From vadud3 at gmail.com Mon Jun 16 00:13:02 2014 From: vadud3 at gmail.com (Asif Iqbal) Date: Sun, 15 Jun 2014 20:13:02 -0400 Subject: [tac_plus] Need help with do_auth config In-Reply-To: References: Message-ID: It is working now. On Sun, Jun 15, 2014 at 7:09 PM, Asif Iqbal wrote: > group = doauthaccess { > after authorization "/usr/bin/python /root/do_auth/do_auth.pyc -i > $address -fix_crs_bug -u $user -d $name -l /root/do_auth/do_auth.log -f > /root/do_auth/do_auth.ini" > } > I updated the group to reflect the example in github.com/jathanism/do_auth group = doauthaccess { default service = permit service = exec { priv-lvl = 15 idletime = 10 } after authorization "/usr/bin/python /root/do_auth/do_auth.pyc -i $address -fix_crs_bug -u $user -d $name -l /root/do_auth/do_auth.log -f /root/do_auth/do_auth.ini" } I guess that is minimum config for group with after authorization + do_auth.py to work -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From vadud3 at gmail.com Sun Jun 15 23:31:17 2014 From: vadud3 at gmail.com (Asif Iqbal) Date: Sun, 15 Jun 2014 19:31:17 -0400 Subject: [tac_plus] Need help with do_auth config In-Reply-To: References: Message-ID: Modified the config with right user name and still same error On Sun, Jun 15, 2014 at 7:09 PM, Asif Iqbal wrote: > Let me know if there is a separate mailing list for do_auth related > questions. > > So I am trying to follow the do_auth.ini syntax and need some help. > > I have setup the config file like below and failing to authorize. > > Here is the do_auth.ini file > > [users] > default = > noprivs > foo = > newgroup > iqbala = newgroup > > [newgroup] > host_allow = > .* > command_permit = > show configuration.* > device_permit = > .* > > [noprivs] > host_deny = > .* > device_deny = > .* > command_deny = > .* > > Here is the error message > > Username: iqbala > Password: > % Authorization failed. > Connection closed by foreign host. > > > Here is the relevant part in tacacs.conf > > group = doauthaccess { > after authorization "/usr/bin/python /root/do_auth/do_auth.pyc -i > $address -fix_crs_bug -u $user -d $name -l /root/do_auth/do_auth.log -f > /root/do_auth/do_auth.ini" > } > > user = foo { > login = PAM > member = doauthaccess > } > > user = iqbala { login = PAM member = doauthaccess } > If I change the member to another group which is regular group > and not using after authorization, user ``foo'' can login fine. > > I must not do doing something right. > > Please advise. > > > > > -- > Asif Iqbal > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing? > > -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From vadud3 at gmail.com Sun Jun 15 23:09:25 2014 From: vadud3 at gmail.com (Asif Iqbal) Date: Sun, 15 Jun 2014 19:09:25 -0400 Subject: [tac_plus] Need help with do_auth config Message-ID: Let me know if there is a separate mailing list for do_auth related questions. So I am trying to follow the do_auth.ini syntax and need some help. I have setup the config file like below and failing to authorize. Here is the do_auth.ini file [users] default = noprivs foo = newgroup [newgroup] host_allow = .* command_permit = show configuration.* device_permit = .* [noprivs] host_deny = .* device_deny = .* command_deny = .* Here is the error message Username: iqbala Password: % Authorization failed. Connection closed by foreign host. Here is the relevant part in tacacs.conf group = doauthaccess { after authorization "/usr/bin/python /root/do_auth/do_auth.pyc -i $address -fix_crs_bug -u $user -d $name -l /root/do_auth/do_auth.log -f /root/do_auth/do_auth.ini" } user = foo { login = PAM member = doauthaccess } If I change the member to another group which is regular group and not using after authorization, user ``foo'' can login fine. I must not do doing something right. Please advise. -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From vadud3 at gmail.com Mon Jun 16 14:56:29 2014 From: vadud3 at gmail.com (Asif Iqbal) Date: Mon, 16 Jun 2014 10:56:29 -0400 Subject: [tac_plus] github repository Message-ID: Hi Shrubbery, Do you have a github version of your latest stable tac_plus code publicly available? I am aware of the ftp site. Thanks -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From vadud3 at gmail.com Mon Jun 16 18:38:26 2014 From: vadud3 at gmail.com (Asif Iqbal) Date: Mon, 16 Jun 2014 14:38:26 -0400 Subject: [tac_plus] user DEFAULT Message-ID: Hi All. user = DEAFULT { login = PAM member = foo } I cannot login with my LDAP using this stanza. I needed to have my own account defined like below for a successful login. user = iqbala { login = PAM member = foo } Is that normal? I wanted to take advantage of the do_auth.py and define the user in the do_auth.ini file only. But with DEAFULT user block it fails to authenticate. Please advise. -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From aaron.wasserott at viawest.com Mon Jun 16 18:44:05 2014 From: aaron.wasserott at viawest.com (Aaron Wasserott) Date: Mon, 16 Jun 2014 18:44:05 +0000 Subject: [tac_plus] user DEFAULT In-Reply-To: References: Message-ID: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6D96@mbx030-w1-co-6.exch030.domain.local> In your example below, you mis-spelled DEFAULT. Not sure if you spelled it correctly in your tac_plus.conf file. -----Original Message----- From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Asif Iqbal Sent: Monday, June 16, 2014 12:38 PM To: tac_plus at shrubbery.net Subject: [tac_plus] user DEFAULT Hi All. user = DEAFULT { login = PAM member = foo } I cannot login with my LDAP using this stanza. I needed to have my own account defined like below for a successful login. user = iqbala { login = PAM member = foo } Is that normal? I wanted to take advantage of the do_auth.py and define the user in the do_auth.ini file only. But with DEAFULT user block it fails to authenticate. Please advise. -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: _______________________________________________ tac_plus mailing list tac_plus at shrubbery.net http://www.shrubbery.net/mailman/listinfo/tac_plus From aaron.wasserott at viawest.com Mon Jun 16 19:02:05 2014 From: aaron.wasserott at viawest.com (Aaron Wasserott) Date: Mon, 16 Jun 2014 19:02:05 +0000 Subject: [tac_plus] Need help with do_auth config In-Reply-To: References: Message-ID: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6DAD@mbx030-w1-co-6.exch030.domain.local> In both do_auth.ini and tac_plus.conf be sure to spell the special username as "DEFAULT" - minding the upper-case. Do you have any log entries for that failed attempt in /root/do_auth/do_auth.log? Does your group doauthaccess have the same settings as the other regular group, other than the addition of after auth? What device type did you test against? I would test against Cisco IOS to start with until you get it working. You also might want to try toggling off the "-fix_crs_bug" flag and test login against IOS just to be safe. I've not used that flag before personally. -----Original Message----- From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Asif Iqbal Sent: Sunday, June 15, 2014 5:09 PM To: tac_plus at shrubbery.net Subject: [tac_plus] Need help with do_auth config Let me know if there is a separate mailing list for do_auth related questions. So I am trying to follow the do_auth.ini syntax and need some help. I have setup the config file like below and failing to authorize. Here is the do_auth.ini file [users] default = noprivs foo = newgroup [newgroup] host_allow = .* command_permit = show configuration.* device_permit = .* [noprivs] host_deny = .* device_deny = .* command_deny = .* Here is the error message Username: iqbala Password: % Authorization failed. Connection closed by foreign host. Here is the relevant part in tacacs.conf group = doauthaccess { after authorization "/usr/bin/python /root/do_auth/do_auth.pyc -i $address -fix_crs_bug -u $user -d $name -l /root/do_auth/do_auth.log -f /root/do_auth/do_auth.ini" } user = foo { login = PAM member = doauthaccess } If I change the member to another group which is regular group and not using after authorization, user ``foo'' can login fine. I must not do doing something right. Please advise. -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: _______________________________________________ tac_plus mailing list tac_plus at shrubbery.net http://www.shrubbery.net/mailman/listinfo/tac_plus From vadud3 at gmail.com Mon Jun 16 19:03:27 2014 From: vadud3 at gmail.com (Asif Iqbal) Date: Mon, 16 Jun 2014 15:03:27 -0400 Subject: [tac_plus] user DEFAULT In-Reply-To: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6D96@mbx030-w1-co-6.exch030.domain.local> References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6D96@mbx030-w1-co-6.exch030.domain.local> Message-ID: On Mon, Jun 16, 2014 at 2:44 PM, Aaron Wasserott < aaron.wasserott at viawest.com> wrote: > In your example below, you mis-spelled DEFAULT. Not sure if you spelled it > correctly in your tac_plus.conf file. > doh! Thanks! > > -----Original Message----- > From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Asif > Iqbal > Sent: Monday, June 16, 2014 12:38 PM > To: tac_plus at shrubbery.net > Subject: [tac_plus] user DEFAULT > > Hi All. > > user = DEAFULT { > login = PAM > member = foo > } > > I cannot login with my LDAP using this stanza. > > I needed to have my own account defined like below for a successful login. > > user = iqbala { > login = PAM > member = foo > } > > Is that normal? > > I wanted to take advantage of the do_auth.py and define the user in the > do_auth.ini file only. But with DEAFULT user block it fails to authenticate. > > Please advise. > > > -- > Asif Iqbal > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing? > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > http://www.shrubbery.net/pipermail/tac_plus/attachments/20140616/3babe586/attachment.html > > > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo/tac_plus > -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From vadud3 at gmail.com Mon Jun 16 19:30:43 2014 From: vadud3 at gmail.com (Asif Iqbal) Date: Mon, 16 Jun 2014 15:30:43 -0400 Subject: [tac_plus] Need help with do_auth config In-Reply-To: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6DAD@mbx030-w1-co-6.exch030.domain.local> References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6DAD@mbx030-w1-co-6.exch030.domain.local> Message-ID: On Mon, Jun 16, 2014 at 3:02 PM, Aaron Wasserott < aaron.wasserott at viawest.com> wrote: > In both do_auth.ini and tac_plus.conf be sure to spell the special > username as "DEFAULT" - minding the upper-case. > > Do you have any log entries for that failed attempt in > /root/do_auth/do_auth.log? > 2014-06-16 16:54:30,195 [CRITICAL]: Did you forget "default service = permit" in tac_plus.conf? That was if I did not have "default service = permit" in the doauthaccess group. > Does your group doauthaccess have the same settings as the other regular > group, other than the addition of after auth? > Yes > > What device type did you test against? I would test against Cisco IOS to > start with until you get it working. > > Alcatel Lucent. OK let me try against cisco > You also might want to try toggling off the "-fix_crs_bug" flag and test > login against IOS just to be safe. I've not used that flag before > personally. > > OK Thanks > -----Original Message----- > From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Asif > Iqbal > Sent: Sunday, June 15, 2014 5:09 PM > To: tac_plus at shrubbery.net > Subject: [tac_plus] Need help with do_auth config > > Let me know if there is a separate mailing list for do_auth related > questions. > > So I am trying to follow the do_auth.ini syntax and need some help. > > I have setup the config file like below and failing to authorize. > > Here is the do_auth.ini file > > [users] > default = > noprivs > foo = > newgroup > > [newgroup] > host_allow = > .