[tac_plus] Tacacs host key and do_auth questions

Daniel Schmidt daniel.schmidt at wyo.gov
Wed Mar 16 18:33:18 UTC 2016


I'd change your host_allow to .* for the purposes of testing to see if that
is it.

On Wed, Mar 16, 2016 at 10:15 AM, heasley <heas at shrubbery.net> wrote:

> Wed, Mar 16, 2016 at 11:52:49AM -0400, Kevin.Cruse at Instinet.com:
> >
> > Hi All
> >
> > I have a few questions regarding host keys and do_auth.
> >
> > First, I have a few routers I'd like to configure with a separate
> > 'tacacs-server key' than the rest of our network.  These devices require
> > external users to access them and therefore will need a higher level of
> > security.
> > In my tac_plus.cfg I have the global configuration of:
> >
> > key = blahblahblah
> >
> > and for the individual routers which require a different key, I've
> > configured the following in tac_plus.cfg:
> >
> > host = 1.1.1.1 {
> >       key = differentkey
> >       }
> >
> > The issue I have is when logging into the router with the separate key, it
> > fails authentication as the server is expecting 'blahblahblah' but the
> > router is sending 'differentkey'. I thought by configuring the 'host'
> > object it would override the global key. Does anyone know how I may get
> > this to work? I've pasted the debug from the server for your review.
> >
> > tac_plus.cfg
> >
> > key = blahblahblah
> >
> > host = 1.1.1.1 {
> >       key = differentkey
> >       }
>
> yes, this should work.  You have obfuscated the addresses below, so is the
> device connecting from 1.1.1.1 or another interface?  It must match and
> can usually be forced by configuring the source-interface on the device.
> also, you may need this patch:
>
> Index: packet.c
> ===================================================================
> --- packet.c    (revision 3704)
> +++ packet.c    (revision 3714)
> @@ -147,7 +147,7 @@
>      /* decrypt the data portion */
>      tkey = cfg_get_host_key(session.peerip);
>      if (tkey == NULL && !STREQ(session.peer, session.peerip)) {
> -       tkey = cfg_get_host_prompt(session.peer);
> +       tkey = cfg_get_host_key(session.peer);
>      }
>      if (tkey == NULL)
>         tkey = session.key;
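Review bot: the old line `tkey = cfg_get_host_prompt(session.peer);` meant that a `host = <name> { key = ... }` block matched by hostname rather than by address handed the configured prompt string to the decrypt path as the key, or fell through to `session.key` when no prompt was set, so per-host keys only ever worked for hosts listed by IP; the one-word fix is correct. Since the same three-step lookup (peerip, then peer name, then global key) is repeated verbatim in the encrypt path of the next hunk, consider lifting it into a small helper such as `session_host_key()` so the two sites cannot drift apart again, and consider logging at debug level which of the three sources the key came from: the existing `PACKET: key=...` debug line only shows the final value, which is why the report above could not distinguish a misconfiguration from this bug.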
> @@ -547,7 +547,7 @@
>      /* encrypt the data portion */
>      tkey = cfg_get_host_key(session.peerip);
>      if (tkey == NULL && !STREQ(session.peer, session.peerip)) {
> -       tkey = cfg_get_host_prompt(session.peer);
> +       tkey = cfg_get_host_key(session.peer);
>      }
>      if (tkey == NULL)
>         tkey = session.key;
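Review bot: this is the same lookup as the decrypt hunk, fixed the same way, which is the strongest argument for factoring it out; if the two copies stay, a comment at each site pointing at the other would help. Because the key is resolved independently on the read and on the write, any difference in `session.peer` or `session.peerip` between the two calls would key the reply differently from the request; resolving the key once when the connection is accepted and caching it in `session` removes both the duplication and that possibility.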
> Index: CHANGES
> ===================================================================
> --- CHANGES     (revision 3704)
> +++ CHANGES     (revision 3714)
> @@ -488,3 +488,4 @@
>           XXX needs a configure test to check for sha512 support.
>         - fix libtacacs link - from Gentoo via Ruben Farrelly
>         - fix -U decription in manpage
> +       - call correct function for host key look-up by hostname - Adam
> Dyess
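Review bot: the CHANGES entry undersells the fix; "call correct function for host key look-up by hostname" reads like a refactor, while the user-visible effect is that `host = <name> { key = ... }` blocks were silently ignored and the global key (or the host prompt) was used instead, which is what an operator searching the changelog for a per-host key failure needs to find. Suggest: "fix per-host key for hosts configured by name: cfg_get_host_prompt() was called instead of cfg_get_host_key(), so the global key (or the prompt) was used - Adam Dyess". Visible in the context of this hunk but not part of the change: "decription" on the previous entry is a typo for "description".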
>
> >
> > Debug output:
> >
> > !! ROUTER 1.1.1.1 is configured with "tacacs-server key differentkey" !!
> > Reading config
> > Version F4.0.4.28 Initialized 1
> > tac_plus server F4.0.4.28 starting
> > socket FD 4 AF 2
> > uid=0 euid=0 gid=0 egid=0 s=15505120
> > session request from 1.1.1.1 sock=5
> > connect from 1.1.1.1 [172.28.10.124]
> > Waiting for packet
> > Read AUTHEN/START size=40
> > validation request from 1.1.1.1
> > PACKET: key=blahblahblah
> > version 192 (0xc0), type 1, seq no 1, flags 0x1
> > session_id 2825152057 (0xa8646639), Data length 28 (0x1c)
> > End header
> > type=AUTHEN/START, priv_lvl = 72
> > action=UNKNOWN 132
> > authen_type=unknown 215
> > service=unknown 219
> > user_len=208 port_len=45 (0x2d), rem_addr_len=0 (0x0)
> > data_len=61
> > AUTHEN/START data length (314) exceeds packet length length 20
> > 1.1.1.1 : Invalid AUTHEN/START packet (check keys)
> > Writing AUTHEN/ERROR size=87
> > PACKET: key=blahblahblah
> > version 192 (0xc0), type 1, seq no 2, flags 0x1
> > session_id 2825152057 (0xa8646639), Data length 75 (0x4b)
> > End header
> > type=AUTHEN status=7 (AUTHEN/ERROR) flags=0x0
> > msg_len=69, data_len=0
> > msg:
> > 1.1.1.1 : Invalid AUTHEN/START packet (check keys)
> > data:
> > End packet
> > 1.1.1.1: disconnect
> >
> >
> > Second, I have the following configured in do_auth.ini (this is a
> > separate issue from the tacacs-server key and not related; when I
> > normalize the key on the router to blahblahblah I get the following after
> > successful authentication):
> >
> > [users]
> > test_support =
> >         support
> > [support]
> > host_allow =
> >     10.10.10.1
> > device_permit =
> >     1.1.1.1
> > command_permit =
> >     .*
> >
> > 2016-03-16 11:36:56: User 'test_support' not allowed access to device
> > '1.1.1.1' in 'support'->'device_permit'
> >
> > I thought by adding the router IP address of 1.1.1.1 under device_permit
> > it should allow the user to send commands. I am wondering if I'm hitting a
> > bug?
>
> i believe this just allows the user to login from the host 1.1.1.1.
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
>

-- 

E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
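The debug output quoted above (priv_lvl = 72, action=UNKNOWN 132, authen_type=unknown 215, a data length larger than the packet) is the characteristic signature of a TACACS+ key mismatch: the body is XORed with an MD5-derived pad keyed by the shared secret, so the wrong key yields uniformly random header bytes rather than a clean decryption error. The following is an added example, not code from the thread or from the tac_plus project. It implements the RFC 8907 body obfuscation, decodes a constructed AUTHEN/START the way the server would with each of the two keys from the thread, and includes a small troubleshooting helper that tries candidate keys against a captured body. The session id, version byte and the two key strings are taken from the debug output; the user name, port, packet contents and the function names are constructed for this example.

```python
"""Added example: RFC 8907 TACACS+ body obfuscation and why a key mismatch
produces nonsense AUTHEN/START fields. Not part of tac_plus."""
import hashlib
import struct

# From the debug output in the thread; everything else below is constructed.
VERSION = 0xC0                  # "version 192 (0xc0)"
SESSION_ID = 0xA8646639         # "session_id 2825152057 (0xa8646639)"
SERVER_KEY = b"blahblahblah"    # global key the server selected
ROUTER_KEY = b"differentkey"    # per-host key the router actually used

ACTIONS = {1: "LOGIN", 2: "CHPASS", 3: "SENDAUTH"}
AUTHEN_TYPES = {1: "ASCII", 2: "PAP", 3: "CHAP", 4: "ARAP", 5: "MSCHAP", 6: "MSCHAPV2"}
SERVICES = {0: "NONE", 1: "LOGIN", 2: "ENABLE", 3: "PPP", 4: "ARAP", 5: "PT",
            6: "RCMD", 7: "X25", 8: "NASI", 9: "FWPROXY"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: pad_1 = MD5(session_id, key, version, seq_no),
    pad_i = MD5(session_id, key, version, seq_no, pad_{i-1}), concatenated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, key, seq_no, session_id=SESSION_ID, version=VERSION):
    """XOR the body with the pad; the operation is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr=b"", data=b"",
                       action=1, priv_lvl=1, authen_type=1, service=1):
    """Plaintext AUTHEN/START body: 8 fixed bytes, then the variable fields."""
    fixed = struct.pack("!8B", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def parse_authen_start(body):
    """Parse a de-obfuscated AUTHEN/START body.  Raises ValueError when the
    declared lengths or enumerated fields are impossible, which is exactly
    what a wrong key looks like ('action=UNKNOWN 132', 'data length (314)
    exceeds packet length' in the server debug)."""
    if len(body) < 8:
        raise ValueError("AUTHEN/START body shorter than its fixed header")
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    declared = 8 + ul + pl + rl + dl
    if declared != len(body):
        raise ValueError(f"AUTHEN/START data length ({declared}) does not match "
                         f"body length {len(body)}")
    if (action not in ACTIONS or authen_type not in AUTHEN_TYPES
            or service not in SERVICES or priv_lvl > 15):
        raise ValueError(f"implausible fields: action={action} priv_lvl={priv_lvl} "
                         f"authen_type={authen_type} service={service}")
    off = 8
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem_addr, off = body[off:off + rl], off + rl
    data = body[off:off + dl]
    return {"action": ACTIONS[action], "priv_lvl": priv_lvl,
            "authen_type": AUTHEN_TYPES[authen_type], "service": SERVICES[service],
            "user": user, "port": port, "rem_addr": rem_addr, "data": data}


def find_key(wire_body, seq_no, candidates, session_id=SESSION_ID):
    """Troubleshooting helper (constructed): return the first candidate key under
    which the body parses as a sane AUTHEN/START, else None.  A wrong key
    passes every check above only by chance (well under one in a million
    for short bodies), so a hit is a strong signal."""
    for key in candidates:
        try:
            parse_authen_start(obfuscate(wire_body, key, seq_no, session_id))
            return key
        except ValueError:
            continue
    return None


# Constructed exchange: the router, using ROUTER_KEY, sends seq_no 1.
PLAIN = build_authen_start(user=b"test_support", port=b"tty1")
WIRE = obfuscate(PLAIN, ROUTER_KEY, seq_no=1)


def decode_as_server(wire_body=WIRE, key=SERVER_KEY, seq_no=1):
    """What the server does with the key it selected: the parse, or the error text."""
    try:
        return parse_authen_start(obfuscate(wire_body, key, seq_no))
    except ValueError as exc:
        return f"Invalid AUTHEN/START packet (check keys): {exc}"


if __name__ == "__main__":
    print("with server key:", decode_as_server(key=SERVER_KEY))
    print("with router key:", decode_as_server(key=ROUTER_KEY))
    print("key that decodes:", find_key(WIRE, 1, [SERVER_KEY, ROUTER_KEY]))
```

The practical use of `find_key` is the check heasley asks for: feed it the body of a captured AUTHEN/START together with every key in tac_plus.cfg (global and per-host), and it tells you which block the server would have had to select for the packet to decode, which in turn shows whether the device is connecting from the address its `host` block names. Note that the obfuscation is not encryption in any modern sense; anyone holding the shared key, or a captured stream plus a guessable key, can recover the body, so the per-host key in the thread is a separation-of-blast-radius measure, not confidentiality.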