From ccjaph at gmail.com Tue Apr 24 15:47:58 2018
From: ccjaph at gmail.com (Cory Cartwright)
Date: Tue, 24 Apr 2018 11:47:58 -0400
Subject: [tac_plus] tacacs+ F5.0.0a patches
Message-ID:

Hello,

I know this post (
http://www.shrubbery.net/pipermail/tac_plus/2014-December/001530.html) is
old, but what is the current level of maintenance, is there a current
maintainer? I am currently using tacacs-F4.0.4.28, and building with
non-root TACPLUS_USERID/GROUPID but I ran across the ..post and like the
idea of not having to rebuild for different systems, or statically
configure uid/gid.

I'm also working on adding AUTH logging for PAM radius authentication, as I
can't seem to find a good or proper place to do it directly from
PAM_radius.so.

Thanks,

Cory

From muhammadfaisalkhan7 at gmail.com Tue Apr 24 16:47:30 2018
From: muhammadfaisalkhan7 at gmail.com (Muhammad Faisal Khan)
Date: Tue, 24 Apr 2018 19:47:30 +0300
Subject: [tac_plus] tacacs+ F5.0.0a patches
In-Reply-To:
References:
Message-ID:

unsubscribe me pleaseeeeeeee

On Tue, Apr 24, 2018 at 6:47 PM, Cory Cartwright wrote:

> Hello,
>
> I know this post (
> http://www.shrubbery.net/pipermail/tac_plus/2014-December/001530.html) is
> old, but what is the current level of maintenance, is there a current
> maintainer? I am currently using tacacs-F4.0.4.28, and building with
> non-root TACPLUS_USERID/GROUPID but I ran across the ..post and like the
> idea of not having to rebuild for different systems, or statically
> configure uid/gid.
>
> I'm also working on adding AUTH logging for PAM radius authentication, as I
> can't seem to find a good or proper place to do it directly from
> PAM_radius.so.
>
> Thanks,
>
> Cory

From heas at shrubbery.net Wed Apr 25 10:54:53 2018
From: heas at shrubbery.net (heasley)
Date: Wed, 25 Apr 2018 10:54:53 +0000
Subject: [tac_plus] tacacs+ F5.0.0a patches
In-Reply-To:
References:
Message-ID: <20180425105453.GF15480@shrubbery.net>

Tue, Apr 24, 2018 at 11:47:58AM -0400, Cory Cartwright:
> I know this post (
> http://www.shrubbery.net/pipermail/tac_plus/2014-December/001530.html) is
> old, but what is the current level of maintenance, is there a current
> maintainer? I am currently using tacacs-F4.0.4.28, and building with
> non-root TACPLUS_USERID/GROUPID but I ran across the ..post and like the
> idea of not having to rebuild for different systems, or statically
> configure uid/gid.

does the patch work? it could be back-ported.

> I'm also working on adding AUTH logging for PAM radius authentication, as I
> can't seem to find a good or proper place to do it directly from
> PAM_radius.so.

do you mean that you want to use radius to perform the tacacs auth?

From ccjaph at gmail.com Thu Apr 26 14:26:43 2018
From: ccjaph at gmail.com (Cory Cartwright)
Date: Thu, 26 Apr 2018 10:26:43 -0400
Subject: [tac_plus] tacacs+ F5.0.0a patches
In-Reply-To: <20180425105453.GF15480@shrubbery.net>
References: <20180425105453.GF15480@shrubbery.net>
Message-ID:

Yes, the patch and consequently the uid/gid downgrade is working.

I have been able to add the logging and source IP in pwlib.c via
session.peerip. However, I would also like to get the rem_addr_len from the
START packet body, and am having trouble understanding how to bring in the
value to pwlib.c.

thanks!

On Wed, Apr 25, 2018 at 6:54 AM, heasley wrote:

> Tue, Apr 24, 2018 at 11:47:58AM -0400, Cory Cartwright:
> > I know this post (
> > http://www.shrubbery.net/pipermail/tac_plus/2014-December/001530.html) is
> > old, but what is the current level of maintenance, is there a current
> > maintainer? I am currently using tacacs-F4.0.4.28, and building with
> > non-root TACPLUS_USERID/GROUPID but I ran across the ..post and like the
> > idea of not having to rebuild for different systems, or statically
> > configure uid/gid.
>
> does the patch work? it could be back-ported.
>
> > I'm also working on adding AUTH logging for PAM radius authentication, as I
> > can't seem to find a good or proper place to do it directly from
> > PAM_radius.so.
>
> do you mean that you want to use radius to perform the tacacs auth?

From daniel.schmidt at wyo.gov Sat Apr 28 17:59:14 2018
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Sat, 28 Apr 2018 11:59:14 -0600
Subject: [tac_plus] Strange Crash
Message-ID:

Well, that's just weird. Why does the latest libpam google authenticator
crash when using pap? Works just fine for login. Old libpam google
doesn't crash. Not sure where the problem is.

??dans at cwacs ~/google-authenticator-libpam ?master?
??$ *** Error in `tac_plus': double free or corruption (!prev): 0x0000000000b3c000 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fb0082a37e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7fb0082ac37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fb0082b053c]
tac_plus[0x408f6a]
tac_plus[0x404234]
tac_plus[0x4129d0]
tac_plus[0x40312f]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fb00824c830]
tac_plus[0x4037a9]
======= Memory map: ========
00400000-0041b000 r-xp 00000000 fc:00 135832 /usr/local/bin/tac_plus
0061a000-0061b000 r--p 0001a000 fc:00 135832 /usr/local/bin/tac_plus
0061b000-0061c000 rw-p 0001b000 fc:00 135832 /usr/local/bin/tac_plus
0061c000-0061f000 rw-p 00000000 00:00 0
00b39000-00b5a000 rw-p 00000000 00:00 0 [heap]
(and so on)

--
E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.

From heas at shrubbery.net Sun Apr 29 15:09:53 2018
From: heas at shrubbery.net (heasley)
Date: Sun, 29 Apr 2018 15:09:53 +0000
Subject: [tac_plus] Strange Crash
In-Reply-To:
References:
Message-ID: <20180429150953.GB97741@shrubbery.net>

Sat, Apr 28, 2018 at 11:59:14AM -0600, Daniel Schmidt:
> Well, that's just weird. Why does the latest libpam google authenticator
> crash when using pap? Works just fine for login. Old libpam google
> doesn't crash. Not sure where the problem is.
>
> ??dans at cwacs ~/google-authenticator-libpam ?master?
> ??$ *** Error in `tac_plus': double free or corruption (!prev): 0x0000000000b3c000 ***
> ======= Backtrace: =========
> /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fb0082a37e5]
> /lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7fb0082ac37a]
> /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fb0082b053c]
> tac_plus[0x408f6a]
> tac_plus[0x404234]
> tac_plus[0x4129d0]
> tac_plus[0x40312f]
> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fb00824c830]
> tac_plus[0x4037a9]
> ======= Memory map: ========
> 00400000-0041b000 r-xp 00000000 fc:00 135832 /usr/local/bin/tac_plus
> 0061a000-0061b000 r--p 0001a000 fc:00 135832 /usr/local/bin/tac_plus
> 0061b000-0061c000 rw-p 0001b000 fc:00 135832 /usr/local/bin/tac_plus
> 0061c000-0061f000 rw-p 00000000 00:00 0
> 00b39000-00b5a000 rw-p 00000000 00:00 0 [heap]
> (and so on)
>

looking at the code surrounding the calls to PAM, it's not obvious, if
it's even there.

perhaps you can build tacacs with symbols and collect a core to share?

From heas at shrubbery.net Sun Apr 29 15:23:08 2018
From: heas at shrubbery.net (heasley)
Date: Sun, 29 Apr 2018 15:23:08 +0000
Subject: [tac_plus] tacacs+ F5.0.0a patches
In-Reply-To:
References: <20180425105453.GF15480@shrubbery.net>
Message-ID: <20180429152308.GC97741@shrubbery.net>

Thu, Apr 26, 2018 at 10:26:43AM -0400, Cory Cartwright:
> Yes, the patch and consequently the uid/gid downgrade is working.
>
> I have been able to add the logging and source IP in pwlib.c via
> session.peerip. However, I would also like to get the rem_addr_len from the
> START packet body, and am having trouble understanding how to bring in the
> value to pwlib.c.

please be more specific about where in the code you are trying to do
that. also, note that rem_addr may not be supplied by the client; it is
"best effort" and sometimes is not relevant.

> thanks!
>
> On Wed, Apr 25, 2018 at 6:54 AM, heasley wrote:
>
> > Tue, Apr 24, 2018 at 11:47:58AM -0400, Cory Cartwright:
> > > I know this post (
> > > http://www.shrubbery.net/pipermail/tac_plus/2014-December/001530.html) is
> > > old, but what is the current level of maintenance, is there a current
> > > maintainer? I am currently using tacacs-F4.0.4.28, and building with
> > > non-root TACPLUS_USERID/GROUPID but I ran across the ..post and like the
> > > idea of not having to rebuild for different systems, or statically
> > > configure uid/gid.
> >
> > does the patch work? it could be back-ported.
> >
> > > I'm also working on adding AUTH logging for PAM radius authentication, as I
> > > can't seem to find a good or proper place to do it directly from
> > > PAM_radius.so.
> >
> > do you mean that you want to use radius to perform the tacacs auth?

From daniel.schmidt at wyo.gov Sun Apr 29 19:38:45 2018
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Sun, 29 Apr 2018 13:38:45 -0600
Subject: [tac_plus] Strange Crash
In-Reply-To: <20180429150953.GB97741@shrubbery.net>
References: <20180429150953.GB97741@shrubbery.net>
Message-ID:

Thank you very much, I will rebuild and provide the core file. It is
exceedingly odd that old version of the libpam google auth works fine and
the new one causes tac_plus to crash, but just with pap/nexus. I could
also provide instructions to recreate the issue yourself if you have nexus.

On Sun, Apr 29, 2018 at 9:09 AM, heasley wrote:

> Sat, Apr 28, 2018 at 11:59:14AM -0600, Daniel Schmidt:
> > Well, that's just weird. Why does the latest libpam google authenticator
> > crash when using pap? Works just fine for login. Old libpam google
> > doesn't crash. Not sure where the problem is.
> >
> > ??dans at cwacs ~/google-authenticator-libpam ?master?
> > ??$ *** Error in `tac_plus': double free or corruption (!prev): 0x0000000000b3c000 ***
> > ======= Backtrace: =========
> > /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fb0082a37e5]
> > /lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7fb0082ac37a]
> > /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fb0082b053c]
> > tac_plus[0x408f6a]
> > tac_plus[0x404234]
> > tac_plus[0x4129d0]
> > tac_plus[0x40312f]
> > /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fb00824c830]
> > tac_plus[0x4037a9]
> > ======= Memory map: ========
> > 00400000-0041b000 r-xp 00000000 fc:00 135832 /usr/local/bin/tac_plus
> > 0061a000-0061b000 r--p 0001a000 fc:00 135832 /usr/local/bin/tac_plus
> > 0061b000-0061c000 rw-p 0001b000 fc:00 135832 /usr/local/bin/tac_plus
> > 0061c000-0061f000 rw-p 00000000 00:00 0
> > 00b39000-00b5a000 rw-p 00000000 00:00 0 [heap]
> > (and so on)
> >
>
> looking at the code surrounding the calls to PAM, it's not obvious, if
> it's even there.
>
> perhaps you can build tacacs with symbols and collect a core to share?

From heas at shrubbery.net Mon Apr 30 06:51:49 2018
From: heas at shrubbery.net (Heasley)
Date: Mon, 30 Apr 2018 08:51:49 +0200
Subject: [tac_plus] Strange Crash
In-Reply-To:
References: <20180429150953.GB97741@shrubbery.net>
Message-ID: <820894B6-A90C-46CB-8890-8917E3B580FF@shrubbery.net>

On 29.04.2018 at 21:38, Daniel Schmidt wrote:
>
> Thank you very much, I will rebuild and provide the core file. It is exceedingly odd that old version of the libpam google auth works fine and the new one causes tac_plus to crash, but just with pap/nexus. I could also provide instructions to recreate the issue yourself if you have nexus.

I'll need the executable too and possibly the build dir.
If you like, i can provide the executable. I have an older 3k now, so i could reproduce it if you provide the procedure.

>
>> On Sun, Apr 29, 2018 at 9:09 AM, heasley wrote:
>> Sat, Apr 28, 2018 at 11:59:14AM -0600, Daniel Schmidt:
>> > Well, that's just weird. Why does the latest libpam google authenticator
>> > crash when using pap? Works just fine for login. Old libpam google
>> > doesn't crash. Not sure where the problem is.
>> >
>> > ??dans at cwacs ~/google-authenticator-libpam ?master?
>> > ??$ *** Error in `tac_plus': double free or corruption (!prev): 0x0000000000b3c000 ***
>> > ======= Backtrace: =========
>> > /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fb0082a37e5]
>> > /lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7fb0082ac37a]
>> > /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fb0082b053c]
>> > tac_plus[0x408f6a]
>> > tac_plus[0x404234]
>> > tac_plus[0x4129d0]
>> > tac_plus[0x40312f]
>> > /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fb00824c830]
>> > tac_plus[0x4037a9]
>> > ======= Memory map: ========
>> > 00400000-0041b000 r-xp 00000000 fc:00 135832 /usr/local/bin/tac_plus
>> > 0061a000-0061b000 r--p 0001a000 fc:00 135832 /usr/local/bin/tac_plus
>> > 0061b000-0061c000 rw-p 0001b000 fc:00 135832 /usr/local/bin/tac_plus
>> > 0061c000-0061f000 rw-p 00000000 00:00 0
>> > 00b39000-00b5a000 rw-p 00000000 00:00 0 [heap]
>> > (and so on)
>> >
>>
>> looking at the code surrounding the calls to PAM, it's not obvious, if
>> it's even there.
>>
>> perhaps you can build tacacs with symbols and collect a core to share?

From ccjaph at gmail.com Mon Apr 30 13:43:19 2018
From: ccjaph at gmail.com (Cory Cartwright)
Date: Mon, 30 Apr 2018 09:43:19 -0400
Subject: [tac_plus] tacacs+ F5.0.0a patches
In-Reply-To: <20180429152308.GC97741@shrubbery.net>
References: <20180425105453.GF15480@shrubbery.net> <20180429152308.GC97741@shrubbery.net>
Message-ID:

So the patch to drop privileges seems to work in tacacs-F4.0.4.28, so I am
all set with that.

I am using tac_plus to perform radius auth through PAM, that is also
working correctly. The one issue I currently have is logging to the
auth.log through syslog successful and failed attempts to authenticate.

I have added some logging to authen.c, although it feels like I shoehorned
in the logging with the global flag for authentication. So any suggestions
would be welcome.

Understanding that the rem_addr and rem_addr_len are "best effort" from the
RFC draft. That being said, my implementation is network appliance centric
and so far I have not run across issues.

Are there any pitfalls you can see with my code or implementation?

< /* add static global for pass/fail return */ < static int auth_pass = 0; < 153,165d149 < /* add syslog auth will remove stderr prt */ < if(auth_pass) { < fprintf(stderr,"DEBUG: auth passed user=%s host=%s shost=%s \n", < identity.username,identity.NAS_ip,identity.NAC_address); < syslog(LOG_INFO | LOG_AUTH, "user=%s host=%s user_ip=%s SUCCESSFULLY AUTH", < identity.username,identity.NAS_ip,identity.NAC_address); < } else { < fprintf(stderr,"DEBUG: auth failed user=%s host=%s shost=%s \n", < identity.username,identity.NAS_ip,identity.NAC_address); < syslog(LOG_INFO | LOG_AUTH, "user=%s host=%s user_ip=%s FAILED AUTH", < identity.username,identity.NAS_ip,identity.NAC_address); < } < 360,361d340 < /* set global in case TAC_PLUS_AUTHEN_STATUS_PASS auth log only needs to know pass/fail, username, remote_ip, remote_user_ip */ < auth_pass = 1;

On Sun, Apr 29, 2018 at 11:23 AM, heasley wrote:

> Thu, Apr 26, 2018 at 10:26:43AM -0400, Cory Cartwright:
> > Yes, the patch and consequently the uid/gid downgrade is working.
> >
> > I have been able to add the logging and source IP in pwlib.c via
> > session.peerip. However, I would also like to get the rem_addr_len from the
> > START packet body, and am having trouble understanding how to bring in the
> > value to pwlib.c.
>
> please be more specific about where in the code you are trying to do
> that. also, note that rem_addr may not be supplied by the client; it is
> "best effort" and sometimes is not relevant.
>
> > thanks!
> >
> > On Wed, Apr 25, 2018 at 6:54 AM, heasley wrote:
> >
> > > Tue, Apr 24, 2018 at 11:47:58AM -0400, Cory Cartwright:
> > > > I know this post (
> > > > http://www.shrubbery.net/pipermail/tac_plus/2014-December/001530.html) is
> > > > old, but what is the current level of maintenance, is there a current
> > > > maintainer? I am currently using tacacs-F4.0.4.28, and building with
> > > > non-root TACPLUS_USERID/GROUPID but I ran across the ..post and like the
> > > > idea of not having to rebuild for different systems, or statically
> > > > configure uid/gid.
> > >
> > > does the patch work? it could be back-ported.
> > >
> > > > I'm also working on adding AUTH logging for PAM radius authentication, as I
> > > > can't seem to find a good or proper place to do it directly from
> > > > PAM_radius.so.
> > >
> > > do you mean that you want to use radius to perform the tacacs auth?
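
Review bot: the file-scope auth_pass flag declared in the first hunk is set to 1 in the 360,361 hunk, but nothing in the lines shown ever sets it back to 0, so if the logging block can run again in the same process after a successful attempt, a later failure would be logged as SUCCESSFULLY AUTH. Reset it at the start of each authentication, or hand the final status to the logging code as a local value instead of a static so the result does not depend on call order. The hunk headers (153,165d149 and 360,361d340) also show the diff was taken with the modified file first, so the additions appear as deletions; a unified diff with the original file first would be easier to apply.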
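
Review bot: in the 153,165 hunk, identity.username and identity.NAC_address are passed straight to syslog with %s; if NAC_address is filled from the client's rem_addr, which the thread describes as best effort, it needs a NULL or empty check with a fixed marker such as "unknown" in its place, and both values are client-chosen, so control characters should be replaced before they reach auth.log. The failure branch logs at LOG_INFO like the success branch; a higher priority such as LOG_NOTICE or LOG_WARNING makes failed attempts easier to filter, and the two fprintf(stderr, ...) calls should be dropped as the comment already intends.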
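
On the question earlier in the thread about reading rem_addr_len from the START packet body, and the reply that rem_addr is best effort, the following is an added example (not tac_plus code and not written by anyone in the thread): a stand-alone C parser for the authentication START body layout of RFC 8907 section 5.1, which bounds-checks the declared lengths and returns an empty rem_addr when the client sent none. The struct, function names and sample bytes are constructed for illustration, and the body is assumed to be already de-obfuscated.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define START_FIXED_LEN 8   /* action, priv_lvl, authen_type, authen_service, 4 lengths */

struct start_fields {       /* hypothetical holder; each field is at most 255 bytes */
    char user[256], port[256], rem_addr[256];
};

/* Copy one field; non-printable bytes become '?' so a client-chosen
 * value cannot smuggle newlines into a log line. */
static void copy_field(char *dst, const uint8_t *src, size_t len)
{
    for (size_t i = 0; i < len; i++)
        dst[i] = (src[i] >= 0x20 && src[i] < 0x7f) ? (char)src[i] : '?';
    dst[len] = '\0';
}

/* Parse a de-obfuscated authentication START body.
 * Returns 0 on success, -1 if the declared lengths do not match the body. */
int parse_authen_start(const uint8_t *body, size_t body_len, struct start_fields *out)
{
    if (body_len < START_FIXED_LEN)
        return -1;
    size_t user_len = body[4], port_len = body[5];
    size_t rem_addr_len = body[6], data_len = body[7];
    if (START_FIXED_LEN + user_len + port_len + rem_addr_len + data_len != body_len)
        return -1;
    const uint8_t *p = body + START_FIXED_LEN;
    copy_field(out->user, p, user_len);  p += user_len;
    copy_field(out->port, p, port_len);  p += port_len;
    copy_field(out->rem_addr, p, rem_addr_len);   /* "" when rem_addr_len is 0 */
    return 0;
}

/* Constructed samples (not captured traffic). */
const uint8_t sample_with_addr[] = { 1, 1, 1, 1, 5, 4, 10, 0,
    'a','l','i','c','e', 't','t','y','1', '1','9','2','.','0','.','2','.','1','0' };
const uint8_t sample_no_addr[]   = { 1, 1, 2, 1, 3, 4, 0, 0,
    'b','o','b', 't','t','y','2' };
const uint8_t sample_bad_len[]   = { 1, 1, 1, 1, 3, 4, 200, 0,
    'b','o','b', 't','t','y','2' };

int main(void)
{
    struct start_fields f;
    if (parse_authen_start(sample_no_addr, sizeof sample_no_addr, &f) == 0)
        printf("user=%s port=%s rem_addr=%s\n", f.user, f.port,
               f.rem_addr[0] ? f.rem_addr : "(not supplied)");
    return 0;
}
```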