From mus3 at lehigh.edu Tue Jan 6 15:56:32 2015
From: mus3 at lehigh.edu (Munroe Sollog)
Date: Tue, 06 Jan 2015 10:56:32 -0500
Subject: [tac_plus] per-host user attribute
Message-ID: <54AC05B0.4010008@lehigh.edu>

I have a server that supports tacacs+ but requires me to send a user
attribute of 'role' that needs to be either 'admin' or 'read-only' along
with the authentication. I'm looking for documentation for how to do this
but I can't seem to find anything useful.

Thanks.

--
Munroe Sollog
LTS - Network Analyst
x85002


From alan.mckinnon at gmail.com Tue Jan 6 17:14:37 2015
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Tue, 06 Jan 2015 19:14:37 +0200
Subject: [tac_plus] per-host user attribute
In-Reply-To: <54AC05B0.4010008@lehigh.edu>
References: <54AC05B0.4010008@lehigh.edu>
Message-ID: <54AC17FD.8010406@gmail.com>

On 06/01/2015 17:56, Munroe Sollog wrote:
> I have a server that supports tacacs+ but requires me to send a user
> attribute of 'role' that needs to be either 'admin' or 'read-only' along
> with the authentication. I'm looking for documentation for how to do this
> but I can't seem to find anything useful.

Hi Munroe

What you want is this inside a group definition:

    service = exec {
        role = admin
    }

or

    service = exec {
        role = read-only
    }

I assume this is for login authorization, and the device uses a service
called "exec".

Keep in mind that this runs out of steam very quickly, mostly because
tac_plus.conf is designed to do whatever it does globally. You can't
easily specify this per-host without breaking other things, for example.

If you run into this yourself, switch to using Dan Schmidt's do_auth
script shipped with recent versions of tac_plus. It gives you vastly
more control.

--
Alan McKinnon
alan.mckinnon at gmail.com


From daniel.schmidt at wyo.gov Tue Jan 6 17:40:22 2015
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Tue, 6 Jan 2015 10:40:22 -0700
Subject: [tac_plus] per-host user attribute
In-Reply-To: <54AC17FD.8010406@gmail.com>
References: <54AC05B0.4010008@lehigh.edu> <54AC17FD.8010406@gmail.com>
Message-ID:

Thanks Alan - quick clarification, if you want to use do_auth, it MUST be
able to accept exit value of 2. For instance, HP (at least the old junk
I've played with) and Cisco WLC won't, and that completely breaks
do_auth's ability to modify the return pairs. It can still deny or accept
based on IP addr', but it can't modify any roles set in tac_plus. Nexus
works though.

It looks like tacacs.org is completely gone, along with all the examples
I had put up there back when I had time to do that sort of thing. That
certainly sucks.

On Tue, Jan 6, 2015 at 10:14 AM, Alan McKinnon wrote:
> On 06/01/2015 17:56, Munroe Sollog wrote:
> > I have a server that supports tacacs+ but requires me to send a user
> > attribute of 'role' that needs to be either 'admin' or 'read-only' along
> > with the authentication. I'm looking for documentation for how to do this
> > but I can't seem to find anything useful.
>
> Hi Munroe
>
> What you want is this inside a group definition:
>
>     service = exec {
>         role = admin
>     }
>
> or
>
>     service = exec {
>         role = read-only
>     }
>
> I assume this is for login authorization, and the device uses a service
> called "exec".
>
> Keep in mind that this runs out of steam very quickly, mostly because
> tac_plus.conf is designed to do whatever it does globally. You can't
> easily specify this per-host without breaking other things, for example.
>
> If you run into this yourself, switch to using Dan Schmidt's do_auth
> script shipped with recent versions of tac_plus. It gives you vastly
> more control.
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus

E-Mail to and from me, in connection with the transaction of public
business, is subject to the Wyoming Public Records Act and may be
disclosed to third parties.


From heas at shrubbery.net Tue Jan 6 21:03:36 2015
From: heas at shrubbery.net (heasley)
Date: Tue, 6 Jan 2015 21:03:36 +0000
Subject: [tac_plus] updating configure.in(ac) for automake 1.14
In-Reply-To:
References: <549EDCDE.1090605@direcpath.com> <20141230174834.GG35851@shrubbery.net>
Message-ID: <20150106210336.GC63810@shrubbery.net>

Tue, Dec 30, 2014 at 08:57:29AM -0900, David M. Syzdek:
> Heasley,
>
> Is there a public repository we can use to pull the combined patches? I'm
> working on a series of patches to submit, and I'd like to keep them in
> sync with your repository as much as possible in order to make it easier
> to merge if you accept them.

I don't offer one, but I can roll a new tarball. I'll make them today.


From daniel.schmidt at wyo.gov Tue Jan 6 22:16:55 2015
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Tue, 6 Jan 2015 15:16:55 -0700
Subject: [tac_plus] per-host user attribute
In-Reply-To:
References: <54AC05B0.4010008@lehigh.edu> <54AC17FD.8010406@gmail.com>
Message-ID:

Thanks, I didn't think wayback would have it.

On Tue, Jan 6, 2015 at 2:12 PM, Asif Iqbal wrote:
> On Tue, Jan 6, 2015 at 12:40 PM, Daniel Schmidt wrote:
>> Thanks Alan - quick clarification, if you want to use do_auth, it MUST be
>> able to accept exit value of 2. For instance, HP (at least the old junk
>> I've played with) and Cisco WLC won't, and that completely breaks
>> do_auth's ability to modify the return pairs. It can still deny or accept
>> based on IP addr', but it can't modify any roles set in tac_plus. Nexus
>> works though.
>>
>> It looks like tacacs.org is completely gone, along with all the examples
>> I had put up there back when I had time to do that sort of thing. That
>> certainly sucks.
>
> I guess you can collect them back through wayback?
>
> https://web.archive.org/web/20110506210622/http://tacacs.org/
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?


From vadud3 at gmail.com Tue Jan 6 21:12:37 2015
From: vadud3 at gmail.com (Asif Iqbal)
Date: Tue, 6 Jan 2015 16:12:37 -0500
Subject: [tac_plus] per-host user attribute
In-Reply-To:
References: <54AC05B0.4010008@lehigh.edu> <54AC17FD.8010406@gmail.com>
Message-ID:

On Tue, Jan 6, 2015 at 12:40 PM, Daniel Schmidt wrote:
> Thanks Alan - quick clarification, if you want to use do_auth, it MUST be
> able to accept exit value of 2. For instance, HP (at least the old junk
> I've played with) and Cisco WLC won't, and that completely breaks
> do_auth's ability to modify the return pairs. It can still deny or accept
> based on IP addr', but it can't modify any roles set in tac_plus. Nexus
> works though.
>
> It looks like tacacs.org is completely gone, along with all the examples
> I had put up there back when I had time to do that sort of thing. That
> certainly sucks.

I guess you can collect them back through wayback?

https://web.archive.org/web/20110506210622/http://tacacs.org/

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


From kristian at spritelink.net Wed Jan 21 09:11:20 2015
From: kristian at spritelink.net (Kristian Larsson)
Date: Wed, 21 Jan 2015 10:11:20 +0100
Subject: [tac_plus] Git repo for tac_plus?
Message-ID: <54BF6D38.6060505@spritelink.net>

Hello Shrubbery,

where is the source code for tac_plus hosted? I can't seem to find
anything but the tarball available on your web page. I'm afraid the
answer is that there is no git repo, correct?

This is essentially the de facto tacacs+ implementation for anyone who
does not wish to purchase software. I believe the lack of a public git
repo (like on github) seriously fragments the community of users and
potential developers, which hampers further development. There are a
number of repos on github named something like tac_plus, most of which
have an initial commit like "import from shrubbery" and then a few
commits on top of that. There's no one common tree with all the nice
patches.

By offering a standard git repo I think the community could unite and
spend more time on the right things instead of maintaining individual
repos. What do you think?

Kind regards,
Kristian.


From heas at shrubbery.net Tue Jan 27 23:09:44 2015
From: heas at shrubbery.net (heasley)
Date: Tue, 27 Jan 2015 23:09:44 +0000
Subject: [tac_plus] Git repo for tac_plus?
In-Reply-To: <54BF6D38.6060505@spritelink.net>
References: <54BF6D38.6060505@spritelink.net>
Message-ID: <20150127230944.GE95442@shrubbery.net>

Wed, Jan 21, 2015 at 10:11:20AM +0100, Kristian Larsson:
> Hello Shrubbery,
>
> where is the source code for tac_plus hosted? I can't seem to find
> anything but the tarball available on your web page. I'm afraid the
> answer is that there is no git repo, correct?

The repo is on my servers and I do not have a publicly accessible
interface. I am not moving it or any of my code to github, sorry. I may
be convinced to create a public interface, I suppose there could be value
there, but I've not wanted to deal with the security implications and you
are only the second to ask. I am happy to receive patches, have, and have
merged several.

> This is essentially the de facto tacacs+ implementation for anyone who
> does not wish to purchase software. I believe the lack of a public git
> repo (like on github) seriously fragments the community of users and
> potential developers, which hampers further development. There are a
> number of repos on github named something like tac_plus, most of which
> have an initial commit like "import from shrubbery" and then a few
> commits on top of that. There's no one common tree with all the nice
> patches.
>
> By offering a standard git repo I think the community could unite and
> spend more time on the right things instead of maintaining individual
> repos. What do you think?
>
> Kind regards,
> Kristian.
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus


From kristian at spritelink.net Thu Jan 29 17:55:59 2015
From: kristian at spritelink.net (Kristian Larsson)
Date: Thu, 29 Jan 2015 18:55:59 +0100
Subject: [tac_plus] Git repo for tac_plus?
In-Reply-To: <20150127230944.GE95442@shrubbery.net>
References: <54BF6D38.6060505@spritelink.net> <20150127230944.GE95442@shrubbery.net>
Message-ID: <54CA742F.9060108@spritelink.net>

On 2015-01-28 00:09, heasley wrote:
> Wed, Jan 21, 2015 at 10:11:20AM +0100, Kristian Larsson:
>> Hello Shrubbery,
>>
>> where is the source code for tac_plus hosted? I can't seem to find
>> anything but the tarball available on your web page. I'm afraid the
>> answer is that there is no git repo, correct?
>
> The repo is on my servers and I do not have a publicly accessible
> interface. I am not moving it or any of my code to github, sorry. I may
> be convinced to create a public interface, I suppose there could be value
> there, but I've not wanted to deal with the security implications and you
> are only the second to ask. I am happy to receive patches, have, and have
> merged several.

It's really difficult to track the changes when there is no public
repository. I'm trying to write my own stuff on top of this but it's
really cumbersome because I'd have to take the different versions of
your published code, make diff sets out of that and then apply it to my
code.

What are the security implications that you are concerned about? You
already have the code out there, what would be bad about publishing the
history of the very same code?

Kind regards,
Kristian.
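The per-host 'role' question in the first thread above, and Daniel Schmidt's point that do_auth can only rewrite the returned AV pairs on devices that accept its exit value of 2, are easiest to see in a script of the same shape. This is an added example, not do_auth itself nor any code from the list; it assumes the after-authorization hook passes the username and device address as arguments and the AV pairs on stdin, with exit 0 = permit unchanged, 1 = deny, 2 = permit with the pairs printed on stdout, and all networks, users and the tac_plus.conf line in the docstring are constructed.

```python
#!/usr/bin/env python3
"""Per-device 'role' assignment in the shape of a tac_plus after-authorization
script (constructed example, not do_auth and not code from the list).

Assumed contract: argv[1] = username, argv[2] = device address, the AV pairs
from tac_plus.conf on stdin one per line; exit 0 = permit the pairs unchanged,
exit 1 = deny, exit 2 = permit with the pairs printed on stdout instead.
Assumed hook line:  after authorization "/usr/local/bin/role_by_host.py $user $address"
"""
import ipaddress
import sys

PERMIT, DENY, REPLACE = 0, 1, 2

# Constructed policy: management network gets admin, the other one read-only.
ROLE_BY_NETWORK = {
    ipaddress.ip_network("10.0.0.0/24"): "admin",
    ipaddress.ip_network("10.0.1.0/24"): "read-only",
}
# Constructed: users who never get admin, whatever device they log in to.
READ_ONLY_USERS = {"auditor"}
# Constructed: devices that, like the HP/WLC gear in the thread, reject the
# exit-2 (replace) reply; for them only the tac_plus.conf result can pass through.
NO_REPLACE = [ipaddress.ip_network("10.0.2.0/24")]


def decide(user, device_ip, av_pairs):
    """Return (exit_code, pairs_to_emit) for one authorization request."""
    ip = ipaddress.ip_address(device_ip)
    if any(ip in net for net in NO_REPLACE):
        return PERMIT, list(av_pairs)          # leave tac_plus.conf's pairs alone
    role = next((r for net, r in ROLE_BY_NETWORK.items() if ip in net), None)
    if role is None:
        return DENY, []                        # unknown device: fail closed
    if user in READ_ONLY_USERS:
        role = "read-only"
    # Drop any role= the config already set, then add the per-device one.
    new_pairs = [p for p in av_pairs if not p.startswith("role=")]
    new_pairs.append("role=" + role)
    return REPLACE, new_pairs


def main():
    user, device_ip = sys.argv[1], sys.argv[2]
    pairs = [line.strip() for line in sys.stdin if line.strip()]
    code, out = decide(user, device_ip, pairs)
    if code == REPLACE:
        print("\n".join(out))
    sys.exit(code)


if __name__ == "__main__":
    main()
```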