From philipp_subx at redfish-solutions.com Sat Dec 3 00:34:54 2016 From: philipp_subx at redfish-solutions.com (Philip Prindeville) Date: Fri, 2 Dec 2016 17:34:54 -0700 Subject: [tac_plus] Testing the mailing list Message-ID: <7F327F26-A68D-40B4-ADB6-A07C1B54E8BD@redfish-solutions.com> Please ignore. Just wanted to see if the mailing list is back up or not. From philipp at redfish-solutions.com Sat Dec 3 00:57:59 2016 From: philipp at redfish-solutions.com (Philip Prindeville) Date: Sat, 03 Dec 2016 00:57:59 -0000 Subject: [tac_plus] Logging/encryption patches sent last month In-Reply-To: <2086D8F0-A3E2-4203-A9E0-0BED788E04D3@redfish-solutions.com> References: <2086D8F0-A3E2-4203-A9E0-0BED788E04D3@redfish-solutions.com> Message-ID: <9267190B-04E9-4697-909C-22F7A62863A8@redfish-solutions.com> > On Oct 19, 2016, at 12:08 PM, Philip Prindeville wrote: > > I was going to submit packaging for tac_plus on Redhat (Fedora, CentOS, EPEL, RHEL) but if the project is no longer accepting patches then I don?t want to be in a position to have to maintain distro-specific patches for Redhat with no hope of upstreaming them. Looking at the tarball, I?m seeing a .spec file? but it doesn?t conform to some Fedora packaging requirements? like avoiding embedding files as here-documents in the .spec file. Are there any objections to breaking those files out? Thanks, -Philip -------------- next part -------------- An HTML attachment was scrubbed... URL: From philipp at redfish-solutions.com Sat Dec 3 01:21:59 2016 From: philipp at redfish-solutions.com (Philip Prindeville) Date: Sat, 03 Dec 2016 01:21:59 -0000 Subject: [tac_plus] [PATCH 1/9] Avoid use of embedded here documents in .spec file Message-ID: <1478126949-7265-1-git-send-email-philipp@redfish-solutions.com> From: Philip Prindeville Here documents bloat the .spec file and are counter to the whole point of having SCM. Better to separate the files out. --- tac_plus.sysvinit | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++ tacacs+.spec | 73 ++----------------------------------------------------- 2 files changed, 70 insertions(+), 71 deletions(-) diff --git a/tac_plus.sysvinit b/tac_plus.sysvinit new file mode 100644 index 0000000000000000000000000000000000000000..1e2e3f0d3399a878f24747e6aff439b95790fff7 --- /dev/null +++ b/tac_plus.sysvinit @@ -0,0 +1,68 @@ +#!/bin/bash +# +# /etc/rc.d/init.d/tac_plus +# +# chkconfig: 2345 86 14 +# description: TACACS+ Daemon + +# Define variables +TACPLUS_PID=/var/run/tac_plus.pid +TACPLUS_EXE=/usr/bin/tac_plus +TACPLUS_ARG="" +TACPLUS_CNF=/etc/tac_plus.conf + +# Source function library. +. /etc/rc.d/init.d/functions + +case "$1" in +start) +# Check to see if tac_plus is running. +if [[ -f ${TACPLUS_PID} || -f /var/lock/subsys/tac_plus ]]; then + echo "tac_plus may already be running. Check for existing tac_plus processes." + exit 1 +fi +echo -n "Starting tac_plus:" +$TACPLUS_EXE $TACPLUS_ARG -C $TACPLUS_CNF && success || failure +echo +touch /var/lock/subsys/tac_plus +;; +stop) +if [[ -f ${TACPLUS_PID} && -f /var/lock/subsys/tac_plus ]]; then + echo -n "Stopping tac_plus:" + killproc -p ${TACPLUS_PID} + echo + rm -f /var/lock/subsys/tac_plus + rm -f ${TACPLUS_PID} +else + echo "tac_plus does not appear to be running." +fi +;; +status) +if [[ -f ${TACPLUS_PID} && -f /var/lock/subsys/tac_plus ]]; then + echo "tac_plus pid is `cat ${TACPLUS_PID}`" +else + echo "tac_plus does not appear to be running." +fi +;; +restart) +$0 stop; $0 start +;; +reload) +echo -n "Reloading tac_plus..." +if [[ -f ${TACPLUS_PID} && -f /var/lock/subsys/tac_plus ]]; then + kill -HUP `cat ${TACPLUS_PID}` + RETVAL=$? +fi +if [ $RETVAL -ne 0 ]; then + failure +else + success +fi +echo + +;; +*) +echo "Usage: $0 {start|stop|status|reload|restart}" +exit 1 +;; +esac diff --git a/tacacs+.spec b/tacacs+.spec index 7c08c23d67736a0617dbccd7a8ba00903504574f..505ed249982b3223da8bb21e0044a37bb2418b68 100644 --- a/tacacs+.spec +++ b/tacacs+.spec @@ -9,6 +9,7 @@ Packager: Bruce Carleton Vendor: Cisco Source: %{name}-%{version}.tar.gz +Source2: tac_plus.sysvinit BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: gcc, bison, flex, m4, pam-devel @@ -19,76 +20,6 @@ Requires: pam %prep %setup -%{__cat} <<'EOF' >tac_plus.sysvinit -#!