[tac_plus] Work around for BUG in Arista EOS <=4.9.1
Hans van den Bogert
hansbogert at gmail.com
Thu Jul 23 23:55:29 UTC 2015
reminds me of what I had to do, forgot the hardware. If needed, let me know and I’ll look it up (not arista IIRC). I patched it even more ugly probably:
https://github.com/hansbogert/tacacs-plus/commit/88b4aac5ba53916bf78ea6ae0eaaf83e5221304c
On 24 Jul 2015, at 00:51, John Fraizer <john at op-sec.us> wrote:
> There is a bug in Arista EOS <=4.9.1 which causes it to flip it's lid when
> it receives TAC_PLUS_AUTHOR_STATUS_PASS_REPL in an Authorization response.
> The bug manifests itself as tac_plus and do_auth.py both agreeing that the
> request was authorized but, the EOS device displaying "Authorization
> denied:" and dropping the login.
>
> After some troubleshooting to determine what was actually tickling this
> bug, I found that when using an after authorization script with tac_plus,
> it will return TAC_PLUS_AUTHOR_STATUS_PASS_REPL wherein when you don't use
> an after authorization script, tac_plus will return
> TAC_PLUS_AUTHOR_STATUS_PASS_ADD.
>
> I write a quick and dirty patch that seems to work just fine in my
> environment and I thought I would pass it along to the community in case
> you have any vintage EOS devices in your stable and want to use after
> authorization. (If you're not using do_auth.py, you don't know what you're
> missing!)
>
> This patch is against stock Shrubbery.net F4.0.4.28:
>
> $ cat arista-bug-fix.diff
> *** do_author.c.orig 2015-07-23 11:51:33.641510860 -0700
> --- do_author.c 2015-07-23 12:13:11.667818482 -0700
> ***************
> *** 325,359 ****
> --- 325,388 ----
> case 2:
> /* Use replacement AV pairs from program */
> if (debug & DEBUG_AUTHOR_FLAG)
> report(LOG_DEBUG, "cmd %s returns 2 (replace & continue)",
> after);
>
> /* Free any existing AV output pairs */
> if (data->num_out_args) {
> for (i = 0; i < data->num_out_args; i++) {
> free(data->output_args[i]);
> }
> free(data->output_args);
> data->output_args = NULL;
> }
>
> + /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
> + * Arista EOS versions 4.9.1 and below do not support the *
> + * TAC_AUTHOR_STATUS_PASS_REPL status. When they receive *
> + * this status in an authorization reply, they flip their *
> + * lidz and return "Authorization denied:" to the user *
> + * and dump them out of the session. This presents a *
> + * problem for organizations who desire to use after *
> + * authorization scripts to change AV PAIRS, etc if they *
> + * have equipment running older EOS code. *
> + * *
> + * After finally tracking down the root cause of this *
> + * undesired behavior, the "fix" is very simple: "Lie to *
> + * everybody and send TAC_AUTHOR_STATUS_PASS_ADD any time *
> + * we would normally send TAC_AUTHOR_STATUS_PASS_REPL." *
> + * *
> + * This nasty hack was conceived and written by: *
> + * John Fraizer <jfraizer at ebay.com> *
> + * 23 July 2015 *
> + * *
> + * No Warranty is Expressed or Implied! *
> + * Individual mileage may vary with driving conditions and *
> + * driving style. Always use the manufacturers *
> + * recommended tire inflation! *
> + * *
> + * Semper Fi! *
> + * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
> +
> +
> if (debug & DEBUG_AUTHOR_FLAG) {
> report(LOG_DEBUG, "status is now AUTHOR_STATUS_PASS_REPL");
> }
>
> data->status = AUTHOR_STATUS_PASS_REPL;
> + */
> data->output_args = out_args;
> data->num_out_args = out_cnt;
> return;
> }
> }
>
> /* Return a pointer to the value part of an attr=value string */
> static char *
> value(char *s)
> {
> while (*s != '\0' && *s != '=' && *s != '*')
> s++;
> if (*s != '\0')
> return(++s);
> return(NULL);
>
>
>
>
>
>
> --
> John Fraizer
> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20150723/2e4bb442/attachment.html>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
More information about the tac_plus
mailing list