From bkos at fast-stable-secure.net Thu Jul 10 12:16:38 2014
From: bkos at fast-stable-secure.net (Bartlomiej Kos)
Date: Thu, 10 Jul 2014 14:16:38 +0200
Subject: [tac_plus] A question concerning the availability of the tac_plus complete command reference chart
Message-ID:

Dear Shrubbery Inc.,

First of all, thank you for developing your flavour of the TACACS server. It is an invaluable tool for one needing to set up a centralised AAA system when one's funds are limited.

I have already had some success establishing a working environment with your server using the version available in the standard 7.5.0 Debian Wheezy package repository, but would like to get the most from your server, so that my users could enjoy a seamless working environment. Unfortunately, I have found out the hard way that the documentation concerning your server's configuration directives is rather scarce, and even though the manpages do offer some command reference, the server configuration is mostly a trial-and-error process. I believe that if I had a complete command reference chart at hand I could do a better job with configuring the server, and so I would like to ask you if such a chart is available. If it is, could you point me the way to it, or tell me what I should do to obtain one?

Best regards
- Bartlomiej Kos

From heas at shrubbery.net Thu Jul 10 14:57:09 2014
From: heas at shrubbery.net (heasley)
Date: Thu, 10 Jul 2014 14:57:09 +0000
Subject: [tac_plus] A question concerning the availability of the tac_plus complete command reference chart
In-Reply-To:
References:
Message-ID: <20140710145709.GE5846@shrubbery.net>

Thu, Jul 10, 2014 at 02:16:38PM +0200, Bartlomiej Kos:
> I have already had some success establishing a working environment with
> your server using the version available in the standard 7.5.0 Debian Wheezy
> package repository, but would like to get the most from your server, so
> that my users could enjoy a seamless working environment. Unfortunately, I
> have found out the hard way that the documentation concerning your server's
> configuration directives is rather scarce, and even though the manpages do
> offer some command reference, the server configuration is mostly a
> trial-and-error process. I believe that if I had a complete command
> reference chart at hand I could do a better job with configuring the
> server, and so I would like to ask you if such a chart is available. If it
> is, could you point me the way to it, or tell me what I should do to obtain
> one?

That's a fair cop. But, it appears that the version in Debian is 4.0.4.19, which is rather old. I believe documentation has been improved since then. Download 4.0.4.27a and see the manpage and the user_guide file.

From alan.mckinnon at gmail.com Thu Jul 10 14:58:49 2014
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Thu, 10 Jul 2014 16:58:49 +0200
Subject: [tac_plus] A question concerning the availability of the tac_plus complete command reference chart
In-Reply-To:
References:
Message-ID: <53BEAA29.8060901@gmail.com>

On 10/07/2014 14:16, Bartlomiej Kos wrote:
> Dear Shrubbery Inc.,
>
> First of all, thank you for developing your flavour of the TACACS server.
> It is an invaluable tool for one needing to set up a centralised AAA system
> when one's funds are limited.
>
> I have already had some success establishing a working environment with
> your server using the version available in the standard 7.5.0 Debian Wheezy
> package repository, but would like to get the most from your server, so
> that my users could enjoy a seamless working environment. Unfortunately, I
> have found out the hard way that the documentation concerning your server's
> configuration directives is rather scarce, and even though the manpages do
> offer some command reference, the server configuration is mostly a
> trial-and-error process. I believe that if I had a complete command
> reference chart at hand I could do a better job with configuring the
> server, and so I would like to ask you if such a chart is available. If it
> is, could you point me the way to it, or tell me what I should do to obtain
> one?

Nothing like the docs you are looking for has come to light here in the past 6 years, so I doubt such a thing exists. Do keep in mind that the original code base and docs come from Cisco all those years ago; all that shrubbery has done is extend the code base.

There are two areas that cause folks trouble with tac_plus:

- the tacacs protocol itself has docs but they are hard to find - there is one draft RFC out there that expired ages ago but Cisco's kit at least still mostly follows it. It can be really hard to figure out what Tacacs itself allows you to do.

- the server config file is limited in what it can do.
For example, there's a concept of a group but a user can only belong to one group, and that group can only belong to one group, etc.

Both of these concepts cause folk endless trouble if you start out with assumptions that are incorrect.

What specific aspects of using tac_plus are you having trouble with?

--
Alan McKinnon
alan.mckinnon at gmail.com

From vadud3 at gmail.com Tue Jul 22 19:55:40 2014
From: vadud3 at gmail.com (Asif Iqbal)
Date: Tue, 22 Jul 2014 15:55:40 -0400
Subject: [tac_plus] source IP is not in tacacs log for failed logins
Message-ID:

Is there a way to get the source IP of a failed login in tacacs log?

I see a few different debug levels, and not sure which one, if at all, would carry the source IP in the log for failed logins.

Thanks for the help

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From heas at shrubbery.net Tue Jul 22 20:06:47 2014
From: heas at shrubbery.net (heasley)
Date: Tue, 22 Jul 2014 20:06:47 +0000
Subject: [tac_plus] source IP is not in tacacs log for failed logins
In-Reply-To:
References:
Message-ID: <20140722200647.GF3388@shrubbery.net>

Tue, Jul 22, 2014 at 03:55:40PM -0400, Asif Iqbal:
> Is there a way to get the source IP of a failed login in tacacs log?
>
> I see a few different debug levels, and not sure which one, if at all, would
> carry the source IP in the log for failed logins.

the IP of the tacacs client is in the logs. if you mean of the devices' client, it tends to only send that if it's a PPP/SLIP client. you can look for it in the AVPs sent by the tacacs client.

From vadud3 at gmail.com Tue Jul 22 20:13:20 2014
From: vadud3 at gmail.com (Asif Iqbal)
Date: Tue, 22 Jul 2014 16:13:20 -0400
Subject: [tac_plus] source IP is not in tacacs log for failed logins
In-Reply-To: <20140722200647.GF3388@shrubbery.net>
References: <20140722200647.GF3388@shrubbery.net>
Message-ID:

On Tue, Jul 22, 2014 at 4:06 PM, heasley wrote:

> Tue, Jul 22, 2014 at 03:55:40PM -0400, Asif Iqbal:
> > Is there a way to get the source IP of a failed login in tacacs log?
> >
> > I see a few different debug levels, and not sure which one, if at all, would
> > carry the source IP in the log for failed logins.
>
> the IP of the tacacs client is in the logs. if you mean of the devices'
> client, it tends to only send that if it's a PPP/SLIP client. you can
> look for it in the AVPs sent by the tacacs client.
>

Right, the tacacs client IP is there and you are correct, I was looking for the device IP. These tacacs clients/network elements are cisco devices.

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From vadud3 at gmail.com Tue Jul 22 20:17:03 2014
From: vadud3 at gmail.com (Asif Iqbal)
Date: Tue, 22 Jul 2014 16:17:03 -0400
Subject: [tac_plus] source IP is not in tacacs log for failed logins
In-Reply-To:
References: <20140722200647.GF3388@shrubbery.net>
Message-ID:

On Tue, Jul 22, 2014 at 4:13 PM, Asif Iqbal wrote:

>
> On Tue, Jul 22, 2014 at 4:06 PM, heasley wrote:
>
>> Tue, Jul 22, 2014 at 03:55:40PM -0400, Asif Iqbal:
>> > Is there a way to get the source IP of a failed login in tacacs log?
>> >
>> > I see a few different debug levels, and not sure which one, if at all, would
>> > carry the source IP in the log for failed logins.
>>
>> the IP of the tacacs client is in the logs. if you mean of the devices'
>> client, it tends to only send that if it's a PPP/SLIP client. you can
>> look for it in the AVPs sent by the tacacs client.
>>
>
> Right, the tacacs client IP is there and you are correct, I was looking
> for the device IP. These tacacs clients/network elements are cisco
> devices.
>

I am wondering why successful logins will have the device IPs in the log, but not failed logins.

> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From heas at shrubbery.net Wed Jul 23 19:15:23 2014
From: heas at shrubbery.net (heasley)
Date: Wed, 23 Jul 2014 19:15:23 +0000
Subject: [tac_plus] source IP is not in tacacs log for failed logins
In-Reply-To:
References: <20140722200647.GF3388@shrubbery.net>
Message-ID: <20140723191523.GE35786@shrubbery.net>

Tue, Jul 22, 2014 at 04:17:03PM -0400, Asif Iqbal:
> On Tue, Jul 22, 2014 at 4:13 PM, Asif Iqbal wrote:
>
> >
> > On Tue, Jul 22, 2014 at 4:06 PM, heasley wrote:
> >
> >> Tue, Jul 22, 2014 at 03:55:40PM -0400, Asif Iqbal:
> >> > Is there a way to get the source IP of a failed login in tacacs log?
> >> >
> >> > I see a few different debug levels, and not sure which one, if at all, would
> >> > carry the source IP in the log for failed logins.
> >>
> >> the IP of the tacacs client is in the logs. if you mean of the devices'
> >> client, it tends to only send that if it's a PPP/SLIP client. you can
> >> look for it in the AVPs sent by the tacacs client.
> >>
> >
> > Right, the tacacs client IP is there and you are correct, I was looking
> > for the device IP. These tacacs clients/network elements are cisco
> > devices.
> >
>
> I am wondering why successful logins will have the device IPs in the log,
> but not failed logins.

these are from the device connecting to the server, 1 success and 1 failure:

Jul 23 19:13:12 mgmt tac_plus[40475]: 198.58.5.127 tty3: fd 3 eof (connection closed)
Jul 23 19:07:42 mgmt tac_plus[40312]: login failure: heas 198.58.5.127 (198.58.5.127) tty2

this is an accounting record:

Jul 23 19:13:12 mgmt tac_plus[40477]: 198.58.5.127 heas tty2 198.168.100.69 start task_id=137367 timezone=UTC service=shell start_time=1406142792

> > --
> > Asif Iqbal
> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> >
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?
> >
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

From mdequenes at uperto.com Tue Jul 29 16:18:05 2014
From: mdequenes at uperto.com (Marc Dequenes)
Date: Tue, 29 Jul 2014 18:18:05 +0200
Subject: [tac_plus] Patch for a crash when using long commands
In-Reply-To: <20140121201502.GM6256@shrubbery.net>
References: <20140121201502.GM6256@shrubbery.net>
Message-ID:

Coin,

Sorry for the delay. I've not been able to work more on the subject and the client is unwilling to give any information.

I've still got the trace I made when looking for a solution, and as there is nothing sensitive I attached it here.

As I remember it the configuration was pretty simple but using PAM for AD authentication.

Sorry I could not help more.
Regards.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gdb.log
Type: text/x-log
Size: 7122 bytes
Desc: not available
URL:

From heas at shrubbery.net Thu Jul 31 20:07:43 2014
From: heas at shrubbery.net (heasley)
Date: Thu, 31 Jul 2014 20:07:43 +0000
Subject: [tac_plus] Patch for a crash when using long commands
In-Reply-To: <20140731174125.444384640B36@ni.shrubbery.net>
Message-ID: <20140731200743.GE19142@shrubbery.net>

Tue, Jul 29, 2014 at 06:18:05PM +0200, Marc Dequenes:
> Coin,
>
> Sorry for the delay. I've not been able to work more on the subject
> and the client is unwilling to give any information.
>
> I've still got the trace I made when looking for a solution, and as there
> is nothing sensitive I attached it here.
>
> As I remember it the configuration was pretty simple but using PAM for
> AD authentication.
>
> Sorry I could not help more.
> Regards.

> #0 0x00000037aaa30265 in raise (sig=) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> pid = ...

this helped. I believe this will fix your problem.

Index: do_author.c
===================================================================
--- do_author.c (revision 3652)
+++ do_author.c (working copy)
@@ -354,7 +354,7 @@ { while (*s != '\0' && *s != '=' && *s != '*') s++; - if (*s == '\0') + if (*s != '\0') return(++s); return(NULL); } @@ -374,8 +374,11 @@ len = 0; for (i = 0; i < data->num_in_args; i++) { nas_arg = data->input_args[i]; - if (strncmp(nas_arg, "cmd-arg", strlen("cmd-arg")) == 0) - len += strlen(value(nas_arg)) + 1; + if (strncmp(nas_arg, "cmd-arg", strlen("cmd-arg")) == 0) { + v = value(nas_arg); + if (v != NULL) + len += strlen(v) + 1; + } } if (len <= 0) { @@ -395,9 +398,12 @@ free(buf); return(NULL); } - strcat(buf, v); - if (i < (data->num_in_args - 1)) - strcat(buf, " "); + strncat(buf, v, len - 1); + len -= strlen(v); + if (i < (data->num_in_args - 1)) { + strncat(buf, " ", len - 1); + len -= 1; + } } return(buf); }
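Review bot: the inverted test in value() (first hunk, `@@ -354,7 +354,7 @@`) is the real fix and it changes the function's contract, so every caller now needs the NULL check the later hunks add. With the old `if (*s == '\0') return(++s);`, an attribute with no '=' or '*' separator returned a pointer one byte past its terminator, and an attribute that did have a separator returned NULL, so a later strlen() on the result either read past the end of the string or dereferenced NULL. With `if (*s != '\0')` the function returns the text after the separator and NULL only when there is none. A one-line comment above the function stating that it returns NULL for a separator-less attribute would make the new contract explicit for any other caller of value().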
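Review bot: the NULL guard in the sizing loop (second hunk, `@@ -374,8 +374,11 @@`) is correct, but it handles a separator-less cmd-arg differently from the copy loop: here the attribute is silently skipped and not counted, while the context lines of the third hunk (`free(buf); return(NULL);`) show the copy loop abandoning the whole concatenation on the same condition. That is safe, since nothing is ever copied that was not counted, but the asymmetry deserves a comment so that nobody later changes the copy loop to skip instead of abort and ends up with a buffer size that no longer matches what is appended. Also, `v` is assigned here without a declaration in the hunk; the existing `strcat(buf, v)` in the third hunk shows it already exists in the function, but please confirm it is declared at function scope rather than inside the second loop.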
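Review bot: the strncat() bounds in the third hunk (`@@ -395,9 +398,12 @@`) are right as long as `len` is maintained as the remaining capacity including the terminator, which the `len -= strlen(v);` and `len -= 1;` bookkeeping does; since the same variable was the allocation size a few lines earlier, a short comment that `len` now means "bytes left in buf" would help the next reader. Two things to check: (1) strncat() takes a size_t, so if `len` is a signed int and ever drops below 1, `len - 1` becomes a huge count and the bound disappears; an `if (len <= 1) break;` (or an assert) before each strncat() would turn the invariant into an enforced check rather than an assumption. (2) The sizing loop counts one extra byte per cmd-arg, but the space is appended whenever `i < (data->num_in_args - 1)`, that is, after every cmd-arg that is not the last input attribute of any kind. If the last cmd-arg is followed by a non-cmd-arg attribute, the buffer is therefore one byte short: with the old strcat() that was a one-byte overflow, with strncat() the trailing space is silently dropped. Harmless, but either allocate `len + 1` or add a comment so the truncation is understood.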
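Returning to the "source IP is not in tacacs log for failed logins" thread above, the following is an added example (not code from the list, from tac_plus or from heasley) that parses the three record shapes he posted and shows the point of his answer: the tacacs client (NAS) address is in every record, while the end user's own address only appears as the rem_addr field of accounting records. The regexes, function names and the two extra constructed failure lines are my own assumptions.

```python
import re
from collections import Counter

# Sample log: the first three lines are the ones heasley posted in the
# thread; the last two are constructed extra failures for the summary.
SAMPLE_LOG = """\
Jul 23 19:13:12 mgmt tac_plus[40475]: 198.58.5.127 tty3: fd 3 eof (connection closed)
Jul 23 19:07:42 mgmt tac_plus[40312]: login failure: heas 198.58.5.127 (198.58.5.127) tty2
Jul 23 19:13:12 mgmt tac_plus[40477]: 198.58.5.127 heas tty2 198.168.100.69 start task_id=137367 timezone=UTC service=shell start_time=1406142792
Jul 23 19:08:01 mgmt tac_plus[40313]: login failure: heas 198.58.5.127 (198.58.5.127) tty2
Jul 23 19:08:20 mgmt tac_plus[40314]: login failure: admin 198.58.5.127 (198.58.5.127) tty4
"""

# Assumed syslog prefix: "Mon DD HH:MM:SS host tac_plus[pid]: "
_PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) tac_plus\[(?P<pid>\d+)\]: "
FAILURE_RE = re.compile(_PREFIX + r"login failure: (?P<user>\S+) (?P<nas>\S+) \((?P<nas_name>[^)]*)\) (?P<port>\S+)$")
ACCT_RE = re.compile(_PREFIX + r"(?P<nas>\S+) (?P<user>\S+) (?P<port>\S+) (?P<rem_addr>\S+) (?P<type>start|stop|update) (?P<avps>.*)$")
CLOSE_RE = re.compile(_PREFIX + r"(?P<nas>\S+) (?P<port>\S+): fd \d+ eof \(connection closed\)$")

def parse_line(line):
    """Classify one tac_plus syslog line and extract the addresses it carries.
    Every record names the NAS; only accounting records carry rem_addr."""
    m = FAILURE_RE.match(line)
    if m:
        return {"kind": "failure", **m.groupdict()}
    m = ACCT_RE.match(line)
    if m:
        rec = {"kind": "accounting", **m.groupdict()}
        # AVPs are space-separated key=value pairs; keep them as a dict
        rec["avps"] = dict(kv.split("=", 1) for kv in rec["avps"].split() if "=" in kv)
        return rec
    m = CLOSE_RE.match(line)
    if m:
        return {"kind": "close", **m.groupdict()}
    return {"kind": "other", "raw": line}

def failed_logins_by_nas_user(log_text):
    """Count login failures per (NAS address, username) for alerting."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["kind"] == "failure":
            counts[(rec["nas"], rec["user"])] += 1
    return counts

def remote_addrs_for_user(log_text, user):
    """rem_addr values seen for a user in accounting records: the closest the
    log gets to the 'device's client' address the thread asks about."""
    return sorted({rec["rem_addr"] for rec in map(parse_line, log_text.splitlines())
                   if rec["kind"] == "accounting" and rec["user"] == user})
```

Because failures never carry rem_addr, a per-NAS/per-user failure count is the practical alert key; accounting records are then the place to look up where that user normally comes from.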