/bin/bash -# -# /etc/rc.d/init.d/tac_plus -# -# chkconfig: 2345 86 14 -# description: TACACS+ Daemon - -# Define variables -TACPLUS_PID=/var/run/tac_plus.pid -TACPLUS_EXE=/usr/bin/tac_plus -TACPLUS_ARG="" -TACPLUS_CNF=/etc/tac_plus.conf - -# Source function library. -. /etc/rc.d/init.d/functions - -case "$1" in -start) -# Check to see if tac_plus is running. -if [[ -f ${TACPLUS_PID} || -f /var/lock/subsys/tac_plus ]]; then - echo "tac_plus may already be running. Check for existing tac_plus processes." - exit 1 -fi -echo -n "Starting tac_plus:" -$TACPLUS_EXE $TACPLUS_ARG -C $TACPLUS_CNF && success || failure -echo -touch /var/lock/subsys/tac_plus -;; -stop) -if [[ -f ${TACPLUS_PID} && -f /var/lock/subsys/tac_plus ]]; then - echo -n "Stopping tac_plus:" - killproc -p ${TACPLUS_PID} - echo - rm -f /var/lock/subsys/tac_plus - rm -f ${TACPLUS_PID} -else - echo "tac_plus does not appear to be running." -fi -;; -status) -if [[ -f ${TACPLUS_PID} && -f /var/lock/subsys/tac_plus ]]; then - echo "tac_plus pid is `cat ${TACPLUS_PID}`" -else - echo "tac_plus does not appear to be running." -fi -;; -restart) -$0 stop; $0 start -;; -reload) -echo -n "Reloading tac_plus..." -if [[ -f ${TACPLUS_PID} && -f /var/lock/subsys/tac_plus ]]; then - kill -HUP `cat ${TACPLUS_PID}` - RETVAL=$? -fi -if [ $RETVAL -ne 0 ]; then - failure -else - success -fi -echo - -;; -*) -echo "Usage: $0 {start|stop|status|reload|restart}" -exit 1 -;; -esac -EOF %build %configure --enable-acls --enable-uenable @@ -97,7 +28,7 @@ EOF %install %{__rm} -rf %{buildroot} %makeinstall -%{__install} -Dp -m0755 tac_plus.sysvinit %{buildroot}%{_initrddir}/tac_plus +%{__install} -Dp -m0755 %{SOURCE2} %{buildroot}%{_initrddir}/tac_plus ### Clean up buildroot %{__rm} -f %{buildroot}%{_infodir}/dir -- 2.7.4 From philipp at redfish-solutions.com Sat Dec 3 01:57:04 2016 From: philipp at redfish-solutions.com (Philip Prindeville) Date: Sat, 03 Dec 2016 01:57:04 -0000 Subject: [tac_plus] [PATCH 2/9] Accommodate the directory and tarball not having plus in the name Message-ID: <1478127078-7801-1-git-send-email-philipp@redfish-solutions.com> From: Philip Prindeville The plus in the package name gets stripped out by the AC_INIT_PACKAGE macro, and "tacacs+" is reduced to "tacacs". --- tacacs+.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/tacacs+.spec b/tacacs+.spec index 505ed249982b3223da8bb21e0044a37bb2418b68..e3be447fc4d7201e89261a8b0e9771578d30ef33 100644 --- a/tacacs+.spec +++ b/tacacs+.spec @@ -8,8 +8,11 @@ License: Cisco Packager: Bruce Carleton Vendor: Cisco -Source: %{name}-%{version}.tar.gz +%global name2 %(eval echo "%{name}" | %{__sed} -e 's/+$//') + +Source: %{name2}-%{version}.tar.gz Source2: tac_plus.sysvinit + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: gcc, bison, flex, m4, pam-devel @@ -17,8 +20,8 @@ Requires: pam %description -%prep -%setup +%prep -n %{name2}-%{version} +%setup -n %{name2}-%{version} %build -- 2.7.4 From philipp at redfish-solutions.com Sat Dec 3 02:43:52 2016 From: philipp at redfish-solutions.com (Philip Prindeville) Date: Sat, 03 Dec 2016 02:43:52 -0000 Subject: [tac_plus] [PATCH 3/9] Perl is required for tac_convert at run-time Message-ID: <1478127080-7843-1-git-send-email-philipp@redfish-solutions.com> From: Philip Prindeville Don't forget to call out the dependency on perl in the Requires: section --- tacacs+.