From: dwnek at dollartree.com (dwnek at dollartree.com)
Date: Mon, 1 Dec 2014 14:42:13 -0500
Subject: [tac_plus] Certain Permissions on some IP's and wide open Permissions on other IP's for same user-group-acl
Message-ID:

I would like to have two separate ACL's for one group. One ACL will allow a network security group to run any command they want on switches they are responsible for managing and the other ACL will only allow them to run some show commands on any other network switch. Is this possible? Can I configure one group in the tac_plus.cfg with two nested ACL's? Please provide a short config example.

Thank You,
Derek


From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Mon, 01 Dec 2014 22:32:02 +0200
Subject: [tac_plus] Certain Permissions on some IP's and wide open Permissions on other IP's for same user-group-acl
In-Reply-To:
References:
Message-ID: <547CD042.3030605@gmail.com>

On 01/12/2014 21:42, dwnek at dollartree.com wrote:
> I would like to have two separate ACL's for one group. One ACL will allow a network security group to run any command they want on switches they are responsible for managing and the other ACL will only allow them to run some show commands on any other network switch. Is this possible? Can I configure one group in the tac_plus.cfg with two nested ACL's? Please provide a short config example.
>
> Thank You,
> Derek

It is possible using tac_plus.conf, but to do it you have to jump through many painful hoops that you will not understand tomorrow. Many of us have gone down this road already and felt the pain.

You want Dan Schmidt's do_auth.py script, bundled with recent versions of tac_plus. It comes with very clear, complete docs; read them just once and it will be obvious how to solve the problem you face.

-- 
Alan McKinnon
alan.mckinnon at gmail.com

From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Mon, 1 Dec 2014 19:58:43 -0700
Subject: [tac_plus] Certain Permissions on some IP's and wide open Permissions on other IP's for same user-group-acl
In-Reply-To: <547CD042.3030605@gmail.com>
References: <547CD042.3030605@gmail.com>
Message-ID:

You may see here for more info: http://blogs.sackheads.org/tacacsplus/page/2/

And thanks for the nice recommendation, Alan

E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.

From: david.syzdek at acsalaska.net (David M. Syzdek)
Date: Tue, 2 Dec 2014 09:20:40 -0900
Subject: [tac_plus] contributing patched to tac_plus
Message-ID:

Shrubbery Networks,

I am a systems engineer at a telco in Alaska. We maintain a geographically large and diverse voice and data network consisting of thousands of devices. Our TACACS+ server recently died and we are planning to replace it with your port of tac_plus; however, it is missing a few features which we require, namely allowing different keys to be assigned per network rather than per individual hosts. We are willing and capable of modifying the code to support the features we need; however, to simplify maintenance in the future, we would like to contribute the patches back into your tree so we do not have to patch the source code in the future.

Do you accept patches for new features in tac_plus? If so, what patch format do you prefer and which version should I use for the baseline? What documentation/comments do you look for in patches?

Any information you can provide will be greatly appreciated.

Sincerely,
David M. Syzdek

----------------------------------------------------------------------
David M. Syzdek                          david.syzdek at acsalaska.net
IP Engineering
Work: +1 907 550 8389    Cell: +1 907 980 1151
Alaska Communications Systems, Inc
MS #53, 600 Telephone Avenue, Anchorage, Alaska 99503
----------------------------------------------------------------------

From: heas at shrubbery.net (heasley)
Date: Wed, 3 Dec 2014 17:38:47 +0000
Subject: [tac_plus] contributing patched to tac_plus
In-Reply-To:
References:
Message-ID: <20141203173847.GC41440@shrubbery.net>

Tue, Dec 02, 2014 at 09:20:40AM -0900, David M. Syzdek:
> Shrubbery Networks,
>
> I am a systems engineer at a telco in Alaska. We maintain a geographically large and diverse voice and data network consisting of thousands of devices. Our TACACS+ server recently died and we are planning to replace it with your port of tac_plus; however, it is missing a few features which we require, namely allowing different keys to be assigned per network rather than per individual hosts. We are willing and capable of modifying the code to support the features we need; however, to simplify maintenance in the future, we would like to contribute the patches back into your tree so we do not have to patch the source code in the future.
>
> Do you accept patches for new features in tac_plus? If so, what patch format do you prefer and which version should I use for the baseline? What documentation/comments do you look for in patches?

Certainly; bonus points and quicker response if you keep the formatting consistent and also update documentation :)

From: david.syzdek at acsalaska.net (David M. Syzdek)
Date: Wed, 3 Dec 2014 10:45:15 -0900
Subject: [tac_plus] RFC: refactoring hashing algorithm (was: contributing patched to tac_plus)
In-Reply-To: <20141203173847.GC41440@shrubbery.net>
References: <20141203173847.GC41440@shrubbery.net>
Message-ID:

Heasley,

Looking at the hashing algorithm used for storing devices, users, groups, and ACLs, it appears that at most 157 entries can be stored in each hash table (less if the key strings create a collision). My organization currently has 1,428 devices with unique keys. So I need a method which allows more than 157 entries to be stored in each hash table.

Refer to the following code from hash.c to see the limitation:

tac_plus.h:

    #define HASH_TAB_SIZE 157    /* user and group hash table sizes */

hash.c:

    /* Calculate hash value from a string */
    static int
    calculate_hash(char *name)
    {
        int i;
        int len = strlen(name);
        int hashval = 0;

        for (i = 0; i < len; i++) {
            hashval += name[i] * (i + 1);
        }
        hashval += name[0];
        hashval = hashval > 0 ? hashval : -hashval;
        return(hashval);
    }

    /* Lookup a name in a hash table. Return its node if it exists, else NULL */
    void *
    hash_lookup(void **hashtab, char *name)
    {
        ENTRY *entry;
        int hashval = calculate_hash(name);

        entry = hashtab[hashval % HASH_TAB_SIZE];

        while (entry) {
            if (STREQ(name, entry->name))
                /* Node exists in table. return it */
                return(entry);
            entry = entry->hash;
        }
        return(NULL);
    }

I would like to refactor hash.c to use a sorted array and binary search rather than a fixed length reallocated hash table. This would incur a performance hit on start-up and slightly increase the time required to look up items within the hash. I can add an autoconf option which will allow tac_plus to be compiled with the old hashing methods or the new hashing methods.

Does anyone foresee an issue with the proposed change?

--David M. Syzdek

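The calculate_hash()/hash_lookup() pair quoted above, rebuilt as a stand-alone C example added here (not tac_plus's own code), with an assumed ENTRY struct, an assumed hash_add() and constructed names of the form rtr-NNNN, so the relationship between HASH_TAB_SIZE and the number of entries can be checked directly: the 157 bounds the number of buckets, while the entry->hash link that the quoted lookup walks lets one bucket hold any number of nodes, at the cost of a longer chain per lookup.

```c
/* Added example, not tac_plus code: the calculate_hash()/hash_lookup() pair
 * quoted from hash.c rebuilt stand-alone, with an assumed ENTRY struct and an
 * assumed hash_add(), so the effect of HASH_TAB_SIZE can be measured. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HASH_TAB_SIZE 157       /* bucket count, as in tac_plus.h */

typedef struct entry {
    char *name;
    struct entry *hash;         /* next node in the same bucket */
} ENTRY;

/* Same arithmetic as the quoted calculate_hash(): a position-weighted
 * byte sum, so similar names land in few distinct buckets. */
int calculate_hash(const char *name)
{
    int i, len = (int)strlen(name), hashval = 0;
    for (i = 0; i < len; i++)
        hashval += name[i] * (i + 1);
    hashval += name[0];
    hashval = hashval > 0 ? hashval : -hashval;
    return hashval;
}

/* Same walk as the quoted hash_lookup(): pick the bucket, then follow
 * the chain until the name matches or the chain ends. */
ENTRY *hash_lookup(ENTRY **hashtab, const char *name)
{
    ENTRY *entry = hashtab[calculate_hash(name) % HASH_TAB_SIZE];
    while (entry) {
        if (strcmp(name, entry->name) == 0)
            return entry;
        entry = entry->hash;
    }
    return NULL;
}

/* Assumed insert: push a new node onto the head of its bucket's chain;
 * the bucket count never limits how many nodes a chain can hold. */
ENTRY *hash_add(ENTRY **hashtab, const char *name)
{
    int bucket = calculate_hash(name) % HASH_TAB_SIZE;
    ENTRY *entry = malloc(sizeof *entry);
    char *copy = malloc(strlen(name) + 1);
    if (!entry || !copy) {
        free(entry);
        free(copy);
        return NULL;
    }
    strcpy(copy, name);
    entry->name = copy;
    entry->hash = hashtab[bucket];
    hashtab[bucket] = entry;
    return entry;
}

/* Free every node and return the longest chain seen, which is the
 * worst-case number of string compares one lookup has to do. */
int hash_free(ENTRY **hashtab)
{
    int b, worst = 0;
    for (b = 0; b < HASH_TAB_SIZE; b++) {
        int n = 0;
        while (hashtab[b]) {
            ENTRY *next = hashtab[b]->hash;
            free(hashtab[b]->name);
            free(hashtab[b]);
            hashtab[b] = next;
            n++;
        }
        if (n > worst)
            worst = n;
    }
    return worst;
}

/* Load n constructed device names ("rtr-0000", "rtr-0001", ...) into a
 * fresh table, look each one up again and return how many were found;
 * *worst_chain receives the longest chain the table grew. */
int load_and_measure(int n, int *worst_chain)
{
    ENTRY *tab[HASH_TAB_SIZE] = { 0 };
    char name[16];
    int i, found = 0;
    for (i = 0; i < n; i++) {
        snprintf(name, sizeof name, "rtr-%04d", i);
        hash_add(tab, name);
    }
    for (i = 0; i < n; i++) {
        snprintf(name, sizeof name, "rtr-%04d", i);
        if (hash_lookup(tab, name))
            found++;
    }
    *worst_chain = hash_free(tab);
    return found;
}
```

Loading the 1,428 names from the post finds all of them again, and since 1,428 nodes spread over 157 buckets put at least ten on some chain, the cost shows up as chain length rather than as a capacity limit.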
From: david.syzdek at acsalaska.net (David M. Syzdek)
Date: Wed, 3 Dec 2014 12:08:48 -0900
Subject: [tac_plus] [PATCH] Replacing angled include statements with quoted include statements for config.h
Message-ID: <6C37D9A6-CDD4-4826-B575-3B1330F208B9@acsalaska.net>

The attached patch replaces angled include statements with quoted include statements so the local directory is searched for config.h rather than the system include directories.

Topic Branch of Git Repository: https://github.com/alaskacommunications/tac_plus/tree/ds/fixing-angled-includes

Aggregated Patches: https://github.com/alaskacommunications/tac_plus/tree/pu

[Attachment scrubbed: 0001-Replacing-angled-include-statements-with-quoted-incl.patch, 1078 bytes]

--David M. Syzdek

From: heas at shrubbery.net (heasley)
Date: Wed, 3 Dec 2014 22:10:46 +0000
Subject: [tac_plus] RFC: refactoring hashing algorithm (was: contributing patched to tac_plus)
In-Reply-To:
References: <20141203173847.GC41440@shrubbery.net>
Message-ID: <20141203221046.GM28330@shrubbery.net>

Wed, Dec 03, 2014 at 10:45:15AM -0900, David M. Syzdek:
> I would like to refactor hash.c to use a sorted array and binary search rather than a fixed length reallocated hash table. This would incur a performance hit on start-up and slightly increase the time required to look up items within the hash. I can add an autoconf option which will allow tac_plus to be compiled with the old hashing methods or the new hashing methods.
>
> Does anyone foresee an issue with the proposed change?

Nope; I wouldn't bother with the autoconf knob either.

From: david.syzdek at acsalaska.net (David M. Syzdek)
Date: Wed, 3 Dec 2014 14:55:22 -0900
Subject: [tac_plus] [PATCH] fixing some compiler warnings in tac_plus
Message-ID: <23659CEA-AD3F-4685-97B0-0235440D4C46@acsalaska.net>

The attached patches remove unused variables, initialize uninitialized variables with default values before they are used, and change variables which store buffer lengths from type int to type size_t or ssize_t as appropriate.

Topic Branch of Git Repository: https://github.com/alaskacommunications/tac_plus/tree/ds/fixing-warnings

Aggregated Patches: https://github.com/alaskacommunications/tac_plus/tree/pu

[Attachments scrubbed:
 0001-Removing-unused-variables-from-functions.patch, 665 bytes
 0002-Fixing-implicit-conversions-in-expire.c-by-using-cor.patch, 1136 bytes
 0003-Changing-size-variables-from-int-to-either-size_t-or.patch, 9525 bytes
 0004-Initializing-declared-but-uninitialized-variables.patch, 1266 bytes]

--David M. Syzdek

From: Jetmir.Sulmina at albtelecom.al (Jetmir Sulmina)
Date: Fri, 26 Dec 2014 10:12:04 +0000
Subject: [tac_plus] Tacacs problem with packets
Message-ID:

Hello Shrubbery staff,

I have this problem with your tool: firstly it works well, but after some time it begins to not authenticate users. The errors shown are as in the attachment. I noticed that the attached logs appear in the tac_plus file before the switch login appears.

I tried uninstalling/re-installing the application; the situation is the same. Only another Centos 6.4 Final clean install repairs it, but again after some days the problem reappears.

Instead, when I test aaa from the same switch, it works:

    Switch1_QTU# test aaa group tacacs+ jetmir !nd0nd legacy
    Attempting authentication test to server-group tacacs+ using tacacs+
    User was successfully authenticated.

Can you help me to figure out what is causing this? Have you faced the same problem from any previous customer?

BR
Jetmir SULMINA
Supervisor Planning & Optimization Unit
Datacom Department
Albtelecom & Eagle Mobile
Autostrada TR-DR Km. 7 Kashar-Tirane, Albania
Mobile: +355672644110
E-Mail: jetmir.sulmina at albtelecom.al
Website: www.albtelecom.al

________________________________
This e-mail and any files transmitted with it are confidential and intended solely for the use of the addressee/s. If you are not the intended recipient you are hereby notified that any dissemination, forwarding, copying or use of any of the information is strictly prohibited. If you receive this e-mail in error, please notify the sender immediately and delete it! Albtelecom makes no warranty as to the accuracy or completeness of any information contained in this message and hereby excludes any liability of any kind for the information contained therein or for the information transmission, reception, storage or use of such in any way whatsoever. The opinions expressed in this message may belong to sender alone and may not necessarily reflect the opinions of Albtelecom. Albtelecom shall bear no liability for any loss or damage caused by software or e-mail viruses.

[Attachment scrubbed: Tacacs Error.txt]

From: heas at shrubbery.net (heasley)
Date: Fri, 26 Dec 2014 18:31:41 +0000
Subject: [tac_plus] Tacacs problem with packets
In-Reply-To:
References:
Message-ID: <20141226183141.GB96701@shrubbery.net>

Fri, Dec 26, 2014 at 10:12:04AM +0000, Jetmir Sulmina:
> Hello Shrubbery staff,
>
> I have this problem with your tool: firstly it works well, but after some time it begins to not authenticate users. The errors shown are as in the attachment. I noticed that the attached logs appear in the tac_plus file before the switch login appears.
>
> I tried uninstalling/re-installing the application; the situation is the same. Only another Centos 6.4 Final clean install repairs it, but again after some days the problem reappears.

Do you mean after re-installing the O/S or just reinstalling tacacs? What appears in the logs when it begins failing? Can you install from sourcecode instead of the Centos package?

> Instead, when I test aaa from the same switch, it works:
>
>     Switch1_QTU# test aaa group tacacs+ jetmir !nd0nd legacy
>     Attempting authentication test to server-group tacacs+ using tacacs+
>     User was successfully authenticated.
>
> Can you help me to figure out what is causing this? Have you faced the same problem from any previous customer?

You have not attached the configuration & logs.

From: Jetmir.Sulmina at albtelecom.al (Jetmir Sulmina)
Date: Fri, 26 Dec 2014 19:42:22 +0000
Subject: [tac_plus] Tacacs problem with packets
In-Reply-To: <20141226183141.GB96701@shrubbery.net>
References: <20141226183141.GB96701@shrubbery.net>
Message-ID:

Hi Heasley,

The configuration file is attached. The log file tac_plus.log is too big to be sent via my mail. The portion of log I sent you was from that file (if you refer to the tac_plus.log file). If you need it I'll send a part of it tomorrow, since we have finished work for today.

The installation was done from the source file: ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.26.tar.gz

The problem disappears when I re-install a fresh copy of the OS, but after some days it happens again. If I re-install only the tacacs service the problem remains; it does not disappear.

Jetmir SULMINA

[Attachment scrubbed: tac_plus.cfg, 2483 bytes]

From: heas at shrubbery.net (heasley)
Date: Fri, 26 Dec 2014 22:04:20 +0000
Subject: [tac_plus] Tacacs problem with packets
In-Reply-To:
References: <20141226183141.GB96701@shrubbery.net>
Message-ID: <20141226220420.GB1182@shrubbery.net>

Fri, Dec 26, 2014 at 07:42:22PM +0000, Jetmir Sulmina:
> Hi Heasley,
>
> The configuration file is attached. The log file tac_plus.log is too big to be sent via my mail. The portion of log I sent you was from that file (if you refer to the tac_plus.log file). If you need it I'll send a part of it tomorrow, since we have finished work for today.
>
> The installation was done from the source file: ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.26.tar.gz
>
> The problem disappears when I re-install a fresh copy of the OS, but after some days it happens again. If I re-install only the tacacs service the problem remains; it does not disappear.

Just rebooting the host does not fix the problem? Are patches being installed that might affect tacacs?

From: Jetmir.Sulmina at albtelecom.al (Jetmir Sulmina) Date: Fri, 26 Dec 2014 23:02:22 +0000 Subject: [tac_plus] Tacacs problem with packets In-Reply-To: <20141226220420.GB1182@shrubbery.net> References: <20141226183141.GB96701@shrubbery.net> <20141226220420.GB1182@shrubbery.net> Message-ID: No just rebooting does not resolve it. The same error log appears after reboot. The packet is received from tacacs before the login fields are displayed to enter username and password. That?s why the user field is empty at below logs. Fri Dec 26 23:58:16 2014 [1590]: Reading config Fri Dec 26 23:58:16 2014 [1590]: Version F4.0.4.26 Initialized 1 Fri Dec 26 23:58:16 2014 [1590]: tac_plus server F4.0.4.26 starting Fri Dec 26 23:58:16 2014 [1591]: Backgrounded Fri Dec 26 23:58:16 2014 [1592]: uid=0 euid=0 gid=0 egid=0 s=0 Fri Dec 26 23:58:50 2014 [1592]: session request from 10.2.18.53 sock=2 Fri Dec 26 23:58:50 2014 [1596]: connect from 10.2.18.53 [10.2.18.53] Fri Dec 26 23:58:50 2014 [1596]: Waiting for packet Fri Dec 26 23:58:50 2014 [1596]: Read AUTHEN/START size=36 Fri Dec 26 23:58:50 2014 [1596]: validation request from 10.2.18.53 Fri Dec 26 23:58:50 2014 [1596]: PACKET: key=3l3ct!0ns Fri Dec 26 23:58:50 2014 [1596]: version 192 (0xc0), type 1, seq no 1, flags 0x1 Fri Dec 26 23:58:50 2014 [1596]: session_id 1704442042 (0x6597b8ba), Data length 24 (0x18) Fri Dec 26 23:58:50 2014 [1596]: End header Fri Dec 26 23:58:50 2014 [1596]: type=AUTHEN/START, priv_lvl = 1 Fri Dec 26 23:58:50 2014 [1596]: action=login Fri Dec 26 23:58:50 2014 [1596]: authen_type=ascii Fri Dec 26 23:58:50 2014 [1596]: service=login Fri Dec 26 23:58:50 2014 [1596]: user_len=0 port_len=4 (0x4), rem_addr_len=12 (0xc) Fri Dec 26 23:58:50 2014 [1596]: data_len=0 Fri Dec 26 23:58:50 2014 [1596]: User: Fri Dec 26 23:58:50 2014 [1596]: port: Fri Dec 26 23:58:50 2014 [1596]: tty1 Fri Dec 26 23:58:50 2014 [1596]: rem_addr: Fri Dec 26 23:58:50 2014 [1596]: 172.27.1.153 Fri Dec 26 23:58:50 2014 [1596]: data: Fri Dec 
26 23:58:50 2014 [1596]: End packet Fri Dec 26 23:58:50 2014 [1596]: Authen Start request Fri Dec 26 23:58:50 2014 [1596]: choose_authen returns 1 Fri Dec 26 23:58:50 2014 [1596]: Writing AUTHEN/GETUSER size=55 Fri Dec 26 23:58:50 2014 [1596]: PACKET: key=3l3ct!0ns Fri Dec 26 23:58:50 2014 [1596]: version 192 (0xc0), type 1, seq no 2, flags 0x1 Fri Dec 26 23:58:50 2014 [1596]: session_id 1704442042 (0x6597b8ba), Data length 43 (0x2b) Fri Dec 26 23:58:50 2014 [1596]: End header Fri Dec 26 23:58:50 2014 [1596]: type=AUTHEN status=4 (AUTHEN/GETUSER) flags=0x0 Fri Dec 26 23:58:50 2014 [1596]: msg_len=37, data_len=0 Fri Dec 26 23:58:50 2014 [1596]: msg: Fri Dec 26 23:58:50 2014 [1596]: 0xa User Access Verification 0xa Fri Dec 26 23:58:50 2014 [1596]: data: Fri Dec 26 23:58:50 2014 [1596]: End packet Fri Dec 26 23:58:50 2014 [1596]: Waiting for packet Fri Dec 26 23:58:50 2014 [1596]: 10.2.18.53 tty1: fd 2 eof (connection closed) Fri Dec 26 23:58:50 2014 [1596]: Read -1 bytes from 10.2.18.53 tty1, expecting 12 Fri Dec 26 23:58:50 2014 [1596]: Error 10.2.18.53 tty1: Null reply packet, expecting CONTINUE Fri Dec 26 23:58:50 2014 [1596]: 10.2.18.53: disconnect BR Jetmir SULMINA Supervisor Planning & Optimization Unit Datacom Department Albtelecom & Eagle Mobile Autostrada TR-DR Km. 7 Kashar-Tirane, Albania Mobile: +355672644110 E-Mail: jetmir.sulmina at albtelecom.al Website: www.albtelecom.al -----Original Message----- 
From: heasley [mailto:heas at shrubbery.net] Sent: Friday, December 26, 2014 11:04 PM To: Jetmir Sulmina Cc: heasley; tac_plus at shrubbery.net Subject: Re: [tac_plus] Tacacs problem with packets Fri, Dec 26, 2014 at 07:42:22PM +0000, Jetmir Sulmina: > Hi Heasley, > > The configuration file is as in attach. The log file is tac_plus.log is very big to be sent via my mail. The portion of log I sent you was from that file (if you refer to tac_plus.log file). If you need it I'll send tomorrow a part of it since we have finished work for today. > > The installation was done from source file: > ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.26.tar.gz > > The problem disappears when I re-instal a fresh copy of OS, but after some days happens again. > If I re-install only the tacacs service the problem remains, does not disappear. Just rebooting the host does not fix the problem? Are patches being installed that might affect tacacs? ________________________________ Albtelecom & Eagle Mobile ju ftojn? t? mbrojm? s? bashku Mjedisin. Lutemi t? mos e printoni k?t? komunikim elektronik n?se nuk ?sht? me t? v?rtet? i nevojsh?m. Albtelecom & Eagle Mobile invite you to protect together the Environment. Please do not print this e-mail unless really necessary. ________________________________ This e-mail and any files transmitted with it are confidential and intended solely for the use of the addressee/s. If you are not the intended recipient you are hereby notified that any dissemination, forwarding, copying or use of any of the information is strictly prohibited. If you receive this e-mail in error, please notify the sender immediately and delete it! Albtelecom makes no warranty as to the accuracy or completeness of any information contained in this message and hereby excludes any liability of any kind for the information contained therein or for the information transmission, reception, storage or use of such in any way whatsoever. 
The opinions expressed in this message may belong to sender alone and may not necessarily reflect the opinions of Albtelecom. Albtelecom shall bear no liability for any loss or damage caused by software or e-mail viruses. Ky mesazh dhe ?do informacion i transmetuar n? p?rmbajtje te k?tij mesazhi ?sht? konfidencial dhe ?sht? i destinuar vet?m p?r marr?sin e destinuar. N?se nuk jeni marr?si i destinuar, Ju b?jm? me dije se ?do p?rhapje, transmetim, kopjim apo p?rdorim i ?do informacioni ?sht? i ndaluar. N?se e merrni k?t? mesazh gabimisht, ju lutem kontaktoni urgjentisht nis?sin e tij dhe fshijeni at?. Albtelecom nuk jep asnj? garanci p?r sakt?sin? apo plot?sin? e informacionit n? p?rmbajtje t? k?tij mesazhi dhe nuk mban asnj? p?rgjegj?si p?r informacionin e p?rmbajtur, transmetimin, marrjen, ruajtjen apo p?rdorimin e tij n? ?far?dolloj m?nyre. Mendimet e shprehura n? k?t? mesazh mund t'i p?rkasin vet? nis?sit dhe nuk mund t? reflektojn? domosdoshm?risht q?ndrimet e Albtelecom. Albtelecom nuk do t? mbaje asnj? p?rgjegj?si p?r humbje ose d?me te shkaktuara nga programet apo viruset. From Jetmir.Sulmina at albtelecom.al Fri Dec 26 23:05:11 2014 From: Jetmir.Sulmina at albtelecom.al (Jetmir Sulmina) Date: Fri, 26 Dec 2014 23:05:11 +0000 Subject: [tac_plus] Tacacs problem with packets References: <20141226183141.GB96701@shrubbery.net> <20141226220420.GB1182@shrubbery.net> Message-ID: And there is no patch update done on the OS. I just use the same Centos version 6.4. After the clean install it works, than after some days the problem appears and remains permanent. Jetmir SULMINA Supervisor Planning & Optimization Unit Datacom Department Albtelecom & Eagle Mobile Autostrada TR-DR Km. 7 Kashar-Tirane, Albania Mobile: +355672644110 E-Mail: jetmir.sulmina at albtelecom.al Website: www.albtelecom.al -----Original Message----- 
From: Jetmir Sulmina
Sent: Saturday, December 27, 2014 12:02 AM
To: 'heasley'
Cc: tac_plus at shrubbery.net
Subject: RE: [tac_plus] Tacacs problem with packets

No, just rebooting does not resolve it. The same error log appears after reboot.

The packet is received from tacacs before the login fields are displayed to enter username and password. That's why the user field is empty in the logs below.

Fri Dec 26 23:58:16 2014 [1590]: Reading config
Fri Dec 26 23:58:16 2014 [1590]: Version F4.0.4.26 Initialized 1
Fri Dec 26 23:58:16 2014 [1590]: tac_plus server F4.0.4.26 starting
Fri Dec 26 23:58:16 2014 [1591]: Backgrounded
Fri Dec 26 23:58:16 2014 [1592]: uid=0 euid=0 gid=0 egid=0 s=0
Fri Dec 26 23:58:50 2014 [1592]: session request from 10.2.18.53 sock=2
Fri Dec 26 23:58:50 2014 [1596]: connect from 10.2.18.53 [10.2.18.53]
Fri Dec 26 23:58:50 2014 [1596]: Waiting for packet
Fri Dec 26 23:58:50 2014 [1596]: Read AUTHEN/START size=36
Fri Dec 26 23:58:50 2014 [1596]: validation request from 10.2.18.53
Fri Dec 26 23:58:50 2014 [1596]: PACKET: key=3l3ct!0ns
Fri Dec 26 23:58:50 2014 [1596]: version 192 (0xc0), type 1, seq no 1, flags 0x1
Fri Dec 26 23:58:50 2014 [1596]: session_id 1704442042 (0x6597b8ba), Data length 24 (0x18)
Fri Dec 26 23:58:50 2014 [1596]: End header
Fri Dec 26 23:58:50 2014 [1596]: type=AUTHEN/START, priv_lvl = 1
Fri Dec 26 23:58:50 2014 [1596]: action=login
Fri Dec 26 23:58:50 2014 [1596]: authen_type=ascii
Fri Dec 26 23:58:50 2014 [1596]: service=login
Fri Dec 26 23:58:50 2014 [1596]: user_len=0 port_len=4 (0x4), rem_addr_len=12 (0xc)
Fri Dec 26 23:58:50 2014 [1596]: data_len=0
Fri Dec 26 23:58:50 2014 [1596]: User:
Fri Dec 26 23:58:50 2014 [1596]: port:
Fri Dec 26 23:58:50 2014 [1596]: tty1
Fri Dec 26 23:58:50 2014 [1596]: rem_addr:
Fri Dec 26 23:58:50 2014 [1596]: 172.27.1.153
Fri Dec 26 23:58:50 2014 [1596]: data:
Fri Dec 26 23:58:50 2014 [1596]: End packet
Fri Dec 26 23:58:50 2014 [1596]: Authen Start request
Fri Dec 26 23:58:50 2014 [1596]: choose_authen returns 1
Fri Dec 26 23:58:50 2014 [1596]: Writing AUTHEN/GETUSER size=55
Fri Dec 26 23:58:50 2014 [1596]: PACKET: key=3l3ct!0ns
Fri Dec 26 23:58:50 2014 [1596]: version 192 (0xc0), type 1, seq no 2, flags 0x1
Fri Dec 26 23:58:50 2014 [1596]: session_id 1704442042 (0x6597b8ba), Data length 43 (0x2b)
Fri Dec 26 23:58:50 2014 [1596]: End header
Fri Dec 26 23:58:50 2014 [1596]: type=AUTHEN status=4 (AUTHEN/GETUSER) flags=0x0
Fri Dec 26 23:58:50 2014 [1596]: msg_len=37, data_len=0
Fri Dec 26 23:58:50 2014 [1596]: msg:
Fri Dec 26 23:58:50 2014 [1596]: 0xa User Access Verification 0xa
Fri Dec 26 23:58:50 2014 [1596]: data:
Fri Dec 26 23:58:50 2014 [1596]: End packet
Fri Dec 26 23:58:50 2014 [1596]: Waiting for packet
Fri Dec 26 23:58:50 2014 [1596]: 10.2.18.53 tty1: fd 2 eof (connection closed)
Fri Dec 26 23:58:50 2014 [1596]: Read -1 bytes from 10.2.18.53 tty1, expecting 12
Fri Dec 26 23:58:50 2014 [1596]: Error 10.2.18.53 tty1: Null reply packet, expecting CONTINUE
Fri Dec 26 23:58:50 2014 [1596]: 10.2.18.53: disconnect

BR
Jetmir SULMINA
Supervisor Planning & Optimization Unit
Datacom Department
Albtelecom & Eagle Mobile
Autostrada TR-DR Km. 7 Kashar-Tirane, Albania
Mobile: +355672644110
E-Mail: jetmir.sulmina at albtelecom.al
Website: www.albtelecom.al
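The AUTHEN/START and AUTHEN/GETUSER packets in the log above, decoded. This is an added illustration and is not code from the thread or from tac_plus: it builds the two packets from the values the log prints (session_id 0x6597b8ba, empty user, port tty1, rem_addr 172.27.1.153, 36 and 55 bytes on the wire) and parses them with the header and body layouts the TACACS+ specification defines. An empty user in an ASCII-login START is the normal case that the server answers with GETUSER, which is exactly what the log shows; the failure comes after that, when the NAS closes the connection instead of sending CONTINUE. The decoder also reports the header flag bits: 0x01 is the unencrypted flag in the specification, and if the logged `flags 0x1` is the raw header field then that bit is set and the body travels in the clear, which is worth checking on the NAS side. Packets obfuscated with the shared secret are recognised and left undecoded. The prompt text in the reply is an assumption chosen to match the logged msg_len=37; the log only shows the 0xa bytes around it.

```python
import struct
from collections import namedtuple

HEADER_LEN = 12
MAJOR_VERSION = 0xC              # "version 192 (0xc0)" in the log: major 0xc, minor 0
TAC_PLUS_AUTHEN = 0x01           # header type 1 = authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01 # header flag bit: body carried in the clear, no MD5 pseudo-pad

# Enumerations as the TACACS+ specification (RFC 8907 / the IETF draft) defines them.
AUTHEN_ACTIONS = {0x01: "login", 0x02: "chpass", 0x04: "sendauth"}
AUTHEN_TYPES = {0x01: "ascii", 0x02: "pap", 0x03: "chap", 0x04: "arap", 0x05: "mschap", 0x06: "mschapv2"}
AUTHEN_SERVICES = {0x00: "none", 0x01: "login", 0x02: "enable", 0x03: "ppp", 0x04: "arap",
                   0x05: "pt", 0x06: "rcmd", 0x07: "x25", 0x08: "nasi", 0x09: "fwproxy"}
REPLY_STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER", 0x05: "GETPASS",
                0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}

Header = namedtuple("Header", "major minor type seq_no flags session_id length")


def parse_header(buf: bytes) -> Header:
    """Fixed 12-byte header, every field big-endian."""
    if len(buf) < HEADER_LEN:
        raise ValueError("truncated header")
    version, ptype, seq_no, flags, sid, length = struct.unpack("!BBBBII", buf[:HEADER_LEN])
    if version >> 4 != MAJOR_VERSION:
        raise ValueError(f"unsupported major version {version >> 4:#x}")
    return Header(version >> 4, version & 0x0F, ptype, seq_no, flags, sid, length)


def is_unencrypted(hdr: Header) -> bool:
    return bool(hdr.flags & TAC_PLUS_UNENCRYPTED_FLAG)


def _fields(body: bytes, offset: int, lengths) -> list:
    """Slice consecutive variable-length fields; the declared lengths must consume the body exactly."""
    out = []
    for n in lengths:
        out.append(body[offset:offset + n])
        offset += n
    if offset != len(body):
        raise ValueError("body length does not match its length fields")
    return out


def parse_authen_start(body: bytes) -> dict:
    """START body: action, priv_lvl, authen_type, service, four lengths, then user/port/rem_addr/data."""
    if len(body) < 8:
        raise ValueError("truncated START body")
    action, priv, atype, svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    user, port, rem_addr, data = _fields(body, 8, (ul, pl, rl, dl))
    return {"action": AUTHEN_ACTIONS.get(action, action), "priv_lvl": priv,
            "authen_type": AUTHEN_TYPES.get(atype, atype), "service": AUTHEN_SERVICES.get(svc, svc),
            "user": user.decode("ascii", "replace"), "port": port.decode("ascii", "replace"),
            "rem_addr": rem_addr.decode("ascii", "replace"), "data": data}


def parse_authen_reply(body: bytes) -> dict:
    """REPLY body: status, flags, msg_len, data_len, then server_msg and data."""
    if len(body) < 6:
        raise ValueError("truncated REPLY body")
    status, flags, ml, dl = struct.unpack("!BBHH", body[:6])
    msg, data = _fields(body, 6, (ml, dl))
    return {"status": REPLY_STATUS.get(status, status), "flags": flags,
            "msg": msg.decode("ascii", "replace"), "data": data}


def parse_packet(buf: bytes):
    """(Header, decoded body). Odd seq_no = client (START, then CONTINUE), even = server REPLY.
    A body obfuscated with the shared secret is returned undecoded (None)."""
    hdr = parse_header(buf)
    body = buf[HEADER_LEN:]
    if len(body) != hdr.length:
        raise ValueError(f"{len(body)} body bytes present, header declares {hdr.length}")
    if not is_unencrypted(hdr) or hdr.type != TAC_PLUS_AUTHEN:
        return hdr, None
    if hdr.seq_no == 1:
        return hdr, parse_authen_start(body)
    return hdr, parse_authen_reply(body) if hdr.seq_no % 2 == 0 else None


def expected_server_status(start: dict) -> str:
    """ASCII login: an empty user in START is normal; the server answers GETUSER to ask for it."""
    return "GETUSER" if start["authen_type"] == "ascii" and not start["user"] else "GETPASS"


def _packet(seq_no: int, session_id: int, body: bytes) -> bytes:
    return struct.pack("!BBBBII", MAJOR_VERSION << 4, TAC_PLUS_AUTHEN, seq_no,
                       TAC_PLUS_UNENCRYPTED_FLAG, session_id, len(body)) + body


def build_authen_start(session_id: int, user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """ASCII-login START: action=login, priv_lvl=1, authen_type=ascii, service=login, no data."""
    body = struct.pack("!8B", 0x01, 1, 0x01, 0x01, len(user), len(port), len(rem_addr), 0)
    return _packet(1, session_id, body + user + port + rem_addr)


def build_authen_reply(session_id: int, seq_no: int, status: int, msg: bytes) -> bytes:
    return _packet(seq_no, session_id, struct.pack("!BBHH", status, 0, len(msg), 0) + msg)


# Constructed packets carrying the values the posted log reports: session_id 0x6597b8ba, empty
# user, port "tty1", rem_addr "172.27.1.153" (12 + 24 = 36 bytes), then a GETUSER reply of
# 12 + 43 = 55 bytes. The prompt text is an assumption picked to give the logged msg_len=37.
SAMPLE_START = build_authen_start(0x6597B8BA, b"", b"tty1", b"172.27.1.153")
SAMPLE_REPLY = build_authen_reply(0x6597B8BA, 2, 0x04, b"\nUser Access Verification\n\nUsername: ")
```

Running `parse_packet(SAMPLE_START)` yields the same header and body fields the daemon printed (length 24, user empty, port tty1, rem_addr 172.27.1.153) and `expected_server_status` confirms GETUSER is the right next step; feeding it a packet with the unencrypted bit clear returns the header only, because the body can then be decoded only by something that holds the shared secret.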
From heas at shrubbery.net Fri Dec 26 23:24:40 2014
From: heas at shrubbery.net (heasley)
Date: Fri, 26 Dec 2014 23:24:40 +0000
Subject: [tac_plus] Tacacs problem with packets
In-Reply-To:
References: <20141226183141.GB96701@shrubbery.net> <20141226220420.GB1182@shrubbery.net>
Message-ID: <20141226232440.GB2938@shrubbery.net>

Fri, Dec 26, 2014 at 11:02:22PM +0000, Jetmir Sulmina:
> No, just rebooting does not resolve it. The same error log appears after reboot.

based on that, it seems clearly not a tacacs problem. i would suspect either o/s patch installs changing libraries, a packet filter bug or misconfiguration, a hardware problem, a malicious co-worker or your machine is compromised.

> The packet is received from tacacs before the login fields are displayed to enter username and password. That's why the user field is empty in the logs below.

that is normal. see the IETF draft for the tacacs protocol.

From lboccass at Brocade.com Mon Dec 29 16:49:53 2014
From: lboccass at Brocade.com (Luca Boccassi)
Date: Mon, 29 Dec 2014 17:49:53 +0100
Subject: [tac_plus] [PATCH] log successful login attempts
Message-ID: <1419871793.4065.13.camel@BRA-6G85P12.vyatta.com>

Hi,

This small patch makes tac_plus log successful login attempts, which is useful in our case for test automation purposes.

Please let me know in case the preferred format for patches is different.

Kind regards,
Luca Boccassi
Brocade Communications Systems

---
 default_fn.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/default_fn.c
+++ b/default_fn.c
@@ -206,7 +206,17 @@ default_fn(struct authen_data *data) report(LOG_NOTICE, "login failure: %s %s %s", name == NULL ? "unknown" : name, session.peerip, session.port); + return(0); + case TAC_PLUS_AUTHEN_STATUS_PASS: + if (session.peer) + report(LOG_NOTICE, "login success: %s %s (%s) %s", + name == NULL ? "unknown" : name, + session.peer, session.peerip, session.port); + else + report(LOG_NOTICE, "login success: %s %s %s", + name == NULL ? "unknown" : name, + session.peerip, session.port); return(0); default: From lboccass at Brocade.com Mon Dec 29 16:49:45 2014 From: lboccass at Brocade.com (Luca Boccassi) Date: Mon, 29 Dec 2014 17:49:45 +0100 Subject: [tac_plus] [PATCH] fix ipv6 addresses logging Message-ID: <1419871785.4065.12.camel@BRA-6G85P12.vyatta.com> Hi, This small patch fixes printing IPv6 addresses in the log. Hope it can be useful. Please let me know in case the preferred format for patches is different. Kind regards, Luca Boccassi Brocade Communications Systems --- tac_plus.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 46 insertions(+), 8 deletions(-) --- a/tac_plus.c +++ b/tac_plus.c 
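Review bot: in the default_fn.c hunk at @@ -206,7 +206,17 @@ the new success record and the existing failure record just above it have different shapes: failure logs `name peerip port`, success logs `name peer (peerip) port` whenever session.peer is set. Since the stated motivation is matching these lines from test automation, give both branches the same layout (add the `if (session.peer)` variant to the failure case as well, or log IP only in both) so a single pattern catches both outcomes; if session.peer is a reverse-resolved name, keep in mind it is DNS-supplied rather than anything the NAS proved, so consumers should key on session.peerip. The inserted `return(0);` ahead of the new case is required (without it the failure case would fall through into the success log), which is worth a sentence in the commit message, and a note in the CHANGES file that a LOG_NOTICE "login success" line now appears would help anyone who filters syslog on that facility.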
@@ -262,6 +262,28 @@ open_logfile(void) } /* + * Checks if the sockaddr_storage is IPv4 mapped in IPv6 sockaddr, and if so + * converts it back in place to IPv4 sockaddr_in. This is done to avoid + * printing an IPv4 address in the unfriendly format ::ffff:192.168.0.1 + */ +static void +sockaddr_v6_mapped_convert_to_v4 (struct sockaddr_storage *name, + socklen_t *name_len) { + struct sockaddr_in6 *from6 = (struct sockaddr_in6 *)name; + + if (IN6_IS_ADDR_V4MAPPED(&from6->sin6_addr)) { + struct sockaddr_in addr4; + memset(&addr4, 0, sizeof(addr4)); + addr4.sin_family = AF_INET; + addr4.sin_port = from6->sin6_port; + memcpy(&addr4.sin_addr.s_addr, from6->sin6_addr.s6_addr + 12, + sizeof(addr4.sin_addr.s_addr)); + memcpy(name, &addr4, sizeof(addr4)); + *name_len = sizeof(addr4); + } +} + +/* * We will eventually be called from inetd or via the rc scripts directly * Parse arguments and act appropiately. */ @@ -374,9 +396,9 @@ main(int argc, char **argv) if (!standalone) { /* running under inetd */ - char host[NI_MAXHOST]; + char host[NI_MAXHOST], host_ip[INET6_ADDRSTRLEN]; int on; - struct sockaddr_in name; + struct sockaddr_storage name; socklen_t name_len; name_len = sizeof(name); @@ -402,8 +424,16 @@ main(int argc, char **argv) if (session.peerip) free(session.peerip); - session.peerip = tac_strdup((char *)inet_ntop(name.sin_family, - &name.sin_addr, host, name_len)); + + if (name.ss_family == AF_INET6) + sockaddr_v6_mapped_convert_to_v4(&name, &name_len); + if (getnameinfo((struct sockaddr *)&name, name_len, host_ip, + INET6_ADDRSTRLEN, NULL, 0, NI_NUMERICHOST)) { + strncpy(host_ip, "unknown", INET6_ADDRSTRLEN - 1); + host_ip[INET6_ADDRSTRLEN - 1] = '\0'; + } + session.peerip = tac_strdup(host_ip); + if (debug & DEBUG_AUTHEN_FLAG) report(LOG_INFO, "session.peerip is %s", session.peerip); } 
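Review bot: the inetd-path hunk at @@ -402,8 +424,16 @@ rewrites `name` in place (sockaddr_v6_mapped_convert_to_v4 shrinks it to a sockaddr_in and sets name_len to match), so anything later in main() that inspects `name`/`name_len` now sees AF_INET for a mapped peer; that is presumably the intent, so that an IPv4 NAS is logged and matched as 192.168.0.1 rather than ::ffff:192.168.0.1, but state it in the function comment and the commit message. The helper added in the first hunk is only safe on an AF_INET6 address, a check both call sites repeat; an early `if (name->ss_family != AF_INET6) return;` inside the helper would make it self-contained. The removed line `inet_ntop(name.sin_family, &name.sin_addr, host, name_len)` passed the sockaddr length as the destination buffer size instead of sizeof(host), which only worked because 16 bytes happen to hold a dotted quad, so the replacement also fixes a latent bug worth mentioning. `char host[NI_MAXHOST]` stays declared beside the new host_ip; if nothing else in the function uses host after this change, drop it to avoid an unused-variable warning.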
@@ -585,8 +615,8 @@ main(int argc, char **argv) #else int pid; #endif - char host[NI_MAXHOST]; - struct sockaddr_in from; + char host[NI_MAXHOST], host_ip[INET6_ADDRSTRLEN]; + struct sockaddr_storage from; socklen_t from_len; int newsockfd, status; int flags; @@ -637,8 +667,16 @@ main(int argc, char **argv) if (session.peerip) free(session.peerip); - session.peerip = tac_strdup((char *)inet_ntop(from.sin_family, - &from.sin_addr, host, from_len)); + + if (from.ss_family == AF_INET6) + sockaddr_v6_mapped_convert_to_v4(&from, &from_len); + if (getnameinfo((struct sockaddr *)&from, from_len, host_ip, + INET6_ADDRSTRLEN, NULL, 0, NI_NUMERICHOST)) { + strncpy(host_ip, "unknown", INET6_ADDRSTRLEN - 1); + host_ip[INET6_ADDRSTRLEN - 1] = '\0'; + } + session.peerip = tac_strdup(host_ip); + if (debug & DEBUG_PACKET_FLAG) report(LOG_DEBUG, "session request from %s sock=%d", session.peer, newsockfd); From rdrake at direcpath.com Sat Dec 27 16:22:54 2014 From: rdrake at direcpath.com (Robert Drake) Date: Sat, 27 Dec 2014 11:22:54 -0500 Subject: [tac_plus] updating configure.in(ac) for automake 1.14 Message-ID: <549EDCDE.1090605@direcpath.com> I'm attaching another patch. This one for something I half did for the debian version then decided to submit upstream. modern versions of automake fail specifically about a line called AM_C_PROTOTYPES which was designated a long time ago to be about an ansi2knr converter macro. They give alternatives, but in the end it seems that it's perfectly acceptable to leave the line out completely. There are other issues though. A hard failure caused by m4 not knowing where the macro directory is leaves it saying AC_DEFINE() doesn't exist. The fix is to say AC_CONFIG_MACRO_DIR([.]). Finally, they changed a couple of things about the initialization parts AC_INIT() and AC_INIT_AUTOMAKE(), so I've rewritten those to satisfy the new requirements and hopefully also continue working as you expect. -------------- next part -------------- 
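Review bot: the standalone-path hunk at @@ -637,8 +667,16 @@ repeats the convert/getnameinfo/strncpy/tac_strdup block from the inetd hunk line for line; fold the two into one static helper (for instance have sockaddr_v6_mapped_convert_to_v4 also fill the numeric string, or add a `peer_numeric_addr(struct sockaddr_storage *, socklen_t *, char *, size_t)` that returns it) so the two paths cannot drift apart. When getnameinfo fails the code carries on with session.peerip set to "unknown", and that sentinel then feeds everything downstream that matches on the peer address (logging and any per-host lookup); refusing the connection, or at least reporting the failure at LOG_ERR, is the safer behaviour than continuing with a placeholder.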
From d1de96f9b80cdbbc856e99f6b41f4ba7cf34a064 Mon Sep 17 00:00:00 2001 From: Robert Drake Date: Sat, 27 Dec 2014 11:04:08 -0500 Subject: [PATCH 6/6] updating configure.in(ac) for automake 1.14 This removes several obsolete commands from the configure.in file and tries to get it back to the way it's currently used without breaking anything. The m4 files could be moved into their own directory, but right now some (only the ones libtool doesn't download I think) are being shipped with make dist and the others aren't. I didn't want to touch any of those in case their directories are hardcoded anywhere. This can probably be backported to tacacs+ 4.0.4 without errors. I believe all the obsolete automake commands have been deprecated since at least 2010 so most people should be safe, and those that don't have new automake should be able to continue using the shipped configure file. The main goal, aside from making sure things work is to regenerate config.guess and config.sub since they're used to detect weird stuff and apparently someone wanted to run the code on something weird. --- Makefile.am | 4 +- configure.ac | 1005 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ configure.in | 995 --------------------------------------------------------- 3 files changed, 1007 insertions(+), 997 deletions(-) create mode 100644 configure.ac delete mode 100644 configure.in diff --git a/Makefile.am b/Makefile.am index 30ff691..de44a75 100644 --- a/Makefile.am +++ b/Makefile.am @@ -28,9 +28,9 @@ libtacacs_la_LDFLAGS += @LDFLAGS@ @PROFLIBS@ # profiling CFLAGS += $(WARN) $(DBG) $(PROFLAGS) LDADD = $(PROFLIBS) -INCLUDES = $(WRAPINCS) +AM_CPPFLAGS = $(WRAPINCS) # CPPFLAGS += @PG_CPPFLAGS@ -# INCLUDES += -I$(top_srcdir)/include @PG_CPPFLAGS@ +# AM_CPPFLAGS += -I$(top_srcdir)/include @PG_CPPFLAGS@ include_HEADERS = tacacs.h noinst_HEADERS= fdes.h des_iip.h des_ip.h des_key.h des_s_p.h md4.h mschap.h \ 
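Review bot: the INCLUDES to AM_CPPFLAGS rename in the Makefile.am hunk is the right fix for the automake deprecation, but the context lines show `CFLAGS += $(WARN) $(DBG) $(PROFLAGS)`, and CFLAGS is a user variable in the same sense INCLUDES was discouraged; AM_CFLAGS is the automake-owned equivalent, so it would be consistent to move it in the same change (LDADD is fine as it is). The commented-out `# AM_CPPFLAGS += -I$(top_srcdir)/include @PG_CPPFLAGS@` line was renamed too, which keeps it coherent, though a dead comment like that is better deleted than maintained. For the configure.in to configure.ac move, produce the patch with rename detection (git format-patch -M) so reviewers see the real edits rather than 995 deletions and 1005 insertions.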
diff --git a/configure.ac b/configure.ac new file mode 100644 index 0000000..2563047 --- /dev/null +++ b/configure.ac 
@@ -0,0 +1,1005 @@ +dnl Process this file with autoconf to produce a configure script. +dnl A configure script is provided, in cause you do not have autoconf. + +AC_PREREQ(2.13) + +dnl Keeping these in case they're used by something further down. Autoconf +dnl might not be run for every release. These are updated when "./configure" +dnl runs. +PACKAGE=`sed -n 's/.*package.*"\(.*\)".*/\1/p' $srcdir/version.h.in|tr -d ' '` +VERSION=`sed -n 's/.*version.*"\(.*\)".*/\1/p' $srcdir/version.h.in|tr -d ' '` + + +dnl VERSION needs to be updated in version.h.in such that 'make dist' +dnl uses the correct filename for the directory name and tarball and binaries +dnl get the right version numbers. +AC_INIT( [tacacs+], + m4_esyscmd([sed -n 's/.*version.*"\(.*\)".*/\1/p' ./version.h.in|tr -d ' \n']), + [tac_plus at shrubbery.net], + [tacacs+], + [http://www.shrubbery.net/tac_plus]) + +AM_INIT_AUTOMAKE + +AC_CONFIG_MACRO_DIR([.]) + +AM_MAINTAINER_MODE() + +dnl AC_CONFIG_SUBDIRS(etc man share) + +# what OS +dnl ---- XXX: these really should deal with the individual reasons why +dnl linux/whatever is different, rather than a blanket stmt +dnl is this crack, i mean linux? +AH_TEMPLATE(AIX, [define this if your o/s is AIX]) +AH_TEMPLATE(FREEBSD, [define this if your o/s is FreeBSD]) +AH_TEMPLATE(NETBSD, [define this if your o/s is NetBSD]) +AH_TEMPLATE(SOLARIS, [define this if your o/s is Solaris]) +AH_TEMPLATE(HPUX, [define this if your o/s is HPux]) +AH_TEMPLATE(LINUX, [define this if your o/s is Linux]) +AH_TEMPLATE(MIPS, [define this if your o/s is MIPS]) +AC_CANONICAL_HOST +case "${host_os}" in + *aix* ) + # For AIX + echo "See /usr/lpp/bos/bsdport on your system for details of how " \ + "to define bsdcc." 
+ CC=bsdcc; export CC + # CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS + # LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS + # LIBS="-lcrypt $LIBS"; export LIBS + AC_DEFINE(AIX) + ;; + *freebsd* ) + #CPPFLAGS="$CFLAGS -I/usr/pkg/include"; export CPPFLAGS + #LDFLAGS="$LDFLAGS -L/usr/pkg/lib -Xlinker -rpath -Xlinker /usr/pkg/lib" + #export LDFLAGS + LIBS="-lcrypt $LIBS"; export LIBS + AC_DEFINE(FREEBSD) + ;; + *netbsd* ) + #CPPFLAGS="$CFLAGS -I/usr/pkg/include"; export CPPFLAGS + #LDFLAGS="$LDFLAGS -L/usr/pkg/lib -Xlinker -rpath -Xlinker /usr/pkg/lib" + #export LDFLAGS + LIBS="-lcrypt $LIBS"; export LIBS + AC_DEFINE(NETBSD) + ;; + *solaris* ) + #CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS + #LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS + LIBS="-lnsl -lsocket"; export LIBS + AC_DEFINE(SOLARIS) + ;; + *hpux* ) + # For HP/UX + # CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS + # LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS + # LIBS="-lcrypt $LIBS"; export LIBS + AC_DEFINE(HPUX) + ;; + *linux* ) + # XXX: not sure if /usr/local is necessary. + # XXX: linux libwrap needs -lnsl. configure should check for + # existence of libnsl instead of hard-coding + CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS + LDFLAGS="$LDFLAGS -L/usr/local/lib -L/lib"; export LDFLAGS + LIBS="-lnsl -lcrypt $LIBS"; export LIBS + AC_DEFINE(LINUX) + + # XXX: does linux need glibc: -DGLIBC + ;; + *mips* ) + CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS + LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS + LIBS="-lcrypt $LIBS"; export LIBS + AC_DEFINE(MIPS) + ;; + * ) + CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS + LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS + ;; +esac + +################## + +#PATH=${PATH}:/usr/local/bin + +dnl default install location +AC_PREFIX_DEFAULT(/usr/local) + +dnl this doesnt work well if the program has not been installed before. 
+dnl # guess the --prefix setting +dnl AC_PREFIX_PROGRAM(tac_plus) + +# make sure MAKE sets ${MAKE} +AC_PATH_PROG(MAKE,gmake,no) +if test $MAKE = no; then + unset ac_cv_path_MAKE + AC_PATH_PROG(MAKE,make,no) + if test $MAKE = no; then + AC_MSG_ERROR([can't locate a make.]) + exit 1 + fi +fi +AC_PROG_MAKE_SET() + +AM_MAINTAINER_MODE() + +dnl AC_DISABLE_SHARED() +dnl use libtool, not ranlib +dnl AC_PROG_RANLIB +AC_LIBTOOL_DLOPEN() +AC_PROG_LIBTOOL() + +ACX_PTHREAD([CC=$PTHREAD_CC; CFLAGS="$CFLAGS $PTHREAD_CFLAGS"; + LIBS="$PTHREAD_LIBS $LIBS" + AC_DEFINE(HAVE_PTHREAD)]) + +# compiler specifics +AC_PROG_CC +AC_PROG_CPP +AC_C_CONST +AC_C_INLINE +AC_C_STRINGIZE + +# compiler compiler specifics +AM_PROG_LEX +dnl XXX sets LEX and LEXLIB == -fl and YYTEXT? +# see if 'lex' is flex in disguise +if test "$LEX" != "flex" ; then + AC_MSG_CHECKING([whether lex is flex in disguise]) + # this may not be a valid way to test for flex, but it's cheap. + $LEX --version > /dev/null 2>&1 + if test $? -ne 0 ; then + AC_MSG_RESULT() + AC_MSG_ERROR([registry requires gnu flex. sorry]) + fi + AC_MSG_RESULT(yes) +fi +AC_PROG_YACC +# see if 'yacc' is bison in disguise +if test "$YACC" != "bison" ; then + AC_MSG_CHECKING([whether yacc is bison in disguise]) + # this may not be a valid way to test for bison, but it's cheap. + $YACC --version > /dev/null 2>&1 + if test $? -ne 0 ; then + AC_MSG_RESULT() + AC_MSG_ERROR([registry requires gnu bison. 
sorry]) + fi + AC_MSG_RESULT(yes) +fi + +# platform specifics +AC_WORDS_BIGENDIAN +AC_LONG_64_BITS + +AC_PROG_INSTALL + +dnl configure options +dnl +dnl debug - aka compiler symbols +dnl +AC_MSG_CHECKING(whether to include symbols) +AH_TEMPLATE(DBG, [define this to include debugging support]) +AC_ARG_ENABLE(debug, +[ + --enable-debug include compiler symbols], +[ case "$enable_debug" in + no) + AC_MSG_RESULT(no) + ;; + yes) + AC_MSG_RESULT(yes) + DBG="-g" + AC_DEFINE(DBG) + ;; + *) + AC_MSG_RESULT(no) + ;; + esac ], + # ie: no --{enable,disable}-debug option, withval == "" + AC_MSG_RESULT(no) +) +AC_SUBST(DBG) +dnl +dnl warn - aka gcc warnings +dnl +dnl XXX: this should only be set for gcc.... +AC_MSG_CHECKING(whether to set gcc warnings) +AH_TEMPLATE(WARN, [define this to set pedantic gcc warnings]) +AC_ARG_ENABLE(warn, +[ + --enable-warn pedantic gcc warnings], +[ case "$enable_debug" in + no) + AC_MSG_RESULT(no) + WARN="" + AC_DEFINE(WARN) + ;; + yes) + AC_MSG_RESULT([yes -Wall]) + WARN="-Wall" + AC_DEFINE(WARN) + ;; + *) + AC_MSG_RESULT(no) + WARN="" + AC_DEFINE(WARN) + ;; + esac ], + # ie: no --{enable,disable}-warn option, withval == "" + WARN="" + AC_DEFINE(WARN) + AC_MSG_RESULT(no) +) +AC_SUBST(WARN) + +dnl +dnl libwarp - aka tcp_wrappers +dnl hijacked this from ssh, but mimiced the '*' "clause" for 'yes' +dnl +AC_MSG_CHECKING(whether to use libwrap) +AH_TEMPLATE(LIBWRAP, [define this to include libwrap (tcp_wrappers) support]) +AH_TEMPLATE(HAVE_LIBWRAP, []) +AC_ARG_WITH(libwrap, +[ + --with-libwrap[[=PATH]] libwrap (tcp_wrappers) support. PATH is dir above + lib, eg: /usr/local. (default)], +[ case "$withval" in + no) + AC_MSG_RESULT(no) + ;; + yes) + AC_MSG_RESULT(yes) + AC_DEFINE(LIBWRAP) + WRAPLIBS="-lwrap" + OLDLIBS="$LIBS" + LIBS="$WRAPLIBS $LIBS" + AC_TRY_LINK([ int allow_severity; int deny_severity; ], + [ hosts_access(); ], + [AC_DEFINE(LIBWRAP) + WRAPLIBS="-lwrap" + AC_DEFINE(HAVE_LIBWRAP) ], + [ AC_MSG_ERROR(Could not find libwrap. 
You must first install tcp_wrappers.) ]) + LIBS="$OLDLIBS" + ;; + *) + AC_MSG_RESULT(yes) + AC_DEFINE(LIBWRAP) + if test -d "$withval"; then + WRAPINCS="-I$withval/include" + WRAPLIBS="-L$withval/lib -lwrap -R$withval/lib" + else + WRAPLIBS="$withval" + fi + OLDLIBS="$LIBS" + OLDINCS="$INCLUDES" + LIBS="$WRAPLIBS $LIBS" + INCLUDES="$WRAPINCS" + AC_TRY_LINK([ int allow_severity; int deny_severity; ], + [ hosts_access(); ], + [], + [ AC_MSG_ERROR(Could not find libwrap. You must first install tcp_wrappers.) ]) + LIBS="$OLDLIBS" + INCLUDES="$OLDINCS" + ;; + esac ], + # XXX: is "no" correct? + AC_MSG_RESULT(yes) + AC_DEFINE(LIBWRAP) + WRAPLIBS="-lwrap" + OLDLIBS="$LIBS" + LIBS="$WRAPLIBS $LIBS" + AC_TRY_LINK([ int allow_severity; int deny_severity; ], + [ hosts_access(); ], + [AC_DEFINE(LIBWRAP) + WRAPLIBS="-lwrap" + AC_DEFINE(HAVE_LIBWRAP) ], + [ AC_MSG_ERROR(Could not find libwrap. You must first install tcp_wrappers.) ]) + LIBS="$OLDLIBS" +) +AC_SUBST(WRAPINCS) +AC_SUBST(WRAPLIBS) + +dnl +dnl skey - aka One Time Password mechanism +dnl +AC_MSG_CHECKING([whether to include skey support]) +AH_TEMPLATE(SKEY, [define this to include support for skey]) +AC_ARG_WITH(skey, +[ --with-skey[[=PATH]] libskey (skey) support. PATH is dir above lib, + eg: /usr/local], +[ case "$withval" in + no) + AC_MSG_RESULT(no) + ;; + yes) + AC_MSG_RESULT(yes) + AC_DEFINE(SKEY) + AC_SEARCH_LIBS([skeychallenge], [skey], + [ ], + [AC_MSG_ERROR(Could not find libskey. 
You must first install skey or provide a hint to the location of library and includes, as in --with-skey=/usr/local.)]) + ;; + *) + AC_MSG_RESULT(yes) + AC_DEFINE(SKEY) + if test -d "$withval" ; then + LDFAGS="$LDFLAGS -L$withval/lib" + CFLAGS="$CFLAGS -I$withval/include" + AC_SEARCH_LIBS([skeychallenge], [skey], + [ ], + [AC_MSG_ERROR([Could not find libskey.]) + ]) + else + AC_SEARCH_LIBS([skeychallenge], [$withval], + [ ], + [AC_MSG_ERROR([Could not find lib$withval.]) + ]) + fi + ;; + esac ], + AC_MSG_RESULT(no) + with_skey="no" +) +AC_SUBST(SKEY) +AM_CONDITIONAL([TACSKEY], [test "${with_skey}" != "no"]) + +dnl +dnl XXX: might be good to have these as config file options +dnl or just options for running scripts +dnl userid - aka TACPLUS_USERID +dnl +AC_MSG_CHECKING([whether to setuid()]) +AH_TEMPLATE(TACPLUS_USERID, [define this to a UID for setuid() at run-time]) +AC_ARG_WITH(userid, +[ --with-userid=UID tacacs will setuid(UID) after it binds the tcp port], +[ case "$withval" in + no) + AC_MSG_RESULT(no) + ;; + yes) + AC_MSG_ERROR([--with-userid requires a UID argument.]) + ;; + *) + expr $withval + 1 > /dev/null 2>&1 + if test $? != 0 ; then + AC_MSG_ERROR([--with-userid requires a numeric UID argument.]) + fi + AC_MSG_RESULT($withval) + AC_DEFINE_UNQUOTED(TACPLUS_USERID, $withval) + ;; + esac ], + # ie: no --{with,without}-userid option, withval == "" + AC_MSG_RESULT(no) +) +AC_SUBST(TACPLUS_USERID) + +dnl +dnl groupid - aka TACPLUS_GROUPID +dnl +AC_MSG_CHECKING(whether to setgid()) +AH_TEMPLATE(TACPLUS_GROUPID, [define this to a GID for setgid() at run-time]) +AC_ARG_WITH(groupid, +[ --with-groupid=UID tacacs will setgid(GID) after it binds the tcp port], +[ case "$withval" in + no) + AC_MSG_RESULT(no) + ;; + yes) + AC_MSG_ERROR([--with-groupid requires a GID argument.]) + ;; + *) + expr $withval + 1 > /dev/null 2>&1 + if test $? 
!= 0 ; then + AC_MSG_ERROR([--with-groupid requires a numeric GID argument.]) + fi + AC_MSG_RESULT($withval) + AC_DEFINE_UNQUOTED(TACPLUS_GROUPID, $withval) + ;; + esac ], + # ie: no --{with,without}-userid option, withval == "" + AC_MSG_RESULT(no) +) +AC_SUBST(TACPLUS_GROUPID) + +dnl +dnl ACLs - aka tacacs config ACLs +dnl +AC_MSG_CHECKING(whether to include ACL support) +AH_TEMPLATE(ACLS, [define this to include ACL support]) +AC_ARG_ENABLE(acls, +[ --enable-acls tacacs config ACL support (default)], +[ case "$enable_acls" in + no) + AC_MSG_RESULT(no) + use_acls=0 + ;; + yes) + AC_MSG_RESULT(yes) + AC_DEFINE(ACLS) + use_acls=1 + ;; + *) + AC_MSG_RESULT(yes) + AC_DEFINE(ACLS) + use_acls=1 + ;; + esac ], + # ie: no --{enable,disable}-acls option, withval == "" + AC_MSG_RESULT(yes) + AC_DEFINE(ACLS) + use_acls=1 +) +AC_SUBST(ACLS) + +dnl +dnl UENABLE - aka tacacs config user enable. UENABLE requires ACLS. +dnl +AC_MSG_CHECKING(whether to include user-enable support) +AH_TEMPLATE(UENABLE, [define this to include user-specific enable password support]) +AC_ARG_ENABLE(uenable, +[ --enable-uenable tacacs config per-user enable support (default)], +[ case "$enable_uenable" in + no) + AC_MSG_RESULT(no) + use_uenable=0 + ;; + yes | *) + AC_MSG_RESULT(yes) + AC_DEFINE(UENABLE) + use_uenable=1 + ;; + esac ], + # ie: no --{enable,disable}-uenable option, withval == "" + AC_MSG_RESULT(yes) + AC_DEFINE(UENABLE) + use_uenable=1 +) +AC_SUBST(UENABLE) +if test $use_acls -eq 0 -a $use_uenable -eq 1; then + AC_MSG_WARN([unenable (user enable) option requires the acls option.]) + AC_DEFINE(ACLS) + AC_SUBST(ACLS) +fi + +dnl +dnl MAXSESS - Enforce a limit on maximum sessions per user +dnl +AC_MSG_CHECKING(whether to include maximum sessions (maxsess) support) +AH_TEMPLATE(MAXSESS, [define this to include MAXSESS support to enforce a limit on maximum sessions per user ]) +AC_ARG_ENABLE(maxsess, +[ --enable-maxsess Enforce a limit on maximum sessions per user], +[ case "$enable_maxsess" 
in + no) + AC_MSG_RESULT(no) + ;; + yes) + AC_MSG_RESULT(yes) + AC_DEFINE(MAXSESS) + ;; + *) + AC_MSG_RESULT(no) + ;; + esac ], + # ie: no --{enable,disable}-maxsess option, withval == "" + AC_MSG_RESULT(no) +) +AC_SUBST(MAXSESS) +dnl +dnl ENABLE_FINGER - use finger(1) to check number of sessions a user has on +dnl a NAS. +dnl +AC_MSG_CHECKING(whether to include maxsess finger support) +AH_TEMPLATE(MAXSESS_FINGER, [define this to include support to finger NASes for +the number of sessions a user is using]) +AC_ARG_ENABLE(finger, +[ --enable-finger finger NAS for number of sessions a user is using], +[ case "$enable_finger" in + no) + AC_MSG_RESULT(no) + use_finger=0 + ;; + yes) + AC_MSG_RESULT(yes) + AC_DEFINE(MAXSESS_FINGER) + use_finger=1 + ;; + *) + AC_MSG_RESULT(no) + ;; + esac ], + # ie: no --{enable,disable}-finger option, withval == "" + AC_MSG_RESULT(no) +) +AC_SUBST(MAXSESS_FINGER) +dnl +dnl ARAP_DES - enable DES for ARAP +dnl +AC_MSG_CHECKING(whether to include ARAP DES support) +AH_TEMPLATE(ARAP_DES, [Define this if you have DES routines you can link to for ARAP (See the user guide for more details)]) +AC_ARG_ENABLE(arapdes, +[ --enable-arapdes enable DES for ARAP], +[ case "$enable_arapdes" in + yes) + AC_MSG_RESULT(yes) + AC_DEFINE(ARAP_DES) + ;; + * | no) + AC_MSG_RESULT(no) + ;; + esac ], + # ie: no --{enable,disable}-arapdes option, withval == "" + AC_MSG_RESULT(no) +) +AC_SUBST(ARAP_DES) +dnl +dnl MSCHAP - enable MSCHAP +dnl +AC_MSG_CHECKING(whether to include MSCHAP support) +AH_TEMPLATE(MSCHAP, [Define this if you need MSCHAP support]) +AC_ARG_ENABLE(mschap, +[ --enable-mschap enable MSCHAP], +[ case "$enable_mschap" in + yes) + AC_CHECK_HEADER(mschap_.h) + AC_MSG_RESULT(yes) + AC_DEFINE(MSCHAP) + ;; + * | no) + AC_MSG_RESULT(no) + ;; + esac ], + # ie: no --{enable,disable}-mschap option, withval == "" + AC_MSG_RESULT(no) +) +AC_SUBST(MSCHAP_) +dnl +dnl MSCHAP_DES - enable DES for MSCHAP +dnl +AC_MSG_CHECKING(whether to include MSCHAP DES 
support) +AH_TEMPLATE(MSCHAP_DES, [Define this if you have DES routines you can link to for MSCHAP (See the user guide for more details)]) +AC_ARG_ENABLE(mschapdes, +[ --enable-mschapdes enable DES for MSCHAP], +[ case "$enable_mschapdes" in + yes) + AC_CHECK_HEADER(mschap_des.h) + AC_MSG_RESULT(yes) + AC_DEFINE(MSCHAP_DES) + ;; + * | no) + AC_MSG_RESULT(no) + ;; + esac ], + # ie: no --{enable,disable}-mschapdes option, withval == "" + AC_MSG_RESULT(no) +) +AC_SUBST(MSCHAP_DES) + +dnl +dnl pid file location +dnl +AC_MSG_CHECKING(for alt pid file FQPN) +if test -d /var/run; then + TACPLUS_PIDFILE="/var/run/tac_plus.pid" +else + TACPLUS_PIDFILE="/etc/tac_plus.pid" +fi +AC_ARG_WITH(pidfile, +[ --with-pidfile=PATH alternate pidfile FQPN], +[ case "$withval" in + *) + AC_MSG_RESULT($withval) + TACPLUS_PIDFILE=$withval + ;; + esac ], + AC_MSG_RESULT($TACPLUS_PIDFILE) +) +AC_SUBST(TACPLUS_PIDFILE) + +dnl +dnl default accounting file location +dnl +AC_MSG_CHECKING(for alt accounting file FQPN) +if test -d /var/log; then + TACPLUS_ACCTFILE="/var/log/tac_plus.acct" +else + TACPLUS_ACCTFILE="/var/tmp/tac_plus.acct" +fi +AC_ARG_WITH(acctfile, +[ --with-acctfile=PATH alternate accounting file FQPN], +[ case "$withval" in + *) + AC_MSG_RESULT($withval) + TACPLUS_ACCTFILE=$withval + ;; + esac ], + AC_MSG_RESULT($TACPLUS_ACCTFILE) +) +AC_SUBST(TACPLUS_ACCTFILE) + +dnl +dnl default log file location +dnl +AC_MSG_CHECKING(for alt log file FQPN) +if test -d /var/log; then + TACPLUS_LOGFILE="/var/log/tac_plus.log" +else + TACPLUS_LOGFILE="/var/tmp/tac_plus.log" +fi +AC_ARG_WITH(logfile, +[ --with-logfile=PATH alternate log file FQPN], +[ case "$withval" in + *) + AC_MSG_RESULT($withval) + TACPLUS_LOGFILE=$withval + ;; + esac ], + AC_MSG_RESULT($TACPLUS_LOGFILE) +) +AC_SUBST(TACPLUS_LOGFILE) + +dnl +dnl default wholog file location +dnl +AC_MSG_CHECKING(for alt wholog file FQPN) +if test -d /var/log; then + TACPLUS_WHOLOGFILE="/var/log/tacwho.log" +else + 
TACPLUS_WHOLOGFILE="/var/tmp/tacwho.log" +fi +AC_ARG_WITH(whologfile, +[ --with-whologfile=PATH alternate wholog file FQPN], +[ case "$withval" in + *) + AC_MSG_RESULT($withval) + TACPLUS_WHOLOGFILE=$withval + ;; + esac ], + AC_MSG_RESULT($TACPLUS_WHOLOGFILE) +) +AC_SUBST(TACPLUS_WHOLOGFILE) + +dnl +dnl profiling +dnl +AC_MSG_CHECKING(whether to profile) +AH_TEMPLATE(PROFILE, [define this to include profiling]) +AC_ARG_WITH(prof, +[ --with-prof Compile in profiling.], +[ case "$withval" in + yes) + AC_MSG_RESULT(yes) + #AC_DEFINE(PROF) + PROFLAGS="-pg"; export PROFLAGS + PROFLIBS="-lc_p -lc"; export PROFLIBS + OLDCFLAGS="$CFLAGS" + OLDLIBS="$LIBS" + CFLAGS="$PROFLAGS $CFLAGS" + LIBS="$PROFLIBS $LIBS" + AC_TRY_LINK([ ], + [ moncontrol(0); ], + [AC_DEFINE(PROFILE) ], + [ AC_MSG_ERROR(Could not compile with -pg.) ]) + CFLAGS="$OLDCFLAGS" + LIBS="$OLDLIBS" + ;; + *) + AC_MSG_RESULT(no) + ;; + esac ], + AC_MSG_RESULT(no) +) +AC_SUBST(PROFLAGS) +AC_SUBST(PROFLIBS) + +# look for PAM +AH_TEMPLATE(HAVE_PAM, [define if your system has libpam]) +AC_CHECK_LIB([pam], [pam_start], + [AC_DEFINE(HAVE_PAM) + LIBS="-lpam $LIBS"]) + +# check includes/headers +AC_HEADER_STDC +AC_HEADER_TIME +AC_CHECK_HEADERS(crypt.h ctype.h errno.h fcntl.h malloc.h shadow.h stdlib.h \ + stdint.h string.h strings.h sys/resource.h sys/socket.h \ + sys/types.h sys/wait.h sysexits.h syslog.h termios.h unistd.h \ + wait.h) + +AH_TEMPLATE([SHADOW_PASSWORDS], + [define if your system has a shadow password file]) +if test $ac_cv_header_shadow_h = yes ; then + AC_DEFINE(SHADOW_PASSWORDS) +fi + +# type checks +dnl AC_TYPE_MODE_T +dnl AC_TYPE_OFF_T +dnl AC_TYPE_PID_T +AC_TYPE_SIGNAL +dnl AC_TYPE_SIZE_T +# Do we have socklen_t definition? +AC_CHECK_TYPES([socklen_t], [], [], [#if HAVE_SYS_TYPES_H +# include +#endif +#if HAVE_SYS_SOCKET_H +# include +#endif]) +# Do we have pid_t definition? 
+AC_CHECK_TYPES([pid_t], [], [], [#if HAVE_SYS_TYPES_H +# include +#endif +#if HAVE_UNISTD_H +# include +#endif]) + +# check functions +AC_CHECK_FUNCS([getdtablesize memcpy memset strchr strcspn strerror strrchr \ + wait3 wait4 waitpid]) +AC_FUNC_SETPGRP + +# Is the wait(2) status an int or union +AH_TEMPLATE([UNIONWAIT], + [define this if your waitpid() takes an union wait status pointer]) +AC_MSG_CHECKING([if waitpid takes a union wait]) +AC_TRY_COMPILE([#if HAVE_SYS_WAIT_H +# include +#endif +#if HAVE_WAIT_H +# include +#endif], [union wait status; +int pid; +pid = wait (&status); +#ifdef WEXITSTATUS +/* Some POSIX systems have both the new-style macros and the old + union wait type, and they do not work together. If union wait + conflicts with WEXITSTATUS et al, we dont want to use it. + */ +if (WEXITSTATUS(status) != 0) + pid = -1; +#ifdef WTERMSIG + /* If we have WEXITSTATUS and WTERMSIG, just use them on ints. */ + -- blow chunks here -- +#endif +#endif +#ifdef HAVE_WAITPID + /* Make sure union wait works with waitpid. */ + pid = waitpid(-1, &status, 0); +#endif], +[AC_MSG_RESULT(yes) + AC_DEFINE(UNIONWAIT)], +[AC_MSG_RESULT(no)]) + +# Check for re-arming signal +AH_TEMPLATE([REARMSIGNAL], + [define this if you find that your daemon quits after being sent + more than one SIGUSR1. 
Some systems need to explicitly re-arm + signals after they've been used once]) +AC_MSG_CHECKING([if signals need to be re-armed]) +AC_TRY_RUN([#include +#if HAVE_STDLIB_H +#include +#endif +#if HAVE_UNISTD_H +#include +#endif +int hit = 0; +RETSIGTYPE +handler(n) +int n; +{ + hit++; +} +int main() +{ + signal(SIGUSR1, handler); + kill(getpid(), SIGUSR1); + kill(getpid(), SIGUSR1); + if (hit == 2) + exit(0); + else + exit(114); +}], +[AC_MSG_RESULT(no)], +[AC_MSG_RESULT(yes);AC_DEFINE(REARMSIGNAL)], +[AC_MSG_WARN([tac_plus may be less efficient when cross-compiled]) + AC_DEFINE(REARMSIGNAL)], +) + +# Check for need to reap children when the default is to ignore SIGCHLD +AH_TEMPLATE([REAPCHILD], + [define this if your o/s needs children reaped even though the + SIGCHLD default is SIG_IGN]) +AH_TEMPLATE([REAPSIGIGN], + [define this if your o/s needs children reaped even with an + explicit SIG_IGN]) +AC_MSG_CHECKING([if children need to be reaped]) +AC_TRY_RUN([#include +#if HAVE_STDLIB_H +#include +#endif +#if HAVE_UNISTD_H +#include +#endif +#if HAVE_SYS_WAIT_H +#include +#endif +#if HAVE_SYS_RESOURCE_H +#include +#endif +#include +pid_t child, pid; +int main() +{ + int status; + child = vfork(); + if (child == 0) + exit(1); +#if HAVE_WAIT4 + pid = wait4(child, &status, WNOHANG, NULL); +#else + do { + pid = wait3(&status, WNOHANG, NULL); + } while (pid != child && pid != -1); +#endif + if (pid == -1 && errno == ECHILD) + exit(0); + exit(114); +}], +[AC_MSG_RESULT(no)], +[AC_MSG_RESULT(yes) + AC_DEFINE(REAPCHILD) + # try again with SIG_IGN + AC_MSG_CHECKING([if children need to be reaped with SIG_IGN]) + AC_TRY_RUN([#include +#if HAVE_STDLIB_H +#include +#endif +#if HAVE_UNISTD_H +#include +#endif +#if HAVE_SYS_WAIT_H +#include +#endif +#if HAVE_SYS_RESOURCE_H +#include +#endif +#include +pid_t child, pid; +int main() +{ + int status; + signal(SIGCHLD, SIG_IGN); + child = vfork(); + if (child == 0) + exit(1); +#if HAVE_WAIT4 + pid = wait4(child, &status, WNOHANG, 
NULL); +#else + do { + pid = wait3(&status, WNOHANG, NULL); + } while (pid != child && pid != -1); +#endif + if (pid == -1 && errno == ECHILD) + exit(0); + exit(114); +}], + [AC_MSG_RESULT(no)], + [AC_MSG_RESULT(yes);AC_DEFINE(REAPSIGIGN)])], +[AC_MSG_WARN([tac_plus may be less efficient when cross-compiled]) + AC_DEFINE(REAPCHILD)], +) + +# Find an appropriate tar for use in "dist" targets. A "best guess" +# is good enough -- if we can't find GNU tar, we don't really care. +AC_CHECK_PROGS(TAR, gnutar gtar tar) + +AC_SUBST(INST_PROGS) +INST_PROGS=$progs + +dnl locate perl 5 +AC_PROG_INSTALL +AC_PATH_PROG(PERLV_PATH,perl5,no) +if test $PERLV_PATH = no; then + unset ac_cv_path_PERLV_PATH + AC_PATH_PROG(PERLV_PATH,perl,no) + if test $PERLV_PATH = no; then + AC_MSG_ERROR([can't locate a suitable perl5.]) + exit 1 + else + $PERLV_PATH -e 'require 5;' + if test $? -ne 0 ; then + AC_MSG_ERROR([can't locate a suitable perl5.]) + exit 1 + fi + fi +fi +AC_SUBST(PERLV_PATH) + +AC_SUBST(CFLAGS) +AC_SUBST(CPPFLAGS) +AC_SUBST(LDFLAGS) +dnl AC_SUBST(PG_LDFLAGS) +dnl AC_SUBST(PG_CPPFLAGS) + +# i did this so that i could end up w/ a #define for the config file */ +if test "x$prefix" = xNONE; then + prefix_save=$prefix + prefix=$ac_default_prefix + MYSYSCONFDIR=`eval echo $sysconfdir` + prefix=$prefix_save +else + MYSYSCONFDIR=`eval echo $sysconfdir` +fi +AC_SUBST(MYSYSCONFDIR) + +# autoheader bits +AH_TOP([ +#ifndef CONFIG_H +#define CONFIG_H 1 +]) +AH_BOTTOM([ +/* UENABLE requires ACLS */ +#ifdef UENABLE +# ifndef ACLS +# define ACLS 1 +# endif +#endif + +/* MAXSESS_FINGER requires MAXSESS */ +#ifdef MAXSESS_FINGER +# ifndef MAXSESS +# define MAXSESS 1 +# endif +#endif + +/* Some, eg: solaris 2.6, dont have socklen_t */ +#ifndef HAVE_SOCKLEN_T +# define socklen_t int +#endif + +/* host specifics */ +/* Define this if your password file does not contain age and comment fields. 
*/ +#define NO_PWAGE + +#if AIX +/* + * The only way to properly compile BSD stuff on AIX is to define a + * "bsdcc" compiler on your system. See /usr/lpp/bos/bsdport on your + * system for details. People who do NOT do this tell me that the code + * still compiles but that it then doesn't behave correctly e.g. child + * processes are not reaped correctly. Don't expect much sympathy if + * you do this. + */ +# define _BSD 1 +# define _BSD_INCLUDES +# define NO_PWAGE +#endif /* AIX */ + +#if LINUX +# define NO_PWAGE +# include +# ifdef GLIBC +# define CONST_SYSERRLIST +# endif +#endif /* LINUX */ + +#if NETBSD +# define NO_PWAGE +# define CONST_SYSERRLIST +#endif + +#if FREEBSD +# define CONST_SYSERRLIST +# define NO_PWAGE +#endif + +#if BSDI +# define NO_PWAGE +#endif +#endif /* CONFIG_H */ +]) +AC_CONFIG_HEADERS(config.h) +AC_CONFIG_FILES(Makefile version.h pathsl.h tac_plus.8 tac_plus.conf.5) + +AC_OUTPUT() diff --git a/configure.in b/configure.in deleted file mode 100644 index 43cafc7..0000000 --- a/configure.in +++ /dev/null 
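Review bot: the default-path blocks in the new configure.ac fall back to a world-writable directory when /var/log is missing (TACPLUS_ACCTFILE="/var/tmp/tac_plus.acct", TACPLUS_LOGFILE="/var/tmp/tac_plus.log", TACPLUS_WHOLOGFILE="/var/tmp/tacwho.log"); a daemon that starts as root and opens fixed names under /var/tmp is exposed to symlink and pre-creation games by any local user, so either fail configure with AC_MSG_ERROR or default under $localstatedir instead. The --with-pidfile/--with-acctfile/--with-logfile/--with-whologfile handlers also match only `*)`, so `--without-acctfile` (withval=no) silently sets the path to the literal string "no"; add a `no)` arm that keeps the computed default. In the mschapdes block, AC_CHECK_HEADER(mschap_des.h) runs but its result is discarded and MSCHAP_DES is defined regardless; pass an action-if-not-found that errors out so a build with --enable-mschapdes and no header fails at configure time rather than deep in the compile.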
@@ -1,995 +0,0 @@ -dnl Process this file with autoconf to produce a configure script. -dnl A configure script is provided, in cause you do not have autoconf. - -AC_PREREQ(2.13) -AC_INIT(CHANGES) - -PACKAGE=`sed -n 's/.*package.*"\(.*\)".*/\1/p' $srcdir/version.h.in|tr -d ' '` -VERSION=`sed -n 's/.*version.*"\(.*\)".*/\1/p' $srcdir/version.h.in|tr -d ' '` - -dnl VERSION needs to be updated in version.h.in such that 'make dist' -dnl uses the correct filename for the directory name and tarball and binaries -dnl get the right version numbers. -AM_INIT_AUTOMAKE($PACKAGE, $VERSION, tac_plus at shrubbery.net) - -AM_MAINTAINER_MODE() - -dnl AC_CONFIG_SUBDIRS(etc man share) - -# what OS -dnl ---- XXX: these really should deal with the individual reasons why -dnl linux/whatever is different, rather than a blanket stmt -dnl is this crack, i mean linux? -AH_TEMPLATE(AIX, [define this if your o/s is AIX]) -AH_TEMPLATE(FREEBSD, [define this if your o/s is FreeBSD]) -AH_TEMPLATE(NETBSD, [define this if your o/s is NetBSD]) -AH_TEMPLATE(SOLARIS, [define this if your o/s is Solaris]) -AH_TEMPLATE(HPUX, [define this if your o/s is HPux]) -AH_TEMPLATE(LINUX, [define this if your o/s is Linux]) -AH_TEMPLATE(MIPS, [define this if your o/s is MIPS]) -AC_CANONICAL_HOST -case "${host_os}" in - *aix* ) - # For AIX - echo "See /usr/lpp/bos/bsdport on your system for details of how " \ - "to define bsdcc." 
- CC=bsdcc; export CC - # CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS - # LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS - # LIBS="-lcrypt $LIBS"; export LIBS - AC_DEFINE(AIX) - ;; - *freebsd* ) - #CPPFLAGS="$CFLAGS -I/usr/pkg/include"; export CPPFLAGS - #LDFLAGS="$LDFLAGS -L/usr/pkg/lib -Xlinker -rpath -Xlinker /usr/pkg/lib" - #export LDFLAGS - LIBS="-lcrypt $LIBS"; export LIBS - AC_DEFINE(FREEBSD) - ;; - *netbsd* ) - #CPPFLAGS="$CFLAGS -I/usr/pkg/include"; export CPPFLAGS - #LDFLAGS="$LDFLAGS -L/usr/pkg/lib -Xlinker -rpath -Xlinker /usr/pkg/lib" - #export LDFLAGS - LIBS="-lcrypt $LIBS"; export LIBS - AC_DEFINE(NETBSD) - ;; - *solaris* ) - #CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS - #LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS - LIBS="-lnsl -lsocket"; export LIBS - AC_DEFINE(SOLARIS) - ;; - *hpux* ) - # For HP/UX - # CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS - # LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS - # LIBS="-lcrypt $LIBS"; export LIBS - AC_DEFINE(HPUX) - ;; - *linux* ) - # XXX: not sure if /usr/local is necessary. - # XXX: linux libwrap needs -lnsl. configure should check for - # existence of libnsl instead of hard-coding - CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS - LDFLAGS="$LDFLAGS -L/usr/local/lib -L/lib"; export LDFLAGS - LIBS="-lnsl -lcrypt $LIBS"; export LIBS - AC_DEFINE(LINUX) - - # XXX: does linux need glibc: -DGLIBC - ;; - *mips* ) - CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS - LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS - LIBS="-lcrypt $LIBS"; export LIBS - AC_DEFINE(MIPS) - ;; - * ) - CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS - LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS - ;; -esac - -################## - -#PATH=${PATH}:/usr/local/bin - -dnl default install location -AC_PREFIX_DEFAULT(/usr/local) - -dnl this doesnt work well if the program has not been installed before. 
-dnl # guess the --prefix setting -dnl AC_PREFIX_PROGRAM(tac_plus) - -# make sure MAKE sets ${MAKE} -AC_PATH_PROG(MAKE,gmake,no) -if test $MAKE = no; then - unset ac_cv_path_MAKE - AC_PATH_PROG(MAKE,make,no) - if test $MAKE = no; then - AC_MSG_ERROR([can't locate a make.]) - exit 1 - fi -fi -AC_PROG_MAKE_SET() - -AM_MAINTAINER_MODE() - -dnl AC_DISABLE_SHARED() -dnl use libtool, not ranlib -dnl AC_PROG_RANLIB -AC_LIBTOOL_DLOPEN() -AC_PROG_LIBTOOL() - -ACX_PTHREAD([CC=$PTHREAD_CC; CFLAGS="$CFLAGS $PTHREAD_CFLAGS"; - LIBS="$PTHREAD_LIBS $LIBS" - AC_DEFINE(HAVE_PTHREAD)]) - -# compiler specifics -AC_PROG_CC -AM_C_PROTOTYPES -AC_PROG_CPP -AC_C_CONST -AC_C_INLINE -AC_C_STRINGIZE - -# compiler compiler specifics -AM_PROG_LEX -dnl XXX sets LEX and LEXLIB == -fl and YYTEXT? -# see if 'lex' is flex in disguise -if test "$LEX" != "flex" ; then - AC_MSG_CHECKING([whether lex is flex in disguise]) - # this may not be a valid way to test for flex, but it's cheap. - $LEX --version > /dev/null 2>&1 - if test $? -ne 0 ; then - AC_MSG_RESULT() - AC_MSG_ERROR([registry requires gnu flex. sorry]) - fi - AC_MSG_RESULT(yes) -fi -AC_PROG_YACC -# see if 'yacc' is bison in disguise -if test "$YACC" != "bison" ; then - AC_MSG_CHECKING([whether yacc is bison in disguise]) - # this may not be a valid way to test for bison, but it's cheap. - $YACC --version > /dev/null 2>&1 - if test $? -ne 0 ; then - AC_MSG_RESULT() - AC_MSG_ERROR([registry requires gnu bison. 
sorry]) - fi - AC_MSG_RESULT(yes) -fi - -# platform specifics -AC_WORDS_BIGENDIAN -AC_LONG_64_BITS - -AC_PROG_INSTALL - -dnl configure options -dnl -dnl debug - aka compiler symbols -dnl -AC_MSG_CHECKING(whether to include symbols) -AH_TEMPLATE(DBG, [define this to include debugging support]) -AC_ARG_ENABLE(debug, -[ - --enable-debug include compiler symbols], -[ case "$enable_debug" in - no) - AC_MSG_RESULT(no) - ;; - yes) - AC_MSG_RESULT(yes) - DBG="-g" - AC_DEFINE(DBG) - ;; - *) - AC_MSG_RESULT(no) - ;; - esac ], - # ie: no --{enable,disable}-debug option, withval == "" - AC_MSG_RESULT(no) -) -AC_SUBST(DBG) -dnl -dnl warn - aka gcc warnings -dnl -dnl XXX: this should only be set for gcc.... -AC_MSG_CHECKING(whether to set gcc warnings) -AH_TEMPLATE(WARN, [define this to set pedantic gcc warnings]) -AC_ARG_ENABLE(warn, -[ - --enable-warn pedantic gcc warnings], -[ case "$enable_debug" in - no) - AC_MSG_RESULT(no) - WARN="" - AC_DEFINE(WARN) - ;; - yes) - AC_MSG_RESULT([yes -Wall]) - WARN="-Wall" - AC_DEFINE(WARN) - ;; - *) - AC_MSG_RESULT(no) - WARN="" - AC_DEFINE(WARN) - ;; - esac ], - # ie: no --{enable,disable}-warn option, withval == "" - WARN="" - AC_DEFINE(WARN) - AC_MSG_RESULT(no) -) -AC_SUBST(WARN) - -dnl -dnl libwarp - aka tcp_wrappers -dnl hijacked this from ssh, but mimiced the '*' "clause" for 'yes' -dnl -AC_MSG_CHECKING(whether to use libwrap) -AH_TEMPLATE(LIBWRAP, [define this to include libwrap (tcp_wrappers) support]) -AH_TEMPLATE(HAVE_LIBWRAP, []) -AC_ARG_WITH(libwrap, -[ - --with-libwrap[[=PATH]] libwrap (tcp_wrappers) support. PATH is dir above - lib, eg: /usr/local. (default)], -[ case "$withval" in - no) - AC_MSG_RESULT(no) - ;; - yes) - AC_MSG_RESULT(yes) - AC_DEFINE(LIBWRAP) - WRAPLIBS="-lwrap" - OLDLIBS="$LIBS" - LIBS="$WRAPLIBS $LIBS" - AC_TRY_LINK([ int allow_severity; int deny_severity; ], - [ hosts_access(); ], - [AC_DEFINE(LIBWRAP) - WRAPLIBS="-lwrap" - AC_DEFINE(HAVE_LIBWRAP) ], - [ AC_MSG_ERROR(Could not find libwrap. 
You must first install tcp_wrappers.) ]) - LIBS="$OLDLIBS" - ;; - *) - AC_MSG_RESULT(yes) - AC_DEFINE(LIBWRAP) - if test -d "$withval"; then - WRAPINCS="-I$withval/include" - WRAPLIBS="-L$withval/lib -lwrap -R$withval/lib" - else - WRAPLIBS="$withval" - fi - OLDLIBS="$LIBS" - OLDINCS="$INCLUDES" - LIBS="$WRAPLIBS $LIBS" - INCLUDES="$WRAPINCS" - AC_TRY_LINK([ int allow_severity; int deny_severity; ], - [ hosts_access(); ], - [], - [ AC_MSG_ERROR(Could not find libwrap. You must first install tcp_wrappers.) ]) - LIBS="$OLDLIBS" - INCLUDES="$OLDINCS" - ;; - esac ], - # XXX: is "no" correct? - AC_MSG_RESULT(yes) - AC_DEFINE(LIBWRAP) - WRAPLIBS="-lwrap" - OLDLIBS="$LIBS" - LIBS="$WRAPLIBS $LIBS" - AC_TRY_LINK([ int allow_severity; int deny_severity; ], - [ hosts_access(); ], - [AC_DEFINE(LIBWRAP) - WRAPLIBS="-lwrap" - AC_DEFINE(HAVE_LIBWRAP) ], - [ AC_MSG_ERROR(Could not find libwrap. You must first install tcp_wrappers.) ]) - LIBS="$OLDLIBS" -) -AC_SUBST(WRAPINCS) -AC_SUBST(WRAPLIBS) - -dnl -dnl skey - aka One Time Password mechanism -dnl -AC_MSG_CHECKING([whether to include skey support]) -AH_TEMPLATE(SKEY, [define this to include support for skey]) -AC_ARG_WITH(skey, -[ --with-skey[[=PATH]] libskey (skey) support. PATH is dir above lib, - eg: /usr/local], -[ case "$withval" in - no) - AC_MSG_RESULT(no) - ;; - yes) - AC_MSG_RESULT(yes) - AC_DEFINE(SKEY) - AC_SEARCH_LIBS([skeychallenge], [skey], - [ ], - [AC_MSG_ERROR(Could not find libskey. 
You must first install skey or provide a hint to the location of library and includes, as in --with-skey=/usr/local.)]) - ;; - *) - AC_MSG_RESULT(yes) - AC_DEFINE(SKEY) - if test -d "$withval" ; then - LDFAGS="$LDFLAGS -L$withval/lib" - CFLAGS="$CFLAGS -I$withval/include" - AC_SEARCH_LIBS([skeychallenge], [skey], - [ ], - [AC_MSG_ERROR([Could not find libskey.]) - ]) - else - AC_SEARCH_LIBS([skeychallenge], [$withval], - [ ], - [AC_MSG_ERROR([Could not find lib$withval.]) - ]) - fi - ;; - esac ], - AC_MSG_RESULT(no) - with_skey="no" -) -AC_SUBST(SKEY) -AM_CONDITIONAL([TACSKEY], [test "${with_skey}" != "no"]) - -dnl -dnl XXX: might be good to have these as config file options -dnl or just options for running scripts -dnl userid - aka TACPLUS_USERID -dnl -AC_MSG_CHECKING([whether to setuid()]) -AH_TEMPLATE(TACPLUS_USERID, [define this to a UID for setuid() at run-time]) -AC_ARG_WITH(userid, -[ --with-userid=UID tacacs will setuid(UID) after it binds the tcp port], -[ case "$withval" in - no) - AC_MSG_RESULT(no) - ;; - yes) - AC_MSG_ERROR([--with-userid requires a UID argument.]) - ;; - *) - expr $withval + 1 > /dev/null 2>&1 - if test $? != 0 ; then - AC_MSG_ERROR([--with-userid requires a numeric UID argument.]) - fi - AC_MSG_RESULT($withval) - AC_DEFINE_UNQUOTED(TACPLUS_USERID, $withval) - ;; - esac ], - # ie: no --{with,without}-userid option, withval == "" - AC_MSG_RESULT(no) -) -AC_SUBST(TACPLUS_USERID) - -dnl -dnl groupid - aka TACPLUS_GROUPID -dnl -AC_MSG_CHECKING(whether to setgid()) -AH_TEMPLATE(TACPLUS_GROUPID, [define this to a GID for setgid() at run-time]) -AC_ARG_WITH(groupid, -[ --with-groupid=UID tacacs will setgid(GID) after it binds the tcp port], -[ case "$withval" in - no) - AC_MSG_RESULT(no) - ;; - yes) - AC_MSG_ERROR([--with-groupid requires a GID argument.]) - ;; - *) - expr $withval + 1 > /dev/null 2>&1 - if test $? 
!= 0 ; then - AC_MSG_ERROR([--with-groupid requires a numeric GID argument.]) - fi - AC_MSG_RESULT($withval) - AC_DEFINE_UNQUOTED(TACPLUS_GROUPID, $withval) - ;; - esac ], - # ie: no --{with,without}-userid option, withval == "" - AC_MSG_RESULT(no) -) -AC_SUBST(TACPLUS_GROUPID) - -dnl -dnl ACLs - aka tacacs config ACLs -dnl -AC_MSG_CHECKING(whether to include ACL support) -AH_TEMPLATE(ACLS, [define this to include ACL support]) -AC_ARG_ENABLE(acls, -[ --enable-acls tacacs config ACL support (default)], -[ case "$enable_acls" in - no) - AC_MSG_RESULT(no) - use_acls=0 - ;; - yes) - AC_MSG_RESULT(yes) - AC_DEFINE(ACLS) - use_acls=1 - ;; - *) - AC_MSG_RESULT(yes) - AC_DEFINE(ACLS) - use_acls=1 - ;; - esac ], - # ie: no --{enable,disable}-acls option, withval == "" - AC_MSG_RESULT(yes) - AC_DEFINE(ACLS) - use_acls=1 -) -AC_SUBST(ACLS) - -dnl -dnl UENABLE - aka tacacs config user enable. UENABLE requires ACLS. -dnl -AC_MSG_CHECKING(whether to include user-enable support) -AH_TEMPLATE(UENABLE, [define this to include user-specific enable password support]) -AC_ARG_ENABLE(uenable, -[ --enable-uenable tacacs config per-user enable support (default)], -[ case "$enable_uenable" in - no) - AC_MSG_RESULT(no) - use_uenable=0 - ;; - yes | *) - AC_MSG_RESULT(yes) - AC_DEFINE(UENABLE) - use_uenable=1 - ;; - esac ], - # ie: no --{enable,disable}-uenable option, withval == "" - AC_MSG_RESULT(yes) - AC_DEFINE(UENABLE) - use_uenable=1 -) -AC_SUBST(UENABLE) -if test $use_acls -eq 0 -a $use_uenable -eq 1; then - AC_MSG_WARN([unenable (user enable) option requires the acls option.]) - AC_DEFINE(ACLS) - AC_SUBST(ACLS) -fi - -dnl -dnl MAXSESS - Enforce a limit on maximum sessions per user -dnl -AC_MSG_CHECKING(whether to include maximum sessions (maxsess) support) -AH_TEMPLATE(MAXSESS, [define this to include MAXSESS support to enforce a limit on maximum sessions per user ]) -AC_ARG_ENABLE(maxsess, -[ --enable-maxsess Enforce a limit on maximum sessions per user], -[ case "$enable_maxsess" 
in - no) - AC_MSG_RESULT(no) - ;; - yes) - AC_MSG_RESULT(yes) - AC_DEFINE(MAXSESS) - ;; - *) - AC_MSG_RESULT(no) - ;; - esac ], - # ie: no --{enable,disable}-maxsess option, withval == "" - AC_MSG_RESULT(no) -) -AC_SUBST(MAXSESS) -dnl -dnl ENABLE_FINGER - use finger(1) to check number of sessions a user has on -dnl a NAS. -dnl -AC_MSG_CHECKING(whether to include maxsess finger support) -AH_TEMPLATE(MAXSESS_FINGER, [define this to include support to finger NASes for -the number of sessions a user is using]) -AC_ARG_ENABLE(finger, -[ --enable-finger finger NAS for number of sessions a user is using], -[ case "$enable_finger" in - no) - AC_MSG_RESULT(no) - use_finger=0 - ;; - yes) - AC_MSG_RESULT(yes) - AC_DEFINE(MAXSESS_FINGER) - use_finger=1 - ;; - *) - AC_MSG_RESULT(no) - ;; - esac ], - # ie: no --{enable,disable}-finger option, withval == "" - AC_MSG_RESULT(no) -) -AC_SUBST(MAXSESS_FINGER) -dnl -dnl ARAP_DES - enable DES for ARAP -dnl -AC_MSG_CHECKING(whether to include ARAP DES support) -AH_TEMPLATE(ARAP_DES, [Define this if you have DES routines you can link to for ARAP (See the user guide for more details)]) -AC_ARG_ENABLE(arapdes, -[ --enable-arapdes enable DES for ARAP], -[ case "$enable_arapdes" in - yes) - AC_MSG_RESULT(yes) - AC_DEFINE(ARAP_DES) - ;; - * | no) - AC_MSG_RESULT(no) - ;; - esac ], - # ie: no --{enable,disable}-arapdes option, withval == "" - AC_MSG_RESULT(no) -) -AC_SUBST(ARAP_DES) -dnl -dnl MSCHAP - enable MSCHAP -dnl -AC_MSG_CHECKING(whether to include MSCHAP support) -AH_TEMPLATE(MSCHAP, [Define this if you need MSCHAP support]) -AC_ARG_ENABLE(mschap, -[ --enable-mschap enable MSCHAP], -[ case "$enable_mschap" in - yes) - AC_CHECK_HEADER(mschap_.h) - AC_MSG_RESULT(yes) - AC_DEFINE(MSCHAP) - ;; - * | no) - AC_MSG_RESULT(no) - ;; - esac ], - # ie: no --{enable,disable}-mschap option, withval == "" - AC_MSG_RESULT(no) -) -AC_SUBST(MSCHAP_) -dnl -dnl MSCHAP_DES - enable DES for MSCHAP -dnl -AC_MSG_CHECKING(whether to include MSCHAP DES 
support) -AH_TEMPLATE(MSCHAP_DES, [Define this if you have DES routines you can link to for MSCHAP (See the user guide for more details)]) -AC_ARG_ENABLE(mschapdes, -[ --enable-mschapdes enable DES for MSCHAP], -[ case "$enable_mschapdes" in - yes) - AC_CHECK_HEADER(mschap_des.h) - AC_MSG_RESULT(yes) - AC_DEFINE(MSCHAP_DES) - ;; - * | no) - AC_MSG_RESULT(no) - ;; - esac ], - # ie: no --{enable,disable}-mschapdes option, withval == "" - AC_MSG_RESULT(no) -) -AC_SUBST(MSCHAP_DES) - -dnl -dnl pid file location -dnl -AC_MSG_CHECKING(for alt pid file FQPN) -if test -d /var/run; then - TACPLUS_PIDFILE="/var/run/tac_plus.pid" -else - TACPLUS_PIDFILE="/etc/tac_plus.pid" -fi -AC_ARG_WITH(pidfile, -[ --with-pidfile=PATH alternate pidfile FQPN], -[ case "$withval" in - *) - AC_MSG_RESULT($withval) - TACPLUS_PIDFILE=$withval - ;; - esac ], - AC_MSG_RESULT($TACPLUS_PIDFILE) -) -AC_SUBST(TACPLUS_PIDFILE) - -dnl -dnl default accounting file location -dnl -AC_MSG_CHECKING(for alt accounting file FQPN) -if test -d /var/log; then - TACPLUS_ACCTFILE="/var/log/tac_plus.acct" -else - TACPLUS_ACCTFILE="/var/tmp/tac_plus.acct" -fi -AC_ARG_WITH(acctfile, -[ --with-acctfile=PATH alternate accounting file FQPN], -[ case "$withval" in - *) - AC_MSG_RESULT($withval) - TACPLUS_ACCTFILE=$withval - ;; - esac ], - AC_MSG_RESULT($TACPLUS_ACCTFILE) -) -AC_SUBST(TACPLUS_ACCTFILE) - -dnl -dnl default log file location -dnl -AC_MSG_CHECKING(for alt log file FQPN) -if test -d /var/log; then - TACPLUS_LOGFILE="/var/log/tac_plus.log" -else - TACPLUS_LOGFILE="/var/tmp/tac_plus.log" -fi -AC_ARG_WITH(logfile, -[ --with-logfile=PATH alternate log file FQPN], -[ case "$withval" in - *) - AC_MSG_RESULT($withval) - TACPLUS_LOGFILE=$withval - ;; - esac ], - AC_MSG_RESULT($TACPLUS_LOGFILE) -) -AC_SUBST(TACPLUS_LOGFILE) - -dnl -dnl default wholog file location -dnl -AC_MSG_CHECKING(for alt wholog file FQPN) -if test -d /var/log; then - TACPLUS_WHOLOGFILE="/var/log/tacwho.log" -else - 
TACPLUS_WHOLOGFILE="/var/tmp/tacwho.log" -fi -AC_ARG_WITH(whologfile, -[ --with-whologfile=PATH alternate wholog file FQPN], -[ case "$withval" in - *) - AC_MSG_RESULT($withval) - TACPLUS_WHOLOGFILE=$withval - ;; - esac ], - AC_MSG_RESULT($TACPLUS_WHOLOGFILE) -) -AC_SUBST(TACPLUS_WHOLOGFILE) - -dnl -dnl profiling -dnl -AC_MSG_CHECKING(whether to profile) -AH_TEMPLATE(PROFILE, [define this to include profiling]) -AC_ARG_WITH(prof, -[ --with-prof Compile in profiling.], -[ case "$withval" in - yes) - AC_MSG_RESULT(yes) - #AC_DEFINE(PROF) - PROFLAGS="-pg"; export PROFLAGS - PROFLIBS="-lc_p -lc"; export PROFLIBS - OLDCFLAGS="$CFLAGS" - OLDLIBS="$LIBS" - CFLAGS="$PROFLAGS $CFLAGS" - LIBS="$PROFLIBS $LIBS" - AC_TRY_LINK([ ], - [ moncontrol(0); ], - [AC_DEFINE(PROFILE) ], - [ AC_MSG_ERROR(Could not compile with -pg.) ]) - CFLAGS="$OLDCFLAGS" - LIBS="$OLDLIBS" - ;; - *) - AC_MSG_RESULT(no) - ;; - esac ], - AC_MSG_RESULT(no) -) -AC_SUBST(PROFLAGS) -AC_SUBST(PROFLIBS) - -# look for PAM -AH_TEMPLATE(HAVE_PAM, [define if your system has libpam]) -AC_CHECK_LIB([pam], [pam_start], - [AC_DEFINE(HAVE_PAM) - LIBS="-lpam $LIBS"]) - -# check includes/headers -AC_HEADER_STDC -AC_HEADER_TIME -AC_CHECK_HEADERS(crypt.h ctype.h errno.h fcntl.h malloc.h shadow.h stdlib.h \ - stdint.h string.h strings.h sys/resource.h sys/socket.h \ - sys/types.h sys/wait.h sysexits.h syslog.h termios.h unistd.h \ - wait.h) - -AH_TEMPLATE([SHADOW_PASSWORDS], - [define if your system has a shadow password file]) -if test $ac_cv_header_shadow_h = yes ; then - AC_DEFINE(SHADOW_PASSWORDS) -fi - -# type checks -dnl AC_TYPE_MODE_T -dnl AC_TYPE_OFF_T -dnl AC_TYPE_PID_T -AC_TYPE_SIGNAL -dnl AC_TYPE_SIZE_T -# Do we have socklen_t definition? -AC_CHECK_TYPES([socklen_t], [], [], [#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_SOCKET_H -# include -#endif]) -# Do we have pid_t definition? 
-AC_CHECK_TYPES([pid_t], [], [], [#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_UNISTD_H -# include -#endif]) - -# check functions -AC_CHECK_FUNCS([getdtablesize memcpy memset strchr strcspn strerror strrchr \ - wait3 wait4 waitpid]) -AC_FUNC_SETPGRP - -# Is the wait(2) status an int or union -AH_TEMPLATE([UNIONWAIT], - [define this if your waitpid() takes an union wait status pointer]) -AC_MSG_CHECKING([if waitpid takes a union wait]) -AC_TRY_COMPILE([#if HAVE_SYS_WAIT_H -# include -#endif -#if HAVE_WAIT_H -# include -#endif], [union wait status; -int pid; -pid = wait (&status); -#ifdef WEXITSTATUS -/* Some POSIX systems have both the new-style macros and the old - union wait type, and they do not work together. If union wait - conflicts with WEXITSTATUS et al, we dont want to use it. - */ -if (WEXITSTATUS(status) != 0) - pid = -1; -#ifdef WTERMSIG - /* If we have WEXITSTATUS and WTERMSIG, just use them on ints. */ - -- blow chunks here -- -#endif -#endif -#ifdef HAVE_WAITPID - /* Make sure union wait works with waitpid. */ - pid = waitpid(-1, &status, 0); -#endif], -[AC_MSG_RESULT(yes) - AC_DEFINE(UNIONWAIT)], -[AC_MSG_RESULT(no)]) - -# Check for re-arming signal -AH_TEMPLATE([REARMSIGNAL], - [define this if you find that your daemon quits after being sent - more than one SIGUSR1. 
Some systems need to explicitly re-arm - signals after they've been used once]) -AC_MSG_CHECKING([if signals need to be re-armed]) -AC_TRY_RUN([#include -#if HAVE_STDLIB_H -#include -#endif -#if HAVE_UNISTD_H -#include -#endif -int hit = 0; -RETSIGTYPE -handler(n) -int n; -{ - hit++; -} -int main() -{ - signal(SIGUSR1, handler); - kill(getpid(), SIGUSR1); - kill(getpid(), SIGUSR1); - if (hit == 2) - exit(0); - else - exit(114); -}], -[AC_MSG_RESULT(no)], -[AC_MSG_RESULT(yes);AC_DEFINE(REARMSIGNAL)], -[AC_MSG_WARN([tac_plus may be less efficient when cross-compiled]) - AC_DEFINE(REARMSIGNAL)], -) - -# Check for need to reap children when the default is to ignore SIGCHLD -AH_TEMPLATE([REAPCHILD], - [define this if your o/s needs children reaped even though the - SIGCHLD default is SIG_IGN]) -AH_TEMPLATE([REAPSIGIGN], - [define this if your o/s needs children reaped even with an - explicit SIG_IGN]) -AC_MSG_CHECKING([if children need to be reaped]) -AC_TRY_RUN([#include -#if HAVE_STDLIB_H -#include -#endif -#if HAVE_UNISTD_H -#include -#endif -#if HAVE_SYS_WAIT_H -#include -#endif -#if HAVE_SYS_RESOURCE_H -#include -#endif -#include -pid_t child, pid; -int main() -{ - int status; - child = vfork(); - if (child == 0) - exit(1); -#if HAVE_WAIT4 - pid = wait4(child, &status, WNOHANG, NULL); -#else - do { - pid = wait3(&status, WNOHANG, NULL); - } while (pid != child && pid != -1); -#endif - if (pid == -1 && errno == ECHILD) - exit(0); - exit(114); -}], -[AC_MSG_RESULT(no)], -[AC_MSG_RESULT(yes) - AC_DEFINE(REAPCHILD) - # try again with SIG_IGN - AC_MSG_CHECKING([if children need to be reaped with SIG_IGN]) - AC_TRY_RUN([#include -#if HAVE_STDLIB_H -#include -#endif -#if HAVE_UNISTD_H -#include -#endif -#if HAVE_SYS_WAIT_H -#include -#endif -#if HAVE_SYS_RESOURCE_H -#include -#endif -#include -pid_t child, pid; -int main() -{ - int status; - signal(SIGCHLD, SIG_IGN); - child = vfork(); - if (child == 0) - exit(1); -#if HAVE_WAIT4 - pid = wait4(child, &status, WNOHANG, 
NULL); -#else - do { - pid = wait3(&status, WNOHANG, NULL); - } while (pid != child && pid != -1); -#endif - if (pid == -1 && errno == ECHILD) - exit(0); - exit(114); -}], - [AC_MSG_RESULT(no)], - [AC_MSG_RESULT(yes);AC_DEFINE(REAPSIGIGN)])], -[AC_MSG_WARN([tac_plus may be less efficient when cross-compiled]) - AC_DEFINE(REAPCHILD)], -) - -# Find an appropriate tar for use in "dist" targets. A "best guess" -# is good enough -- if we can't find GNU tar, we don't really care. -AC_CHECK_PROGS(TAR, gnutar gtar tar) - -AC_SUBST(INST_PROGS) -INST_PROGS=$progs - -dnl locate perl 5 -AC_PROG_INSTALL -AC_PATH_PROG(PERLV_PATH,perl5,no) -if test $PERLV_PATH = no; then - unset ac_cv_path_PERLV_PATH - AC_PATH_PROG(PERLV_PATH,perl,no) - if test $PERLV_PATH = no; then - AC_MSG_ERROR([can't locate a suitable perl5.]) - exit 1 - else - $PERLV_PATH -e 'require 5;' - if test $? -ne 0 ; then - AC_MSG_ERROR([can't locate a suitable perl5.]) - exit 1 - fi - fi -fi -AC_SUBST(PERLV_PATH) - -AC_SUBST(CFLAGS) -AC_SUBST(CPPFLAGS) -AC_SUBST(LDFLAGS) -dnl AC_SUBST(PG_LDFLAGS) -dnl AC_SUBST(PG_CPPFLAGS) - -# i did this so that i could end up w/ a #define for the config file */ -if test "x$prefix" = xNONE; then - prefix_save=$prefix - prefix=$ac_default_prefix - MYSYSCONFDIR=`eval echo $sysconfdir` - prefix=$prefix_save -else - MYSYSCONFDIR=`eval echo $sysconfdir` -fi -AC_SUBST(MYSYSCONFDIR) - -# autoheader bits -AH_TOP([ -#ifndef CONFIG_H -#define CONFIG_H 1 -]) -AH_BOTTOM([ -/* UENABLE requires ACLS */ -#ifdef UENABLE -# ifndef ACLS -# define ACLS 1 -# endif -#endif - -/* MAXSESS_FINGER requires MAXSESS */ -#ifdef MAXSESS_FINGER -# ifndef MAXSESS -# define MAXSESS 1 -# endif -#endif - -/* Some, eg: solaris 2.6, dont have socklen_t */ -#ifndef HAVE_SOCKLEN_T -# define socklen_t int -#endif - -/* host specifics */ -/* Define this if your password file does not contain age and comment fields. 
*/ -#define NO_PWAGE - -#if AIX -/* - * The only way to properly compile BSD stuff on AIX is to define a - * "bsdcc" compiler on your system. See /usr/lpp/bos/bsdport on your - * system for details. People who do NOT do this tell me that the code - * still compiles but that it then doesn't behave correctly e.g. child - * processes are not reaped correctly. Don't expect much sympathy if - * you do this. - */ -# define _BSD 1 -# define _BSD_INCLUDES -# define NO_PWAGE -#endif /* AIX */ - -#if LINUX -# define NO_PWAGE -# include -# ifdef GLIBC -# define CONST_SYSERRLIST -# endif -#endif /* LINUX */ - -#if NETBSD -# define NO_PWAGE -# define CONST_SYSERRLIST -#endif - -#if FREEBSD -# define CONST_SYSERRLIST -# define NO_PWAGE -#endif - -#if BSDI -# define NO_PWAGE -#endif -#endif /* CONFIG_H */ -]) -AC_CONFIG_HEADERS(config.h) -AC_CONFIG_FILES(Makefile version.h pathsl.h tac_plus.8 tac_plus.conf.5) - -AC_OUTPUT() -- 1.9.1 From rdrake at direcpath.com Sat Dec 27 03:29:03 2014 From: rdrake at direcpath.com (Robert Drake) Date: Fri, 26 Dec 2014 22:29:03 -0500 Subject: [tac_plus] tacacs+ F5.0.0a patches Message-ID: <549E277F.8010208@direcpath.com> I'm attaching patches to fix a couple of minor bugs with compiling, and to add support for CLI options for setuid/setgid so that people can drop privileges at runtime instead of compile time. This is important for me because the OS I'm using distributes binary versions of most packages, so the normal method of installing a package is for the user to be created at install time. The uid couldn't be determined in advance unless they had some form of uid reservation policy for their internal use and did a good job of sticking to it. In any case, this is how most binaries seem to handle dropping privileges. bind or snmpd being examples. An alternative or additional option would be to place the user configuration in tac_plus.conf, which might be a bit harder to document. Thanks, Robert -------------- next part -------------- 
From 13b49714d14649f3d19b90a0dd5898ffa5572566 Mon Sep 17 00:00:00 2001 From: Robert Drake Date: Fri, 26 Dec 2014 21:04:29 -0500 Subject: [PATCH 2/5] can be built without MAXSESS being defined --- maxsessint.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/maxsessint.c b/maxsessint.c index b874f17..b8b3bd8 100644 --- a/maxsessint.c +++ b/maxsessint.c @@ -45,6 +45,7 @@ is_async(char *portname) return(0); } +#ifdef MAXSESS /* * See if this user can have more sessions. */ @@ -103,3 +104,4 @@ maxsess_check_count(char *user, struct author_data *data) } return(0); } +#endif /* MAXSESS */ -- 1.9.1 -------------- next part -------------- From 906749c3e4dba2c576dc54943f6e4a4eb6936c47 Mon Sep 17 00:00:00 2001 From: Robert Drake Date: Fri, 26 Dec 2014 20:54:42 -0500 Subject: [PATCH 3/5] changes to make setuid and setgid runtime --- tac_plus.8.in | 8 +++++++- tac_plus.c | 35 ++++++++++++++++++++++++++++++++++- 2 files changed, 41 insertions(+), 2 deletions(-) diff --git a/tac_plus.8.in b/tac_plus.8.in index 5210b19..62ad6ed 100644 --- a/tac_plus.8.in +++ b/tac_plus.8.in @@ -142,7 +142,7 @@ used in log messages, libwrap (tcp_wrappers) checks, and for matching host clauses of the configuration file. Also see .BR tac_plus.conf (5). .\" -.TP +.TP .B \-P Parse the configuration file, echo it to standard output while parsing, and then exit. @@ -159,6 +159,12 @@ for incoming tcp connections. Note: this changes the name of the pid file created by the daemon. .\" .TP +.B \-U +Specify the username that we will try to use to setuid() the process to. +.TP +.B \-Q +Specify the groupname that we will try to use to setgid() the process to. +.TP .B \-S Enables or allows client single-connection mode, where-by the client will create one connection and interleave queries. diff --git a/tac_plus.c b/tac_plus.c index cdf0ad6..bf4564c 100644 --- a/tac_plus.c +++ b/tac_plus.c @@ -28,6 +28,8 @@ #include #include #include +#include +#include #ifdef LIBWRAP # include 
@@ -56,6 +58,8 @@ int opt_S; /* enable single-connection */ int wtmpfd; /* for wtmp file logging */ char *wtmpfile = NULL; char *bind_address = NULL; +char *setuid_user = NULL; +char *setgid_group = NULL; struct timeval started_at; @@ -261,7 +265,7 @@ main(int argc, char **argv) tac_exit(1); } - while ((c = getopt(argc, argv, "B:C:d:hiPp:tGgvSsLl:w:u:")) != EOF) + while ((c = getopt(argc, argv, "B:C:d:hiPp:tGgvSsLl:w:u:U:Q:")) != EOF) switch (c) { case 'B': /* bind() address*/ bind_address = optarg; @@ -316,6 +320,12 @@ main(int argc, char **argv) case 'u': wtmpfile = tac_strdup(optarg); break; + case 'U': + setuid_user = tac_strdup(optarg); + break; + case 'Q': + setgid_group = tac_strdup(optarg); + break; default: fprintf(stderr, "%s: bad switch %c\n", progname, c); @@ -512,6 +522,27 @@ main(int argc, char **argv) childpid = 0; } } + + if (setuid_user) { + struct passwd *pw; + if ((pw = getpwnam(setuid_user)) == NULL) { + report(LOG_ERR, "Cannot set userid to %s. getpwname(setuid_user) failed.\n"); + } + if (setuid(pw->pw_uid)) + report(LOG_ERR, "Cannot set user id to %d %s", + pw->pw_uid, strerror(errno)); + } + + if (setgid_group) { + struct group *gr; + if ((gr = getgrnam(setgid_group)) == NULL) { + report(LOG_ERR, "Cannot set groupid to %s. getgrnme(setgid_group) failed.\n"); + } + if (setgid(gr->gr_gid)) + report(LOG_ERR, "Cannot set group id to %d %s", + gr->gr_gid, strerror(errno)); + } + #ifdef TACPLUS_GROUPID if (setgid(TACPLUS_GROUPID)) report(LOG_ERR, "Cannot set group id to %d %s", @@ -745,6 +776,8 @@ usage(void) " [-l ]" " [-p ]" " [-u ]" + " [-U ]" + " [-Q ]" #ifdef MAXSESS " [-w ]" #endif -- 1.9.1 -------------- next part -------------- From 66360ec7b178bff9c3e48fdebcad540e1c8e206a Mon Sep 17 00:00:00 2001 From: Robert Drake Date: Fri, 26 Dec 2014 22:18:22 -0500 Subject: [PATCH 4/5] users_guide not in clean or distclean --- Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
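Review bot: the `#ifdef MAXSESS` guard added in the two maxsessint.c hunks (PATCH 2/5, `@@ -45,6 +45,7 @@` and `@@ -103,3 +104,4 @@`) starts after `is_async()` rather than at the top of the file, so `is_async()` and the file's includes are still compiled when MAXSESS is off; if nothing outside the guarded code calls `is_async()` that leaves an unused function, and the intent would be clearer with the guard around the whole translation unit or with maxsessint.o dropped from the build when MAXSESS is not defined.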
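Review bot: the tac_plus.8.in hunk at `@@ -142,7 +142,7 @@` is a whitespace-only change (`-.TP` / `+.TP ` adds a trailing space) unrelated to the -U/-Q feature; drop it from the patch so the diff stays minimal and the man page source does not gain trailing whitespace.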
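Review bot: the new `.B \-U` and `.B \-Q` entries in the tac_plus.8.in hunk at `@@ -159,6 +159,12 @@` do not say what happens when the name cannot be resolved or the id change fails, nor how the options relate to the compile-time `TACPLUS_GROUPID` block that the same patch leaves in tac_plus.c; state both (whether the daemon exits on failure, and that the runtime value overrides the compiled-in id), since an administrator reading the page needs to know the daemon will not keep running as root after a typo in the user name.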
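Review bot: the privilege-drop block in the tac_plus.c hunk at `@@ -512,6 +522,27 @@` dereferences a NULL pointer on the failure path and performs its steps in the wrong order. After `if ((pw = getpwnam(setuid_user)) == NULL) {` the code only calls `report(LOG_ERR, "Cannot set userid to %s. getpwname(setuid_user) failed.\n");` (a `%s` with no argument supplied, plus the `getpwname` typo) and then falls through to `setuid(pw->pw_uid)` on the NULL `pw`; the `getgrnam` branch has the same shape (`getgrnme`). Each failed lookup, and each failed `setuid()`/`setgid()`, should be fatal (report, then `tac_exit(1)`), because the only alternative is to keep running as root. Also `setuid()` is called before `setgid()`: once the uid is dropped, `setgid()` (and the later `#ifdef TACPLUS_GROUPID` `setgid()`) fails with EPERM, so -U and -Q together can never change the group. Order it `setgroups()`/`setgid()` then `setuid()`, and have the runtime values replace the compiled-in `TACPLUS_GROUPID` path rather than run in addition to it.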
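Review bot: the Makefile.in change in PATCH 4/5 (`CONFIG_CLEAN_FILES = ... users_guide`) edits a file that the surrounding `am__CONFIG_DISTCLEAN_FILES` and `am__vpath_adj` variables show is automake-generated, so it will be lost on the next regeneration; `CONFIG_CLEAN_FILES` mirrors the `AC_CONFIG_FILES` list in configure.in, and the old `AC_CONFIG_FILES(Makefile version.h pathsl.h tac_plus.8 tac_plus.conf.5)` line visible in PATCH 1/5 does not list users_guide, so the durable fix is to add it there (and in whatever the Makefile.in is generated from) rather than in the generated output.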
diff --git a/Makefile.in b/Makefile.in index 133dadd..3b84b8a 100644 --- a/Makefile.in +++ b/Makefile.in @@ -57,7 +57,7 @@ am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ configure.lineno config.status.lineno mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = config.h -CONFIG_CLEAN_FILES = version.h pathsl.h tac_plus.8 tac_plus.conf.5 +CONFIG_CLEAN_FILES = version.h pathsl.h tac_plus.8 tac_plus.conf.5 users_guide CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ -- 1.9.1 -------------- next part -------------- From 956c89521d36f4938de509907f99d85111ccff68 Mon Sep 17 00:00:00 2001 From: Robert Drake Date: Fri, 26 Dec 2014 22:09:38 -0500 Subject: [PATCH 5/5] updated Changes with what I changed --- CHANGES | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGES b/CHANGES index 7487c19..27880c6 100644 --- a/CHANGES +++ b/CHANGES @@ -408,3 +408,8 @@ F5.0.0a - use the fdes code for ARAP_DES and MSCHAP_DES - increase NAC address array size. affects the format of the tacacs wholog file (TACPLUS_WHOLOGFILE); existing file should be removed. + +F5.0.0a2 + - fixes so code will compile without MAXSESS defined + - added -U and -Q flags to allow runtime setuid/setgid change to drop + privilages - from Robert Drake -- 1.9.1 From heas at shrubbery.net Mon Dec 29 22:43:55 2014 
From: heas at shrubbery.net (heasley) Date: Mon, 29 Dec 2014 22:43:55 +0000 Subject: [tac_plus] tacacs+ F5.0.0a patches In-Reply-To: <549E277F.8010208@direcpath.com> References: <549E277F.8010208@direcpath.com> Message-ID: <20141229224355.GB92899@shrubbery.net> Fri, Dec 26, 2014 at 10:29:03PM -0500, Robert Drake: > I'm attaching patches to fix a couple of minor bugs with compiling, and > to add support for CLI options for setuid/setgid so that people can drop > privileges at runtime instead of compile time. This is important for me > because the OS I'm using distributes binary versions of most packages, > so the normal method of installing a package is for the user to be > created at install time. The uid couldn't be determined in advance > unless they had some form of uid reservation policy for their internal > use and did a good job of sticking to it. > > In any case, this is how most binaries seem to handle dropping > privileges. bind or snmpd being examples. An alternative or additional > option would be to place the user configuration in tac_plus.conf, which > might be a bit harder to document. > > Thanks, > Robert > diff --git a/tac_plus.c b/tac_plus.c > index cdf0ad6..bf4564c 100644 > --- a/tac_plus.c > +++ b/tac_plus.c > @@ -28,6 +28,8 @@ > #include > #include > #include > +#include > +#include > > #ifdef LIBWRAP > # include > @@ -56,6 +58,8 @@ int opt_S; /* enable single-connection */ > int wtmpfd; /* for wtmp file logging */ > char *wtmpfile = NULL; > char *bind_address = NULL; > +char *setuid_user = NULL; > +char *setgid_group = NULL; > > struct timeval started_at; > > @@ -261,7 +265,7 @@ main(int argc, char **argv) > tac_exit(1); > } > > - while ((c = getopt(argc, argv, "B:C:d:hiPp:tGgvSsLl:w:u:")) != EOF) > + while ((c = getopt(argc, argv, "B:C:d:hiPp:tGgvSsLl:w:u:U:Q:")) != EOF) > switch (c) { > case 'B': /* bind() address*/ > bind_address = optarg; 
> @@ -316,6 +320,12 @@ main(int argc, char **argv) > case 'u': > wtmpfile = tac_strdup(optarg); > break; > + case 'U': > + setuid_user = tac_strdup(optarg); > + break; > + case 'Q': > + setgid_group = tac_strdup(optarg); > + break; > > default: > fprintf(stderr, "%s: bad switch %c\n", progname, c); > @@ -512,6 +522,27 @@ main(int argc, char **argv) > childpid = 0; > } > } > + > + if (setuid_user) { > + struct passwd *pw; > + if ((pw = getpwnam(setuid_user)) == NULL) { > + report(LOG_ERR, "Cannot set userid to %s. getpwname(setuid_user) failed.\n"); that error path is not right. i've fixed that, changed the formatting of code and manpage/etc to be consistent with existing and changed the code to override the compiled TACPLUS_GROUPID/USERID if it existed. already had the maxsess fix. prost > + } > + if (setuid(pw->pw_uid)) > + report(LOG_ERR, "Cannot set user id to %d %s", > + pw->pw_uid, strerror(errno)); > + } > + > + if (setgid_group) { > + struct group *gr; > + if ((gr = getgrnam(setgid_group)) == NULL) { > + report(LOG_ERR, "Cannot set groupid to %s. getgrnme(setgid_group) failed.\n"); > + } > + if (setgid(gr->gr_gid)) > + report(LOG_ERR, "Cannot set group id to %d %s", > + gr->gr_gid, strerror(errno)); > + } > + > #ifdef TACPLUS_GROUPID > if (setgid(TACPLUS_GROUPID)) > report(LOG_ERR, "Cannot set group id to %d %s", > @@ -745,6 +776,8 @@ usage(void) > " [-l ]" > " [-p ]" > " [-u ]" > + " [-U ]" > + " [-Q ]" > #ifdef MAXSESS > " [-w ]" > #endif > -- > 1.9.1 From heas at shrubbery.net Tue Dec 30 17:48:34 2014 
From: heas at shrubbery.net (heasley) Date: Tue, 30 Dec 2014 17:48:34 +0000 Subject: [tac_plus] updating configure.in(ac) for automake 1.14 In-Reply-To: <549EDCDE.1090605@direcpath.com> References: <549EDCDE.1090605@direcpath.com> Message-ID: <20141230174834.GG35851@shrubbery.net> Sat, Dec 27, 2014 at 11:22:54AM -0500, Robert Drake: > I'm attaching another patch. This one for something I half did for the > Debian version then decided to submit upstream. > > Modern versions of automake fail specifically about a line called > AM_C_PROTOTYPES which was designated a long time ago to be about an > ansi2knr converter macro. They give alternatives, but in the end it > seems that it's perfectly acceptable to leave the line out completely. > > There are other issues though. A hard failure caused by m4 not knowing > where the macro directory is leaves it saying AC_DEFINE() doesn't > exist. The fix is to say AC_CONFIG_MACRO_DIR([.]). > > Finally, they changed a couple of things about the initialization parts > AC_INIT() and AC_INIT_AUTOMAKE(), so I've rewritten those to satisfy the > new requirements and hopefully also continue working as you expect. Incorporated the automake patch. I think that I already have everything, though not in the same manner, in your autoconf patch for 4.x, which I've now pulled up to 5.x. thanks From david.syzdek at acsalaska.net Tue Dec 30 17:57:29 2014 
From: david.syzdek at acsalaska.net (David M. Syzdek) Date: Tue, 30 Dec 2014 08:57:29 -0900 Subject: [tac_plus] updating configure.in(ac) for automake 1.14 In-Reply-To: <20141230174834.GG35851@shrubbery.net> References: <549EDCDE.1090605@direcpath.com> <20141230174834.GG35851@shrubbery.net> Message-ID: Heasley, Is there a public repository we can use to pull the combined patches? I'm working on a series of patches to submit, and I'd like to keep them in sync with your repository as much as possible in order to make it easier to merge if you accept them. --David M. Syzdek ---------------------------------------------------------------------- David M. Syzdek david.syzdek at acsalaska.net IP Engineering Work: +1 907 550 8389 Cell: +1 907 980 1151 Alaska Communications Systems, Inc MS #53 600 Telephone Avenue Anchorage, Alaska 99503 ---------------------------------------------------------------------- > On Dec 30, 2014, at 8:48 AM, heasley wrote: > > Sat, Dec 27, 2014 at 11:22:54AM -0500, Robert Drake: >> I'm attaching another patch. This one for something I half did for the >> Debian version then decided to submit upstream. >> >> Modern versions of automake fail specifically about a line called >> AM_C_PROTOTYPES which was designated a long time ago to be about an >> ansi2knr converter macro. They give alternatives, but in the end it >> seems that it's perfectly acceptable to leave the line out completely. >> >> There are other issues though. A hard failure caused by m4 not knowing >> where the macro directory is leaves it saying AC_DEFINE() doesn't >> exist. The fix is to say AC_CONFIG_MACRO_DIR([.]). >> >> Finally, they changed a couple of things about the initialization parts >> AC_INIT() and AC_INIT_AUTOMAKE(), so I've rewritten those to satisfy the >> new requirements and hopefully also continue working as you expect. > > Incorporated the automake patch. 
> I think that I already have everything, > though not in the same manner, in your autoconf patch for 4.x, which I've > now pulled up to 5.x. thanks