* > command_permit = > show configuration.* > device_permit = > .* > > [noprivs] > host_deny = > .* > device_deny = > .* > command_deny = > .* > > Here is the error message > > Username: iqbala > Password: > % Authorization failed. > Connection closed by foreign host. > > > Here is the relevant part in tacacs.conf > > group = doauthaccess { > after authorization "/usr/bin/python /root/do_auth/do_auth.pyc -i > $address -fix_crs_bug -u $user -d $name -l /root/do_auth/do_auth.log -f > /root/do_auth/do_auth.ini" > } > > user = foo { > login = PAM > member = doauthaccess > } > > If I change the member to another group which is regular group and not > using after authorization, user ``foo'' can login fine. > > I must not do doing something right. > > Please advise. > > > > > -- > Asif Iqbal > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing? > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > http://www.shrubbery.net/pipermail/tac_plus/attachments/20140615/69fb3916/attachment.html > > > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo/tac_plus > -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From vadud3 at gmail.com Mon Jun 16 19:17:08 2014 From: vadud3 at gmail.com (Asif Iqbal) Date: Mon, 16 Jun 2014 15:17:08 -0400 Subject: [tac_plus] user DEFAULT - anyone can login? Message-ID: So if I understand correctly with the following stanza in tac_plus.conf anyone with valid LDAP credentials (PAM is pointing to LDAP in my case) can login to a router? user = DEFAULT { login = PAM member = doauthaccess } I am guessing I cannot really use this should I want to limit who can login? I guess I cannot take advantage of do_auth to prevent login since it gets called after authorization? May be I can use do_auth with before authorization as well and define the allowed users under the [users] stanza and limti that way if I want to shrink my tac_plus conf user blocks to just DEFAULT? Please advise. -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From aaron.wasserott at viawest.com Mon Jun 16 20:20:49 2014 From: aaron.wasserott at viawest.com (Aaron Wasserott) Date: Mon, 16 Jun 2014 20:20:49 +0000 Subject: [tac_plus] user DEFAULT - anyone can login? In-Reply-To: References: Message-ID: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6E1A@mbx030-w1-co-6.exch030.domain.local> If you use DEFAULT in both tac_plus.conf and do_auth.ini then, no, you could not restrict who can login to what. Only restriction there would be locking that user account in LDAP/AD to prevent any access for that user. But you could use DEFAULT in tac_plus.conf and then define users/groups in do_auth.ini you can restrict it that way who can login to what. I remember reading your emails before, and it sounds like you have a pretty complicated user base setup. The best way is to model user access around the tried-and-true tier groups, like tier1, tier2, tier3. Then you could have those three groups defined in tac_plus.conf pointing to different do_auth.ini files that control access to certain devices. The big issue for you will be something you mentioned a few weeks back, where you said you want users in different groups. You might want to think about letting more trusted/privileged users have access to things they don't necessary need, so you can just stick them in one group like tier2. -----Original Message----- From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Asif Iqbal Sent: Monday, June 16, 2014 1:17 PM To: tac_plus at shrubbery.net Subject: [tac_plus] user DEFAULT - anyone can login? So if I understand correctly with the following stanza in tac_plus.conf anyone with valid LDAP credentials (PAM is pointing to LDAP in my case) can login to a router? user = DEFAULT { login = PAM member = doauthaccess } I am guessing I cannot really use this should I want to limit who can login? I guess I cannot take advantage of do_auth to prevent login since it gets called after authorization? May be I can use do_auth with before authorization as well and define the allowed users under the [users] stanza and limti that way if I want to shrink my tac_plus conf user blocks to just DEFAULT? Please advise. -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: _______________________________________________ tac_plus mailing list tac_plus at shrubbery.net http://www.shrubbery.net/mailman/listinfo/tac_plus From vadud3 at gmail.com Mon Jun 16 21:02:43 2014 From: vadud3 at gmail.com (Asif Iqbal) Date: Mon, 16 Jun 2014 17:02:43 -0400 Subject: [tac_plus] user DEFAULT - anyone can login? In-Reply-To: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6E1A@mbx030-w1-co-6.exch030.domain.local> References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6E1A@mbx030-w1-co-6.exch030.domain.local> Message-ID: On Mon, Jun 16, 2014 at 4:20 PM, Aaron Wasserott < aaron.wasserott at viawest.com> wrote: > If you use DEFAULT in both tac_plus.conf and do_auth.ini then, no, you > could not restrict who can login to what. Only restriction there would be > locking that user account in LDAP/AD to prevent any access for that user. > > But you could use DEFAULT in tac_plus.conf and then define users/groups in > do_auth.ini you can restrict it that way who can login to what. > device_deny is not being honored. [users] DEFAULT = noprivs iqbala = noprivs [noprivs] host_deny = .* host_allow = device_deny = .* device_allow = command_deny = .* command_permit = user ``iqbala'' still can login to a router. command_deny works fine. I do not see any log > I remember reading your emails before, and it sounds like you have a > pretty complicated user base setup. The best way is to model user access > around the tried-and-true tier groups, like tier1, tier2, tier3. Then you > could have those three groups defined in tac_plus.conf pointing to > different do_auth.ini files that control access to certain devices. The big > issue for you will be something you mentioned a few weeks back, where you > said you want users in different groups. You might want to think about > letting more trusted/privileged users have access to things they don't > necessary need, so you can just stick them in one group like tier2. > > -----Original Message----- > From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Asif > Iqbal > Sent: Monday, June 16, 2014 1:17 PM > To: tac_plus at shrubbery.net > Subject: [tac_plus] user DEFAULT - anyone can login? > > So if I understand correctly with the following stanza in tac_plus.conf > anyone with valid LDAP credentials (PAM is pointing to LDAP in my case) can > login to a router? > > user = DEFAULT { > login = PAM > member = doauthaccess > } > > I am guessing I cannot really use this should I want to limit who can > login? > > I guess I cannot take advantage of do_auth to prevent login since it gets > called after authorization? > > May be I can use do_auth with before authorization as well and define the > allowed users under the [users] stanza and limti that way if I want to > shrink my tac_plus conf user blocks to just DEFAULT? > > Please advise. > > -- > Asif Iqbal > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing? > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > http://www.shrubbery.net/pipermail/tac_plus/attachments/20140616/321bd514/attachment.html > > > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo/tac_plus > -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From vadud3 at gmail.com Mon Jun 16 21:20:28 2014 From: vadud3 at gmail.com (Asif Iqbal) Date: Mon, 16 Jun 2014 17:20:28 -0400 Subject: [tac_plus] user DEFAULT - anyone can login? In-Reply-To: References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6E1A@mbx030-w1-co-6.exch030.domain.local> Message-ID: On Mon, Jun 16, 2014 at 5:02 PM, Asif Iqbal wrote: > > > > On Mon, Jun 16, 2014 at 4:20 PM, Aaron Wasserott < > aaron.wasserott at viawest.com> wrote: > >> If you use DEFAULT in both tac_plus.conf and do_auth.ini then, no, you >> could not restrict who can login to what. Only restriction there would be >> locking that user account in LDAP/AD to prevent any access for that user. >> >> But you could use DEFAULT in tac_plus.conf and then define users/groups >> in do_auth.ini you can restrict it that way who can login to what. >> > > device_deny is not being honored. > > [users] > DEFAULT = > noprivs > iqbala = > noprivs > [noprivs] > host_deny = > .* > host_allow = > device_deny = > .* > device_allow = > command_deny = > .