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tacacs+.spec b/tacacs+.spec index e3be447fc4d7201e89261a8b0e9771578d30ef33..717f4c88b0df024b9600cfce059b33850dbcc898 100644 --- a/tacacs+.spec +++ b/tacacs+.spec @@ -16,7 +16,7 @@ Source2: tac_plus.sysvinit BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: gcc, bison, flex, m4, pam-devel -Requires: pam +Requires: pam, perl %description -- 2.7.4 From philipp_subx at redfish-solutions.com Mon Dec 5 21:19:47 2016 From: philipp_subx at redfish-solutions.com (Philip Prindeville) Date: Mon, 5 Dec 2016 14:19:47 -0700 Subject: [tac_plus] Please ignore recently posted patches... they're on GitHub now Message-ID: <37528B75-D62D-461F-BB8B-75599D26A8A3@redfish-solutions.com> Hi, I had previously sent a series of patches for 4.0.4.28 but hadn?t realized that there was a 4.0.4.29a planned? Also, the list wasn?t working for some time so I decided to put the patches somewhere that they?d be ready when the mailing list came back up. Have a look here to see what I?ve been up to: https://github.com/pprindeville/tac_plus/commits/dev/29a I?m between jobs so I?ve been busy trying to do something useful while my resume is out in the ether? (Well, and a job which I was expecting to take immediately fell through when they low-balled me.) -Philip From calman at imageworks.com Thu Dec 8 17:22:03 2016 From: calman at imageworks.com (Cal Man) Date: Thu, 8 Dec 2016 09:22:03 -0800 Subject: [tac_plus] Aruba controllers Message-ID: Hello- I'm having some trouble getting Aruba controllers to authenticate to tac_plus. Aruba TAC tells me the config is right on their side, but the tac_plus server shows a login failure in the logs. Accounting works, though. Full AAA is working fine for our Arista, Juniper, and Brocade gear. My research has indicated that I need to add "protocol = common" to the config, but anywhere I add it, the service will not restart. Here's the relevant portion of the config that I do have. group = admin { default service = permit login = PAM acl = default pap = cleartext "aruba" service = aruba { Aruba-Admin-Role = root # protocol = common !this is where I suspect it's supposed to go } service = AMP { role = "AMP Administrator" } service = exec { priv-lvl = 15 } user = me { member = admin login = PAM } } I would appreciate any help. Thanks, Cal -------------- next part -------------- An HTML attachment was scrubbed... URL: From heas at shrubbery.net Fri Dec 9 19:10:45 2016 From: heas at shrubbery.net (heasley) Date: Fri, 9 Dec 2016 19:10:45 +0000 Subject: [tac_plus] Aruba controllers In-Reply-To: References: Message-ID: <20161209191045.GE24603@shrubbery.net> Thu, Dec 08, 2016 at 09:22:03AM -0800, Cal Man: > Hello- > I'm having some trouble getting Aruba controllers to authenticate to > tac_plus. Aruba TAC tells me the config is right on their side, but the > tac_plus server shows a login failure in the logs. Accounting works, > though. Full AAA is working fine for our Arista, Juniper, and Brocade gear. > > My research has indicated that I need to add "protocol = common" to the > config, but anywhere I add it, the service will not restart. Here's the > relevant portion of the config that I do have. > > group = admin { > default service = permit > login = PAM > acl = default > pap = cleartext "aruba" > service = aruba { > Aruba-Admin-Role = root > # protocol = common !this is where I suspect it's supposed to go its normally like: service = aruba protocol = common { } but this does not work for service aruba. if you mean to send a AVP that is named "protocol": service = aruba { "protocol" = common } > } > service = AMP { > role = "AMP Administrator" > } > service = exec { > priv-lvl = 15 > } > user = me { > member = admin > login = PAM > } > } > > I would appreciate any help. > > Thanks, > Cal > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo/tac_plus From calman at imageworks.com Fri Dec 9 19:29:20 2016 From: calman at imageworks.com (Cal Man) Date: Fri, 9 Dec 2016 11:29:20 -0800 Subject: [tac_plus] Aruba controllers In-Reply-To: <20161209191045.GE24603@shrubbery.net> References: <20161209191045.GE24603@shrubbery.net> Message-ID: Thanks! I added that to tac_plus.conf and was able to restart the service, but unfortunately the controllers still cannot authenticate. If anybody has gotten aruba controllers to work with tac_plus, I'd appreciate if you could share the relevant portions of the tac_plus.conf. On Fri, Dec 9, 2016 at 11:10 AM, heasley wrote: > Thu, Dec 08, 2016 at 09:22:03AM -0800, Cal Man: > > Hello- > > I'm having some trouble getting Aruba controllers to authenticate to > > tac_plus. Aruba TAC tells me the config is right on their side, but the > > tac_plus server shows a login failure in the logs. Accounting works, > > though. Full AAA is working fine for our Arista, Juniper, and Brocade > gear. > > > > My research has indicated that I need to add "protocol = common" to the > > config, but anywhere I add it, the service will not restart. Here's the > > relevant portion of the config that I do have. > > > > group = admin { > > default service = permit > > login = PAM > > acl = default > > pap = cleartext "aruba" > > service = aruba { > > Aruba-Admin-Role = root > > # protocol = common !this is where I suspect it's supposed to go > > its normally like: > service = aruba protocol = common { > } > > but this does not work for service aruba. if you mean to send a AVP that > is named "protocol": > > service = aruba { > "protocol" = common > } > > > } > > service = AMP { > > role = "AMP Administrator" > > } > > service = exec { > > priv-lvl = 15 > > } > > user = me { > > member = admin > > login = PAM > > } > > } > > > > I would appreciate any help. > > > > Thanks, > > Cal > > -------------- next part -------------- > > An HTML attachment was scrubbed... > > URL: attachments/20161208/66ad63b3/attachment.html> > > _______________________________________________ > > tac_plus mailing list > > tac_plus at shrubbery.net > > http://www.shrubbery.net/mailman/listinfo/tac_plus > -- *Cal Man* M:604-724-6595 L:604-673-2737 -------------- next part -------------- An HTML attachment was scrubbed... URL: From heas at shrubbery.net Tue Dec 13 02:53:40 2016 From: heas at shrubbery.net (heasley) Date: Tue, 13 Dec 2016 02:53:40 +0000 Subject: [tac_plus] Aruba controllers In-Reply-To: References: <20161209191045.GE24603@shrubbery.net> Message-ID: <20161213025340.GC64813@shrubbery.net> Fri, Dec 09, 2016 at 11:29:20AM -0800, Cal Man: > Thanks! I added that to tac_plus.conf and was able to restart the service, > but unfortunately the controllers still cannot authenticate. If anybody has > gotten aruba controllers to work with tac_plus, I'd appreciate if you could > share the relevant portions of the tac_plus.conf. Have you tried tacacs or aaa debugging on the aruba? I know nothing about the arubas, but cisco ios debug is often helpful. > On Fri, Dec 9, 2016 at 11:10 AM, heasley wrote: > > > Thu, Dec 08, 2016 at 09:22:03AM -0800, Cal Man: > > > Hello- > > > I'm having some trouble getting Aruba controllers to authenticate to > > > tac_plus. Aruba TAC tells me the config is right on their side, but the > > > tac_plus server shows a login failure in the logs. Accounting works, > > > though. Full AAA is working fine for our