: Thu, 25 Apr 2013 18:51:42 +0000
Subject: [tac_plus] High cpu usage
In-Reply-To: 
References: 
Message-ID: <20130425185141.GB90006@shrubbery.net>

Thu, Apr 25, 2013 at 12:03:11PM -0400, Asif Iqbal:
> Where to look for cause of high cpu usage ? users experience slowness in
> typing command
> on router when cpu usage is high, consistently
>
>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>  2739 root      20   0  615m 244m  840 R   37  6.2 389:06.39 tac_plus
>
> I have 27 tac_plus process running
>
> $ ps -ef | grep tac_plus | grep main | wc -l
> 27
>
> $ ps -ef | grep tac_plus
> /usr/local/bin/tac_plus -L -B 192.168.6.20 -l
> /var/log/tacacs-main.daemon.log -C /etc/tacacs.conf
> [..]
>

1) someone trying to break into one of your routers - see the tacacs log
2) someone is attacking the daemon
3) a serial line w/ tacacs having a fight with a connected device because the serial line does not have 'no login' (or it might be 'no exec').
4) the daemon is having an argument with a misbehaving client device
5) there is a bug, unlikely
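heasley's causes 3 and 4 above (a serial line or a misbehaving client looping against the daemon) and the "Intermittent failure" thread earlier in this archive share a symptom in the daemon log: the same NAS leaves the same "fd N eof (connection closed)" / "Read -1 bytes" / "Null reply packet" triple over and over in a short time, whereas one user hanging up (heasley's reading in that thread) leaves an isolated triple. The following is an added example, not part of tac_plus, that parses those three line shapes as Asif posted them and reports any NAS whose aborted-session rate inside a sliding window crosses a threshold. The sample log is constructed (the hostnames follow the example names used in the thread), and the window and threshold are assumptions to tune for your own environment; run it over the file given to `-l`, such as the /var/log/tacacs-main.daemon.log in the ps output above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog prefix of the tac_plus daemon log lines quoted in this archive.
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ tac_plus\[\d+\]: (?P<msg>.*)$'
)

# The three message shapes from the "Intermittent failure" thread. Only the
# "connection closed" line is counted as an event: one per aborted session.
ABORT_RE = re.compile(r'^(?P<nas>[\w.-]+) (?P<tty>\S+): fd \d+ eof \(connection closed\)$')
READ_RE = re.compile(r'^Read -?\d+ bytes from (?P<nas>[\w.-]+) (?P<tty>\S+), expecting \d+$')
NULL_RE = re.compile(r'^Error (?P<nas>[\w.-]+) (?P<tty>\S+): Null reply packet, expecting \w+$')


def parse_line(line):
    """Return (timestamp, nas, tty, kind) for a recognised daemon line, else None.
    kind is 'abort', 'short_read' or 'null_reply'. The syslog timestamp has no
    year, so comparisons are only meaningful within one log file."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S')
    msg = m.group('msg')
    for kind, pat in (('abort', ABORT_RE), ('short_read', READ_RE), ('null_reply', NULL_RE)):
        mm = pat.match(msg)
        if mm:
            return ts, mm.group('nas'), mm.group('tty'), kind
    return None


def max_aborts_per_window(lines, window_seconds=60):
    """For each NAS, the largest number of aborted sessions that fall inside
    any sliding window of window_seconds (lines are assumed to be in time order)."""
    per_nas = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[3] == 'abort':
            per_nas[parsed[1]].append(parsed[0])
    window = timedelta(seconds=window_seconds)
    worst = {}
    for nas, stamps in per_nas.items():
        start, best = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:   # slide the window's left edge
                start += 1
            best = max(best, end - start + 1)
        worst[nas] = best
    return worst


def noisy_clients(lines, window_seconds=60, threshold=10):
    """NAS hosts whose abort rate reaches threshold inside some window: a device
    arguing with the daemon rather than a single user disconnecting."""
    return {nas: n for nas, n in max_aborts_per_window(lines, window_seconds).items()
            if n >= threshold}


def _session_abort(ts, nas, tty):
    """Constructed sample: the three lines one aborted session leaves behind."""
    return [
        f'{ts} tacacs-01 tac_plus[12341]: {nas} {tty}: fd 2 eof (connection closed)',
        f'{ts} tacacs-01 tac_plus[12341]: Read -1 bytes from {nas} {tty}, expecting 12',
        f'{ts} tacacs-01 tac_plus[12341]: Error {nas} {tty}: Null reply packet, expecting CONTINUE',
    ]


# Constructed sample log: router1 aborts 12 sessions in 33 seconds (one every
# 3 s, cycling through four ttys), router2 aborts once. Not real data.
SAMPLE_LINES = []
for i in range(12):
    SAMPLE_LINES += _session_abort(f'Apr  8 18:35:{i * 3:02d}', 'router1.example.net', f'tty{i % 4}')
SAMPLE_LINES += _session_abort('Apr  8 18:36:10', 'router2.example.net', 'tty1')

if __name__ == '__main__':
    for nas, n in noisy_clients(SAMPLE_LINES).items():
        print(f'{nas}: {n} aborted sessions within 60 s')
```

With the defaults this flags router1.example.net (12 aborts in one minute) and stays quiet about router2.example.net. A NAS that shows up here is the place to look before suspecting the daemon itself: an async line without 'no login' / 'no exec', or a device that keeps reconnecting, will produce exactly this pattern and burn CPU on every retry.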