From nategagne at gmail.com Mon Nov 10 21:46:03 2014
From: nategagne at gmail.com (Nate Gagne)
Date: Mon, 10 Nov 2014 16:46:03 -0500
Subject: [tac_plus] Problems with ACLs
Message-ID:

Hello,

I'm trying to implement ACLs in our environment but can't seem to get the syntax correct. Here's our entire sanitized tac_plus.conf:

#!/usr/local/sbin/tac_plus

id = spawnd {
    listen = { port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = yes
}

id = tac_plus {
    access log = /var/log/tac_plus/access/%Y%m%d.log
    accounting log = /var/log/tac_plus/acct/%Y%m%d.log
    key = test
    mavis module = external {
        script out = {
            if ($RESULT == ACK) set $PASSWORD_ONESHOT = 1
        }
        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "domain.local:3268"
        setenv LDAP_BASE = "DC=domain,dc=local"
        setenv LDAP_USER = "CN=ldap,CN=Managed Service Accounts,DC=domain,DC=local"
        setenv LDAP_PASSWD = "password"
        setenv LDAP_SCOPE = "sub"
        setenv LDAP_FILTER = "(&(objectclass=user) (sAMAccountName=%s))"
        setenv LDAP_FILTER_CHPW = "(&(objectclass=user) (sAMAccountName=%s))"
        setenv TACACS_GROUP_PREFIX = "TACACS_"
        setenv REQUIRE_TACACS_GROUP_PREFIX = 1
        #exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        exec = /usr/local/lib/mavis/mavis_tacplus_ads.pl
    }
    login backend = mavis
    user backend = mavis
    pap backend = mavis

    acl = test {
        deny = 172.17.1\.(2|34|35)
        deny = 10.0.32.1$
        permit = .*
    }

    group = Group1 {
        acl = test
        enable = permit
        default service = permit
        service = exec {
            set priv-lvl = 15
        }
    }

    group = Group2 {
        enable = permit
        default service = permit
        service = exec {
            set priv-lvl = 15
        }
    }
}

When I run that through the config check (tac_plus -d 16 -P tac_plus.conf) I get:

31363: 19:00:00.000 0/00000000: /home/ngagne/tac_plus_test.conf:15: "key" keyword is deprecated at top configuration level.
#!/usr/local/sbin/tac_plus

id = spawnd {
    listen = { port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = yes
}

id = tac_plus {
    access log = /var/log/tac_plus/access/%Y%m%d.log
    accounting log = /var/log/tac_plus/acct/%Y%m%d.log
    key = test
    mavis module = external {
        script out = {
            if ($RESULT == ACK) set $PASSWORD_ONESHOT = 1
        }
        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "domain.local:3268"
        setenv LDAP_BASE = "DC=domain,dc=local"
        setenv LDAP_USER = "CN=ldap,CN=Managed Service Accounts,DC=domain,DC=local"
        setenv LDAP_PASSWD = "password"
        setenv LDAP_SCOPE = "sub"
        setenv LDAP_FILTER = "(&(objectclass=user) (sAMAccountName=%s))"
        setenv LDAP_FILTER_CHPW = "(&(objectclass=user) (sAMAccountName=%s))"
        setenv TACACS_GROUP_PREFIX = "TACACS_"
        setenv REQUIRE_TACACS_GROUP_PREFIX = 1
        #exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        exec = /usr/local/lib/mavis/mavis_tacplus_ads.pl
    }
    login backend = mavis
    user backend = mavis
    pap backend = mavis

    acl = test {
        deny /home/ngagne/tac_plus_test.conf:40: Expected 'nac', 'nas', 'port', 'time' or 'acl', but got 'deny'
31363: /home/ngagne/tac_plus_test.conf:40: Expected 'nac', 'nas', 'port', 'time' or 'acl', but got 'deny'
31363: Detected fatal configuration error. Exiting.

What am I doing wrong?

From aaron.wasserott at viawest.com Mon Nov 10 23:40:48 2014
From: aaron.wasserott at viawest.com (Aaron Wasserott)
Date: Mon, 10 Nov 2014 23:40:48 +0000
Subject: [tac_plus] Problems with ACLs
In-Reply-To:
References:
Message-ID: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05AFF133@mbx030-w1-co-6.exch030.domain.local>

Looks like you are using a version of TAC+ other than the Shrubbery one? Googling "id = tac_plus" indicates you are using the Mark Huber version.
http://gatestec.wordpress.com/2012/01/11/tacacs-part-1-choosing-the-version/

I am not familiar with that version, but it looks like your closing curly-brackets are not in the right spot.
I would expect that the "id = tac_plus" section would end right after the statement "pap backend", before the first ACL statement. Either way, I am guessing your syntax is not structured correctly for that version:
http://www.pro-bono-publico.de/projects/tac_plus.html#AEN175

-----Original Message-----
From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Nate Gagne
Sent: Monday, November 10, 2014 2:46 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Problems with ACLs
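The ACL form the parser is asking for, as an added example that is not from the thread or from the tac_plus project: the ACL body only lists match conditions using the keywords the error names (nac, nas, port, time, acl), the permit/deny decision is made where the group references the ACL, and the shared secret moves into a host block because the parser flagged "key" at the top level. The exact spellings of "acl = deny name", the host block and regex matching for nac are assumptions taken from the linked manual and should be checked against the installed release; the spawnd and mavis parts of the original file are unchanged and omitted here.

```conf
id = tac_plus {
    # Shared secret per host block; the parser warned that "key" is
    # deprecated at the top level. (host/address syntax is assumed.)
    host = world {
        address = 0.0.0.0/0
        key = test
    }

    # Only match conditions go in the ACL body. nac is assumed to be a
    # regex matched against the user's client address as text, so it is
    # anchored: an unanchored 172.17.1.2 would also match 172.17.1.20.
    # Use nas instead of nac if the intent is to match the network device.
    acl = blocked_clients {
        nac = ^172\.17\.1\.(2|34|35)$
        nac = ^10\.0\.32\.1$
    }

    group = Group1 {
        # Deny Group1 logins from the listed clients; everything else
        # falls through to the group's normal permissions.
        acl = deny blocked_clients
        enable = permit
        default service = permit
        service = exec {
            set priv-lvl = 15
        }
    }
}
```

Run the same syntax check (tac_plus -P) after the change: the "Expected 'nac', 'nas', ..." error disappears once no permit/deny keywords remain inside the ACL body.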
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/tac_plus

From heas at shrubbery.net Wed Nov 19 05:48:26 2014
From: heas at shrubbery.net ('John Heasley')
Date: Wed, 19 Nov 2014 05:48:26 +0000
Subject: [tac_plus] tac_plus Logging Security concerns
In-Reply-To: <9BDA0B754D62C64FBE6B0CFFA429C47A2EEBF1A777@prometheus>
References: <9BDA0B754D62C64FBE6B0CFFA429C47A2EEBF1A775@prometheus>
 <283B98E7-32D6-4F2D-8C04-00DD423461EE@shrubbery.net>
 <20141023171333.GC49163@shrubbery.net>
 <9BDA0B754D62C64FBE6B0CFFA429C47A2EEBF1A777@prometheus>
Message-ID: <20141119054826.GK66561@shrubbery.net>

Fri, Oct 24, 2014 at 06:55:14AM +0200, Josten, Michael:
> Hello,
>
> I think I found the problem. I didn't create the /etc/default file and the daemon always started in debugging mode.

Hello,

That file is not part of tac_plus.

> At least in my world this makes sense ;) but what about the secret being shown in the logfile? Is that a usual behavior?

It is intended, if debugging is enabled, which is not the default. It is a facet of debugging, to know what is actually passed from the device.

> Thanks for your help so far.
>
> Best regards
> Michael Josten
>
> -----Original Message-----
> From: John Heasley [mailto:heas at shrubbery.net]
> Sent: Thursday, 23 October 2014 19:14
> To: Josten, Michael
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] tac_plus Logging Security concerns
>
> Thu, Oct 23, 2014 at 07:57:12AM -0700, John Heasley:
> > On Oct 23, 2014, at 2:55 AM, Josten, Michael wrote:
> > >
> > > Hello,
> > >
> > > I am worried about user input being logged to my tac_plus logfile. I
> > > recently compiled version F4.0.4.27a under debian 7.6 to implement
> > > PAM functionality. Everything is working good so far, but I took a
> > > very close look into my /var/log/tacacs/tacacs file after my
> > > colleague informed me about him being able to read his password in
> > > cleartext in the logging file. I did further troubleshooting on
> > > various switch models like HP procurves, Brocade icx, fcx and mlx
> > > switches and even stoneold Enterasys N Series dinosaur switches with
> > > aaa accounting settings, encryption settings etc. turned off and on.
> > > I started the tac_plus daemon with several debugging levels and no
> > > debugging at all and can't get rid of the password being shown in
> > > the logs.
> > >
> > > Regards,
> >
> > It should not log any of that information without enabling debugging.
> > Before trying to disable this logging, did you have any debug options
> > on the command-line?
> >
> > I can test this when I have a terminal in a few hours.
>
> I do not see this logging occurring by default, that is without -d
> options, on debian 7.7. Please ensure that you are not using -d (debug)
> options.
>
> > > Even the secret is shown in cleartext. I posted a failed
> > > authentication part of the logfile on pastebin.
> > > http://pastebin.com/sffJkFJc just search for the term "bein" that's
> > > the part I am talking about.
> > >
> > > Best regards
> > > Michael Josten
> > > IT Operations Staff
> > > Hochschule Niederrhein
> > > KIS - Kommunikations und Informationssysteme Service
> > > Niederrhein University of Applied Sciences
> > > Communication and Informationsystems Service
> > > Reinarzstr. 49
> > > D - 47805 Krefeld
> > > Phone: +49 2151 822 3129
> > > Fax: +49 2151 822 853123
> > > Email: michael.josten at hs-niederrhein.de
> > > www.hs-niederrhein.de
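A check for the situation described in this thread, added here as an example and not code from the thread or from tac_plus: the Shrubbery daemon only writes passwords and the shared secret to its log when it was started with -d, so the script inspects the command line each running tac_plus was actually launched with (which is what the missing /etc/default file changed) and then whether the log file named above is readable by other local accounts. The log path /var/log/tacacs/tacacs comes from the thread; the process-table and ls-based checks are assumptions about a typical Linux host.

```sh
#!/bin/sh
# Added example, not part of tac_plus. Audits how tac_plus is really
# started (-d enables the debug output that carries credentials) and
# whether its log file is protected from other users.

# Print every debug level given on a tac_plus command line, one per line.
# Takes the argv as a single string (as printed by "ps -eo args=") and
# handles both "-d 16" and "-d16"; prints nothing when no -d is present.
debug_levels() {
    set -- $1                  # split on whitespace; ps output has no quoting
    while [ $# -gt 0 ]; do
        case "$1" in
            -d) if [ $# -gt 1 ]; then shift; printf '%s\n' "$1"; fi ;;
            -d[0-9]*) printf '%s\n' "${1#-d}" ;;
        esac
        shift
    done
}

# Succeed when FILE is readable by "other", i.e. any local account could
# read whatever debug logging wrote there (column 8 of ls -l is the o+r bit).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Report tac_plus daemons running with -d, then check the log file's mode.
audit_tac_plus() {
    log_file="${1:-/var/log/tacacs/tacacs}"    # path taken from the thread
    ps -eo args= | grep '^[^ ]*tac_plus' | while read -r cmdline; do
        levels=$(debug_levels "$cmdline" | tr '\n' ' ')
        if [ -n "$levels" ]; then
            echo "WARNING: tac_plus started with debug level(s) ${levels}: $cmdline"
            echo "         passwords and the shared secret will appear in the log"
        fi
    done
    if [ -e "$log_file" ] && world_readable "$log_file"; then
        echo "WARNING: $log_file is world-readable"
    fi
}

audit_tac_plus "$@"
```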