Arista, Juniper, and Brocade > > gear. > > > > > > My research has indicated that I need to add "protocol = common" to the > > > config, but anywhere I add it, the service will not restart. Here's the > > > relevant portion of the config that I do have. > > > > > > group = admin { > > > default service = permit > > > login = PAM > > > acl = default > > > pap = cleartext "aruba" > > > service = aruba { > > > Aruba-Admin-Role = root > > > # protocol = common !this is where I suspect it's supposed to go > > > > its normally like: > > service = aruba protocol = common { > > } > > > > but this does not work for service aruba. if you mean to send a AVP that > > is named "protocol": > > > > service = aruba { > > "protocol" = common > > } > > > > > } > > > service = AMP { > > > role = "AMP Administrator" > > > } > > > service = exec { > > > priv-lvl = 15 > > > } > > > user = me { > > > member = admin > > > login = PAM > > > } > > > } > > > > > > I would appreciate any help. > > > > > > Thanks, > > > Cal > > > -------------- next part -------------- > > > An HTML attachment was scrubbed... > > > URL: > attachments/20161208/66ad63b3/attachment.html> > > > _______________________________________________ > > > tac_plus mailing list > > > tac_plus at shrubbery.net > > > http://www.shrubbery.net/mailman/listinfo/tac_plus > > > > > > -- > *Cal Man* > > > M:604-724-6595 > L:604-673-2737 From philipp_subx at redfish-solutions.com Tue Dec 13 18:13:56 2016 From: philipp_subx at redfish-solutions.com (Philip Prindeville) Date: Tue, 13 Dec 2016 11:13:56 -0700 Subject: [tac_plus] Fixing single connect mode Message-ID: <557A0C15-655A-49E7-8CED-A62E1615601C@redfish-solutions.com> If anyone is interested, there were some bugs that impeded single connection mode from working. This commit fixes that: https://github.com/pprindeville/tac_plus/commit/b71502fac3ee593468c87bd4253eac423fc6ed70 The main problems were that we were checking for the seq_no for being 1 during authentication or authorization requests; and we were resetting the session sequence number each time through start_session()?s loop. The latter should only have happened at the top of the loop. The only verification needed is that the received header?s seq_no needs to match that of the session. The changes are trivial. -Philip From heas at shrubbery.net Mon Dec 19 20:09:39 2016 From: heas at shrubbery.net (heasley) Date: Mon, 19 Dec 2016 20:09:39 +0000 Subject: [tac_plus] (no subject) In-Reply-To: <557A0C15-655A-49E7-8CED-A62E1615601C@redfish-solutions.com> References: <557A0C15-655A-49E7-8CED-A62E1615601C@redfish-solutions.com> Message-ID: <20161219200939.GB92298@shrubbery.net> Tue, Dec 13, 2016 at 11:13:56AM -0700, Philip Prindeville: > If anyone is interested, there were some bugs that impeded single connection mode from working. > > This commit fixes that: > > https://github.com/pprindeville/tac_plus/commit/b71502fac3ee593468c87bd4253eac423fc6ed70 > > The main problems were that we were checking for the seq_no for being 1 during authentication or authorization requests; and we were resetting the session sequence number each time through start_session()?s loop. The latter should only have happened at the top of the loop. > > The only verification needed is that the received header?s seq_no needs to match that of the session. > > The changes are trivial. my recollection is that cisco ios and ios-xr both do not perform single-connection tacacs properly. and, when I tried to engage DEs to fix the problem, they were not interested in touching it. From philipp_subx at redfish-solutions.com Mon Dec 19 22:09:05 2016 From: philipp_subx at redfish-solutions.com (Philip Prindeville) Date: Mon, 19 Dec 2016 15:09:05 -0700 Subject: [tac_plus] (no