* > command_permit = > > user ``iqbala'' still can login to a router. command_deny works fine. > > I do not see any log > Oh yeah, DEFAULT on both tac_plus.conf and do_auth.ini and then device_deny works. > >> I remember reading your emails before, and it sounds like you have a >> pretty complicated user base setup. The best way is to model user access >> around the tried-and-true tier groups, like tier1, tier2, tier3. Then you >> could have those three groups defined in tac_plus.conf pointing to >> different do_auth.ini files that control access to certain devices. The big >> issue for you will be something you mentioned a few weeks back, where you >> said you want users in different groups. You might want to think about >> letting more trusted/privileged users have access to things they don't >> necessary need, so you can just stick them in one group like tier2. >> >> So I have over 1500 network devices. Each vendor type gets it own instance of tac_plus which can point to separate do_auth.ini file like you suggested. Otherwise I have to consolidate all the devices in permit or deny block for different groups. That would be nightmare if I want to consolidate to one do_auth.ini file. Plus it will be slow to read through list of devices for each authorization request for 1000s of employees. May be there should be database option to read for device lists to make it perform well. > -----Original Message----- >> From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Asif >> Iqbal >> Sent: Monday, June 16, 2014 1:17 PM >> To: tac_plus at shrubbery.net >> Subject: [tac_plus] user DEFAULT - anyone can login? >> >> So if I understand correctly with the following stanza in tac_plus.conf >> anyone with valid LDAP credentials (PAM is pointing to LDAP in my case) can >> login to a router? >> >> user = DEFAULT { >> login = PAM >> member = doauthaccess >> } >> >> I am guessing I cannot really use this should I want to limit who can >> login? >> >> I guess I cannot take advantage of do_auth to prevent login since it gets >> called after authorization? >> >> May be I can use do_auth with before authorization as well and define the >> allowed users under the [users] stanza and limti that way if I want to >> shrink my tac_plus conf user blocks to just DEFAULT? >> >> Please advise. >> >> -- >> Asif Iqbal >> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu >> A: Because it messes up the order in which people normally read text. >> Q: Why is top-posting such a bad thing? >> -------------- next part -------------- >> An HTML attachment was scrubbed... >> URL: < >> http://www.shrubbery.net/pipermail/tac_plus/attachments/20140616/321bd514/attachment.html >> > >> _______________________________________________ >> tac_plus mailing list >> tac_plus at shrubbery.net >> http://www.shrubbery.net/mailman/listinfo/tac_plus >> > > > > -- > Asif Iqbal > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing? > > -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From aaron.wasserott at viawest.com Mon Jun 16 21:52:33 2014 From: aaron.wasserott at viawest.com (Aaron Wasserott) Date: Mon, 16 Jun 2014 21:52:33 +0000 Subject: [tac_plus] user DEFAULT - anyone can login? In-Reply-To: References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6E1A@mbx030-w1-co-6.exch030.domain.local> Message-ID: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6F08@mbx030-w1-co-6.exch030.domain.local> I think the issue you were seeing with still having access for that user is because you have DEFAULT user listed first. do_auth will act on the first match it finds. In my do_auth.ini files I put the DEFAULT user after all the specific users as a catch-all. From: Asif Iqbal [mailto:vadud3 at gmail.com] Sent: Monday, June 16, 2014 3:20 PM To: Aaron Wasserott Cc: tac_plus at shrubbery.net Subject: Re: [tac_plus] user DEFAULT - anyone can login? On Mon, Jun 16, 2014 at 5:02 PM, Asif Iqbal > wrote: On Mon, Jun 16, 2014 at 4:20 PM, Aaron Wasserott > wrote: If you use DEFAULT in both tac_plus.conf and do_auth.ini then, no, you could not restrict who can login to what. Only restriction there would be locking that user account in LDAP/AD to prevent any access for that user. But you could use DEFAULT in tac_plus.conf and then define users/groups in do_auth.ini you can restrict it that way who can login to what. device_deny is not being honored. [users] DEFAULT = noprivs iqbala = noprivs [noprivs] host_deny = .* host_allow = device_deny = .* device_allow = command_deny = .* command_permit = user ``iqbala'' still can login to a router. command_deny works fine. I do not see any log Oh yeah, DEFAULT on both tac_plus.conf and do_auth.ini and then device_deny works. I remember reading your emails before, and it sounds like you have a pretty complicated user base setup. The best way is to model user access around the tried-and-true tier groups, like tier1, tier2, tier3. Then you could have those three groups defined in tac_plus.conf pointing to different do_auth.ini files that control access to certain devices. The big issue for you will be something you mentioned a few weeks back, where you said you want users in different groups. You might want to think about letting more trusted/privileged users have access to things they don't necessary need, so you can just stick them in one group like tier2. So I have over 1500 network devices. Each vendor type gets it own instance of tac_plus which can point to separate do_auth.ini file like you suggested. Otherwise I have to consolidate all the devices in permit or deny block for different groups. That would be nightmare if I want to consolidate to one do_auth.ini file. Plus it will be slow to read through list of devices for each authorization request for 1000s of employees. May be there should be database option to read for device lists to make it perform well. -----Original Message----- From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Asif Iqbal Sent: Monday, June 16, 2014 1:17 PM To: tac_plus at shrubbery.net Subject: [tac_plus] user DEFAULT - anyone can login? So if I understand correctly with the following stanza in tac_plus.conf anyone with valid LDAP credentials (PAM is pointing to LDAP in my case) can login to a router? user = DEFAULT { login = PAM member = doauthaccess } I am guessing I cannot really use this should I want to limit who can login? I guess I cannot take advantage of do_auth to prevent login since it gets called after authorization? May be I can use do_auth with before authorization as well and define the allowed users under the [users] stanza and limti that way if I want to shrink my tac_plus conf user blocks to just DEFAULT? Please advise. -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: _______________________________________________ tac_plus mailing list tac_plus at shrubbery.net http://www.shrubbery.net/mailman/listinfo/tac_plus -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From alan.mckinnon at gmail.com Mon Jun 16 22:07:14 2014 From: alan.mckinnon at gmail.com (Alan McKinnon) Date: Tue, 17 Jun 2014 00:07:14 +0200 Subject: [tac_plus] user DEFAULT - anyone can login? In-Reply-To: References: Message-ID: <539F6A92.7090409@gmail.com> On 16/06/2014 21:17, Asif Iqbal wrote: > So if I understand correctly with the following stanza in tac_plus.conf > anyone with valid LDAP credentials (PAM is pointing to LDAP in my case) > can login to a router? > > user = DEFAULT { > login = PAM > member = doauthaccess > } > > I am guessing I cannot really use this should I want to limit > who can login? Yes and no - see below. As with all things in life, the truth is a little more complex than at first appears. > I guess I cannot take advantage of do_auth to prevent login since > it gets called after authorization? Yes you can use do_auth, but there is a lot to know about this area. First look at the standard tac_plus behaviour: 1. Authentication happens, this just verifies the username exists and the password matches. 2. Login authorization happens. This is simplicity itself - if the user has any permit clauses in a cmd stanza, the user is permitted to exec a shell (the docs express this as is it is pointless permitting the user to run a command if they can't get a shell) Summary: with tac_plus, if the user has an ldap account and at least one active cmd permit, then they can log in. Contrast with a post authorization script - this script always gets called with login as login is not purely an authentication action. IIRC Dan's script acts similarly to tac_plus default. But there's nothing stopping you from writing code to check whatever you wish in ldap and allow or disallow login based on that. You don't have such code yet, you must write it :-) tac_plus does this with a post-auth script: 1. If everything looks legit in tac_plus for this user, the script is called, tac_plus acts as if the authorization is going to be allowed. 2. If the script returns exit code 0 or 2, the action is authorized 3. If the script returns exit code 1, the action is not authorized > > May be I can use do_auth with before authorization as well and > define the allowed users under the [users] stanza and limti that > way if I want to shrink my tac_plus conf user blocks to just DEFAULT? That might work, you could use some form of groups in ldap (eg to be able to log in to routers you must be in group X). This involves 2 ldap lookups - one by the pre-auth script, one by tac_plus to authenticate the user Unfortunately, this area is fraught with problems and difficulties. It all looks so simple on paper but custom code gets real ugly real quick as you have to cover all bases and make no assumptions about behaviour. I'd advise you to read all the docs in the tarball several times as well as the draft RFC on TACACS+ that is out there -- Alan McKinnon alan.mckinnon at gmail.com From vadud3 at gmail.com Tue Jun 17 15:08:17 2014 From: vadud3 at gmail.com (Asif Iqbal) Date: Tue, 17 Jun 2014 11:08:17 -0400 Subject: [tac_plus] user DEFAULT - anyone can login? In-Reply-To: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6F08@mbx030-w1-co-6.exch030.domain.local> References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6E1A@mbx030-w1-co-6.exch030.domain.local> <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6F08@mbx030-w1-co-6.exch030.domain.local> Message-ID: On Mon, Jun 16, 2014 at 5:52 PM, Aaron Wasserott < aaron.wasserott at viawest.com> wrote: > I think the issue you were seeing with still having access for that user > is because you have DEFAULT user listed first. do_auth will act on the > first match it finds. In my do_auth.ini files I put the DEFAULT user after > all the specific users as a catch-all. > I am failing to connect to any router with this config and not seeing any log do_auth.ini ======== [users] DEFAULT = opseng [opseng] host_allow = .* device_permit = .* command_deny = clear "^route-map counters" show "^list" debug "^all" mpls "traffic-eng attribute-flags" no "^ip routing" no "^router .*" write ^terminal command_permit = clear .* show .* debug .* ## prevent setting admin-group < 2^16... must be 6 decimal digits mpls "traffic-eng attribute-flags [0-9][0-9][0-9][0-9][0-9][0-9]" mpls .* no .* write .