From: mitch.raful at dimensiondata.com (Mitch Raful (CBU))
Date: Fri, 5 Jun 2015 17:20:53 +0000
Subject: [tac_plus] groups

Is there a way of combining groups such that a user gets only a few device commands for devices in one location but maintains all privileges for all other devices?

Thanks,

Mitch

Mitch Raful
Sr. Network Engineer
Dimension Data Cloud Business Unit
43490 Yukon Drive
Ashburn, VA 21047
Office: 703-724-8862
Cell: 804-363-0731


From: john at op-sec.us (John Fraizer)
Date: Fri, 5 Jun 2015 15:37:32 -0700
Subject: [tac_plus] groups

Take a look at do_auth.py which is bundled with the Shrubbery TAC_PLUS distribution.

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Fri, Jun 5, 2015 at 10:20 AM, Mitch Raful (CBU) <mitch.raful at dimensiondata.com> wrote:
> Is there a way of combining groups such that a user gets only a few device
> commands for devices in one location but maintains all privileges for all
> other devices?
>
> Thanks,
>
> Mitch
> Mitch Raful
> Sr. Network Engineer
> Dimension Data Cloud Business Unit
> 43490 Yukon Drive
> Ashburn, VA 21047
> Office: 703-724-8862
> Cell: 804-363-0731
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus

From: john at op-sec.us (John Fraizer)
Date: Fri, 5 Jun 2015 15:38:42 -0700
Subject: [tac_plus] Rugged switch priv access
In-Reply-To: <55536279.3050508@yorku.ca>
References: <55536279.3050508@yorku.ca>

Yes you can.

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Wed, May 13, 2015 at 7:40 AM, Krzysztof Adamski wrote:
> Hi,
>
> I'm integrating a rugged switch into our tacacs environment, the setup
> works fine for normal access.
> The switch needs priv level 15 for admin access.
> In our environment we start off at level 1 then do enable and become level
> 15. There does not seem to be an "enable" type command on the rugged, so it
> expects tacacs to send it priv-lvl = 15, but I don't want to make that
> a default for all devices.
> So my question is can I send different priv-lvl to some devices and not
> others?
>
> Thanks in advance,
> K

From: kadamski at yorku.ca (Krzysztof Adamski)
Date: Mon, 08 Jun 2015 09:32:13 -0400
Subject: [tac_plus] Rugged switch priv access
References: <55536279.3050508@yorku.ca>
Message-ID: <5575995D.90107@yorku.ca>

Thank you, how about a pointer to the solution.

On 05/06/15 06:38 PM, John Fraizer wrote:
> Yes you can.
>
> --
> John Fraizer
> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
> On Wed, May 13, 2015 at 7:40 AM, Krzysztof Adamski wrote:
>
>     Hi,
>
>     I'm integrating a rugged switch into our tacacs environment, the
>     setup works fine for normal access.
>     The switch needs priv level 15 for admin access.
>     In our environment we start off at level 1 then do enable and
>     become level 15. There does not seem to be an "enable" type
>     command on the rugged, so it expects tacacs to send it
>     priv-lvl = 15, but I don't want to make that a default for all
>     devices.
>     So my question is can I send different priv-lvl to some devices
>     and not others?
>
>     Thanks in advance,
>     K

--
Krzysztof Adamski | Network Development | University Information Technology
010 Steacie Science and Engineering Library | York University | 4700 Keele St., Toronto ON Canada M3J 1P3
T: +1.416.736.2100 x22675 | F: +1.416.736.5830 | kadamski at yorku.ca | www.yorku.ca

From: aaron.wasserott at viawest.com (Aaron Wasserott)
Date: Tue, 9 Jun 2015 17:45:31 +0000
Subject: [tac_plus] Can you use variables in tac_plus.conf?
Message-ID: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B861B5@mbx030-w1-co-6.exch030.domain.local>

Is it possible to use a variable within the tac_plus.conf file?

Something like:

    set python = /usr/bin/python
    set dauthbin = /usr/local/share/tacacs+/do_auth.pyc
    set dauthlog = /var/log/do_auth.log

    group = test {
        after authorization $python $dauthbin -l $dauthlog
    }

Thanks,
-Aaron

This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not review, copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message.

From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Tue, 9 Jun 2015 14:26:18 -0600
Subject: [tac_plus] Rugged switch priv access
In-Reply-To: <5575995D.90107@yorku.ca>
References: <55536279.3050508@yorku.ca> <5575995D.90107@yorku.ca>

Look at do_auth.py - create groups, send the priv level only to the groups you want it to go to.

On Mon, Jun 8, 2015 at 7:32 AM, Krzysztof Adamski wrote:
> Thank you, how about a pointer to the solution.
>
> On 05/06/15 06:38 PM, John Fraizer wrote:
>
>> Yes you can.
>>
>> --
>> John Fraizer
>> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>>
>> On Wed, May 13, 2015 at 7:40 AM, Krzysztof Adamski wrote:
>>
>>     Hi,
>>
>>     I'm integrating a rugged switch into our tacacs environment, the
>>     setup works fine for normal access.
>>     The switch needs priv level 15 for admin access.
>>     In our environment we start off at level 1 then do enable and
>>     become level 15. There does not seem to be an "enable" type
>>     command on the rugged, so it expects tacacs to send it
>>     priv-lvl = 15, but I don't want to make that a default for all
>>     devices.
>>     So my question is can I send different priv-lvl to some devices
>>     and not others?
>>
>>     Thanks in advance,
>>     K
>>
> --
> Krzysztof Adamski | Network Development | University Information
> Technology
> 010 Steacie Science and Engineering Library | York University | 4700 Keele
> St., Toronto ON Canada M3J 1P3
> T: +1.416.736.2100 x22675 | F: +1.416.736.5830 | kadamski at yorku.ca |
> www.yorku.ca

--
E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.

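Both threads above (Mitch's "few commands at one site, everything elsewhere" and Krzysztof's "priv-lvl 15 only for the rugged switches") are the same problem: pick the group by the device the user is connecting to, not just by the user. The block below is an added illustration of that selection logic, written for this archive page; it is not do_auth.py and not part of tac_plus. The users, group names, device ranges and command patterns are constructed for the example, and the rule "first group in the user's membership list whose device range matches wins" is this example's own simplification of how such a per-device policy is evaluated.

```python
"""Per-device group selection, in the spirit of tac_plus's bundled
do_auth.py post-authorization script: a user belongs to several groups,
each group applies only to some device addresses, and the first group in
the user's membership order that matches the device decides both the
attributes returned at shell start (priv-lvl) and which commands are
permitted.  Added example; not do_auth.py itself, and every user, group
and address below is constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Group:
    name: str
    devices: List[str]                                       # CIDR blocks this group covers
    command_permit: List[str] = field(default_factory=list)  # full-match regexes
    command_deny: List[str] = field(default_factory=list)    # checked before permit
    av_pairs: Dict[str, str] = field(default_factory=dict)   # returned for service=shell

    def applies_to(self, device_ip: str) -> bool:
        addr = ipaddress.ip_address(device_ip)
        return any(addr in ipaddress.ip_network(cidr, strict=False)
                   for cidr in self.devices)


# Constructed policy.  Order inside a user's membership list is precedence:
# the location-specific group must be listed before the catch-all group.
GROUPS = {
    # Rugged switches have no "enable"; hand them level 15 at login.
    "rugged_admin": Group("rugged_admin", ["10.20.0.0/24"],
                          command_permit=[r".*"], av_pairs={"priv-lvl": "15"}),
    # At this one site the user gets a handful of read-only commands.
    "ashburn_limited": Group("ashburn_limited", ["192.0.2.0/24"],
                             command_permit=[r"show .*", r"ping .*"],
                             command_deny=[r"show running-config.*"],
                             av_pairs={"priv-lvl": "1"}),
    # Everywhere else: full command set, normal level-1 login then enable.
    "everywhere_full": Group("everywhere_full", ["0.0.0.0/0", "::/0"],
                             command_permit=[r".*"], av_pairs={"priv-lvl": "1"}),
}
USERS = {
    "mitch": ["ashburn_limited", "everywhere_full"],
    "kadamski": ["rugged_admin", "everywhere_full"],
}


def first_matching_group(user: str, device_ip: str) -> Optional[Group]:
    """First group in the user's list whose device range contains the NAS."""
    for name in USERS.get(user, []):
        group = GROUPS[name]
        if group.applies_to(device_ip):
            return group
    return None


def shell_attributes(user: str, device_ip: str) -> Optional[Dict[str, str]]:
    """AV pairs to return for the shell service, or None to deny the session."""
    group = first_matching_group(user, device_ip)
    return dict(group.av_pairs) if group else None


def authorize_command(user: str, device_ip: str, command: str) -> bool:
    """Fail closed: an unknown user or no matching group means deny."""
    group = first_matching_group(user, device_ip)
    if group is None:
        return False
    cmd = " ".join(command.split())          # normalise whitespace before matching
    if any(re.fullmatch(p, cmd) for p in group.command_deny):
        return False
    return any(re.fullmatch(p, cmd) for p in group.command_permit)


if __name__ == "__main__":
    for user, ip, cmd in [("mitch", "192.0.2.10", "configure terminal"),
                          ("mitch", "198.51.100.5", "configure terminal"),
                          ("kadamski", "10.20.0.7", "show version")]:
        print(user, ip, shell_attributes(user, ip), repr(cmd),
              "permit" if authorize_command(user, ip, cmd) else "deny")
```

The two things worth copying from this into a real do_auth-style setup are the fail-closed default (no matching group means deny, never "fall through to the catch-all") and the explicit deny list evaluated before the permit list, so a broad `show .*` can still exclude `show running-config`.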
From: vadud3 at gmail.com (Asif Iqbal)
Date: Thu, 11 Jun 2015 14:37:51 -0400
Subject: [tac_plus] Nokia IPSO Firewall to TACACS+

I have this setup on tacacs+ side, but user failing to authenticate.

    group = ipso_admin {
        service = nokia-ipso {
            Nokia-IPSO-User-Role = "adminRole"
            Nokia-IPSO-SuperUser-Access = 1
        }
    }

    user = foo {
        login = PAM
        member = ipso_admin
    }

I am seeing these logs. I am not sure where it is getting the ``admin'' login.

    Thu Jun 11 16:22:28 2015 [8107]: connect from mpls-vrrp.example.net [192.168.100.33]
    Thu Jun 11 16:22:28 2015 [8107]: login query for 'admin' General from mpls-vrrp.example.net rejected
    Thu Jun 11 16:22:28 2015 [8107]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
    Thu Jun 11 16:24:51 2015 [11142]: session.peerip is 192.168.100.33
    Thu Jun 11 16:24:51 2015 [14004]: connect from mpls-vrrp.example.net [192.168.100.33]
    Thu Jun 11 16:24:53 2015 [14004]: login query for 'foo' General from mpls-vrrp.example.net rejected
    Thu Jun 11 16:24:53 2015 [14004]: login failure: foo mpls-vrrp.example.net (192.168.100.33) General
    Thu Jun 11 16:25:05 2015 [11142]: session.peerip is 192.168.100.33
    Thu Jun 11 16:25:05 2015 [14653]: connect from mpls-vrrp.example.net [192.168.100.33]
    Thu Jun 11 16:25:06 2015 [14653]: login query for 'foo' General from mpls-vrrp.example.net rejected
    Thu Jun 11 16:25:06 2015 [14653]: login failure: foo mpls-vrrp.example.net (192.168.100.33) General
    Thu Jun 11 16:29:43 2015 [11142]: session.peerip is 192.168.100.33
    Thu Jun 11 16:29:43 2015 [26878]: connect from mpls-vrrp.example.net [192.168.100.33]
    Thu Jun 11 16:29:53 2015 [26878]: mpls-vrrp.example.net General: fd 2 eof (connection closed)
    Thu Jun 11 16:29:53 2015 [26878]: Read -1 bytes from mpls-vrrp.example.net General, expecting 12
    Thu Jun 11 16:29:53 2015 [26878]: Error mpls-vrrp.example.net General: Null reply packet, expecting CONTINUE
    Thu Jun 11 16:30:19 2015 [11142]: session.peerip is 192.168.100.33
    Thu Jun 11 16:30:19 2015 [28716]: connect from mpls-vrrp.example.net [192.168.100.33]
    Thu Jun 11 16:30:19 2015 [28716]: login query for 'admin' General from mpls-vrrp.example.net rejected
    Thu Jun 11 16:30:19 2015 [28716]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
    Thu Jun 11 16:33:37 2015 [11142]: session.peerip is 192.168.100.33
    Thu Jun 11 16:33:37 2015 [4462]: connect from mpls-vrrp.example.net [192.168.100.33]
    Thu Jun 11 16:33:37 2015 [4462]: login query for 'admin' General from mpls-vrrp.example.net rejected
    Thu Jun 11 16:33:37 2015 [4462]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
    Thu Jun 11 16:48:21 2015 [11142]: session.peerip is 192.168.100.33
    Thu Jun 11 16:48:21 2015 [4278]: connect from mpls-vrrp.example.net [192.168.100.33]
    Thu Jun 11 16:48:21 2015 [4278]: login query for 'admin' General from mpls-vrrp.example.net rejected
    Thu Jun 11 16:48:21 2015 [4278]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
    Thu Jun 11 17:10:21 2015 [11142]: session.peerip is 192.168.100.33
    Thu Jun 11 17:10:21 2015 [7781]: connect from mpls-vrrp.example.net [192.168.100.33]
    Thu Jun 11 17:10:31 2015 [7781]: login query for 'foo' General from mpls-vrrp.example.net rejected
    Thu Jun 11 17:10:31 2015 [7781]: login failure: foo mpls-vrrp.example.net (192.168.100.33) General
    Thu Jun 11 17:10:33 2015 [11142]: session.peerip is 192.168.100.33
    Thu Jun 11 17:10:33 2015 [7999]: connect from mpls-vrrp.example.net [192.168.100.33]
    Thu Jun 11 17:10:42 2015 [7999]: mpls-vrrp.example.net General: fd 2 eof (connection closed)
    Thu Jun 11 17:10:42 2015 [7999]: Read -1 bytes from mpls-vrrp.example.net General, expecting 12
    Thu Jun 11 17:10:42 2015 [7999]: Error mpls-vrrp.example.net General: Null reply packet, expecting CONTINUE
    Thu Jun 11 17:10:42 2015 [7999]: Error mpls-vrrp.example.net General: Password change aborted.
    Thu Jun 11 17:10:42 2015 [7999]: login query for 'foo' General from mpls-vrrp.example.net rejected
    Thu Jun 11 17:10:42 2015 [7999]: login failure: foo mpls-vrrp.example.net (192.168.100.33) General

Nokia IPSO firewall guys saying this

    Tried authentication again this morning, no luck. Again my firewalls are
    dropping the packet for being out of TCP state, errors similar to this:

    TCP packet out of state: Unexpected post SYN packet - RST or SYN expected
    tcp_flags: ACK

That seems to align with "Read -1 bytes from mpls-vrrp.example.net General, expecting 12"?

Any suggestion how to get a successful authentication? Firewall sshd is doing the TACACS+ authentication only, no command authorization. Maybe I need a cmd = * { permit .* }? Or just default service = permit and no cmd clause?

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From: heas at shrubbery.net (heasley)
Date: Thu, 11 Jun 2015 21:58:08 +0000
Subject: [tac_plus] Nokia IPSO Firewall to TACACS+
Message-ID: <20150611215808.GF5176@shrubbery.net>

Thu, Jun 11, 2015 at 02:37:51PM -0400, Asif Iqbal:
> I have this setup on tacacs+ side, but user failing to authenticate.
>
> group = ipso_admin {
>     service = nokia-ipso {
>         Nokia-IPSO-User-Role = "adminRole"
>         Nokia-IPSO-SuperUser-Access = 1
>     }
> }
>
> user = foo {
>     login = PAM
>     member = ipso_admin
> }
>
>
> I am seeing these logs. I am not sure where it is getting the ``admin''
> login.
>
>
> Thu Jun 11 16:22:28 2015 [8107]: connect from mpls-vrrp.example.net
> [192.168.100.33]

> Nokia IPSO firewall guys saying this
>
> Tried authentication again this morning, no luck. Again my firewalls are
> dropping the packet for being out of TCP state, errors similar to this:
>
> TCP packet out of state: Unexpected post SYN packet - RST or SYN expected
> tcp_flags: ACK
>
> That seems to be align with "Read -1 bytes from mpls-vrrp.example.net
> General, expecting 12" ?

I can't say; appears there were successful connections there. the error above really just means a premature disconnection.

> Any suggestion how to get a successful authentication? Firewall sshd is
> doing the TACACS+ authentication only, no command authorization. May be I
> need a cmd = * { permit .* } ? or just default service = permit and no cmd
> clause?

i suggest trying:

    user = DEFAULT {
        default service = permit
    }

and try authen / author debugging to see more info about the reason for the denied login.

From: heas at shrubbery.net (heasley)
Date: Thu, 11 Jun 2015 21:59:45 +0000
Subject: [tac_plus] Can you use variables in tac_plus.conf?
In-Reply-To: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B861B5@mbx030-w1-co-6.exch030.domain.local>
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B861B5@mbx030-w1-co-6.exch030.domain.local>
Message-ID: <20150611215945.GG5176@shrubbery.net>

Tue, Jun 09, 2015 at 05:45:31PM +0000, Aaron Wasserott:
> Is it possible to use a variable within the tac_plus.conf file?
>
> Something like:
>
> set python = /usr/bin/python
> set dauthbin = /usr/local/share/tacacs+/do_auth.pyc
> set dauthlog = /var/log/do_auth.log
>
> group = test {
>     after authorization $python $dauthbin -l $dauthlog
> }

no, no such feature. it's a thought though.

my suggestion is

    m4 < tac_plus.conf.m4 > tac_plus.conf

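heasley's answer is to generate tac_plus.conf from a template rather than to expect the daemon to expand variables. The block below is an added example of that approach for this archive page, not a tac_plus feature and not code from the thread: it is a small Python stand-in for the m4 step that understands the `set name = value` lines Aaron sketched and refuses to write a config that still contains an undefined `$name`. The `set` syntax, the `$$` escape and the template text are constructed for the example; the one real-syntax detail it assumes is that `after authorization` takes a quoted command string.

```python
"""A stand-in for the "set variable" feature tac_plus.conf does not have:
a preprocessor that expands $name references in a template and emits the
real tac_plus.conf, the same idea as generating it with m4.  Added example,
not a tac_plus feature; the 'set' syntax and the template are constructed
from the wish-list snippet in the thread."""
import re
import sys

# Assumed syntax: a line "set name = value".  tac_plus has no statement
# starting with "set", so such lines are safe to treat as ours.
SET_LINE = re.compile(r"^\s*set\s+(\w+)\s*=\s*(.*?)\s*$")
# $$ is a literal dollar; otherwise $name or ${name}.  A '$' not followed by
# a word character or '{' (e.g. the regex anchor in cmd = x { permit "y$" })
# is left alone.
VAR_REF = re.compile(r"\$\$|\$\{(\w+)\}|\$(\w+)")

TEMPLATE = """\
set python = /usr/bin/python
set dauthbin = /usr/local/share/tacacs+/do_auth.pyc
set dauthlog = /var/log/do_auth.log

group = test {
    after authorization "$python $dauthbin -l $dauthlog"
}
"""


def render(template: str) -> str:
    """Expand set-variables; refuse to emit a config with an undefined name."""
    variables = {}
    out = []
    for lineno, line in enumerate(template.splitlines(), 1):
        def expand(match):
            if match.group(0) == "$$":
                return "$"
            name = match.group(1) or match.group(2)
            if name not in variables:
                # Fail loudly: a half-expanded "after authorization" line
                # would otherwise become a broken, silently ignored hook.
                raise ValueError(f"line {lineno}: undefined variable ${name}")
            return variables[name]

        m = SET_LINE.match(line)
        if m:
            # Values may reference variables defined earlier; definitions
            # never reach the output because tac_plus would reject them.
            variables[m.group(1)] = VAR_REF.sub(expand, m.group(2))
            continue
        out.append(VAR_REF.sub(expand, line))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python3 gen_tac_plus_conf.py tac_plus.conf.tmpl > tac_plus.conf
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else TEMPLATE
    sys.stdout.write(render(src))
```

As with the m4 route, the generated file is what tac_plus reads, so keep the template under version control and regenerate on change; the undefined-variable check is the part that matters, because a mangled `after authorization` line means the external authorization script simply never runs.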
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Thu, 11 Jun 2015 21:46:45 +0200
Subject: [tac_plus] Nokia IPSO Firewall to TACACS+
Message-ID: <5579E5A5.5000908@gmail.com>

On 11/06/2015 20:37, Asif Iqbal wrote:
> I have this setup on tacacs+ side, but user failing to authenticate.
>
> group = ipso_admin {
>     service = nokia-ipso {
>         Nokia-IPSO-User-Role = "adminRole"
>         Nokia-IPSO-SuperUser-Access = 1
>     }
> }
>
> user = foo {
>     login = PAM
>     member = ipso_admin
> }
>
>
> I am seeing these logs. I am not sure where it is getting the ``admin''
> login.

My hunch tells me the device is sending it, perhaps as some kind of default username configuration? The tacacs server is receiving an admin login as the first thing, before the daemon has taken any action at all.

>
>
> Thu Jun 11 16:22:28 2015 [8107]: connect from mpls-vrrp.example.net [192.168.100.33]
> Thu Jun 11 16:22:28 2015 [8107]: login query for 'admin' General from mpls-vrrp.example.net rejected
> Thu Jun 11 16:22:28 2015 [8107]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
> Thu Jun 11 16:24:51 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:24:51 2015 [14004]: connect from mpls-vrrp.example.net [192.168.100.33]
> Thu Jun 11 16:24:53 2015 [14004]: login query for 'foo' General from mpls-vrrp.example.net rejected
> Thu Jun 11 16:24:53 2015 [14004]: login failure: foo mpls-vrrp.example.net (192.168.100.33) General
> Thu Jun 11 16:25:05 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:25:05 2015 [14653]: connect from mpls-vrrp.example.net [192.168.100.33]
> Thu Jun 11 16:25:06 2015 [14653]: login query for 'foo' General from mpls-vrrp.example.net rejected
> Thu Jun 11 16:25:06 2015 [14653]: login failure: foo mpls-vrrp.example.net (192.168.100.33) General
> Thu Jun 11 16:29:43 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:29:43 2015 [26878]: connect from mpls-vrrp.example.net [192.168.100.33]
> Thu Jun 11 16:29:53 2015 [26878]: mpls-vrrp.example.net General: fd 2 eof (connection closed)
> Thu Jun 11 16:29:53 2015 [26878]: Read -1 bytes from mpls-vrrp.example.net General, expecting 12
> Thu Jun 11 16:29:53 2015 [26878]: Error mpls-vrrp.example.net General: Null reply packet, expecting CONTINUE
> Thu Jun 11 16:30:19 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:30:19 2015 [28716]: connect from mpls-vrrp.example.net [192.168.100.33]
> Thu Jun 11 16:30:19 2015 [28716]: login query for 'admin' General from mpls-vrrp.example.net rejected
> Thu Jun 11 16:30:19 2015 [28716]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
> Thu Jun 11 16:33:37 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:33:37 2015 [4462]: connect from mpls-vrrp.example.net [192.168.100.33]
> Thu Jun 11 16:33:37 2015 [4462]: login query for 'admin' General from mpls-vrrp.example.net rejected
> Thu Jun 11 16:33:37 2015 [4462]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
> Thu Jun 11 16:48:21 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:48:21 2015 [4278]: connect from mpls-vrrp.example.net [192.168.100.33]
> Thu Jun 11 16:48:21 2015 [4278]: login query for 'admin' General from mpls-vrrp.example.net rejected
> Thu Jun 11 16:48:21 2015 [4278]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
> Thu Jun 11 17:10:21 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 17:10:21 2015 [7781]: connect from mpls-vrrp.example.net [192.168.100.33]
> Thu Jun 11 17:10:31 2015 [7781]: login query for 'foo' General from mpls-vrrp.example.net rejected
> Thu Jun 11 17:10:31 2015 [7781]: login failure: foo mpls-vrrp.example.net (192.168.100.33) General
> Thu Jun 11 17:10:33 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 17:10:33 2015 [7999]: connect from mpls-vrrp.example.net [192.168.100.33]
> Thu Jun 11 17:10:42 2015 [7999]: mpls-vrrp.example.net General: fd 2 eof (connection closed)
> Thu Jun 11 17:10:42 2015 [7999]: Read -1 bytes from mpls-vrrp.example.net General, expecting 12
> Thu Jun 11 17:10:42 2015 [7999]: Error mpls-vrrp.example.net General: Null reply packet, expecting CONTINUE
> Thu Jun 11 17:10:42 2015 [7999]: Error mpls-vrrp.example.net General: Password change aborted.
> Thu Jun 11 17:10:42 2015 [7999]: login query for 'foo' General from mpls-vrrp.example.net rejected
> Thu Jun 11 17:10:42 2015 [7999]: login failure: foo mpls-vrrp.example.net (192.168.100.33) General
>
>
> Nokia IPSO firewall guys saying this
>
> Tried authentication again this morning, no luck. Again my firewalls are
> dropping the packet for being out of TCP state, errors similar to this:
>
> TCP packet out of state: Unexpected post SYN packet - RST or SYN expected
> tcp_flags: ACK
>
> That seems to be align with "Read -1 bytes from mpls-vrrp.example.net
> General, expecting 12" ?
>
> Any suggestion how to get a successful authentication? Firewall sshd is
> doing the TACACS+ authentication only, no command authorization. May be I
> need a cmd = * { permit .* } ? or just default service = permit and no cmd
> clause?
>

You don't need any specific cmd authorizations for authentication to work. Normally, permitting the correct service is enough to at least see in the tacacs logs that authentication succeeded. Of course to do anything useful thereafter, you do need authorization, but that is step 2.

Do your Nokia docs say anything about what it expects from tacacs?

--
Alan McKinnon
alan.mckinnon at gmail.com

From: vadud3 at gmail.com (Asif Iqbal)
Date: Thu, 11 Jun 2015 22:14:56 -0400
Subject: [tac_plus] Nokia IPSO Firewall to TACACS+

On Thu, Jun 11, 2015 at 2:37 PM, Asif Iqbal wrote:
> I have this setup on tacacs+ side, but user failing to authenticate.
>
> group = ipso_admin {
>     service = nokia-ipso {
>         Nokia-IPSO-User-Role = "adminRole"
>         Nokia-IPSO-SuperUser-Access = 1
>     }
> }
>
> user = foo {
>     login = PAM
>     member = ipso_admin
> }
>
>
> I am seeing these logs. I am not sure where it is getting the ``admin''
> login.
>
>
> Thu Jun 11 16:22:28 2015 [8107]: connect from mpls-vrrp.example.net [192.168.100.33]
> Thu Jun 11 16:22:28 2015 [8107]: login query for 'admin' General from mpls-vrrp.example.net rejected
> Thu Jun 11 16:22:28 2015 [8107]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
> Thu Jun 11 16:24:51 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:24:51 2015 [14004]: connect from mpls-vrrp.example.net [192.168.100.33]
> Thu Jun 11 16:24:53 2015 [14004]: login query for 'foo' General from mpls-vrrp.example.net rejected
> Thu Jun 11 16:24:53 2015 [14004]: login failure: foo mpls-vrrp.example.net (192.168.100.33) General
> Thu Jun 11 16:25:05 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:25:05 2015 [14653]: connect from mpls-vrrp.example.net [192.168.100.33]
> Thu Jun 11 16:25:06 2015 [14653]: login query for 'foo' General from mpls-vrrp.example.net rejected
> Thu Jun 11 16:25:06 2015 [14653]: login failure: foo mpls-vrrp.example.net (192.168.100.33) General
> Thu Jun 11 16:29:43 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:29:43 2015 [26878]: connect from mpls-vrrp.example.net [192.168.100.33]
> Thu Jun 11 16:29:53 2015 [26878]: mpls-vrrp.example.net General: fd 2 eof (connection closed)
> Thu Jun 11 16:29:53 2015 [26878]: Read -1 bytes from mpls-vrrp.example.net General, expecting 12
> Thu Jun 11 16:29:53 2015 [26878]: Error mpls-vrrp.example.net General: Null reply packet, expecting CONTINUE
> Thu Jun 11 16:30:19 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:30:19 2015 [28716]: connect from mpls-vrrp.example.net [192.168.100.33]
> Thu Jun 11 16:30:19 2015 [28716]: login query for 'admin' General from mpls-vrrp.example.net rejected
> Thu Jun 11 16:30:19 2015 [28716]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
> Thu Jun 11 16:33:37 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:33:37 2015 [4462]: connect from mpls-vrrp.example.net [192.168.100.33]
> Thu Jun 11 16:33:37 2015 [4462]: login query for 'admin' General from mpls-vrrp.example.net rejected
> Thu Jun 11 16:33:37 2015 [4462]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
> Thu Jun 11 16:48:21 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:48:21 2015 [4278]: connect from mpls-vrrp.example.net [192.168.100.33]
> Thu Jun 11 16:48:21 2015 [4278]: login query for 'admin' General from mpls-vrrp.example.net rejected
> Thu Jun 11 16:48:21 2015 [4278]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
> Thu Jun 11 17:10:21 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 17:10:21 2015 [7781]: connect from mpls-vrrp.example.net [192.168.100.33]
> Thu Jun 11 17:10:31 2015 [7781]: login query for 'foo' General from mpls-vrrp.example.net rejected
> Thu Jun 11 17:10:31 2015 [7781]: login failure: foo mpls-vrrp.example.net (192.168.100.33) General
> Thu Jun 11 17:10:33 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 17:10:33 2015 [7999]: connect from mpls-vrrp.example.net [192.168.100.33]
> Thu Jun 11 17:10:42 2015 [7999]: mpls-vrrp.example.net General: fd 2 eof (connection closed)
> Thu Jun 11 17:10:42 2015 [7999]: Read -1 bytes from mpls-vrrp.example.net General, expecting 12
> Thu Jun 11 17:10:42 2015 [7999]: Error mpls-vrrp.example.net General: Null reply packet, expecting CONTINUE
> Thu Jun 11 17:10:42 2015 [7999]: Error mpls-vrrp.example.net General: Password change aborted.
> Thu Jun 11 17:10:42 2015 [7999]: login query for 'foo' General from mpls-vrrp.example.net rejected
> Thu Jun 11 17:10:42 2015 [7999]: login failure: foo mpls-vrrp.example.net (192.168.100.33) General
>
>
> Nokia IPSO firewall guys saying this
>
> Tried authentication again this morning, no luck. Again my firewalls are
> dropping the packet for being out of TCP state, errors similar to this:
>
> TCP packet out of state: Unexpected post SYN packet - RST or SYN expected
> tcp_flags: ACK
>
> That seems to be align with "Read -1 bytes from mpls-vrrp.example.net
> General, expecting 12" ?
>
> Any suggestion how to get a successful authentication? Firewall sshd is
> doing the TACACS+ authentication only, no command authorization. May be I
> need a cmd = * { permit .* } ? or just default service = permit and no cmd
> clause?
>

I was informed by the firewall team of a successful T+ authentication. And the RST was related to some misconfig on NAT. I have not made any change on my original config, which followed the doc on Nokia IPSO TACACS+ config provided by our firewall team.

Thanks a lot for your help!

> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

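The two diagnoses in this thread (heasley: "Read -1 bytes ... expecting 12" is just a premature disconnect; Alan: the 'admin' login arrives as the very first thing from the device) both come from reading the log per child process, because tac_plus forks one child per connection and the bracketed PID ties a session's lines together. The block below is an added example for this archive page, not code from the thread or from tac_plus: a small triage script that groups the log by PID and separates "login rejected for user X" sessions from "peer hung up mid-dialogue" sessions, with how long each one lasted. The sample lines are a subset copied from Asif's post; the regexes are this example's own reading of those lines, not a documented tac_plus log format.

```python
"""Triage for tac_plus authentication logs like the ones in this thread.
tac_plus forks one child per connection, so the bracketed PID ties the
lines of a session together; grouping on it separates "login rejected for
user X" from "client went away before replying" (the fd eof / Read -1
bytes / Null reply lines).  Added example, not part of tac_plus; the
sample lines are copied from the post above."""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

# Patterns are this example's reading of the lines in the thread, not a
# documented log format.
LINE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
                  r"\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"^connect from (?P<host>\S+) \[(?P<ip>[^\]]+)\]$")
REJECT = re.compile(r"^login query for '(?P<user>[^']*)' .+? from \S+ rejected$")
EOF = re.compile(r"^\S+ .+?: fd \d+ eof \(connection closed\)$")

SAMPLE_LOG = """\
Thu Jun 11 16:22:28 2015 [8107]: connect from mpls-vrrp.example.net [192.168.100.33]
Thu Jun 11 16:22:28 2015 [8107]: login query for 'admin' General from mpls-vrrp.example.net rejected
Thu Jun 11 16:22:28 2015 [8107]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
Thu Jun 11 16:24:51 2015 [11142]: session.peerip is 192.168.100.33
Thu Jun 11 16:24:51 2015 [14004]: connect from mpls-vrrp.example.net [192.168.100.33]
Thu Jun 11 16:24:53 2015 [14004]: login query for 'foo' General from mpls-vrrp.example.net rejected
Thu Jun 11 16:24:53 2015 [14004]: login failure: foo mpls-vrrp.example.net (192.168.100.33) General
Thu Jun 11 16:29:43 2015 [11142]: session.peerip is 192.168.100.33
Thu Jun 11 16:29:43 2015 [26878]: connect from mpls-vrrp.example.net [192.168.100.33]
Thu Jun 11 16:29:53 2015 [26878]: mpls-vrrp.example.net General: fd 2 eof (connection closed)
Thu Jun 11 16:29:53 2015 [26878]: Read -1 bytes from mpls-vrrp.example.net General, expecting 12
Thu Jun 11 16:29:53 2015 [26878]: Error mpls-vrrp.example.net General: Null reply packet, expecting CONTINUE
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into timestamp, child PID and message, or None."""
    m = LINE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "pid": int(m.group("pid")), "msg": m.group("msg")}


def summarize(lines: List[str]) -> dict:
    """Group lines per connection child and classify each session's outcome."""
    sessions: List[dict] = []
    active: Dict[int, dict] = {}            # child PID -> its session (PIDs get reused)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue                        # blank or not a tac_plus line
        m = CONNECT.match(rec["msg"])
        if m:
            sess = {"pid": rec["pid"], "host": m.group("host"), "ip": m.group("ip"),
                    "started": rec["ts"], "ended": rec["ts"], "outcome": "incomplete"}
            sessions.append(sess)
            active[rec["pid"]] = sess
            continue
        sess = active.get(rec["pid"])
        if sess is None:
            continue                        # the listener's own lines ("session.peerip is ...")
        sess["ended"] = rec["ts"]
        m = REJECT.match(rec["msg"])
        if m:
            sess["outcome"] = "rejected:" + m.group("user")
        elif EOF.match(rec["msg"]):
            sess["outcome"] = "client_closed"   # peer hung up before answering
    rejected: Counter = Counter()
    client_closed = 0
    for sess in sessions:
        sess["seconds"] = int((sess["ended"] - sess["started"]).total_seconds())
        if sess["outcome"].startswith("rejected:"):
            rejected[sess["outcome"].split(":", 1)[1]] += 1
        elif sess["outcome"] == "client_closed":
            client_closed += 1
    return {"sessions": sessions, "rejected_by_user": dict(rejected),
            "client_closed": client_closed}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for s in result["sessions"]:
        print(f"pid {s['pid']:>6} {s['ip']:<16} {s['seconds']:>3}s {s['outcome']}")
    print("rejected by user:", result["rejected_by_user"],
          "| client closed:", result["client_closed"])
```

On the sample this yields two rejected logins (one each for admin and foo, each settled within two seconds of connect) and one session in which the device sat for ten seconds after connecting and then closed the socket, which is the "Read -1 bytes" case; a user whose name never appears in your config showing up first in every burst is the pattern Alan describes.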
From: acruhl at gmail.com (Andy Ruhl)
Date: Thu, 18 Jun 2015 14:32:55 -0700
Subject: [tac_plus] Orphaned processes?

Thanks in advance for any help you can provide. Please copy my email address because I'm not on the list yet.

I have tac_plus running on CentOS 7 and I created a systemd startup file for it.

The problem is systemd does not kill the process cleanly. I think it might be due to orphaned processes, or something similar:

    [root at tucacs-temp system]# ps -elf | grep tac_
    1 S root 22302     1 0 80 0 -  6078 futex_ 13:10 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
    1 S root 22305     1 0 80 0 -  6078 futex_ 13:10 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
    1 S root 22308     1 0 80 0 -  6078 futex_ 13:10 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
    1 S root 22311     1 0 80 0 -  6078 futex_ 13:10 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
    5 S root 22384     1 0 80 0 -  6078 poll_s 13:11 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
    1 S root 23548 22384 0 80 0 -  6078 poll_s 14:25 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
    1 S root 23552 22384 0 80 0 -  6078 poll_s 14:26 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
    1 S root 23555 22384 0 80 0 -  6078 poll_s 14:26 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
    1 S root 23562 22384 0 80 0 -  6078 poll_s 14:26 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
    1 S root 23570 22384 0 80 0 -  6078 poll_s 14:27 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
    1 S root 23571 22384 0 80 0 -  6078 poll_s 14:27 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
    1 S root 23572 22384 0 80 0 -  6078 poll_s 14:27 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
    1 S root 23576 22384 0 80 0 -  6078 poll_s 14:27 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
    0 S root 23581 16123 0 80 0 - 28160 pipe_w 14:27 pts/0 00:00:00 grep --color=auto tac_

Am I supposed to have this many processes? Why are the last ones spawned by 22384 and the first ones spawned by 1?

When I restart tac_plus, I have to do "killall tac_plus" to clean all of this up because "systemd stop tac_plus.service" doesn't do it.

Thanks!

Andy Ruhl

From: heas at shrubbery.net (heasley)
Date: Fri, 19 Jun 2015 07:31:32 +0000
Subject: [tac_plus] Orphaned processes?
Message-ID: <20150619073132.GB29524@shrubbery.net>

Thu, Jun 18, 2015 at 02:32:55PM -0700, Andy Ruhl:
> Thanks in advance for any help you can provide. Please copy my email
> address because I'm not on the list yet.
>
> I have tac_plus running on CentOS 7 and I created a systemd startup file for it.
>
> The problem is systemd does not kill the process cleanly. I think it
> might be due to orphaned processes, or something similar:
>
> [root at tucacs-temp system]# ps -elf | grep tac_
> 1 S root 22302     1 0 80 0 -  6078 futex_ 13:10 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
> 1 S root 22305     1 0 80 0 -  6078 futex_ 13:10 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
> 1 S root 22308     1 0 80 0 -  6078 futex_ 13:10 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
> 1 S root 22311     1 0 80 0 -  6078 futex_ 13:10 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
> 5 S root 22384     1 0 80 0 -  6078 poll_s 13:11 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
> 1 S root 23548 22384 0 80 0 -  6078 poll_s 14:25 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
> 1 S root 23552 22384 0 80 0 -  6078 poll_s 14:26 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
> 1 S root 23555 22384 0 80 0 -  6078 poll_s 14:26 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
> 1 S root 23562 22384 0 80 0 -  6078 poll_s 14:26 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
> 1 S root 23570 22384 0 80 0 -  6078 poll_s 14:27 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
> 1 S root 23571 22384 0 80 0 -  6078 poll_s 14:27 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
> 1 S root 23572 22384 0 80 0 -  6078 poll_s 14:27 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
> 1 S root 23576 22384 0 80 0 -  6078 poll_s 14:27 ?     00:00:00 /usr/local/sbin/tac_plus -C /etc/tac-plus/tac_plus.conf -p 49
> 0 S root 23581 16123 0 80 0 - 28160 pipe_w 14:27 pts/0 00:00:00 grep --color=auto tac_
>
> Am I supposed to have this many processes? Why are the last ones
> spawned by 22384 and the first ones spawned by 1?

unix 102. see orphaned processes

> When I restart tac_plus, I have to do "killall tac_plus" to clean all
> of this up because "systemd stop tac_plus.service" doesn't do it.

well, that's unusual. check if some device(s) are holding connections to these children. lsof -p.


From: david.leonard at opengear.com (david.leonard at opengear.com)
Date: Mon, 22 Jun 2015 15:55:26 +1000 (EST)
Subject: [tac_plus] IPv6 and disabled account segv patches
Message-ID: <1434952526.879926743@apps.rackspace.com>

Hi, guys.

Before I'd found the shrubbery.net site, I'd submitted some IPv6 patches against tacacs+-4.0.4.27a to Ubuntu. The patches are spread over 3 separate bug reports at https://bugs.launchpad.net/ubuntu/+source/tacacs+ but you can ignore them because I have merged them to 4.0.4.28 and pasted the effective patches below.

The problems fixed are:

* fix segfault on disabled accounts
* fix mangled IPv6 addresses

Cheers
David

* fix segfault on disabled accounts

--- a/pwlib.c 2015-03-24 11:29:26.337011181 +1000
+++ b/pwlib.c 2015-03-24 11:30:01.193011950 +1000
@@ -457,7 +457,7 @@ if (debug & DEBUG_PASSWD_FLAG) report(LOG_DEBUG, "%s encrypts to %s", users_passwd, ep); - if (strcmp(ep, encrypted_passwd) == 0) { + if (ep && strcmp(ep, encrypted_passwd) == 0) { if (debug & DEBUG_PASSWD_FLAG) report(LOG_DEBUG, "Password is correct"); return(1); * fix mangled IPv6 addresses Index: tacacs-F4.0.4.28/tac_plus.c =================================================================== --- tacacs-F4.0.4.28.orig/tac_plus.c +++ tacacs-F4.0.4.28/tac_plus.c @@ -264,6 +264,26 @@ open_logfile(void) setlogmask(LOG_UPTO(LOG_DEBUG)); } +static char * +sockaddr_ntop(const struct sockaddr *sa) +{ + const void *src; + char buf[INET6_ADDRSTRLEN]; + + switch (sa->sa_family) { + case AF_INET: + src = &((const struct sockaddr_in *)sa)->sin_addr; + break; + case AF_INET6: + src = &((const struct sockaddr_in6 *)sa)->sin6_addr; + break; + default: + return NULL; + } + + return tac_strdup((char *)inet_ntop(sa->sa_family, src, buf, sizeof buf)); +} + /* * We will eventually be called from inetd or via the rc scripts directly * Parse arguments and act appropiately. @@ -393,7 +413,7 @@ main(int argc, char **argv) /* running under inetd */ char host[NI_MAXHOST]; int on; - struct sockaddr_in name; + struct sockaddr_storage name; socklen_t name_len; name_len = sizeof(name); @@ -419,8 +439,7 @@ main(int argc, char **argv) if (session.peerip) free(session.peerip); - session.peerip = tac_strdup((char *)inet_ntop(name.sin_family, - &name.sin_addr, host, NI_MAXHOST)); + session.peerip = sockaddr_ntop((struct sockaddr *)&name); if (debug & DEBUG_AUTHEN_FLAG) report(LOG_INFO, "session.peerip is %s", session.peerip); } @@ -620,7 +639,7 @@ main(int argc, char **argv) int pid; #endif char host[NI_MAXHOST]; - struct sockaddr_in from; + struct sockaddr_storage from; socklen_t from_len; int newsockfd = -1; int flags, status; 
@@ -671,8 +690,7 @@ main(int argc, char **argv) if (session.peerip) free(session.peerip); - session.peerip = tac_strdup((char *)inet_ntop(from.sin_family, - &from.sin_addr, host, NI_MAXHOST)); + session.peerip = sockaddr_ntop((struct sockaddr *)&from); if (debug & DEBUG_PACKET_FLAG) report(LOG_DEBUG, "session request from %s sock=%d", session.peer, newsockfd);
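Review bot: in the pwlib.c hunk the NULL guard comes one statement too late. The leading context shows `report(LOG_DEBUG, "%s encrypts to %s", users_passwd, ep);` executing before the new `if (ep && strcmp(ep, encrypted_passwd) == 0)`, so with password debugging enabled a NULL `ep` is still passed to `%s` and the disabled-account crash merely moves two lines up. Suggest testing `ep == NULL` immediately after the crypt() call, reporting "crypt failed" and returning 0 there, so that both the debug report and the comparison are covered; a one-line comment on why crypt() can return NULL here (locked accounts carry a password field such as "*" or "!" that is not a valid salt) would stop the next reader from removing the check as redundant.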
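Review bot: `sockaddr_ntop()` can return NULL and both call sites store that straight into `session.peerip`. Inside the function `inet_ntop()` is handed to `tac_strdup()` unchecked, and `inet_ntop()` returns NULL on failure; the `default:` arm also returns NULL for any family other than AF_INET/AF_INET6. Suggest `const char *s = inet_ntop(sa->sa_family, src, buf, sizeof buf); return s ? tac_strdup((char *)s) : NULL;` in the function, and a fallback such as "unknown" at the two callers, because the next debug statement prints `session.peerip` with `%s`. Also worth a line in the commit text: when an AF_INET6 listener accepts an IPv4 client, `sin6_addr` holds the IPv4-mapped form and this function will log and store `::ffff:a.b.c.d`, so anything that compares `session.peerip` against a dotted-quad string stops matching.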
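Review bot: the `struct sockaddr_in` to `struct sockaddr_storage` change for `name` and `from` is the right fix, but it leaves `char host[NI_MAXHOST];` unused in both blocks of main() now that `sockaddr_ntop()` formats into its own buffer; delete both declarations so the build stays warning-clean. In the inetd block the visible `name_len = sizeof(name);` picks up the larger size automatically; the `from_len` initialisation for the accept() path is outside the shown context, so please confirm it is also `sizeof(from)` rather than a literal `sizeof(struct sockaddr_in)`, otherwise accept() truncates the IPv6 peer address and the new code formats the wrong bytes.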