subject) In-Reply-To: <20161219200939.GB92298@shrubbery.net> References: <557A0C15-655A-49E7-8CED-A62E1615601C@redfish-solutions.com> <20161219200939.GB92298@shrubbery.net> Message-ID: > On Dec 19, 2016, at 1:09 PM, heasley wrote: > > Tue, Dec 13, 2016 at 11:13:56AM -0700, Philip Prindeville: >> If anyone is interested, there were some bugs that impeded single connection mode from working. >> >> This commit fixes that: >> >> https://github.com/pprindeville/tac_plus/commit/b71502fac3ee593468c87bd4253eac423fc6ed70 >> >> The main problems were that we were checking for the seq_no for being 1 during authentication or authorization requests; and we were resetting the session sequence number each time through start_session()?s loop. The latter should only have happened at the top of the loop. >> >> The only verification needed is that the received header?s seq_no needs to match that of the session. >> >> The changes are trivial. > > my recollection is that cisco ios and ios-xr both do not perform > single-connection tacacs properly. and, when I tried to engage DEs to > fix the problem, they were not interested in touching it. Didn?t know that. Do any other platforms do it correctly? I fixed the pam_tacplus library to reuse connections (though without having multiple requests on-the-fly simultaneously, so still strictly serialized)? -Philip From heas at shrubbery.net Mon Dec 19 23:26:17 2016 From: heas at shrubbery.net (John Heasley) Date: Mon, 19 Dec 2016 18:26:17 -0500 Subject: [tac_plus] (no subject) In-Reply-To: References: <557A0C15-655A-49E7-8CED-A62E1615601C@redfish-solutions.com> <20161219200939.GB92298@shrubbery.net> Message-ID: <2F81E788-2401-4A05-9A82-257CA624839E@shrubbery.net> > Am 19.12.2016 um 17:09 schrieb Philip Prindeville : > > >> On Dec 19, 2016, at 1:09 PM, heasley wrote: >> >> Tue, Dec 13, 2016 at 11:13:56AM -0700, Philip Prindeville: >>> If anyone is interested, there were some bugs that impeded single connection mode from working. >>> >>> This commit fixes that: >>> >>> https://github.com/pprindeville/tac_plus/commit/b71502fac3ee593468c87bd4253eac423fc6ed70 >>> >>> The main problems were that we were checking for the seq_no for being 1 during authentication or authorization requests; and we were resetting the session sequence number each time through start_session()?s loop. The latter should only have happened at the top of the loop. >>> >>> The only verification needed is that the received header?s seq_no needs to match that of the session. >>> >>> The changes are trivial. >> >> my recollection is that cisco ios and ios-xr both do not perform >> single-connection tacacs properly. and, when I tried to engage DEs to >> fix the problem, they were not interested in touching it. > > > Didn?t know that. Do any other platforms do it correctly? i only had ios, iosxr, junos and foundry to test and IIRC only junos worked. > > I fixed the pam_tacplus library to reuse connections (though without having multiple requests on-the-fly simultaneously, so still strictly serialized)? > > -Philip From Robin.Deas at fife.gov.uk Fri Dec 23 14:40:53 2016 From: Robin.Deas at fife.gov.uk (Robin Deas) Date: Fri, 23 Dec 2016 14:40:53 +0000 Subject: [tac_plus] Two factor authentication Message-ID: <35BC8CE95CE34F46A23FD9A9630BBBE901852C9BA1@Corp-exch-02.fccorporate.fife> Hi, I've been looking at tac_plus as an alternative to our ageing ACS systems. Can you tell me if tac_plus has support for two factor authentication? Best regards, Robin ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed and should not be disclosed to any other party. If you have received this email in error please notify your system manager and the sender of this message. This email message