From NMaio at urbn.com Tue Jan 15 13:59:29 2013
From: NMaio at urbn.com (Nick Maio)
Date: Tue, 15 Jan 2013 13:59:29 +0000
Subject: [tac_plus] Multiple Keys
Message-ID: <17AD0BCD3C5C3B4B85BF93C3432F835D0BCC7E@SUSHQPEXMB2.urbanout.com>

Hi,

I was wondering if the following link is still the correct way to add support for multiple keys? I'd like to start a key change but can't easily do it with the current version (tacacs+-F4.0.4.26.tar.gz) of TACPLUS I am running.

https://groups.google.com/forum/?fromgroups=#!topic/event-driven-servers/ZFAeE3bwk-g

Thanks,

Nick Maio
Engineering Manager, Network Systems
URBN Urban Outfitters Inc.
5000 South Broad Street
Philadelphia, PA 19112-1495
tel: 215.454.7732
fax: 215.454.7191


From patrick.albert at gip.com Wed Jan 16 16:19:27 2013
From: patrick.albert at gip.com (Patrick Albert | GIP)
Date: Wed, 16 Jan 2013 17:19:27 +0100
Subject: [tac_plus] Problem with TAC_PLUS and S/Key
Message-ID: <50F6D30F.9050505@gip.com>

Hello,

Like ninjabytes (http://www.shrubbery.net/pipermail/tac_plus/2007-June/000097.html), I have some trouble with "tac_plus with S/Key". Unfortunately, the documentation about "tac_plus and S/Key" isn't really detailed.

The positive aspect: tac_plus 4.0.4.26 works correctly (login on a NAS with cleartext password: done) and the libskey seems to work as well ("configure [...] --with-skey" and the following "make" without error, and the config snippet "login = skey" was accepted while starting tac_plus).

I use the following config:

    user = fred {
        default service = permit
        login = skey
        enable = skey
    }

My question is now: when I try to log in as "fred" on my NAS, I see the message "Cannot generate skey prompt for fred" in the tac_plus log file.

In my opinion, it's no wonder that this doesn't work, because there is no password configured for the user "fred" - and an skey challenge is built on a sequence_no, a seed and the user's password, right? The user can then calculate the response with the challenge string and his password.

So: where can I enter the user's password for an skey authentication in the tac_plus.conf?

Thanks in advance for your help,

Best regards,
Patrick Albert

--
Patrick Albert
GIP Exyr GmbH
Hechtsheimer Str. 35-37 | 55131 Mainz
Tel: +49 (0) 6131 / 80124 - 27 | Fax: +49 (0) 6131 / 80124 - 24
E-Mail: patrick.albert at gip.com | Web: www.gip.com
Geschäftsführer: Dr. Bernd Reifenhäuser, Dr. Alexander Ebbes
Handelsregister: HRB 6870 - Amtsgericht Mainz


From heas at shrubbery.net Wed Jan 16 21:10:30 2013
From: heas at shrubbery.net (heasley)
Date: Wed, 16 Jan 2013 21:10:30 +0000
Subject: [tac_plus] Problem with TAC_PLUS and S/Key
In-Reply-To: <50F6D30F.9050505@gip.com>
References: <50F6D30F.9050505@gip.com>
Message-ID: <20130116211030.GH12528@shrubbery.net>

Wed, Jan 16, 2013 at 05:19:27PM +0100, Patrick Albert | GIP:
> I use the following config
>
>     user = fred {
>         default service = permit
>         login = skey
>         enable = skey
>     }
>
> My question is now:
> When I try to login as "fred" on my NAS, I see the message "Cannot
> generate skey prompt for fred" in the tac_plus log file. In my opinion,
> it's no wonder that this doesn't work because there is no password

this would be skeychallenge() failing. iirc, that would include the challenge number; it's been a while since i've tested this or used skey, so memory is foggy.

> configured for the user "fred" - and an skey challenge is built on a
> sequence_no, seed and the user's password, right? The user can
> then calculate the response with the challenge string and his password.

seed? the password is the OTP, which would be returned after skeychallenge()'s return was sent to the device for the prompt. the question is why skeychallenge() fails. i'd suspect that it can't open or find the OTP database.

> So: Where can I enter the user's password for an skey authentication in
> the tac_plus.conf?


From patrick.albert at gip.com Thu Jan 17 07:52:32 2013
From: patrick.albert at gip.com (Patrick Albert | GIP)
Date: Thu, 17 Jan 2013 08:52:32 +0100
Subject: [tac_plus] Problem with TAC_PLUS and S/Key
In-Reply-To: <20130116211030.GH12528@shrubbery.net>
References: <50F6D30F.9050505@gip.com> <20130116211030.GH12528@shrubbery.net>
Message-ID: <50F7ADC0.5080808@gip.com>

Thanks a lot for your fast response!

It seems we don't talk about exactly the same thing. In my opinion, S/Key works as follows:

1) The user opens a telnet session on a NAS, e.g. a router.
2) The user enters his username, which is forwarded by the NAS to the tac_plus server.
3) Now tac_plus creates the challenge string on the basis of a random string (seed, salt) and the user's password. The challenge string looks like "98 seed123".
4) tac_plus sends the challenge string to the NAS, where it will be forwarded to the user's telnet screen.

   Example:

       Trying 129.105.5.105 ...
       Connected to delta.ece.nwu.edu.
       Escape character is '^]'.

       SunOS UNIX (delta)

       login: chris
       s/key 98 pe61662
       Password:

5) The user calculates the challenge response locally on the basis of the challenge string ("s/key [...]") and his password. It looks like "LILA FEST BONG LOSE TINY WINE" - this is the OTP.
6) The user enters the calculated OTP in the telnet window ("Password: ") and now has access to the NAS.

The calculation of such a response can be tested at http://www.ocf.berkeley.edu/~jjlin/jsotp/

At http://www.ece.northwestern.edu/CSEL/skey/skey_eecs.html you can also find an explanation of this procedure (chapter "Login Authentication with S/KEY").

So, I don't understand yet how tac_plus would be able to create such an skey challenge without the user's password.

Best regards,
Patrick Albert

--
Patrick Albert
GIP Exyr GmbH


From B.Mahoney at f5.com Thu Jan 17 14:03:45 2013
From: B.Mahoney at f5.com (Bill Mahoney)
Date: Thu, 17 Jan 2013 14:03:45 +0000
Subject: [tac_plus] No download avail

I was trying to download the tacacs+ software you have on your site and cannot seem to; do you still host it?

William Mahoney | Sr Network Engineer
F5 Networks
www.f5.com
USA/Canada: 1-888-882-7535
International: +800 11-275435 or +1-206-272-6888


From heas at shrubbery.net Thu Jan 17 18:34:05 2013
From: heas at shrubbery.net (heasley)
Date: Thu, 17 Jan 2013 18:34:05 +0000
Subject: [tac_plus] Problem with TAC_PLUS and S/Key
In-Reply-To: <50F7ADC0.5080808@gip.com>
References: <50F6D30F.9050505@gip.com> <20130116211030.GH12528@shrubbery.net> <50F7ADC0.5080808@gip.com>
Message-ID: <20130117183405.GE63214@shrubbery.net>

Thu, Jan 17, 2013 at 08:52:32AM +0100, Patrick Albert | GIP:
> It seems we don't talk about exactly the same thing.
>
> In my opinion, S/Key works as follows:
>
> 1) The user opens a telnet session on a NAS, e.g. a router
> 2) The user enters his username which is forwarded by the NAS to the
> tac_plus server
> 3) Now the tac_plus creates the challenge string on the basis of a
> random string (seed, salt) and the user's password. The challenge string
> looks like "98 seed123".
> 4) tac_plus sends the challenge string to the NAS where it will be
> forwarded to the user's telnet screen.
> 5) The user calculates locally on the basis of the challenge string
> ("s/key [...]") and his password the challenge response. It looks like
> "LILA FEST BONG LOSE TINY WINE" - this is the OTP.
> 6) The user enters the calculated OTP in the telnet window ("Password:
> ") and has now access to the NAS.

Ah, the manner that I am familiar with is:

1) user creates a list of skey passwords and keeps these on hand, and so does the unix box/tacacs host. instead of this paper list of passwords, the user could have a device or program that computes the hash.
2) user opens session to NAS
3) user enters username
4) receives password prompt with skey index
5) user enters the password at that index in the list generated in #1, which looks like your OTP example.

> So, I don't understand yet how tac_plus would be able to create such an
> skey challenge without the user's password.

it has it already from when you initialized the user with (or in) skey; see keyinit in the URL above.


From heas at shrubbery.net Fri Jan 18 09:29:07 2013
From: heas at shrubbery.net (heasley)
Date: Fri, 18 Jan 2013 09:29:07 +0000
Subject: [tac_plus] Multiple Keys
In-Reply-To: <17AD0BCD3C5C3B4B85BF93C3432F835D0BCC7E@SUSHQPEXMB2.urbanout.com>
References: <17AD0BCD3C5C3B4B85BF93C3432F835D0BCC7E@SUSHQPEXMB2.urbanout.com>
Message-ID: <20130118092907.GE5330@shrubbery.net>

Tue, Jan 15, 2013 at 01:59:29PM +0000, Nick Maio:
> I was wondering if the following link is still the correct way to add support for multiple keys? I'd like to start a key change but can't easily do it with the current version (tacacs+-F4.0.4.26.tar.gz) of TACPLUS I am running.
>
> https://groups.google.com/forum/?fromgroups=#!topic/event-driven-servers/ZFAeE3bwk-g

i believe so. it's a good idea; i don't know if the author intended to donate the code. what is the author's email address?


From NMaio at urbn.com Fri Jan 18 11:15:35 2013
From: NMaio at urbn.com (Nick Maio)
Date: Fri, 18 Jan 2013 11:15:35 +0000
Subject: [tac_plus] Multiple Keys
In-Reply-To: <20130118092907.GE5330@shrubbery.net>
References: <17AD0BCD3C5C3B4B85BF93C3432F835D0BCC7E@SUSHQPEXMB2.urbanout.com> <20130118092907.GE5330@shrubbery.net>
Message-ID: <17AD0BCD3C5C3B4B85BF93C3432F835D0C5E8C@SUSHQPEXMB2.urbanout.com>

His email is on the following page:
http://www.pro-bono-publico.de/about.html

And he appears to keep up with development:
http://www.pro-bono-publico.de/projects/tac_plus.html

-----Original Message-----
From: heasley [mailto:heas at shrubbery.net]
Sent: Friday, January 18, 2013 4:29 AM
To: Nick Maio
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Multiple Keys

> i believe so. it's a good idea; i don't know if the author intended to donate the code. what is the author's email address?


From patrick.albert at gip.com Wed Jan 23 16:35:15 2013
From: patrick.albert at gip.com (Patrick Albert | GIP)
Date: Wed, 23 Jan 2013 17:35:15 +0100
Subject: [tac_plus] Problem with TAC_PLUS and S/Key
In-Reply-To: <20130117183405.GE63214@shrubbery.net>
References: <50F6D30F.9050505@gip.com> <20130116211030.GH12528@shrubbery.net> <50F7ADC0.5080808@gip.com> <20130117183405.GE63214@shrubbery.net>
Message-ID: <51001143.3090203@gip.com>

Hi,

Thanks for your support!

Finally, everything works fine - but on Debian. On RHEL, it was not possible to do the complete S/Key round trip: compiling the sources was successful, but the generated skey response was not accepted.

Kind regards,
Patrick

--
Patrick Albert
GIP Exyr GmbH
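The round trip the thread argues about, as an added example that is not tac_plus or libskey code: keyinit stores only a one-way hash, the server issues "count-1 seed" as the challenge, and verification hashes the response once more. It assumes the RFC 2289 MD5 variant (classic S/Key uses MD4, which current hashlib builds may lack) and hex output in place of the six-word encoding; user "fred" and seed "pe61662" are taken from the thread, the secret is constructed.

```python
"""S/Key-style one-time-password round trip (constructed example, RFC 2289 MD5 variant)."""
import hashlib
import secrets
import string

def _fold(digest: bytes) -> bytes:
    # RFC 2289: reduce a 16-byte MD4/MD5 digest to 8 bytes by XORing the two halves.
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))

def _step(value: bytes) -> bytes:
    # One application of the hash; each step moves from count n-1 to count n.
    return _fold(hashlib.md5(value).digest())

def otp(secret: str, seed: str, count: int) -> bytes:
    """Client side: hash(seed + secret) once, then `count` more times.
    This is what the user (or a token) computes from the prompt."""
    if not (1 <= len(seed) <= 16 and seed.isalnum()):
        raise ValueError("seed must be 1-16 alphanumeric characters")
    value = _step((seed.lower() + secret).encode("ascii"))  # seed is case-insensitive
    for _ in range(count):
        value = _step(value)
    return value

def as_hex(value: bytes) -> str:
    """Hex form in groups of four, e.g. '9E87 6134 D904 99DD' (stand-in for six words)."""
    h = value.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))

class OtpDatabase:
    """Server side: what keyinit leaves behind and what the login path consults.
    Only (count, seed, hash) is stored; the secret itself never reaches the server."""

    def __init__(self):
        self._entries = {}  # username -> (count, seed, stored_hash)

    def keyinit(self, user: str, secret: str, count: int = 100, seed: str = None) -> str:
        # The only step that needs the secret; done once on a trusted host.
        if seed is None:
            alphabet = string.ascii_lowercase + string.digits
            seed = "".join(secrets.choice(alphabet) for _ in range(8))
        self._entries[user] = (count, seed, otp(secret, seed, count))
        return seed

    def challenge(self, user: str):
        """The prompt tac_plus would send to the NAS, e.g. 'otp-md5 98 pe61662'.
        None means no prompt can be built: unknown user or exhausted list."""
        entry = self._entries.get(user)
        if entry is None or entry[0] < 1:
            return None
        count, seed, _ = entry
        return f"otp-md5 {count - 1} {seed}"

    def verify(self, user: str, response: bytes) -> bool:
        """Hash the response once; it must equal the stored value.
        On success the response becomes the stored value and the count drops,
        so the same OTP can never be accepted twice."""
        entry = self._entries.get(user)
        if entry is None or entry[0] < 1:
            return False
        count, seed, stored = entry
        if not secrets.compare_digest(_step(response), stored):
            return False
        self._entries[user] = (count - 1, seed, response)
        return True
```
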