From philipp at redfish-solutions.com Mon Oct 17 20:40:13 2016
From: philipp at redfish-solutions.com (Philip Prindeville)
Date: Mon, 17 Oct 2016 14:40:13 -0600
Subject: [tac_plus] Debugging authorization failures
Message-ID: <1C0F28CA-6EE4-44B1-94ED-D6A5AE963E88@redfish-solutions.com>

Hi.

I'm banging on the source to pam_tacplus's libtac library and tacc (a simple test program) and I'm trying to figure out if the source to that is broken or if I'm invoking the test code incorrectly or if the configuration that I'm using for testing is wrong.

Here's the config file that I have:

key = "password"
accounting file = /var/log/tac.acct

user = fred {
    login = cleartext "wilma"
    name = "Fred Flintstone"
    # member = guest
    expires = "May 23 2020"

    service = exec {
        "acl" = 5

        autocmd = "telnet foo"
    }
}

group = guest {
    expires = "May 1 2017"
}


and when I do an authorization query against it, this is the resultant logging:

Oct 17 13:35:46 type=AUTHOR, priv_lvl=0, authen=1
Oct 17 13:35:46 method=tacacs+
Oct 17 13:35:46 svc=3 user_len=4 port_len=5 rem_addr_len=7
Oct 17 13:35:46 arg_cnt=2
Oct 17 13:35:46 User:
Oct 17 13:35:46 fred
Oct 17 13:35:46 port:
Oct 17 13:35:46 pts/2
Oct 17 13:35:46 rem_addr:
Oct 17 13:35:46 1.2.3.4
Oct 17 13:35:46 arg[0]: size=12
Oct 17 13:35:46 service=exec
Oct 17 13:35:46 arg[1]: size=11
Oct 17 13:35:46 protocol=ip
Oct 17 13:35:46 End packet
Oct 17 13:35:46 Start authorization request
Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=acl rec=1
Oct 17 13:35:46 cfg_get_pvalue: returns NULL
Oct 17 13:35:46 do_author: user='fred'
Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=before rec=1
Oct 17 13:35:46 cfg_get_pvalue: returns NULL
Oct 17 13:35:46 user 'fred' found
Oct 17 13:35:46 cfg_get_svc_node: username=fred N_svc proto= svcname=exec rec=1
Oct 17 13:35:46 cfg_get_svc_node: returns NULL
Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=svc_dflt rec=1
Oct 17 13:35:46 cfg_get_intvalue: returns 0
Oct 17 13:35:46 svc=N_svc protocol= not found, denied by default
Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=after rec=1
Oct 17 13:35:46 cfg_get_pvalue: returns NULL
Oct 17 13:35:46 Writing AUTHOR/FAIL size=18


What am I missing?

Thanks,

-Philip

From philipp at redfish-solutions.com Tue Oct 18 18:19:18 2016
From: philipp at redfish-solutions.com (Philip Prindeville)
Date: Tue, 18 Oct 2016 12:19:18 -0600
Subject: [tac_plus] Debugging authorization failures
In-Reply-To:
References: <1C0F28CA-6EE4-44B1-94ED-D6A5AE963E88@redfish-solutions.com>
Message-ID: <5045B4D9-141F-4759-BB79-02DE19529D1A@redfish-solutions.com>

Yeah, I was trying and finally got that to work, but I had a couple of questions/observations.

Why does the "default service = permit" need to be the first statement in the user profile (or else it doesn't parse)?

And do you have to have a "default service" or can you explicitly permit just named services?

-Philip

> On Oct 18, 2016, at 11:46 AM, Daniel Schmidt wrote:
>
> Don't you need a default service = permit in there somewhere?
>
> On Mon, Oct 17, 2016 at 2:40 PM, Philip Prindeville
> wrote:
> Hi.
>
> I'm banging on the source to pam_tacplus's libtac library and tacc (a simple test program) and I'm trying to figure out if the source to that is broken or if I'm invoking the test code incorrectly or if the configuration that I'm using for testing is wrong.
>
> Here's the config file that I have:
>
> key = "password"
> accounting file = /var/log/tac.acct
>
> user = fred {
>     login = cleartext "wilma"
>     name = "Fred Flintstone"
>     # member = guest
>     expires = "May 23 2020"
>
>     service = exec {
>         "acl" = 5
>
>         autocmd = "telnet foo"
>     }
> }
>
> group = guest {
>     expires = "May 1 2017"
> }
>
>
> and when I do an authorization query against it, this is the resultant logging:
>
> Oct 17 13:35:46 type=AUTHOR, priv_lvl=0, authen=1
> Oct 17 13:35:46 method=tacacs+
> Oct 17 13:35:46 svc=3 user_len=4 port_len=5 rem_addr_len=7
> Oct 17 13:35:46 arg_cnt=2
> Oct 17 13:35:46 User:
> Oct 17 13:35:46 fred
> Oct 17 13:35:46 port:
> Oct 17 13:35:46 pts/2
> Oct 17 13:35:46 rem_addr:
> Oct 17 13:35:46 1.2.3.4
> Oct 17 13:35:46 arg[0]: size=12
> Oct 17 13:35:46 service=exec
> Oct 17 13:35:46 arg[1]: size=11
> Oct 17 13:35:46 protocol=ip
> Oct 17 13:35:46 End packet
> Oct 17 13:35:46 Start authorization request
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=acl rec=1
> Oct 17 13:35:46 cfg_get_pvalue: returns NULL
> Oct 17 13:35:46 do_author: user='fred'
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=before rec=1
> Oct 17 13:35:46 cfg_get_pvalue: returns NULL
> Oct 17 13:35:46 user 'fred' found
> Oct 17 13:35:46 cfg_get_svc_node: username=fred N_svc proto= svcname=exec rec=1
> Oct 17 13:35:46 cfg_get_svc_node: returns NULL
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=svc_dflt rec=1
> Oct 17 13:35:46 cfg_get_intvalue: returns 0
> Oct 17 13:35:46 svc=N_svc protocol= not found, denied by default
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=after rec=1
> Oct 17 13:35:46 cfg_get_pvalue: returns NULL
> Oct 17 13:35:46 Writing AUTHOR/FAIL size=18
>
>
> What am I missing?
>
> Thanks,
>
> -Philip
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
>
>
>
> E-Mail to and from me, in connection with the transaction
> of public business, is subject to the Wyoming Public Records
> Act and may be disclosed to third parties.

From daniel.schmidt at wyo.gov Tue Oct 18 17:46:52 2016
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Tue, 18 Oct 2016 11:46:52 -0600
Subject: [tac_plus] Debugging authorization failures
In-Reply-To: <1C0F28CA-6EE4-44B1-94ED-D6A5AE963E88@redfish-solutions.com>
References: <1C0F28CA-6EE4-44B1-94ED-D6A5AE963E88@redfish-solutions.com>
Message-ID:

Don't you need a default service = permit in there somewhere?

On Mon, Oct 17, 2016 at 2:40 PM, Philip Prindeville <
philipp at redfish-solutions.com> wrote:

> Hi.
>
> I'm banging on the source to pam_tacplus's libtac library and tacc (a
> simple test program) and I'm trying to figure out if the source to that is
> broken or if I'm invoking the test code incorrectly or if the configuration
> that I'm using for testing is wrong.
>
> Here's the config file that I have:
>
> key = "password"
> accounting file = /var/log/tac.acct
>
> user = fred {
>     login = cleartext "wilma"
>     name = "Fred Flintstone"
>     # member = guest
>     expires = "May 23 2020"
>
>     service = exec {
>         "acl" = 5
>
>         autocmd = "telnet foo"
>     }
> }
>
> group = guest {
>     expires = "May 1 2017"
> }
>
>
> and when I do an authorization query against it, this is the resultant
> logging:
>
> Oct 17 13:35:46 type=AUTHOR, priv_lvl=0, authen=1
> Oct 17 13:35:46 method=tacacs+
> Oct 17 13:35:46 svc=3 user_len=4 port_len=5 rem_addr_len=7
> Oct 17 13:35:46 arg_cnt=2
> Oct 17 13:35:46 User:
> Oct 17 13:35:46 fred
> Oct 17 13:35:46 port:
> Oct 17 13:35:46 pts/2
> Oct 17 13:35:46 rem_addr:
> Oct 17 13:35:46 1.2.3.4
> Oct 17 13:35:46 arg[0]: size=12
> Oct 17 13:35:46 service=exec
> Oct 17 13:35:46 arg[1]: size=11
> Oct 17 13:35:46 protocol=ip
> Oct 17 13:35:46 End packet
> Oct 17 13:35:46 Start authorization request
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=acl rec=1
> Oct 17 13:35:46 cfg_get_pvalue: returns NULL
> Oct 17 13:35:46 do_author: user='fred'
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=before rec=1
> Oct 17 13:35:46 cfg_get_pvalue: returns NULL
> Oct 17 13:35:46 user 'fred' found
> Oct 17 13:35:46 cfg_get_svc_node: username=fred N_svc proto= svcname=exec
> rec=1
> Oct 17 13:35:46 cfg_get_svc_node: returns NULL
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=svc_dflt rec=1
> Oct 17 13:35:46 cfg_get_intvalue: returns 0
> Oct 17 13:35:46 svc=N_svc protocol= not found, denied by default
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=after rec=1
> Oct 17 13:35:46 cfg_get_pvalue: returns NULL
> Oct 17 13:35:46 Writing AUTHOR/FAIL size=18
>
>
> What am I missing?
>
> Thanks,
>
> -Philip
>

--
E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.

From philipp at redfish-solutions.com Wed Oct 19 18:08:58 2016
From: philipp at redfish-solutions.com (Philip Prindeville)
Date: Wed, 19 Oct 2016 12:08:58 -0600
Subject: [tac_plus] Logging/encryption patches sent last month
Message-ID: <2086D8F0-A3E2-4203-A9E0-0BED788E04D3@redfish-solutions.com>

Hi,

I didn't hear back definitively on the list about the 3 patches I sent last month.

http://www.shrubbery.net/pipermail/tac_plus/2016-September/date.html

Should I take this to mean the patches were rejected?

I was going to submit packaging for tac_plus on Redhat (Fedora, CentOS, EPEL, RHEL) but if the project is no longer accepting patches then I don't want to be in a position to have to maintain distro-specific patches for Redhat with no hope of upstreaming them.

Thanks,

-Philip

From rrvzero at gmail.com Thu Oct 13 22:43:17 2016
From: rrvzero at gmail.com (Ricardo Rodriguez)
Date: Thu, 13 Oct 2016 22:43:17 -0000
Subject: [tac_plus] The tac_plus can have IPv6 support?
Message-ID:

The tac_plus can have IPv6 support? Is this project still in development?
From olson at cumulusnetworks.com Tue Oct 18 00:32:05 2016
From: olson at cumulusnetworks.com (Dave Olson)
Date: Tue, 18 Oct 2016 00:32:05 -0000
Subject: [tac_plus] Debugging authorization failures
In-Reply-To: <1C0F28CA-6EE4-44B1-94ED-D6A5AE963E88@redfish-solutions.com>
References: <1C0F28CA-6EE4-44B1-94ED-D6A5AE963E88@redfish-solutions.com>
Message-ID: <20161017214136.scacpurovt7t72dh@cumulusnetworks.com>

Philip Prindeville wrote:
> I'm banging on the source to pam_tacplus's libtac library and tacc (a simple test program) and I'm trying to figure out if the source to that is broken or if I'm invoking the test code incorrectly or if the configuration that I'm using for testing is wrong.
>
> Here's the config file that I have:

I think the key is this debug line:

svc=N_svc protocol= not found, denied by default

I think you need to pass a protocol, and even then, I think you need to permit the service, or add

default service = permit

to your tac_plus.conf

When I run (with top of git tree pam_tacplus, none of your changes):

tacc -u olsont -R -S ppp -P ssh -s 192.168.3.189 -k tacacskey -r 10.0.1.228

it works for me.
I have the default service = permit in my tac_plus.conf, and on the server I get:

Oct 17 13:52:21 tacastest tac_plus[24975]: svc=N_svc_ppp protocol=ssh svcname= not found, permitted by default

> key = "password"
> accounting file = /var/log/tac.acct
>
> user = fred {
>     login = cleartext "wilma"
>     name = "Fred Flintstone"
>     # member = guest
>     expires = "May 23 2020"
>
>     service = exec {
>         "acl" = 5
>
>         autocmd = "telnet foo"
>     }
> }
>
> group = guest {
>     expires = "May 1 2017"
> }
>
>
> and when I do an authorization query against it, this is the resultant logging:
>
> Oct 17 13:35:46 type=AUTHOR, priv_lvl=0, authen=1
> Oct 17 13:35:46 method=tacacs+
> Oct 17 13:35:46 svc=3 user_len=4 port_len=5 rem_addr_len=7
> Oct 17 13:35:46 arg_cnt=2
> Oct 17 13:35:46 User:
> Oct 17 13:35:46 fred
> Oct 17 13:35:46 port:
> Oct 17 13:35:46 pts/2
> Oct 17 13:35:46 rem_addr:
> Oct 17 13:35:46 1.2.3.4
> Oct 17 13:35:46 arg[0]: size=12
> Oct 17 13:35:46 service=exec
> Oct 17 13:35:46 arg[1]: size=11
> Oct 17 13:35:46 protocol=ip
> Oct 17 13:35:46 End packet
> Oct 17 13:35:46 Start authorization request
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=acl rec=1
> Oct 17 13:35:46 cfg_get_pvalue: returns NULL
> Oct 17 13:35:46 do_author: user='fred'
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=before rec=1
> Oct 17 13:35:46 cfg_get_pvalue: returns NULL
> Oct 17 13:35:46 user 'fred' found
> Oct 17 13:35:46 cfg_get_svc_node: username=fred N_svc proto= svcname=exec rec=1
> Oct 17 13:35:46 cfg_get_svc_node: returns NULL
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=svc_dflt rec=1
> Oct 17 13:35:46 cfg_get_intvalue: returns 0
> Oct 17 13:35:46 svc=N_svc protocol= not found, denied by default
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=after rec=1
> Oct 17 13:35:46 cfg_get_pvalue: returns NULL
> Oct 17 13:35:46 Writing AUTHOR/FAIL size=18
>
>
> What am I missing?
>
> Thanks,
>
> -Philip
>

Dave Olson
olson at cumulusnetworks.com
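An added example, not code from the thread or from tac_plus/pam_tacplus: a small Python parser over the tac_plus authorization log lines quoted in this thread. It turns each AUTHOR request into a record and reports the ones the default rule decided, both "denied by default" (no service stanza matched, Philip's run) and "permitted by default" (allowed only because of `default service = permit`, Dave's run, which is the case worth reviewing for least privilege since no explicit policy covers it). The two line shapes are taken from the thread; the function names, record fields and the sample lines are my own construction.

```python
import re

PREFIX = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?:\S+ tac_plus\[\d+\]: )?")  # syslog stamp
DECISION = re.compile(r"svc=(?P<svc>\S+) protocol=(?P<proto>\S*)(?: svcname=\S*)?"
                      r" not found, (?P<how>denied|permitted) by default")  # both shapes in thread

def parse_author_log(lines):
    """Group tac_plus log lines into one dict per authorization request."""
    events, ev, pending = [], None, None
    for raw in lines:
        msg = PREFIX.sub("", raw.strip())
        if msg.startswith("type=AUTHOR") or (ev is None and DECISION.search(msg)):
            ev = {"user": "", "rem_addr": "", "args": {}, "svc": "", "protocol": "",
                  "decision": "", "result": ""}  # args = AV pairs the client sent
            events.append(ev)
        if ev is None:
            continue
        if pending:                            # value line after "User:", "rem_addr:", "arg[n]:"
            if pending == "arg":
                ev["args"].update([msg.partition("=")[::2]])  # (key, value), value "" if no "="
            else:
                ev[pending] = msg
            pending = None
        elif msg in ("User:", "rem_addr:"):
            pending = msg[:-1].lower()
        elif msg.startswith("arg["):
            pending = "arg"
        elif m := DECISION.search(msg):        # bare N_svc = service type not recognised
            ev["svc"], ev["protocol"], ev["decision"] = m["svc"], m["proto"], m["how"]
        elif msg.startswith("Writing AUTHOR/"):
            ev["result"], ev = msg.split("/")[1].split()[0], None  # FAIL/PASS; request done
    return events
def audit_default_decisions(events):
    """One line per request the default rule decided: 'denied' = no service stanza matched,
    'permitted' = allowed only by 'default service = permit' (no explicit policy for it)."""
    return [f"{e['user'] or '?'} {e['args'].get('service', e['svc'])}/"
            f"{e['args'].get('protocol', e['protocol'])}: {e['decision']} by default "
            f"(AUTHOR/{e['result'] or 'n/a'})" for e in events if e["decision"]]
# Constructed sample: the two excerpts quoted in the thread, cut to the lines parsed above.
SAMPLE_LOG = """Oct 17 13:35:46 type=AUTHOR, priv_lvl=0, authen=1
Oct 17 13:35:46 User:
Oct 17 13:35:46 fred
Oct 17 13:35:46 arg[0]: size=12
Oct 17 13:35:46 service=exec
Oct 17 13:35:46 arg[1]: size=11
Oct 17 13:35:46 protocol=ip
Oct 17 13:35:46 svc=N_svc protocol= not found, denied by default
Oct 17 13:35:46 Writing AUTHOR/FAIL size=18
Oct 17 13:52:21 tacastest tac_plus[24975]: svc=N_svc_ppp protocol=ssh svcname= not found, permitted by default
""".splitlines()
```

Run `audit_default_decisions(parse_author_log(SAMPLE_LOG))` to get one report line per request; on a production syslog feed the "permitted by default" lines are the services that still lack an explicit stanza.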