has been swept for the presence of computer viruses but no guarantee is given that this e-mail message and any attachments are free from viruses. Fife Council reserves the right to monitor the content of all incoming and outgoing email. Fife Council ************************************************ -------------- next part -------------- An HTML attachment was scrubbed... URL: From krux at thcnet.net Sat Dec 24 00:32:34 2016 From: krux at thcnet.net (Krux) Date: Fri, 23 Dec 2016 16:32:34 -0800 Subject: [tac_plus] Two factor authentication In-Reply-To: <35BC8CE95CE34F46A23FD9A9630BBBE901852C9BA1@Corp-exch-02.fccorporate.fife> References: <35BC8CE95CE34F46A23FD9A9630BBBE901852C9BA1@Corp-exch-02.fccorporate.fife> Message-ID: yea, it ties back to pam for auth, so you can make it wherever you want. On December 23, 2016 6:40:53 AM PST, Robin Deas wrote: >Hi, > >I've been looking at tac_plus as an alternative to our ageing ACS >systems. Can you tell me if tac_plus has support for two factor >authentication? > >Best regards, > >Robin > >********************************************************************** >This email and any files transmitted with it are confidential and >intended solely for the use of the individual or entity to whom they >are addressed and should not be disclosed to any other party. >If you have received this email in error please notify your system >manager and the sender of this message. > >This email message has been swept for the presence of computer viruses >but no guarantee is given that this e-mail message and any attachments >are free from viruses. > >Fife Council reserves the right to monitor the content of all incoming >and outgoing email. > >Fife Council >************************************************ > >-------------- next part -------------- >An HTML attachment was scrubbed... >URL: > >_______________________________________________ >tac_plus mailing list >tac_plus at shrubbery.net >http://www.shrubbery.net/mailman/listinfo/tac_plus -- Sent from my Android device with K-9 Mail. Please excuse my brevity. -------------- next part -------------- An HTML attachment was scrubbed... URL: From heas at shrubbery.net Sat Dec 24 15:38:52 2016 From: heas at shrubbery.net (heasley) Date: Sat, 24 Dec 2016 15:38:52 +0000 Subject: [tac_plus] Two factor authentication In-Reply-To: References: <35BC8CE95CE34F46A23FD9A9630BBBE901852C9BA1@Corp-exch-02.fccorporate.fife> Message-ID: <20161224153852.GC62123@shrubbery.net> Fri, Dec 23, 2016 at 04:32:34PM -0800, Krux: > yea, it ties back to pam for auth, so you can make it wherever you want. this is correct; securid, skey, etc can all be made to work through PAM and skey support can be done without PAM. From daniel.schmidt at wyo.gov Sat Dec 31 15:54:27 2016 From: daniel.schmidt at wyo.gov (Daniel Schmidt) Date: Sat, 31 Dec 2016 08:54:27 -0700 Subject: [tac_plus] Two factor authentication In-Reply-To: <20161224153852.GC62123@shrubbery.net> References: <35BC8CE95CE34F46A23FD9A9630BBBE901852C9BA1@Corp-exch-02.fccorporate.fife> <20161224153852.GC62123@shrubbery.net> Message-ID: google-authenticator works very well with pam and is free. do_auth can restrict IP's that can login to devices if strict security is your aim. On Sat, Dec 24, 2016 at 8:38 AM, heasley wrote: > Fri, Dec 23, 2016 at 04:32:34PM -0800, Krux: > > yea, it ties back to pam for auth, so you can make it wherever you want. > > this is correct; securid, skey, etc can all be made to work through PAM > and skey support can be done without PAM. > > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo/tac_plus > -- E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties. -------------- next part -------------- An HTML attachment was scrubbed... URL: