[tac_plus] tacacs+ F5.0.0a patches

Cory Cartwright ccjaph at gmail.com
Mon Apr 30 13:43:19 UTC 2018


So the patch to drop privileges seems to work in tacacs-F4.0.4.28, so I am
all set with that.

I am using tac_plus to perform radius auth through PAM, that is also
working correctly.  The one issue I currently have is logging to the
auth.log through syslog successful and failed attempts to authenticate.
I have added some logging to authen.c, although it feels like I shoehorned
in the logging with the global flag for authentication.  So any suggestions
would be welcome.
Understanding that the rem_addr and rem_addr_len are "best effort" from the
RFC draft.  That being said, my implementation is network appliance centric
and so far I have not run across issues.  Are there any pitfalls you can see
with my code or implementation?

< /* add static global for pass/fail return */
< static int auth_pass = 0;
<
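Review bot: `auth_pass` is a static, process-wide flag that this hunk initialises to 0 and that the later hunk only ever sets to 1 on the TAC_PLUS_AUTHEN_STATUS_PASS path; nothing in the patch clears it, so whether the log block reports a pass or a fail depends on whether any earlier authentication handled by the same process succeeded, not on the current one. Suggest dropping the global and passing the result into the logging code explicitly, e.g. `log_auth_result(status == TAC_PLUS_AUTHEN_STATUS_PASS, &identity);` at the point where the status is decided.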
153,165d149
< /* add syslog auth
      will remove stderr prt
*/
< if(auth_pass) {
<         fprintf(stderr,"DEBUG: auth passed user=%s host=%s shost=%s \n",
<                 identity.username,identity.NAS_ip,identity.NAC_address);
<         syslog(LOG_INFO | LOG_AUTH, "user=%s host=%s user_ip=%s
SUCCESSFULLY AUTH",
<                 identity.username,identity.NAS_ip,identity.NAC_address);
< } else {
<         fprintf(stderr,"DEBUG: auth failed user=%s host=%s shost=%s \n",
<                 identity.username,identity.NAS_ip,identity.NAC_address);
<         syslog(LOG_INFO | LOG_AUTH, "user=%s host=%s user_ip=%s FAILED
AUTH",
<                 identity.username,identity.NAS_ip,identity.NAC_address);
< }
<
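Review bot: `identity.NAC_address` is handed to `%s` in both branches, but as the thread itself notes, rem_addr is best effort and may not be supplied by the client, so guard against a NULL or empty value before calling syslog/fprintf, e.g. `identity.NAC_address ? identity.NAC_address : "-"`. Two smaller points on the same lines: `identity.username` is client-supplied, so control characters (a newline in particular) should be stripped or escaped before it reaches auth.log, otherwise one authentication attempt can write what looks like two log entries; and logging the FAILED branch at `LOG_INFO`, the same priority as the success branch, makes failures easy to filter out by accident, so `LOG_WARNING` or `LOG_NOTICE` for that branch is the more conventional choice.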
360,361d340
<         /* set global in case TAC_PLUS_AUTHEN_STATUS_PASS
              auth log only needs to know pass/fail, username, remote_ip,
remote_user_ip
*/
<         auth_pass = 1;
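Review bot: the flag is set only on the PASS branch; this hunk shows no matching `auth_pass = 0;` on the FAIL or ERROR paths, so the comment's premise that the log only needs to know pass/fail holds only if the flag is reset before every authentication. Either add that reset next to where the status is decided, or, better, emit the syslog line here where the status is already in hand and the global becomes unnecessary.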


On Sun, Apr 29, 2018 at 11:23 AM, heasley <heas at shrubbery.net> wrote:

> Thu, Apr 26, 2018 at 10:26:43AM -0400, Cory Cartwright:
> > Yes, the patch and consequently the uid/gid downgrade is working.
> >
> > I have been able to add the logging and source IP in pwlib.c via
> > session.peerip.  However I would also like to get the rem_addr_len from the
> > START packet body, and am having trouble understanding how to bring in the
> > value to pwlib.c.
>
> please be more specific about where in the code you are trying to do
> that.  also, note that rem_addr may not be supplied by the client; it is
> "best effort" and sometimes is not relevant.
>
> > thanks!
> >
> > On Wed, Apr 25, 2018 at 6:54 AM, heasley <heas at shrubbery.net> wrote:
> >
> > > Tue, Apr 24, 2018 at 11:47:58AM -0400, Cory Cartwright:
> > > > I know this post (
> > > > http://www.shrubbery.net/pipermail/tac_plus/2014-December/001530.html)
> > > > is old, but what is the current level of maintenance, is there a current
> > > > maintainer?  I am currently using tacacs-F4.0.4.28, and building with
> > > > non-root TACPLUS_USERID/GROUPID but I ran across the ..post and like the
> > > > idea of not having to rebuild for different systems, or statically
> > > > configure uid/gid.
> > >
> > > does the patch work?  it could be back-ported.
> > >
> > > > I'm also working on adding AUTH logging for PAM radius authentication,
> > > > as I can't seem to find a good or proper place to do it directly from
> > > > PAM_radius.so.
> > >
> > > do you mean that you want to use radius to perform the tacacs auth?
> > >
>
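As an added example of the logging shape discussed in this thread, written for this page and not taken from Cory's patch or from the tac_plus sources: the authentication result is passed in as a parameter instead of through a process-wide flag, a missing rem_addr falls back to "-" instead of being passed as NULL, the client-supplied username is sanitised before it reaches auth.log, and failures get a higher syslog priority than successes. The `auth_identity` struct and its field names, the function names, and the sample values are assumptions made for this example; tac_plus's own identity structure and openlog() setup are not reproduced.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical stand-in for the fields the patch reads from tac_plus's
 * identity structure. Field names are assumptions for this example. */
struct auth_identity {
    const char *username;  /* supplied by the client, untrusted */
    const char *nas_ip;    /* peer address of the NAS */
    const char *rem_addr;  /* rem_addr from the START body; may be NULL */
};

/* Copy src into dst, replacing control bytes and non-ASCII bytes with '?',
 * so a client cannot inject a newline or escape sequence into the log.
 * A NULL src (rem_addr not supplied) is logged as "-". */
static void sanitize(char *dst, size_t dstlen, const char *src)
{
    size_t i = 0;

    if (src == NULL)
        src = "-";
    for (; src[i] != '\0' && i + 1 < dstlen; i++) {
        unsigned char c = (unsigned char)src[i];
        dst[i] = (c < 0x20 || c > 0x7e) ? '?' : (char)c;
    }
    dst[i] = '\0';
}

/* Build the log line from an explicit pass/fail result and choose the
 * syslog priority for it: LOG_INFO for a success, LOG_WARNING for a
 * failure. The formatted message is written into buf; the priority is
 * returned so the caller can hand both to syslog(). */
int format_auth_log(char *buf, size_t buflen, int passed,
                    const struct auth_identity *id)
{
    char user[64], nas[64], rem[64];

    sanitize(user, sizeof user, id->username);
    sanitize(nas, sizeof nas, id->nas_ip);
    sanitize(rem, sizeof rem, id->rem_addr);
    snprintf(buf, buflen, "user=%s host=%s user_ip=%s %s",
             user, nas, rem, passed ? "SUCCESSFULLY AUTH" : "FAILED AUTH");
    return passed ? LOG_INFO : LOG_WARNING;
}

/* Emit the line with the auth facility. The result is a parameter, so
 * no static state survives from one authentication to the next. */
void log_auth_result(int passed, const struct auth_identity *id)
{
    char line[256];
    int pri = format_auth_log(line, sizeof line, passed, id);

    syslog(pri | LOG_AUTH, "%s", line);
}

int main(void)
{
    /* Constructed sample values; the second has no rem_addr and a
     * username carrying a newline, the two cases discussed above. */
    struct auth_identity ok = { "alice", "192.0.2.10", "198.51.100.5" };
    struct auth_identity bad = { "bob\nFAKE", "192.0.2.11", NULL };
    char line[256];

    format_auth_log(line, sizeof line, 1, &ok);
    printf("%s\n", line);
    format_auth_log(line, sizeof line, 0, &bad);
    printf("%s\n", line);
    log_auth_result(1, &ok);
    log_auth_result(0, &bad);
    return 0;
}
```

The fixed-size scratch buffers in `format_auth_log` cap each field at 63 bytes, which also keeps an oversized username from dominating the log line; widen them if the deployment legitimately uses longer names.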