[tac_plus] Tacacs host key and do_auth questions

heasley heas at shrubbery.net
Wed Mar 16 16:15:35 UTC 2016


Wed, Mar 16, 2016 at 11:52:49AM -0400, Kevin.Cruse at Instinet.com:
> 
> Hi All
> 
> I have a few questions regarding host keys and do_auth.
> 
> First, I have a few routers I'd like to configure with a separate
> 'tacacs-server key' than the rest of our network.  These devices require
> external users to access them and therefore will need a higher level of security.
> In my tac_plus.cfg I have the global configuration of:
> 
> key = blahblahblah
> 
> and for the individual routers which require a different key, I've configured the
> following in tac_plus.cfg:
> 
> host = 1.1.1.1 {
> 	key = differentkey
> 	}
> 
> The issue I have is when logging into the router with the separate key, it fails
> authentication as the server is expecting 'blahblahblah' but the router is sending
> 'differentkey'. I thought by configuring the 'host' object it would
> override the global key. Does anyone know how I may get this to work? I've
> pasted the debug from the server for your review.
> 
> tac_plus.cfg
> 
> key = blahblahblah
> 
> host = 1.1.1.1 {
> 	key = differentkey
> 	}

Yes, this should work.  You have obfuscated the addresses below, so is the
device connecting from 1.1.1.1 or another interface?  It must match and
can usually be forced by configuring the source-interface on the device.
Also, you may need this patch:

Index: packet.c
===================================================================
--- packet.c	(revision 3704)
+++ packet.c	(revision 3714)
@@ -147,7 +147,7 @@
     /* decrypt the data portion */
     tkey = cfg_get_host_key(session.peerip);
     if (tkey == NULL && !STREQ(session.peer, session.peerip)) {
-	tkey = cfg_get_host_prompt(session.peer);
+	tkey = cfg_get_host_key(session.peer);
     }
     if (tkey == NULL)
 	tkey = session.key;
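Review bot: the `-` line's cfg_get_host_prompt(session.peer) meant that a host stanza matched by hostname had its prompt string used as the decryption key, and the global session.key was only reached when no prompt was configured either; the `+` line's cfg_get_host_key(session.peer) restores the intended order of IP, then hostname, then global key. Note that this fallback only runs when session.peer differs from session.peerip, i.e. when the peer resolved to a name, so a `host = 1.1.1.1` stanza is still found only by the first cfg_get_host_key(session.peerip) call and the connecting address must match it exactly. The same three-step lookup is repeated verbatim in the encrypt path at line 547 of this patch; a small static helper that returns the key for the current session would keep the two copies from diverging again.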
@@ -547,7 +547,7 @@
     /* encrypt the data portion */
     tkey = cfg_get_host_key(session.peerip);
     if (tkey == NULL && !STREQ(session.peer, session.peerip)) {
-	tkey = cfg_get_host_prompt(session.peer);
+	tkey = cfg_get_host_key(session.peer);
     }
     if (tkey == NULL)
 	tkey = session.key;
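Review bot: this is the encrypt-side copy of the same fix and must land together with the decrypt-side one, since with the old code a hostname-keyed device would have had the server both decrypt its request and encrypt the reply under the prompt string rather than its configured key. Because both paths derive the key from the same peerip/peer pair, consider resolving it once when the connection is accepted and storing it in the session, rather than repeating the two cfg lookups for every packet in each direction.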
Index: CHANGES
===================================================================
--- CHANGES	(revision 3704)
+++ CHANGES	(revision 3714)
@@ -488,3 +488,4 @@
 	  XXX needs a configure test to check for sha512 support.
 	- fix libtacacs link - from Gentoo via Ruben Farrelly
 	- fix -U decription in manpage
+	- call correct function for host key look-up by hostname - Adam Dyess
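Review bot: the CHANGES entry should say where the bug lived and what it affected (the hostname fallback in both the decrypt and encrypt paths of packet.c) and what a user would have observed, otherwise someone hitting key-validation errors with a hostname-keyed host stanza cannot tell from the changelog that this is their fix; something like "packet.c: look up the per-host key by hostname with cfg_get_host_key() rather than cfg_get_host_prompt() when decrypting and encrypting" would do. The unchanged context line just above has a typo, "decription" for "description", that could be corrected in the same commit.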

> 
> Debug output:
> 
> !! ROUTER 1.1.1.1 is configured with "tacacs-server key differentkey" !!
> Reading config
> Version F4.0.4.28 Initialized 1
> tac_plus server F4.0.4.28 starting
> socket FD 4 AF 2
> uid=0 euid=0 gid=0 egid=0 s=15505120
> session request from 1.1.1.1 sock=5
> connect from 1.1.1.1 [172.28.10.124]
> Waiting for packet
> Read AUTHEN/START size=40
> validation request from 1.1.1.1
> PACKET: key=blahblahblah
> version 192 (0xc0), type 1, seq no 1, flags 0x1
> session_id 2825152057 (0xa8646639), Data length 28 (0x1c)
> End header
> type=AUTHEN/START, priv_lvl = 72
> action=UNKNOWN 132
> authen_type=unknown 215
> service=unknown 219
> user_len=208 port_len=45 (0x2d), rem_addr_len=0 (0x0)
> data_len=61
> AUTHEN/START data length (314) exceeds packet length length 20
> 1.1.1.1 : Invalid AUTHEN/START packet (check keys)
> Writing AUTHEN/ERROR size=87
> PACKET: key=blahblahblah
> version 192 (0xc0), type 1, seq no 2, flags 0x1
> session_id 2825152057 (0xa8646639), Data length 75 (0x4b)
> End header
> type=AUTHEN status=7 (AUTHEN/ERROR) flags=0x0
> msg_len=69, data_len=0
> msg:
> 1.1.1.1 : Invalid AUTHEN/START packet (check keys)
> data:
> End packet
> 1.1.1.1: disconnect
> 
> 
> Second, I have the following configured in do_auth.ini (this is a separate
> issue from the tacacs-server key and not related... when I normalize the key on the
> router to blahblahblah I get the following after successful
> authentication):
> 
> [users]
> test_support =
>         support
> [support]
> host_allow =
>     10.10.10.1
> device_permit =
>     1.1.1.1
> command_permit =
>     .*
> 
> 2016-03-16 11:36:56: User 'test_support' not allowed access to device
> '1.1.1.1' in 'support'->'device_permit'
> 
> I thought by adding the router IP address of 1.1.1.1 under device_permit it
> should allow the user to send commands. I am wondering if I'm hitting a bug?

I believe this just allows the user to log in from the host 1.1.1.1.
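The key selection order in the patched packet.c (per-host key by peer IP, then by peer hostname, then the global key) and the "Invalid AUTHEN/START packet (check keys)" symptom in the debug output above can both be shown end to end. The following is an added example written for this page, not code from tac_plus or from either poster: it implements only the RFC 8907 body obfuscation (chained MD5 pad XORed over the body) and the fixed AUTHEN/START fields, leaving out the 12-byte TACACS+ header and the unencrypted flag. The session id and version are the ones from the debug output; the host table, the hostname `edge-rtr.example.net`, its key, the username and the port are constructed values.

```python
import hashlib
import struct

# Values taken from the debug output in the thread.
VERSION = 0xC0
SESSION_ID = 0xA8646639

# Constructed equivalent of the posted tac_plus.cfg, plus one hostname-keyed
# stanza so the patched fallback path can be exercised (assumption, not from the thread).
GLOBAL_KEY = b"blahblahblah"
HOST_KEYS = {
    "1.1.1.1": b"differentkey",
    "edge-rtr.example.net": b"hostnamekey",
}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and
    truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, key, seq_no=1):
    """XOR the body with the pad; applying it twice with the same key restores the body."""
    pad = pseudo_pad(SESSION_ID, key, VERSION, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def lookup_key(peer_ip, peer_name):
    """Same order as the patched packet.c: IP stanza, hostname stanza (only when
    the peer resolved to a name), then the global key."""
    key = HOST_KEYS.get(peer_ip)
    if key is None and peer_name != peer_ip:
        key = HOST_KEYS.get(peer_name)
    if key is None:
        key = GLOBAL_KEY
    return key


def build_authen_start(user, port, rem_addr=b"", data=b""):
    """AUTHEN/START body: action, priv_lvl, authen_type, service, four length bytes, then the strings."""
    action, priv_lvl, authen_type, service = 1, 1, 1, 1  # LOGIN, priv 1, ASCII, LOGIN
    fixed = bytes([action, priv_lvl, authen_type, service,
                   len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def parse_authen_start(body):
    """Return the parsed fields, or None when the length bytes add up to more than
    the packet holds. That is the check tac_plus logs as 'AUTHEN/START data length
    exceeds packet length ... (check keys)': a wrong key leaves random length bytes."""
    if len(body) < 8:
        return None
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    if 8 + ul + pl + rl + dl > len(body):
        return None
    return {
        "action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
        "service": service, "user": body[8:8 + ul], "port": body[8 + ul:8 + ul + pl],
    }


def server_decode(wire, peer_ip, peer_name):
    """What the server does on receipt: pick the key, strip the pad, validate lengths."""
    return parse_authen_start(obfuscate(wire, lookup_key(peer_ip, peer_name)))


def demo():
    """Device 1.1.1.1 sends a START obfuscated under 'differentkey'. Decoding it as
    1.1.1.1 selects that key; decoding the same bytes for a host with no stanza
    falls through to the global key and yields garbage lengths."""
    body = build_authen_start(b"test_support", b"tty0")
    wire = obfuscate(body, b"differentkey")
    return {
        "good": server_decode(wire, "1.1.1.1", "1.1.1.1"),
        "wrong": server_decode(wire, "192.0.2.99", "192.0.2.99"),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the matching-key decode returning the user and port, while the global-key decode returns None (or, with vanishingly small probability, a dict whose fields are noise), which is exactly the state the debug output above is in: `priv_lvl = 72`, `action=UNKNOWN 132` and a data length of 314 in a 20-byte packet are the random bytes produced by stripping the pad with the wrong key.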