* tac_plus.conf =========== group = doauthaccess { default service = permit service = exec { priv-lvl = 15 idletime = 10 } after authorization "/usr/bin/python /root/do_auth/do_auth_orig.py -i $address -u $user -d $name -l /root/do_auth/do_auth.log -f /root/do_auth/do_auth.ini" } user = DEFAULT { pap = PAM login = PAM member = doauthaccess } enabled DEBUG on do_auth.py DEBUG = os.getenv('DEBUG', True) I am not seeing any log in do_auth.log What am I doing wrong? > > > *From:* Asif Iqbal [mailto:vadud3 at gmail.com] > *Sent:* Monday, June 16, 2014 3:20 PM > *To:* Aaron Wasserott > *Cc:* tac_plus at shrubbery.net > *Subject:* Re: [tac_plus] user DEFAULT - anyone can login? > > > > > > > > On Mon, Jun 16, 2014 at 5:02 PM, Asif Iqbal wrote: > > > > > > On Mon, Jun 16, 2014 at 4:20 PM, Aaron Wasserott < > aaron.wasserott at viawest.com> wrote: > > If you use DEFAULT in both tac_plus.conf and do_auth.ini then, no, you > could not restrict who can login to what. Only restriction there would be > locking that user account in LDAP/AD to prevent any access for that user. > > But you could use DEFAULT in tac_plus.conf and then define users/groups in > do_auth.ini you can restrict it that way who can login to what. > > > > device_deny is not being honored. > > > > [users] > > DEFAULT = > > noprivs > > iqbala = > > noprivs > > [noprivs] > > host_deny = > > .* > > host_allow = > > device_deny = > > .* > > device_allow = > > command_deny = > > .* > > command_permit = > > > > user ``iqbala'' still can login to a router. command_deny works fine. > > > > I do not see any log > > > > > > > > Oh yeah, DEFAULT on both tac_plus.conf and do_auth.ini and then > device_deny works. > > > > > > > > > > > I remember reading your emails before, and it sounds like you have a > pretty complicated user base setup. The best way is to model user access > around the tried-and-true tier groups, like tier1, tier2, tier3. Then you > could have those three groups defined in tac_plus.conf pointing to > different do_auth.ini files that control access to certain devices. The big > issue for you will be something you mentioned a few weeks back, where you > said you want users in different groups. You might want to think about > letting more trusted/privileged users have access to things they don't > necessary need, so you can just stick them in one group like tier2. > > > > > > > > So I have over 1500 network devices. Each vendor type gets it own instance > of tac_plus which can point to > > separate do_auth.ini file like you suggested. > > > > Otherwise I have to consolidate all the devices in permit or deny block > for different groups. That would be nightmare if I want to consolidate to > one do_auth.ini file. Plus it will be slow to read through list of devices > for each authorization request for 1000s of employees. May be there should > be database option to read for device lists to make it perform well. > > > > > > -----Original Message----- > From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Asif > Iqbal > Sent: Monday, June 16, 2014 1:17 PM > To: tac_plus at shrubbery.net > Subject: [tac_plus] user DEFAULT - anyone can login? > > So if I understand correctly with the following stanza in tac_plus.conf > anyone with valid LDAP credentials (PAM is pointing to LDAP in my case) can > login to a router? > > user = DEFAULT { > login = PAM > member = doauthaccess > } > > I am guessing I cannot really use this should I want to limit who can > login? > > I guess I cannot take advantage of do_auth to prevent login since it gets > called after authorization? > > May be I can use do_auth with before authorization as well and define the > allowed users under the [users] stanza and limti that way if I want to > shrink my tac_plus conf user blocks to just DEFAULT? > > Please advise. > > -- > Asif Iqbal > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing? > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > http://www.shrubbery.net/pipermail/tac_plus/attachments/20140616/321bd514/attachment.html > > > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo/tac_plus > > > > > > -- > Asif Iqbal > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing? > > > > > > -- > Asif Iqbal > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing? > -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From vadud3 at gmail.com Tue Jun 17 16:44:10 2014 From: vadud3 at gmail.com (Asif Iqbal) Date: Tue, 17 Jun 2014 12:44:10 -0400 Subject: [tac_plus] user DEFAULT - anyone can login? In-Reply-To: References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6E1A@mbx030-w1-co-6.exch030.domain.local> <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6F08@mbx030-w1-co-6.exch030.domain.local> Message-ID: On Tue, Jun 17, 2014 at 11:08 AM, Asif Iqbal wrote: > > > > On Mon, Jun 16, 2014 at 5:52 PM, Aaron Wasserott < > aaron.wasserott at viawest.com> wrote: > >> I think the issue you were seeing with still having access for that >> user is because you have DEFAULT user listed first. do_auth will act on >> the first match it finds. In my do_auth.ini files I put the DEFAULT user >> after all the specific users as a catch-all. >> > > I am failing to connect to any router with this config and not seeing any > log > > do_auth.ini > ======== > [users] > DEFAULT = > opseng > [opseng] > host_allow = > .* > device_permit = > .* > command_deny = > clear "^route-map counters" > show "^list" > debug "^all" > mpls "traffic-eng attribute-flags" > no "^ip routing" > no "^router .*" > write ^terminal > command_permit = > clear .* > show .* > debug .* > ## prevent setting admin-group < 2^16... must be 6 decimal digits > mpls "traffic-eng attribute-flags [0-9][0-9][0-9][0-9][0-9][0-9]" > mpls .* > no .* > write .* > > tac_plus.conf > =========== > group = doauthaccess { > default service = permit > service = exec { > priv-lvl = 15 > idletime = 10 > } > after authorization "/usr/bin/python /root/do_auth/do_auth_orig.py > -i $address -u $user -d $name -l /root/do_auth/do_auth.log -f > /root/do_auth/do_auth.ini" > } > > user = DEFAULT { > pap = PAM > login = PAM > member = doauthaccess > } > > enabled DEBUG on do_auth.py > > DEBUG = os.getenv('DEBUG', True) > > I am not seeing any log in do_auth.log > I guess there is no log because user = DEFAULT {..} block is never consulted. man page says: " default authentication By default, authentication fails for users that do not appear in the configuration file. This overrides that behavior, thus permitting all authentication requests for such users. default authentication = file Such users will be authentication via the "DEFAULT". " So that explains why I do not see any log, since I am not using default authentication = file . I am using login = PAM for users. So to comply with that I added default authentication = file /etc/tacacs-passwd and added my account in there. Now I can login with user = DEFAULT {..} and I do see logs and DEBUG logs in do_auth.log file. Is there a way I can make default authentication = PAM ? Our LDAP password changes frequently as corporate policy. sync up that password to /etc/tacacs-passwd would be pain. We have no admin access to corporate LDAP to force sync that to /etc/tacacs-passwd. > What am I doing wrong? > > > >> >> >> *From:* Asif Iqbal [mailto:vadud3 at gmail.com] >> *Sent:* Monday, June 16, 2014 3:20 PM >> *To:* Aaron Wasserott >> *Cc:* tac_plus at shrubbery.net >> *Subject:* Re: [tac_plus] user DEFAULT - anyone can login? >> >> >> >> >> >> >> >> On Mon, Jun 16, 2014 at 5:02 PM, Asif Iqbal wrote: >> >> >> >> >> >> On Mon, Jun 16, 2014 at 4:20 PM, Aaron Wasserott < >> aaron.wasserott at viawest.com> wrote: >> >> If you use DEFAULT in both tac_plus.conf and do_auth.ini then, no, you >> could not restrict who can login to what. Only restriction there would be >> locking that user account in LDAP/AD to prevent any access for that user. >> >> But you could use DEFAULT in tac_plus.conf and then define users/groups >> in do_auth.ini you can restrict it that way who can login to what. >> >> >> >> device_deny is not being honored. >> >> >> >> [users] >> >> DEFAULT = >> >> noprivs >> >> iqbala = >> >> noprivs >> >> [noprivs] >> >> host_deny = >> >> .* >> >> host_allow = >> >> device_deny = >> >> .* >> >> device_allow = >> >> command_deny = >> >> .* >> >> command_permit = >> >> >> >> user ``iqbala'' still can login to a router. command_deny works fine. >> >> >> >> I do not see any log >> >> >> >> >> >> >> >> Oh yeah, DEFAULT on both tac_plus.conf and do_auth.ini and then >> device_deny works. >> >> >> >> >> >> >> >> >> >> >> I remember reading your emails before, and it sounds like you have a >> pretty complicated user base setup. The best way is to model user access >> around the tried-and-true tier groups, like tier1, tier2, tier3. Then you >> could have those three groups defined in tac_plus.conf pointing to >> different do_auth.ini files that control access to certain devices. The big >> issue for you will be something you mentioned a few weeks back, where you >> said you want users in different groups. You might want to think about >> letting more trusted/privileged users have access to things they don't >> necessary need, so you can just stick them in one group like tier2. >> >> >> >> >> >> >> >> So I have over 1500 network devices. Each vendor type gets it own >> instance of tac_plus which can point to >> >> separate do_auth.ini file like you suggested. >> >> >> >> Otherwise I have to consolidate all the devices in permit or deny block >> for different groups. That would be nightmare if I want to consolidate to >> one do_auth.ini file. Plus it will be slow to read through list of devices >> for each authorization request for 1000s of employees. May be there should >> be database option to read for device lists to make it perform well. >> >> >> >> >> >> -----Original Message----- >> From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Asif >> Iqbal >> Sent: Monday, June 16, 2014 1:17 PM >> To: tac_plus at shrubbery.net >> Subject: [tac_plus] user DEFAULT - anyone can login? >> >> So if I understand correctly with the following stanza in tac_plus.conf >> anyone with valid LDAP credentials (PAM is pointing to LDAP in my case) can >> login to a router? >> >> user = DEFAULT { >> login = PAM >> member = doauthaccess >> } >> >> I am guessing I cannot really use this should I want to limit who can >> login? >> >> I guess I cannot take advantage of do_auth to prevent login since it gets >> called after authorization? >> >> May be I can use do_auth with before authorization as well and define the >> allowed users under the [users] stanza and limti that way if I want to >> shrink my tac_plus conf user blocks to just DEFAULT? >> >> Please advise. >> >> -- >> Asif Iqbal >> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu >> A: Because it messes up the order in which people normally read text. >> Q: Why is top-posting such a bad thing? >> >> -------------- next part -------------- >> An HTML attachment was scrubbed... >> URL: < >> http://www.shrubbery.net/pipermail/tac_plus/attachments/20140616/321bd514/attachment.html >> > >> _______________________________________________ >> tac_plus mailing list >> tac_plus at shrubbery.net >> http://www.shrubbery.net/mailman/listinfo/tac_plus >> >> >> >> >> >> -- >> Asif Iqbal >> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu >> A: Because it messes up the order in which people normally read text. >> Q: Why is top-posting such a bad thing? >> >> >> >> >> >> -- >> Asif Iqbal >> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu >> A: Because it messes up the order in which people normally read text. >> Q: Why is top-posting such a bad thing? >> > > > > -- > Asif Iqbal > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing? > > -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From vadud3 at gmail.com Tue Jun 17 17:17:03 2014 From: vadud3 at gmail.com (Asif Iqbal) Date: Tue, 17 Jun 2014 13:17:03 -0400 Subject: [tac_plus] user DEFAULT - anyone can login? In-Reply-To: References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6E1A@mbx030-w1-co-6.exch030.domain.local> <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6F08@mbx030-w1-co-6.exch030.domain.local>

Message-ID: On Tue, Jun 17, 2014 at 12:44 PM, Asif Iqbal wrote: > > > > On Tue, Jun 17, 2014 at 11:08 AM, Asif Iqbal wrote: > >> >> >> >> On Mon, Jun 16, 2014 at 5:52 PM, Aaron Wasserott < >> aaron.wasserott at viawest.com> wrote: >> >>> I think the issue you were seeing with still having access for that >>> user is because you have DEFAULT user listed first. do_auth will act on >>> the first match it finds. In my do_auth.ini files I put the DEFAULT user >>> after all the specific users as a catch-all. >>> >> >> I am failing to connect to any router with this config and not seeing any >> log >> >> do_auth.ini >> ======== >> [users] >> DEFAULT = >> opseng >> [opseng] >> host_allow = >> .* >> device_permit = >> .* >> command_deny = >> clear "^route-map counters" >> show "^list" >> debug "^all" >> mpls "traffic-eng attribute-flags" >> no "^ip routing" >> no "^router .*" >> write ^terminal >> command_permit = >> clear .* >> show .* >> debug .* >> ## prevent setting admin-group < 2^16... must be 6 decimal digits >> mpls "traffic-eng attribute-flags [0-9][0-9][0-9][0-9][0-9][0-9]" >> mpls .* >> no .* >> write .* >> >> tac_plus.conf >> =========== >> group = doauthaccess { >> default service = permit >> service = exec { >> priv-lvl = 15 >> idletime = 10 >> } >> after authorization "/usr/bin/python >> /root/do_auth/do_auth_orig.py -i $address -u $user -d $name -l >> /root/do_auth/do_auth.log -f /root/do_auth/do_auth.ini" >> } >> >> user = DEFAULT { >> pap = PAM >> login = PAM >> member = doauthaccess >> } >> >> enabled DEBUG on do_auth.py >> >> DEBUG = os.getenv('DEBUG', True) >> >> I am not seeing any log in do_auth.log >> > > I guess there is no log because user = DEFAULT {..} block is never > consulted. > > man page says: > > " > default authentication > By default, authentication fails for users that do not > appear in the configuration file. This > overrides that behavior, thus permitting all authentication > requests for such users. > > default authentication = file > > Such users will be authentication via the "DEFAULT". > " > > So that explains why I do not see any log, since I am not using default > authentication = file . > I am using login = PAM for users. > > So to comply with that I added default authentication = file > /etc/tacacs-passwd and added my account > in there. > > Now I can login with user = DEFAULT {..} and I do see logs and DEBUG logs > in do_auth.log file. > > Is there a way I can make default authentication = PAM ? > This does not work today. Errors out Tue Jun 17 17:15:51 2014 [11884]: Error expecting 'file' but found 'PAM' on line 7 > Our LDAP password changes frequently as corporate policy. sync up that > password to /etc/tacacs-passwd would be pain. We have no admin access to > corporate LDAP to force sync that to /etc/tacacs-passwd. > > > > >> What am I doing wrong? >> >> >> >>> >>> >>> *From:* Asif Iqbal [mailto:vadud3 at gmail.com] >>> *Sent:* Monday, June 16, 2014 3:20 PM >>> *To:* Aaron Wasserott >>> *Cc:* tac_plus at shrubbery.net >>> *Subject:* Re: [tac_plus] user DEFAULT - anyone can login? >>> >>> >>> >>> >>> >>> >>> >>> On Mon, Jun 16, 2014 at 5:02 PM, Asif Iqbal wrote: >>> >>> >>> >>> >>> >>> On Mon, Jun 16, 2014 at 4:20 PM, Aaron Wasserott < >>> aaron.wasserott at viawest.com> wrote: >>> >>> If you use DEFAULT in both tac_plus.conf and do_auth.ini then, no, you >>> could not restrict who can login to what. Only restriction there would be >>> locking that user account in LDAP/AD to prevent any access for that user. >>> >>> But you could use DEFAULT in tac_plus.conf and then define users/groups >>> in do_auth.ini you can restrict it that way who can login to what. >>> >>> >>> >>> device_deny is not being honored. >>> >>> >>> >>> [users] >>> >>> DEFAULT = >>> >>> noprivs >>> >>> iqbala = >>> >>> noprivs >>> >>> [noprivs] >>> >>> host_deny = >>> >>> .* >>> >>> host_allow = >>> >>> device_deny = >>> >>> .* >>> >>> device_allow = >>> >>> command_deny = >>> >>> .* >>> >>> command_permit = >>> >>> >>> >>> user ``iqbala'' still can login to a router. command_deny works fine. >>> >>> >>> >>> I do not see any log >>> >>> >>> >>> >>> >>> >>> >>> Oh yeah, DEFAULT on both tac_plus.conf and do_auth.ini and then >>> device_deny works. >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> I remember reading your emails before, and it sounds like you have a >>> pretty complicated user base setup. The best way is to model user access >>> around the tried-and-true tier groups, like tier1, tier2, tier3. Then you >>> could have those three groups defined in tac_plus.conf pointing to >>> different do_auth.ini files that control access to certain devices. The big >>> issue for you will be something you mentioned a few weeks back, where you >>> said you want users in different groups. You might want to think about >>> letting more trusted/privileged users have access to things they don't >>> necessary need, so you can just stick them in one group like tier2. >>> >>> >>> >>> >>> >>> >>> >>> So I have over 1500 network devices. Each vendor type gets it own >>> instance of tac_plus which can point to >>> >>> separate do_auth.ini file like you suggested. >>> >>> >>> >>> Otherwise I have to consolidate all the devices in permit or deny block >>> for different groups. That would be nightmare if I want to consolidate to >>> one do_auth.ini file. Plus it will be slow to read through list of devices >>> for each authorization request for 1000s of employees. May be there should >>> be database option to read for device lists to make it perform well. >>> >>> >>> >>> >>> >>> -----Original Message----- >>> From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of >>> Asif Iqbal >>> Sent: Monday, June 16, 2014 1:17 PM >>> To: tac_plus at shrubbery.net >>> Subject: [tac_plus] user DEFAULT - anyone can login? >>> >>> So if I understand correctly with the following stanza in tac_plus.conf >>> anyone with valid LDAP credentials (PAM is pointing to LDAP in my case) can >>> login to a router? >>> >>> user = DEFAULT { >>> login = PAM >>> member = doauthaccess >>> } >>> >>> I am guessing I cannot really use this should I want to limit who can >>> login? >>> >>> I guess I cannot take advantage of do_auth to prevent login since it >>> gets called after authorization? >>> >>> May be I can use do_auth with before authorization as well and define >>> the allowed users under the [users] stanza and limti that way if I want to >>> shrink my tac_plus conf user blocks to just DEFAULT? >>> >>> Please advise. >>> >>> -- >>> Asif Iqbal >>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu >>> A: Because it messes up the order in which people normally read text. >>> Q: Why is top-posting such a bad thing? >>> >>> -------------- next part -------------- >>> An HTML attachment was scrubbed... >>> URL: < >>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20140616/321bd514/attachment.html >>> > >>> _______________________________________________ >>> tac_plus mailing list >>> tac_plus at shrubbery.net >>> http://www.shrubbery.net/mailman/listinfo/tac_plus >>> >>> >>> >>> >>> >>> -- >>> Asif Iqbal >>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu >>> A: Because it messes up the order in which people normally read text. >>> Q: Why is top-posting such a bad thing? >>> >>> >>> >>> >>> >>> -- >>> Asif Iqbal >>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu >>> A: Because it messes up the order in which people normally read text. >>> Q: Why is top-posting such a bad thing? >>> >> >> >> >> -- >> Asif Iqbal >> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu >> A: Because it messes up the order in which people normally read text. >> Q: Why is top-posting such a bad thing? >> >> > > > -- > Asif Iqbal > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing? > > -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From daniel.schmidt at wyo.gov Tue Jun 17 18:31:30 2014 From: daniel.schmidt at wyo.gov (Daniel Schmidt) Date: Tue, 17 Jun 2014 12:31:30 -0600 Subject: [tac_plus] Need help with do_auth config In-Reply-To: References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6DAD@mbx030-w1-co-6.exch030.domain.local> Message-ID: I've never had a Alcatel Lucent switch to test. I'm not sure what options it sends; getopt does not correctly parse missing fields. (hence the -fix_crs_bug option) When I get time, I need to iterate through sys.argv[1:] and remove any blank options. On Mon, Jun 16, 2014 at 1:30 PM, Asif Iqbal wrote: > On Mon, Jun 16, 2014 at 3:02 PM, Aaron Wasserott < > aaron.wasserott at viawest.com> wrote: > > > In both do_auth.ini and tac_plus.conf be sure to spell the special > > username as "DEFAULT" - minding the upper-case. > > > > Do you have any log entries for that failed attempt in > > /root/do_auth/do_auth.log? > > > > 2014-06-16 16:54:30,195 [CRITICAL]: Did you forget "default service = > permit" in tac_plus.conf? > > That was if I did not have "default service = permit" in the doauthaccess > group. > > > > Does your group doauthaccess have the same settings as the other regular > > group, other than the addition of after auth? > > > > Yes > > > > > > > What device type did you test against? I would test against Cisco IOS to > > start with until you get it working. > > > > > Alcatel Lucent. > > OK let me try against cisco > > > > > You also might want to try toggling off the "-fix_crs_bug" flag and test > > login against IOS just to be safe. I've not used that flag before > > personally. > > > > > OK > > Thanks > > > > > -----Original Message----- > > From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Asif > > Iqbal > > Sent: Sunday, June 15, 2014 5:09 PM > > To: tac_plus at shrubbery.net > > Subject: [tac_plus] Need help with do_auth config > > > > Let me know if there is a separate mailing list for do_auth related > > questions. > > > > So I am trying to follow the do_auth.ini syntax and need some help. > > > > I have setup the config file like below and failing to authorize. > > > > Here is the do_auth.ini file > > > > [users] > > default = > > noprivs > > foo = > > newgroup > > > > [newgroup] > > host_allow = > > .* > > command_permit = > > show configuration.* > > device_permit = > > .* > > > > [noprivs] > > host_deny = > > .* > > device_deny = > > .* > > command_deny = > > .* > > > > Here is the error message > > > > Username: iqbala > > Password: > > % Authorization failed. > > Connection closed by foreign host. > > > > > > Here is the relevant part in tacacs.conf > > > > group = doauthaccess { > > after authorization "/usr/bin/python /root/do_auth/do_auth.pyc -i > > $address -fix_crs_bug -u $user -d $name -l /root/do_auth/do_auth.log -f > > /root/do_auth/do_auth.ini" > > } > > > > user = foo { > > login = PAM > > member = doauthaccess > > } > > > > If I change the member to another group which is regular group and not > > using after authorization, user ``foo'' can login fine. > > > > I must not do doing something right. > > > > Please advise. > > > > > > > > > > -- > > Asif Iqbal > > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu > > A: Because it messes up the order in which people normally read text. > > Q: Why is top-posting such a bad thing? > > -------------- next part -------------- > > An HTML attachment was scrubbed... > > URL: < > > > http://www.shrubbery.net/pipermail/tac_plus/attachments/20140615/69fb3916/attachment.html > > > > > _______________________________________________ > > tac_plus mailing list > > tac_plus at shrubbery.net > > http://www.shrubbery.net/mailman/listinfo/tac_plus > > > > > > -- > Asif Iqbal > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing? > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > http://www.shrubbery.net/pipermail/tac_plus/attachments/20140616/ba90c9e1/attachment.html > > > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo/tac_plus > E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties. -------------- next part -------------- An HTML attachment was scrubbed... URL: From vadud3 at gmail.com Tue Jun 17 18:57:23 2014 From: vadud3 at gmail.com (Asif Iqbal) Date: Tue, 17 Jun 2014 14:57:23 -0400 Subject: [tac_plus] Need help with do_auth config In-Reply-To: References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6DAD@mbx030-w1-co-6.exch030.domain.local> Message-ID: On Tue, Jun 17, 2014 at 2:31 PM, Daniel Schmidt wrote: > I've never had a Alcatel Lucent switch to test. I'm not sure what options > it sends; getopt does not correctly parse missing fields. (hence the > -fix_crs_bug option) When I get time, I need to iterate through > sys.argv[1:] and remove any blank options. > yes Alcatel lucent does not generate any log, not even DEBUG log when I login to router unlike cisco. It starts logging only when I start typing on the router after the login, and / or when I exit or logout of the router. I can collect some debug log for you to parse. What debug level log you need with tac_plus? I usually use "-d 8 -d 16", but I can add more levels. I can provide some log tonight when they are not busy. > > > On Mon, Jun 16, 2014 at 1:30 PM, Asif Iqbal wrote: > >> On Mon, Jun 16, 2014 at 3:02 PM, Aaron Wasserott < >> aaron.wasserott at viawest.com> wrote: >> >> > In both do_auth.ini and tac_plus.conf be sure to spell the special >> > username as "DEFAULT" - minding the upper-case. >> > >> > Do you have any log entries for that failed attempt in >> > /root/do_auth/do_auth.log? >> > >> >> 2014-06-16 16:54:30,195 [CRITICAL]: Did you forget "default service = >> permit" in tac_plus.conf? >> >> That was if I did not have "default service = permit" in the doauthaccess >> group. >> >> >> > Does your group doauthaccess have the same settings as the other regular >> > group, other than the addition of after auth? >> > >> >> Yes >> >> >> >> > >> > What device type did you test against? I would test against Cisco IOS to >> > start with until you get it working. >> > >> > >> Alcatel Lucent. >> >> OK let me try against cisco >> >> >> >> > You also might want to try toggling off the "-fix_crs_bug" flag and test >> > login against IOS just to be safe. I've not used that flag before >> > personally. >> > >> > >> OK >> >> Thanks >> >> >> >> > -----Original Message----- >> > From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of >> Asif >> > Iqbal >> > Sent: Sunday, June 15, 2014 5:09 PM >> > To: tac_plus at shrubbery.net >> > Subject: [tac_plus] Need help with do_auth config >> > >> > Let me know if there is a separate mailing list for do_auth related >> > questions. >> > >> > So I am trying to follow the do_auth.ini syntax and need some help. >> > >> > I have setup the config file like below and failing to authorize. >> > >> > Here is the do_auth.ini file >> > >> > [users] >> > default = >> > noprivs >> > foo = >> > newgroup >> > >> > [newgroup] >> > host_allow = >> > .* >> > command_permit = >> > show configuration.* >> > device_permit = >> > .* >> > >> > [noprivs] >> > host_deny = >> > .* >> > device_deny = >> > .* >> > command_deny = >> > .* >> > >> > Here is the error message >> > >> > Username: iqbala >> > Password: >> > % Authorization failed. >> > Connection closed by foreign host. >> > >> > >> > Here is the relevant part in tacacs.conf >> > >> > group = doauthaccess { >> > after authorization "/usr/bin/python /root/do_auth/do_auth.pyc -i >> > $address -fix_crs_bug -u $user -d $name -l /root/do_auth/do_auth.log -f >> > /root/do_auth/do_auth.ini" >> > } >> > >> > user = foo { >> > login = PAM >> > member = doauthaccess >> > } >> > >> > If I change the member to another group which is regular group and not >> > using after authorization, user ``foo'' can login fine. >> > >> > I must not do doing something right. >> > >> > Please advise. >> > >> > >> > >> > >> > -- >> > Asif Iqbal >> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu >> > A: Because it messes up the order in which people normally read text. >> > Q: Why is top-posting such a bad thing? >> > -------------- next part -------------- >> > An HTML attachment was scrubbed... >> > URL: < >> > >> http://www.shrubbery.net/pipermail/tac_plus/attachments/20140615/69fb3916/attachment.html >> > > >> > _______________________________________________ >> > tac_plus mailing list >> > tac_plus at shrubbery.net >> > http://www.shrubbery.net/mailman/listinfo/tac_plus >> > >> >> >> >> -- >> Asif Iqbal >> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu >> A: Because it messes up the order in which people normally read text. >> Q: Why is top-posting such a bad thing? >> -------------- next part -------------- >> An HTML attachment was scrubbed... >> URL: < >> http://www.shrubbery.net/pipermail/tac_plus/attachments/20140616/ba90c9e1/attachment.html >> > >> >> _______________________________________________ >> tac_plus mailing list >> tac_plus at shrubbery.net >> http://www.shrubbery.net/mailman/listinfo/tac_plus >> > > E-Mail to and from me, in connection with the transaction > of public business, is subject to the Wyoming Public Records > Act and may be disclosed to third parties. > > > -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From vadud3 at gmail.com Tue Jun 17 19:04:20 2014 From: vadud3 at gmail.com (Asif Iqbal) Date: Tue, 17 Jun 2014 15:04:20 -0400 Subject: [tac_plus] Need help with do_auth config In-Reply-To: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6DAD@mbx030-w1-co-6.exch030.domain.local> References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AA6DAD@mbx030-w1-co-6.exch030.domain.local> Message-ID: On Mon, Jun 16, 2014 at 3:02 PM, Aaron Wasserott < aaron.wasserott at viawest.com> wrote: > In both do_auth.ini and tac_plus.conf be sure to spell the special > username as "DEFAULT" - minding the upper-case. > Just an FYI, So I verified and either of the ``default'' or ``DEFAULT'' works the same for do_auth.ini. However for tacacs conf file, as you said, only user = DEFAULT {..} is the right syntax. Thanks -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From daniel.schmidt at wyo.gov Thu Jun 19 15:57:08 2014 From: daniel.schmidt at wyo.gov (Daniel Schmidt) Date: Thu, 19 Jun 2014 09:57:08 -0600 Subject: [tac_plus] tacacs.org down? Message-ID: database error? E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties. -------------- next part -------------- An HTML attachment was scrubbed... URL: From vadud3 at gmail.com Thu Jun 19 16:40:11 2014 From: vadud3 at gmail.com (Asif Iqbal) Date: Thu, 19 Jun 2014 12:40:11 -0400 Subject: [tac_plus] TACPLUS AD Authentication In-Reply-To: References: Message-ID: On Wed, Apr 16, 2014 at 10:54 AM, Daniel Schmidt wrote: > I guess that would work if you wanted EVERY ad user to have access. Full > access, at that. > > If you priv_15 everybody, they shouldn't need an enable password. Doesn't > seem 2 work 4 the ASA though. Give everybody one generic enable password > maybe. > OR may be include this patch that Matt Addison is referring to, to the original code? https://gist.github.com/ragzilla/11297928 > > On Wed, Apr 16, 2014 at 8:47 AM, Linda Slater wrote: > > > Couple questions: > > > > I am using PAM_LDAP to authenticate our users via AD. The additional > > requirements are now: > > > > > > > > 1. No usernames in the Tac+ config file, I will define only groups and > use > > AD groupings to decide if that user can be allowed to access a network > > device. Does anyone have any examples using this method? Currently, I > > have the user name ...... login = PAM, listed in the tac...config file. > > > > 2. Each user that logins into the Network device, must use their AD > > password to gain enable access to the network device. Is anyone using > > this method to allow users enable access, given that the Tac+ enable > > password cannot be pointed to PAM? Each user will have using their own > > AD login credentials. > > > > > > Regards, > > Linda Slater | Senior Network Designer, Network Development | University > > Information Technology > > 010 Steacie Science and Engineering Library | York University | 4700 > Keele > > St. , Toronto ON Canada M3J 1P3 > > T: +1.416.736.2100 ext 22733 | F: +1.416.736.5830 | lslater at yorku.ca | > > www.yorku.ca > > > > York UIT will NEVER send unsolicited requests for passwords or other > > personal information via email. Messages requesting such information are > > fraudulent and should be deleted. > > -------------- next part -------------- > > An HTML attachment was scrubbed... > > URL: < > > > http://www.shrubbery.net/pipermail/tac_plus/attachments/20140416/89ba12d8/attachment.html > > > > > _______________________________________________ > > tac_plus mailing list > > tac_plus at shrubbery.net > > http://www.shrubbery.net/mailman/listinfo/tac_plus > > > > > E-Mail to and from me, in connection with the transaction > of public business, is subject to the Wyoming Public Records > Act and may be disclosed to third parties. > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > http://www.shrubbery.net/pipermail/tac_plus/attachments/20140416/b7282d4f/attachment.html > > > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo/tac_plus > -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From daniel.schmidt at wyo.gov Thu Jun 19 21:14:08 2014 From: daniel.schmidt at wyo.gov (Daniel Schmidt) Date: Thu, 19 Jun 2014 15:14:08 -0600 Subject: [tac_plus] TACPLUS AD Authentication In-Reply-To: References: Message-ID: Arg. $ patch -p0 < pamenable.patch patching file tacacs+-F4.0.4.27a/aceclnt_fn.c Hunk #1 FAILED at 193. 1 out of 1 hunk FAILED -- saving rejects to file tacacs+-F4.0.4.27a/aceclnt_fn.c.rej patching file tacacs+-F4.0.4.27a/config.c Hunk #1 FAILED at 1220. Hunk #2 FAILED at 1908. 2 out of 2 hunks FAILED -- saving rejects to file tacacs+-F4.0.4.27a/config.c.rej patching file tacacs+-F4.0.4.27a/enable.c Hunk #1 FAILED at 53. 1 out of 1 hunk FAILED -- saving rejects to file tacacs+-F4.0.4.27a/enable.c.rej patching file tacacs+-F4.0.4.27a/pwlib.c Hunk #2 succeeded at 592 with fuzz 1. patching file tacacs+-F4.0.4.27a/tacacs.h patch unexpectedly ends in middle of line Hunk #1 FAILED at 482. 1 out of 1 hunk FAILED -- saving rejects to file tacacs+-F4.0.4.27a/tacacs.h.rej On Thu, Jun 19, 2014 at 10:40 AM, Asif Iqbal wrote: > > > > On Wed, Apr 16, 2014 at 10:54 AM, Daniel Schmidt > wrote: > >> I guess that would work if you wanted EVERY ad user to have access. Full >> access, at that. >> >> If you priv_15 everybody, they shouldn't need an enable password. Doesn't >> seem 2 work 4 the ASA though. Give everybody one generic enable password >> maybe. >> > > > > OR may be include this patch that Matt Addison is referring to, to the > original code? > > https://gist.github.com/ragzilla/11297928 > > > > > > >> >> On Wed, Apr 16, 2014 at 8:47 AM, Linda Slater wrote: >> >> > Couple questions: >> > >> > I am using PAM_LDAP to authenticate our users via AD. The additional >> > requirements are now: >> > >> > >> > >> > 1. No usernames in the Tac+ config file, I will define only groups and >> use >> > AD groupings to decide if that user can be allowed to access a network >> > device. Does anyone have any examples using this method? Currently, >> I >> > have the user name ...... login = PAM, listed in the tac...config file. >> > >> > 2. Each user that logins into the Network device, must use their AD >> > password to gain enable access to the network device. Is anyone using >> > this method to allow users enable access, given that the Tac+ enable >> > password cannot be pointed to PAM? Each user will have using their own >> > AD login credentials. >> > >> > >> > Regards, >> > Linda Slater | Senior Network Designer, Network Development | University >> > Information Technology >> > 010 Steacie Science and Engineering Library | York University | 4700 >> Keele >> > St. , Toronto ON Canada M3J 1P3 >> > T: +1.416.736.2100 ext 22733 | F: +1.416.736.5830 | lslater at yorku.ca | >> > www.yorku.ca >> > >> > York UIT will NEVER send unsolicited requests for passwords or other >> > personal information via email. Messages requesting such information are >> > fraudulent and should be deleted. >> > -------------- next part -------------- >> > An HTML attachment was scrubbed... >> > URL: < >> > >> http://www.shrubbery.net/pipermail/tac_plus/attachments/20140416/89ba12d8/attachment.html >> > > >> > _______________________________________________ >> > tac_plus mailing list >> > tac_plus at shrubbery.net >> > http://www.shrubbery.net/mailman/listinfo/tac_plus >> > >> >> >> E-Mail to and from me, in connection with the transaction >> of public business, is subject to the Wyoming Public Records >> Act and may be disclosed to third parties. >> -------------- next part -------------- >> An HTML attachment was scrubbed... >> URL: < >> http://www.shrubbery.net/pipermail/tac_plus/attachments/20140416/b7282d4f/attachment.html >> > >> >> _______________________________________________ >> tac_plus mailing list >> tac_plus at shrubbery.net >> http://www.shrubbery.net/mailman/listinfo/tac_plus >> > > > > -- > Asif Iqbal > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing? > > E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties. -------------- next part -------------- An HTML attachment was scrubbed... URL: From vadud3 at gmail.com Thu Jun 19 21:58:52 2014 From: vadud3 at gmail.com (Asif Iqbal) Date: Thu, 19 Jun 2014 17:58:52 -0400 Subject: [tac_plus] TACPLUS AD Authentication In-Reply-To: References: Message-ID: I end up patching manually. It's in github.com/asifiqbal/tac_plus ragzilla branch. On Jun 19, 2014 5:14 PM, "Daniel Schmidt" wrote: > Arg. > > $ patch -p0 < pamenable.patch > patching file tacacs+-F4.0.4.27a/aceclnt_fn.c > Hunk #1 FAILED at 193. > 1 out of 1 hunk FAILED -- saving rejects to file > tacacs+-F4.0.4.27a/aceclnt_fn.c.rej > patching file tacacs+-F4.0.4.27a/config.c > Hunk #1 FAILED at 1220. > Hunk #2 FAILED at 1908. > 2 out of 2 hunks FAILED -- saving rejects to file > tacacs+-F4.0.4.27a/config.c.rej > patching file tacacs+-F4.0.4.27a/enable.c > Hunk #1 FAILED at 53. > 1 out of 1 hunk FAILED -- saving rejects to file > tacacs+-F4.0.4.27a/enable.c.rej > patching file tacacs+-F4.0.4.27a/pwlib.c > Hunk #2 succeeded at 592 with fuzz 1. > patching file tacacs+-F4.0.4.27a/tacacs.h > patch unexpectedly ends in middle of line > Hunk #1 FAILED at 482. > 1 out of 1 hunk FAILED -- saving rejects to file > tacacs+-F4.0.4.27a/tacacs.h.rej > > > > On Thu, Jun 19, 2014 at 10:40 AM, Asif Iqbal wrote: > >> >> >> >> On Wed, Apr 16, 2014 at 10:54 AM, Daniel Schmidt >> wrote: >> >>> I guess that would work if you wanted EVERY ad user to have access. Full >>> access, at that. >>> >>> If you priv_15 everybody, they shouldn't need an enable password. >>> Doesn't >>> seem 2 work 4 the ASA though. Give everybody one generic enable password >>> maybe. >>> >> >> >> >> OR may be include this patch that Matt Addison is referring to, to the >> original code? >> >> https://gist.github.com/ragzilla/11297928 >> >> >> >> >> >> >>> >>> On Wed, Apr 16, 2014 at 8:47 AM, Linda Slater wrote: >>> >>> > Couple questions: >>> > >>> > I am using PAM_LDAP to authenticate our users via AD. The >>> additional >>> > requirements are now: >>> > >>> > >>> > >>> > 1. No usernames in the Tac+ config file, I will define only groups and >>> use >>> > AD groupings to decide if that user can be allowed to access a network >>> > device. Does anyone have any examples using this method? Currently, >>> I >>> > have the user name ...... login = PAM, listed in the tac...config >>> file. >>> > >>> > 2. Each user that logins into the Network device, must use their AD >>> > password to gain enable access to the network device. Is anyone using >>> > this method to allow users enable access, given that the Tac+ enable >>> > password cannot be pointed to PAM? Each user will have using their >>> own >>> > AD login credentials. >>> > >>> > >>> > Regards, >>> > Linda Slater | Senior Network Designer, Network Development | >>> University >>> > Information Technology >>> > 010 Steacie Science and Engineering Library | York University | 4700 >>> Keele >>> > St. , Toronto ON Canada M3J 1P3 >>> > T: +1.416.736.2100 ext 22733 | F: +1.416.736.5830 | lslater at yorku.ca | >>> > www.yorku.ca >>> > >>> > York UIT will NEVER send unsolicited requests for passwords or other >>> > personal information via email. Messages requesting such information >>> are >>> > fraudulent and should be deleted. >>> > -------------- next part -------------- >>> > An HTML attachment was scrubbed... >>> > URL: < >>> > >>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20140416/89ba12d8/attachment.html >>> > > >>> > _______________________________________________ >>> > tac_plus mailing list >>> > tac_plus at shrubbery.net >>> > http://www.shrubbery.net/mailman/listinfo/tac_plus >>> > >>> >>> >>> E-Mail to and from me, in connection with the transaction >>> of public business, is subject to the Wyoming Public Records >>> Act and may be disclosed to third parties. >>> -------------- next part -------------- >>> An HTML attachment was scrubbed... >>> URL: < >>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20140416/b7282d4f/attachment.html >>> > >>> >>> _______________________________________________ >>> tac_plus mailing list >>> tac_plus at shrubbery.net >>> http://www.shrubbery.net/mailman/listinfo/tac_plus >>> >> >> >> >> -- >> Asif Iqbal >> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu >> A: Because it messes up the order in which people normally read text. >> Q: Why is top-posting such a bad thing? >> >> > > E-Mail to and from me, in connection with the transaction > of public business, is subject to the Wyoming Public Records > Act and may be disclosed to third parties. > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From daniel.schmidt at wyo.gov Thu Jun 19 22:52:44 2014 From: daniel.schmidt at wyo.gov (Daniel Schmidt) Date: Thu, 19 Jun 2014 16:52:44 -0600 Subject: [tac_plus] TACPLUS AD Authentication In-Reply-To: References:

