From kg6hum at gmail.com Wed Dec 11 03:25:00 2013
From: kg6hum at gmail.com (Rob Campbell)
Date: Tue, 10 Dec 2013 19:25:00 -0800
Subject: [tac_plus] Problem with authentication

Hello,

I am new to TACACS+ and tac_plus. I was just trying it out with a very simple configuration between my Ubuntu laptop and an Imagestream router. I have the two configured and talking to each other, but I cannot get it to accept my password. Here are the logs from one of my attempts:

session.peerip is 192.168.100.222
connect from 192.168.100.222 [192.168.100.222]
cfg_get_hvalue: name=192.168.100.222 attr=key
cfg_get_hvalue: no host named 192.168.100.222
cfg_get_phvalue: returns NULL
cfg_get_value: name=rcampbell isuser=1 attr=pap rec=1
cfg_get_pvalue: returns NULL
cfg_get_value: name=rcampbell isuser=1 attr=global rec=1
cfg_get_pvalue: returns NULL
cfg_get_value: name=rcampbell isuser=1 attr=acl rec=1
cfg_get_pvalue: returns NULL
pap-login query for 'rcampbell' ssh from 192.168.100.222 rejected
login failure: rcampbell 192.168.100.222 (192.168.100.222) ssh
cfg_get_hvalue: name=192.168.100.222 attr=key
cfg_get_hvalue: no host named 192.168.100.222
cfg_get_phvalue: returns NULL

Here is the corresponding tac_plus.conf for that setup:

accounting file = /var/log/tac_plus.acct
key = testing123

user = rcampbell {
    name = "Rob Campbell"
    login = des "gjh0yUzBigWxQ"
}

user = DEFAULT {
    login = PAM
    service = ppp protocol = ip {}
}

I have tried this with both a DES encrypted password and a plaintext password with no luck. The logs also look exactly the same no matter what password I supply. Is there something simple I am overlooking here?

Thank you.

--
Rob Campbell
KG6HUM
From kg6hum at gmail.com Thu Dec 12 02:52:55 2013
From: kg6hum at gmail.com (Rob Campbell)
Date: Wed, 11 Dec 2013 18:52:55 -0800
Subject: [tac_plus] Problem with TACACS+ Authentication

Hello,

I tried sending this email yesterday, but I wasn't a list member at the time so it was blocked for moderation.

I am new to TACACS+ and tac_plus. I was just trying it out with a very simple configuration between my Ubuntu laptop and an Imagestream router. Imagestream routers run Linux, so it is using pam_tacplus.so. I am only using it for sshd at this time, so I do not lose the ability to log in to the router. I have the two configured and talking to each other, but I cannot get it to accept my password. Here are the logs from one of my attempts:

session.peerip is 192.168.100.222
connect from 192.168.100.222 [192.168.100.222]
cfg_get_hvalue: name=192.168.100.222 attr=key
cfg_get_hvalue: no host named 192.168.100.222
cfg_get_phvalue: returns NULL
cfg_get_value: name=rcampbell isuser=1 attr=pap rec=1
cfg_get_pvalue: returns NULL
cfg_get_value: name=rcampbell isuser=1 attr=global rec=1
cfg_get_pvalue: returns NULL
cfg_get_value: name=rcampbell isuser=1 attr=acl rec=1
cfg_get_pvalue: returns NULL
pap-login query for 'rcampbell' ssh from 192.168.100.222 rejected
login failure: rcampbell 192.168.100.222 (192.168.100.222) ssh
cfg_get_hvalue: name=192.168.100.222 attr=key
cfg_get_hvalue: no host named 192.168.100.222
cfg_get_phvalue: returns NULL

Here is the corresponding tac_plus.conf for that setup:

accounting file = /var/log/tac_plus.acct
key = testing123

user = rcampbell {
    name = "Rob Campbell"
    login = des "gjh0yUzBigWxQ"
}

user = DEFAULT {
    login = PAM
    service = ppp protocol = ip {}
}

I have tried this with both a DES encrypted password and a plaintext password with no luck. The logs also look exactly the same no matter what password I supply. Is there something simple I am overlooking here?

Thank you.
--
Rob Campbell
KG6HUM

From alan.mckinnon at gmail.com Thu Dec 12 06:57:47 2013
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Thu, 12 Dec 2013 08:57:47 +0200
Subject: [tac_plus] Problem with TACACS+ Authentication
Message-ID: <52A95E6B.9050200@gmail.com>

On 12/12/2013 04:52, Rob Campbell wrote:
> Hello,
>
> I tried sending this email yesterday, but I wasn't a list member at the time so it was blocked for moderation.
>
> I am new to TACACS+ and tac_plus. I was just trying it out with a very simple configuration between my Ubuntu laptop and an Imagestream router. Imagestream routers run Linux, so it is using pam_tacplus.so. I am only using it for sshd at this time, so I do not lose the ability to log in to the router. I have the two configured and talking to each other, but I cannot get it to accept my password. Here are the logs from one of my attempts:
>
> session.peerip is 192.168.100.222
> connect from 192.168.100.222 [192.168.100.222]
> cfg_get_hvalue: name=192.168.100.222 attr=key
> cfg_get_hvalue: no host named 192.168.100.222
> cfg_get_phvalue: returns NULL
> cfg_get_value: name=rcampbell isuser=1 attr=pap rec=1
> cfg_get_pvalue: returns NULL
> cfg_get_value: name=rcampbell isuser=1 attr=global rec=1
> cfg_get_pvalue: returns NULL
> cfg_get_value: name=rcampbell isuser=1 attr=acl rec=1
> cfg_get_pvalue: returns NULL
> pap-login query for 'rcampbell' ssh from 192.168.100.222 rejected
> login failure: rcampbell 192.168.100.222 (192.168.100.222) ssh
> cfg_get_hvalue: name=192.168.100.222 attr=key
> cfg_get_hvalue: no host named 192.168.100.222
> cfg_get_phvalue: returns NULL
>
> Here is the corresponding tac_plus.conf for that setup:
>
> accounting file = /var/log/tac_plus.acct
> key = testing123
>
> user = rcampbell {
>     name = "Rob Campbell"
>     login = des "gjh0yUzBigWxQ"
> }
>
> user = DEFAULT {
>     login = PAM
>     service = ppp protocol = ip {}
> }
>
> I have tried this with both a DES encrypted password and a plaintext password with no luck. The logs also look exactly the same no matter what password I supply. Is there something simple I am overlooking here?
>
> Thank you.

Your router is using pap (not ascii) to do the password exchange step with tac_plus. Try this in tac_plus.conf:

user = rcampbell {
    name = "Rob Campbell"
    login = des "gjh0yUzBigWxQ"
    pap = des "gjh0yUzBigWxQ"
}

--
Alan McKinnon
alan.mckinnon at gmail.com

From daniel.schmidt at wyo.gov Tue Dec 17 21:43:47 2013
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Tue, 17 Dec 2013 14:43:47 -0700
Subject: [tac_plus] double free or corruption?

*** glibc detected *** /usr/local/bin/tac_plus: double free or corruption

Well, THAT's never happened before. Hum...

E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.

From alan.mckinnon at gmail.com Wed Dec 18 00:24:39 2013
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Wed, 18 Dec 2013 02:24:39 +0200
Subject: [tac_plus] double free or corruption?
Message-ID: <52B0EB47.8020102@gmail.com>

On 17/12/2013 23:43, Daniel Schmidt wrote:
> *** glibc detected *** /usr/local/bin/tac_plus: double free or corruption
>
> Well, THAT's never happened before. Hum...

^_^ <=== raised eyebrows

Yup, first for me too. What crazy level of hackery are you up to lately that you found *that* code path? :-)

--
Alan McKinnon
alan.mckinnon at gmail.com

From heas at shrubbery.net Wed Dec 18 04:14:31 2013
From: heas at shrubbery.net (heasley)
Date: Wed, 18 Dec 2013 04:14:31 +0000
Subject: [tac_plus] double free or corruption?
Message-ID: <20131218041431.GD170@shrubbery.net>

Tue, Dec 17, 2013 at 02:43:47PM -0700, Daniel Schmidt:
> *** glibc detected *** /usr/local/bin/tac_plus: double free or corruption
>
> Well, THAT's never happened before. Hum...

Did it dump a core for me to analyze?

From daniel.schmidt at wyo.gov Wed Dec 18 21:48:41 2013
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Wed, 18 Dec 2013 14:48:41 -0700
Subject: [tac_plus] double free or corruption?
In-Reply-To: <20131218041431.GD170@shrubbery.net>
References: <20131218041431.GD170@shrubbery.net>

Nope, no core. And it was just when one guy logged in. I can't seem to make it happen again.

I suppose I have to admit that I am also running the afl patch..... https://github.com/ellzey/tac_plus_AFL

Which technically has a free:

+ free(session.afl_cfg);

But, I didn't really look at it - I prefer languages that treat me like I'm not smart enough to manage my own memory allocation.

Tacacs restarted
781 # *** glibc detected *** /usr/local/bin/tac_plus: double free or corruption (!prev): 0x000000001c32c110 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3fec67174f]
/lib64/libc.so.6(cfree+0x4b)[0x3fec675a4b]
/usr/local/bin/tac_plus[0x407996]
/usr/local/bin/tac_plus[0x403175]
/usr/local/bin/tac_plus[0x410938]
/usr/local/bin/tac_plus[0x411159]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3fec61d9c4]
/usr/local/bin/tac_plus[0x402869]
======= Memory map: ========
[process memory map elided]

On Tue, Dec 17, 2013 at 9:14 PM, heasley wrote:
> Tue, Dec 17, 2013 at 02:43:47PM -0700, Daniel Schmidt:
> > *** glibc detected *** /usr/local/bin/tac_plus: double free or corruption
> >
> > Well, THAT's never happened before. Hum...
>
> did it dump a core for me to analyze?
From ttjones2013 at hotmail.com Fri Dec 20 15:18:01 2013
From: ttjones2013 at hotmail.com (Tucker Jones)
Date: Fri, 20 Dec 2013 10:18:01 -0500
Subject: [tac_plus] tac_plus and PAM

Hello,

I am setting up a CentOS server to run tac_plus and am trying to use it with PAM. Currently, I am trying to use tac_plus to authenticate users who are VPN'ing into the network. The users are able to VPN in; however, pam_tally2 is indicating a bad login and incrementing the attempts, so after a period of time the user gets locked out. I am sure it is some step I have missed in my configuration. I have seen where some other people had a similar problem, but I haven't seen what their resolution was. I did look in the past archives, but I didn't see anything specific to this. I apologize if I missed it.

My current tac_plus.conf appears like this. I just started testing this so it is only slightly modified from the default currently.

key = "xxxxxxxx"   # -removed
accounting file = /var/log/tac.acct

# authentication users not appearing elsewhere via
# the file /etc/passwd
#default authentication = file /etc/passwd

acl = default {
    #permit = 192\.168\.0\.
}

# Example of host-specific configuration:
host = 192.168.2.1 {
    prompt = "Enter your Unix username and password, Username: "
    # Enable password for the router, generate a new one with tac_pwd
    #enable = des 4P8MBRmulyloo
}

# Group that is allowed to do most configuration on all interfaces etc.
group = admin {
    # group members who don't have their own login password will be
    # looked up in /etc/passwd
    #login = file /etc/passwd
    #login = PAM
    # group members who have no expiry date set will use this one
    #expires = "Jan 1 1997"
    # only allow access to specific routers
    acl = default
    # Needed for the router to make commands available to user (subject
    # to authorization if so configured on the router)
    service = exec {
        priv-lvl = 15
        #default service = permit
    }
    cmd = username { permit .* }
    cmd = enable { permit .* }
    cmd = show { permit .* }
    cmd = exit { permit .* }
    cmd = configure { permit .* }
    cmd = interface { permit .* }
    cmd = switchport { permit .* }
    cmd = description { permit .* }
    cmd = no { permit shutdown }
}

# A group that can change some limited configuration on switchports
# related to host-side network configuration
group = sysadmin {
    # group members who don't have their own login password will be
    # looked up in /etc/passwd:
    #login = file /etc/passwd
    # or authenticated via PAM:
    login = PAM
    acl = default
    # Needed for the router to make commands available to user (subject
    # to authorization if so configured on the router)
    service = exec {
        priv-lvl = 15
    }
    cmd = enable { permit .* }
    cmd = show { permit .* }
    cmd = exit { permit .* }
    cmd = configure { permit .* }
    cmd = interface {
        permit FastEthernet.*
        permit GigabitEthernet.*
    }
    cmd = switchport {
        permit "access vlan.*"
        permit "trunk encapsulation.*"
        permit "mode.*"
        permit "trunk allowed vlan.*"
    }
    cmd = description { permit .* }
    cmd = no { permit shutdown }
}

user = joe {
    login = PAM
    #member = sysadmin
    member = admin
}

user = kdavis {
    login = PAM
}

user = fred {
    login = PAM
    member = sysadmin
}

# User account configured for use with "rancid"
user = rancid {
    # Generate a new password with tac_pwd
    #login = des LXUxLCkFhGpwA
    service = exec {
        priv-lvl = 15
    }
    cmd = show { permit .* }
    cmd = exit { permit .* }
    cmd = dir { permit .* }
    cmd = write { permit term }
}

# Global enable level 15 password, generate a new one with tac_pwd
user = $enab15$ {
    #login = des 97cZOIgSXU/4I
}

#user = DEFAULT {
#    login = PAM
#    member = default
#}

I did turn on debugging when my user logged in and saw this:

cfg_get_hvalue: name=192.168.0.1 attr=key
cfg_get_hvalue: no host named 192.168.0.1
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=192.168.0.1 attr=key
cfg_get_hvalue: no host named 192.168.0.1
cfg_get_phvalue: returns NULL
cfg_get_value: name=kdavis isuser=1 attr=expires rec=1
cfg_get_pvalue: returns NULL
cfg_get_value: name=kdavis isuser=1 attr=acl rec=1
cfg_get_pvalue: returns NULL
login query for 'kdavis' 1032192 from 192.168.0.1 accepted
cfg_get_hvalue: name=192.168.0.1 attr=key
cfg_get_hvalue: no host named 192.168.0.1
cfg_get_phvalue: returns NULL

I wonder if it's something with these NULL values that is somehow impacting things. Any suggestions or help would be appreciated.

From heas at shrubbery.net Mon Dec 23 17:39:43 2013
From: heas at shrubbery.net (heasley)
Date: Mon, 23 Dec 2013 17:39:43 +0000
Subject: [tac_plus] tac_plus and PAM
Message-ID: <20131223173943.GD92808@shrubbery.net>

Fri, Dec 20, 2013 at 10:18:01AM -0500, Tucker Jones:
> Hello,
>
> I am setting up a CentOS server to run tac_plus and am trying to use it with PAM. Currently, I am trying to use tac_plus to authenticate users who are VPN'ing into the network. The users are able to VPN in; however, pam_tally2 is indicating a bad login and incrementing the attempts, so after a period of time the user gets locked out. I am sure it is some step I have missed in my configuration. I have seen where some other people had a similar problem, but I haven't seen what their resolution was. I did look in the past archives, but I didn't see anything specific to this. I apologize if I missed it.
>
> My current tac_plus.conf appears like this. I just started testing this so it is only slightly modified from the default currently.

Since tacacs is authenticating users normally until pam_tally blocks them, I expect the problem is most likely not related to tacacs at all. It is probably your PAM configuration for tacacs. Presumably, it's the order that the module appears or some module it relies upon is missing. Compare the config to another PAM config that uses this module.

From derekywchan at gmail.com Tue Dec 24 04:24:45 2013
From: derekywchan at gmail.com (Derek Chan)
Date: Tue, 24 Dec 2013 12:24:45 +0800
Subject: [tac_plus] Command Authorization

Hi,

I would like to allow my user to enter a command "admin" without any parameter. Can we configure this by the following:

cmd = admin {
    permit ^$
    deny .*
}

or

cmd = admin {
    permit ""
    deny .*
}

Regards,
Derek

From heas at shrubbery.net Tue Dec 24 15:48:23 2013
From: heas at shrubbery.net (heasley)
Date: Tue, 24 Dec 2013 15:48:23 +0000
Subject: [tac_plus] Command Authorization
Message-ID: <20131224154823.GC28882@shrubbery.net>

Tue, Dec 24, 2013 at 12:24:45PM +0800, Derek Chan:
> Hi,
>
> I would like to allow my user to enter a command "admin" without any parameter. Can we configure this by the following:
>
> cmd = admin {
>     permit ^$
>     deny .*
> }

That should work. It really depends upon what the device sends to the daemon as the command string. If you can't figure that out, use the debugging knobs to see the text being sent.

From ttjones2013 at hotmail.com Sat Dec 28 21:32:56 2013
From: ttjones2013 at hotmail.com (Tucker Jones)
Date: Sat, 28 Dec 2013 16:32:56 -0500
Subject: [tac_plus] tac_plus and PAM
In-Reply-To: <20131223173943.GD92808@shrubbery.net>
References: <20131223173943.GD92808@shrubbery.net>

Please excuse my newbie questions. To utilize PAM, do I need to use the pam_tacplus module? I currently was only using pam_tally2, but after looking around it appeared I needed to utilize the pam_tacplus module instead?
Would you be able to clarify which module would be the best?

You also said "Since tacacs is authenticating users normally until pam_tally blocks them"; per my understanding, if I have a user configured for PAM and they attempt to log in, tacacs would look in its conf file and see that the user is set to PAM and then use the associated tac_plus conf file in the PAM directory to tell it what to authenticate the user against?

Would you know of any example configuration where they are using a local shadow file to work with tac_plus and PAM? Most of the examples I find are for LDAP, but this is a unique situation and we just want to utilize the shadow file initially.

Are there any good ways to test this locally on the server to try to find any errors? When I changed the module to pam_tacplus I see the user failing authentication now, but I can't see what is causing the authentication problem, as the password being entered for the user is correct.

Thank you.

> Date: Mon, 23 Dec 2013 17:39:43 +0000
> From: heas at shrubbery.net
> To: ttjones2013 at hotmail.com
> CC: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] tac_plus and PAM
>
> Fri, Dec 20, 2013 at 10:18:01AM -0500, Tucker Jones:
> > Hello,
> >
> > I am setting up a CentOS server to run tac_plus and am trying to use it with PAM. Currently, I am trying to use tac_plus to authenticate users who are VPN'ing into the network. The users are able to VPN in; however, pam_tally2 is indicating a bad login and incrementing the attempts, so after a period of time the user gets locked out. I am sure it is some step I have missed in my configuration. I have seen where some other people had a similar problem, but I haven't seen what their resolution was. I did look in the past archives, but I didn't see anything specific to this. I apologize if I missed it.
> >
> > My current tac_plus.conf appears like this. I just started testing this so it is only slightly modified from the default currently.
>
> Since tacacs is authenticating users normally until pam_tally blocks them, I
> expect the problem is most likely not related to tacacs at all. It is
> probably your pam configuration for tacacs. presumably, it's the order that
> the module appears or some module it relies upon is missing. Compare the
> config to another pam config that uses this module.

From krux at thcnet.net Sat Dec 28 22:37:56 2013
From: krux at thcnet.net (krux at thcnet.net)
Date: Sat, 28 Dec 2013 14:37:56 -0800 (PST)
Subject: [tac_plus] tac_plus and PAM
In-Reply-To:
References: , <20131223173943.GD92808@shrubbery.net>
Message-ID:

> Please excuse my newbie questions. To utilize PAM do I need to use the
> pam_tacplus module? I currently was only using pam_tally2 but after looking

No, I think that's a module to have PAM use TACACS+ for authentication.
You'll have to create a tac_plus pam config file under /etc/pam.d. A quick
and easy way to do so is to "cp /etc/pam.d/ssh /etc/pam.d/tac_plus", which
would copy the same method of authentication for SSH as for TACACS. Of course
you can tweak the authentication settings for PAM so it does something
different for tac_plus. For example, our system uses Kerberos for ssh, but
for TACACS authentication we want it to use RSA for two factor
authentication.

perl -e 's==UBER?=+y[:-o]}(;->\n{q-yp-y+k}?print:??;-p#)'

From ttjones2013 at hotmail.com Sun Dec 29 00:21:48 2013
From: ttjones2013 at hotmail.com (Tucker Jones)
Date: Sat, 28 Dec 2013 19:21:48 -0500
Subject: [tac_plus] tac_plus and PAM
In-Reply-To:
References: , <20131223173943.GD92808@shrubbery.net> ,
Message-ID:

So it sounds like I can just use the pam_tally2 instead? When I used that I was able to authenticate, but each time a person logged in successfully via tacacs using pam_tally2 it was counting each of my logins as failed and my user was being locked out after a period of time?
Any thoughts on what I may have done wrong to have pam_tally2 track the login as failed though it was allowing the user to log in and work?

> Date: Sat, 28 Dec 2013 14:37:56 -0800
> From: krux at thcnet.net
> To: ttjones2013 at hotmail.com
> CC: heas at shrubbery.net; tac_plus at shrubbery.net
> Subject: Re: [tac_plus] tac_plus and PAM
>
> > Please excuse my newbie questions. To utilize PAM do I need to use the
> > pam_tacplus module? I currently was only using pam_tally2 but after looking
>
> No, I think that's a module to have PAM use TACACS+ for authentication.
> You'll have to create a tac_plus pam config file under /etc/pam.d. A quick
> and easy way to do so is to "cp /etc/pam.d/ssh /etc/pam.d/tac_plus", which
> would copy the same method of authentication for SSH as for TACACS. Of course
> you can tweak the authentication settings for PAM so it does something
> different for tac_plus. For example, our system uses Kerberos for ssh, but
> for TACACS authentication we want it to use RSA for two factor
> authentication.
>
> perl -e 's==UBER?=+y[:-o]}(;->\n{q-yp-y+k}?print:??;-p#)'
>

From heas at shrubbery.net Sun Dec 29 16:10:50 2013
From: heas at shrubbery.net (heasley)
Date: Sun, 29 Dec 2013 16:10:50 +0000
Subject: [tac_plus] tac_plus and PAM
In-Reply-To:
References: <20131223173943.GD92808@shrubbery.net>
Message-ID: <20131229161050.GB3351@shrubbery.net>

Sat, Dec 28, 2013 at 07:21:48PM -0500, Tucker Jones:
> So it sounds like I can just use the pam_tally2 instead? When I used that I was able to authenticate, but each time a person logged in successfully via tacacs using pam_tally2 it was counting each of my logins as failed and my user was being locked out after a period of time? Any thoughts on what I may have done wrong to have pam_tally2 track the login as failed though it was allowing the user to log in and work?

no - have you read the manuals for pam and pam_tally2?
pam_tally provides a function - one piece of the authentication task, an
optional piece that is not needed. remove it and your tacacs auth through
pam should work.

why pam_tally2 is failing for you, i do not know. possibly a bug, a missing
PAM prerequisite, missing file, permissions problem? pam offers debugging
options, enable them and figure out the cause.

> > Date: Sat, 28 Dec 2013 14:37:56 -0800
> > From: krux at thcnet.net
> > To: ttjones2013 at hotmail.com
> > CC: heas at shrubbery.net; tac_plus at shrubbery.net
> > Subject: Re: [tac_plus] tac_plus and PAM
> >
> > > Please excuse my newbie questions. To utilize PAM do I need to use the
> > > pam_tacplus module? I currently was only using pam_tally2 but after looking
> >
> > No, I think that's a module to have PAM use TACACS+ for authentication.
> > You'll have to create a tac_plus pam config file under /etc/pam.d. A quick
> > and easy way to do so is to "cp /etc/pam.d/ssh /etc/pam.d/tac_plus", which
> > would copy the same method of authentication for SSH as for TACACS. Of course
> > you can tweak the authentication settings for PAM so it does something
> > different for tac_plus. For example, our system uses Kerberos for ssh, but
> > for TACACS authentication we want it to use RSA for two factor
> > authentication.
> >
> > perl -e 's==UBER?=+y[:-o]}(;->\n{q-yp-y+k}?print:??;-p#)'
> >
>
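The command-authorization exchange earlier in this thread (Derek Chan's `cmd = admin` stanza and heasley's answer that the outcome depends on what the device sends as the command string) can be made concrete with this added model, which is not tac_plus code. It assumes the semantics the thread describes (argument tokens joined with spaces, rules tried top to bottom, no match means deny), uses a hypothetical `<cr>` argument token to show why the device's exact argument string matters, and also handles the `permit ""` variant, which under ordinary regex semantics permits every argument string because an empty pattern matches anything.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Added model of a tac_plus "cmd" stanza's first-match semantics (not tac_plus
# code). Assumptions, labelled: the device's argument tokens are joined with
# single spaces, rules are tried top to bottom, and no match means deny.

@dataclass
class CmdRule:
    action: str      # "permit" or "deny"
    regex: str       # pattern matched against the joined argument string

@dataclass
class CmdPolicy:
    rules: dict[str, list[CmdRule]] = field(default_factory=dict)

def parse_cmd_stanzas(conf: str) -> CmdPolicy:
    """Toy parser for 'cmd = NAME { permit|deny REGEX ... }' blocks only."""
    policy = CmdPolicy()
    for m in re.finditer(r"cmd\s*=\s*(\S+)\s*\{([^}]*)\}", conf):
        name, body = m.group(1), m.group(2)
        rules = []
        for line in body.splitlines():
            line = line.strip()
            if not line:
                continue
            action, _, pattern = line.partition(" ")
            if action not in ("permit", "deny"):
                raise ValueError(f"bad rule in cmd = {name}: {line!r}")
            # permit "" becomes an empty pattern, which matches ANY string
            rules.append(CmdRule(action, pattern.strip().strip('"')))
        policy.rules[name] = rules
    return policy

def authorize(policy: CmdPolicy, cmd: str, args: list[str]) -> tuple[str, str]:
    """Decide on the exact argument tokens the device sent; returns (decision, why)."""
    rules = policy.rules.get(cmd)
    if rules is None:
        return "deny", f"no cmd stanza for {cmd!r}"
    arg_str = " ".join(args)
    for rule in rules:
        if re.search(rule.regex, arg_str):
            return rule.action, f"{rule.action} /{rule.regex}/ matched {arg_str!r}"
    return "deny", f"no rule matched {arg_str!r}"

if __name__ == "__main__":
    policy = parse_cmd_stanzas("cmd = admin {\n  permit ^$\n  deny .*\n}")
    for sent in ([], ["show"], ["<cr>"]):  # constructed; "<cr>" token is hypothetical
        print(sent, authorize(policy, "admin", sent))
```

The bare `admin` is permitted and `admin show` denied, but a device that sends a `<cr>` token instead of an empty argument string falls through to `deny .*`, which is exactly why heasley points at the daemon's debugging output to see the real text.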