Message-ID: If you could get the AFL patch in there too, that would be very useful. https://github.com/ellzey/tac_plus_AFL On Thu, Jun 19, 2014 at 3:58 PM, Asif Iqbal wrote: > I end up patching manually. It's in github.com/asifiqbal/tac_plus > ragzilla branch. > On Jun 19, 2014 5:14 PM, "Daniel Schmidt" wrote: > >> Arg. >> >> $ patch -p0 < pamenable.patch >> patching file tacacs+-F4.0.4.27a/aceclnt_fn.c >> Hunk #1 FAILED at 193. >> 1 out of 1 hunk FAILED -- saving rejects to file >> tacacs+-F4.0.4.27a/aceclnt_fn.c.rej >> patching file tacacs+-F4.0.4.27a/config.c >> Hunk #1 FAILED at 1220. >> Hunk #2 FAILED at 1908. >> 2 out of 2 hunks FAILED -- saving rejects to file >> tacacs+-F4.0.4.27a/config.c.rej >> patching file tacacs+-F4.0.4.27a/enable.c >> Hunk #1 FAILED at 53. >> 1 out of 1 hunk FAILED -- saving rejects to file >> tacacs+-F4.0.4.27a/enable.c.rej >> patching file tacacs+-F4.0.4.27a/pwlib.c >> Hunk #2 succeeded at 592 with fuzz 1. >> patching file tacacs+-F4.0.4.27a/tacacs.h >> patch unexpectedly ends in middle of line >> Hunk #1 FAILED at 482. >> 1 out of 1 hunk FAILED -- saving rejects to file >> tacacs+-F4.0.4.27a/tacacs.h.rej >> >> >> >> On Thu, Jun 19, 2014 at 10:40 AM, Asif Iqbal wrote: >> >>> >>> >>> >>> On Wed, Apr 16, 2014 at 10:54 AM, Daniel Schmidt >> > wrote: >>> >>>> I guess that would work if you wanted EVERY ad user to have access. >>>> Full >>>> access, at that. >>>> >>>> If you priv_15 everybody, they shouldn't need an enable password. >>>> Doesn't >>>> seem 2 work 4 the ASA though. Give everybody one generic enable >>>> password >>>> maybe. >>>> >>> >>> >>> >>> OR may be include this patch that Matt Addison is referring to, to the >>> original code? >>> >>> https://gist.github.com/ragzilla/11297928 >>> >>> >>> >>> >>> >>> >>>> >>>> On Wed, Apr 16, 2014 at 8:47 AM, Linda Slater wrote: >>>> >>>> > Couple questions: >>>> > >>>> > I am using PAM_LDAP to authenticate our users via AD. The >>>> additional >>>> > requirements are now: >>>> > >>>> > >>>> > >>>> > 1. No usernames in the Tac+ config file, I will define only groups >>>> and use >>>> > AD groupings to decide if that user can be allowed to access a network >>>> > device. Does anyone have any examples using this method? >>>> Currently, I >>>> > have the user name ...... login = PAM, listed in the tac...config >>>> file. >>>> > >>>> > 2. Each user that logins into the Network device, must use their AD >>>> > password to gain enable access to the network device. Is anyone >>>> using >>>> > this method to allow users enable access, given that the Tac+ enable >>>> > password cannot be pointed to PAM? Each user will have using their >>>> own >>>> > AD login credentials. >>>> > >>>> > >>>> > Regards, >>>> > Linda Slater | Senior Network Designer, Network Development | >>>> University >>>> > Information Technology >>>> > 010 Steacie Science and Engineering Library | York University | 4700 >>>> Keele >>>> > St. , Toronto ON Canada M3J 1P3 >>>> > T: +1.416.736.2100 ext 22733 | F: +1.416.736.5830 | lslater at yorku.ca >>>> | >>>> > www.yorku.ca >>>> > >>>> > York UIT will NEVER send unsolicited requests for passwords or other >>>> > personal information via email. Messages requesting such information >>>> are >>>> > fraudulent and should be deleted. >>>> > -------------- next part -------------- >>>> > An HTML attachment was scrubbed... >>>> > URL: < >>>> > >>>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20140416/89ba12d8/attachment.html >>>> > > >>>> > _______________________________________________ >>>> > tac_plus mailing list >>>> > tac_plus at shrubbery.net >>>> > http://www.shrubbery.net/mailman/listinfo/tac_plus >>>> > >>>> >>>> >>>> E-Mail to and from me, in connection with the transaction >>>> of public business, is subject to the Wyoming Public Records >>>> Act and may be disclosed to third parties. >>>> -------------- next part -------------- >>>> An HTML attachment was scrubbed... >>>> URL: < >>>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20140416/b7282d4f/attachment.html >>>> > >>>> >>>> _______________________________________________ >>>> tac_plus mailing list >>>> tac_plus at shrubbery.net >>>> http://www.shrubbery.net/mailman/listinfo/tac_plus >>>> >>> >>> >>> >>> -- >>> Asif Iqbal >>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu >>> A: Because it messes up the order in which people normally read text. >>> Q: Why is top-posting such a bad thing? >>> >>> >> E-Mail to and from me, in connection with the transaction >> of public business, is subject to the Wyoming Public Records >> Act and may be disclosed to third parties. >> >> >> E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties. -------------- next part -------------- An HTML attachment was scrubbed... URL: From vadud3 at gmail.com Fri Jun 20 00:06:26 2014 From: vadud3 at gmail.com (Asif Iqbal) Date: Thu, 19 Jun 2014 20:06:26 -0400 Subject: [tac_plus] TACPLUS AD Authentication In-Reply-To: References:

Message-ID: On Thu, Jun 19, 2014 at 6:52 PM, Daniel Schmidt wrote: > If you could get the AFL patch in there too, that would be very useful. > > https://github.com/ellzey/tac_plus_AFL > > PAM, for our setup, pointing to corporate LDAP and it already has the AFL feature. So it locks out an account temporarily after certain number of authentication failure. > > On Thu, Jun 19, 2014 at 3:58 PM, Asif Iqbal wrote: > >> I end up patching manually. It's in github.com/asifiqbal/tac_plus >> ragzilla branch. >> On Jun 19, 2014 5:14 PM, "Daniel Schmidt" >> wrote: >> >>> Arg. >>> >>> $ patch -p0 < pamenable.patch >>> patching file tacacs+-F4.0.4.27a/aceclnt_fn.c >>> Hunk #1 FAILED at 193. >>> 1 out of 1 hunk FAILED -- saving rejects to file >>> tacacs+-F4.0.4.27a/aceclnt_fn.c.rej >>> patching file tacacs+-F4.0.4.27a/config.c >>> Hunk #1 FAILED at 1220. >>> Hunk #2 FAILED at 1908. >>> 2 out of 2 hunks FAILED -- saving rejects to file >>> tacacs+-F4.0.4.27a/config.c.rej >>> patching file tacacs+-F4.0.4.27a/enable.c >>> Hunk #1 FAILED at 53. >>> 1 out of 1 hunk FAILED -- saving rejects to file >>> tacacs+-F4.0.4.27a/enable.c.rej >>> patching file tacacs+-F4.0.4.27a/pwlib.c >>> Hunk #2 succeeded at 592 with fuzz 1. >>> patching file tacacs+-F4.0.4.27a/tacacs.h >>> patch unexpectedly ends in middle of line >>> Hunk #1 FAILED at 482. >>> 1 out of 1 hunk FAILED -- saving rejects to file >>> tacacs+-F4.0.4.27a/tacacs.h.rej >>> >>> >>> >>> On Thu, Jun 19, 2014 at 10:40 AM, Asif Iqbal wrote: >>> >>>> >>>> >>>> >>>> On Wed, Apr 16, 2014 at 10:54 AM, Daniel Schmidt < >>>> daniel.schmidt at wyo.gov> wrote: >>>> >>>>> I guess that would work if you wanted EVERY ad user to have access. >>>>> Full >>>>> access, at that. >>>>> >>>>> If you priv_15 everybody, they shouldn't need an enable password. >>>>> Doesn't >>>>> seem 2 work 4 the ASA though. Give everybody one generic enable >>>>> password >>>>> maybe. >>>>> >>>> >>>> >>>> >>>> OR may be include this patch that Matt Addison is referring to, to the >>>> original code? >>>> >>>> https://gist.github.com/ragzilla/11297928 >>>> >>>> >>>> >>>> >>>> >>>> >>>>> >>>>> On Wed, Apr 16, 2014 at 8:47 AM, Linda Slater >>>>> wrote: >>>>> >>>>> > Couple questions: >>>>> > >>>>> > I am using PAM_LDAP to authenticate our users via AD. The >>>>> additional >>>>> > requirements are now: >>>>> > >>>>> > >>>>> > >>>>> > 1. No usernames in the Tac+ config file, I will define only groups >>>>> and use >>>>> > AD groupings to decide if that user can be allowed to access a >>>>> network >>>>> > device. Does anyone have any examples using this method? >>>>> Currently, I >>>>> > have the user name ...... login = PAM, listed in the tac...config >>>>> file. >>>>> > >>>>> > 2. Each user that logins into the Network device, must use their AD >>>>> > password to gain enable access to the network device. Is anyone >>>>> using >>>>> > this method to allow users enable access, given that the Tac+ enable >>>>> > password cannot be pointed to PAM? Each user will have using their >>>>> own >>>>> > AD login credentials. >>>>> > >>>>> > >>>>> > Regards, >>>>> > Linda Slater | Senior Network Designer, Network Development | >>>>> University >>>>> > Information Technology >>>>> > 010 Steacie Science and Engineering Library | York University | 4700 >>>>> Keele >>>>> > St. , Toronto ON Canada M3J 1P3 >>>>> > T: +1.416.736.2100 ext 22733 | F: +1.416.736.5830 | lslater at yorku.ca >>>>> | >>>>> > www.yorku.ca >>>>> > >>>>> > York UIT will NEVER send unsolicited requests for passwords or other >>>>> > personal information via email. Messages requesting such information >>>>> are >>>>> > fraudulent and should be deleted. >>>>> > -------------- next part -------------- >>>>> > An HTML attachment was scrubbed... >>>>> > URL: < >>>>> > >>>>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20140416/89ba12d8/attachment.html >>>>> > > >>>>> > _______________________________________________ >>>>> > tac_plus mailing list >>>>> > tac_plus at shrubbery.net >>>>> > http://www.shrubbery.net/mailman/listinfo/tac_plus >>>>> > >>>>> >>>>> >>>>> E-Mail to and from me, in connection with the transaction >>>>> of public business, is subject to the Wyoming Public Records >>>>> Act and may be disclosed to third parties. >>>>> -------------- next part -------------- >>>>> An HTML attachment was scrubbed... >>>>> URL: < >>>>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20140416/b7282d4f/attachment.html >>>>> > >>>>> >>>>> _______________________________________________ >>>>> tac_plus mailing list >>>>> tac_plus at shrubbery.net >>>>> http://www.shrubbery.net/mailman/listinfo/tac_plus >>>>> >>>> >>>> >>>> >>>> -- >>>> Asif Iqbal >>>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu >>>> A: Because it messes up the order in which people normally read text. >>>> Q: Why is top-posting such a bad thing? >>>> >>>> >>> E-Mail to and from me, in connection with the transaction >>> of public business, is subject to the Wyoming Public Records >>> Act and may be disclosed to third parties. >>> >>> >>> > E-Mail to and from me, in connection with the transaction > of public business, is subject to the Wyoming Public Records > Act and may be disclosed to third parties. > > > -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From heas at shrubbery.net Fri Jun 20 08:21:27 2014 From: heas at shrubbery.net (John Heasley) Date: Fri, 20 Jun 2014 09:21:27 +0100 Subject: [tac_plus] github repository In-Reply-To: References: Message-ID: Am Jun 16, 2014 um 3:56 PM schrieb Asif Iqbal : > > Hi Shrubbery, > > Do you have a github version of your latest stable tac_plus code publicly > available? I am aware of the ftp site. > No, we do not use github. What are looking for exactly? > Thanks > > -- > Asif Iqbal > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing? > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo/tac_plus