From veerabhadra at stpi.in  Fri Jun  1 04:50:20 2018
From: veerabhadra at stpi.in (veerabhadra)
Date: Fri, 1 Jun 2018 10:20:20 +0530
Subject: [tac_plus] Questions regarding tacacs+ server config file
Message-ID: <59A8A89AAA174F3CB96A5BA028672575@stpmydc.in>

Dear Team,

I am able to use the tacacs server to authenticate users connecting to three
different vendors' devices, viz. Cisco, Juniper and Huawei. The tacacs
configuration is attached for reference.

I would like to know how to make users create strong passwords when creating
users in tacacs, i.e. is there any way I could make the system ask for a
password of length 10 letters, including capital and special characters, etc.?

Please suggest.

Regards
Veerabhadra

From: veerabhadra
Sent: Tuesday, May 22, 2018 3:07 PM
To: John Fraizer
Cc: tac_plus
Subject: Re: [tac_plus] Questions regarding tacacs+ server config file

Dear Sir,

Followed your inputs and successfully authenticated users for access to
Juniper J6350 and Cisco 3660 routers.

Now I have a Huawei NE40E-X3A router and have done the configuration on the
router, but I am stuck in the tac_server config relating to that. Please help
with a template specific to the Huawei router, if you have one.

Regards
Veerabhadra

From: John Fraizer
Sent: Monday, March 26, 2018 12:58 PM
To: veerabhadra
Cc: tac_plus
Subject: Re: [tac_plus] Questions regarding tacacs+ server config file

Take a look at http://www.shrubbery.net/pipermail/tac_plus/2015-April/001622.html

It will look something like this:

    key = "blah-blah-blah"
    accounting file = /some/location/tacplus.acct
    default authentication = file /etc/passwd

    #
    # Default group to run all command authentication through do_auth.
    #
    group = doauthaccess {
        default service = permit

        # Cisco and Cisco-like devices request the 'exec' service.
        service = exec {
            priv-lvl = 1
            optional idletime = 30
            optional acl = 2
            shell:roles="\"network-operator vdc-operator\""
        }

        # Juniper devices request the 'junos-exec' service.
        service = junos-exec {
            bug-fix = "first pair is lost"
            local-user-name = "remote"
            allow-commands = "(.*exit)|(show cli auth.*)"
            deny-commands = ".*"
            allow-configuration = ""
            deny-configuration = ".*"
        }

        after authorization "/usr/bin/python /some-location/do_auth.py -i $address -u $user -d $name -l /some-location/do_auth.log -f /some-location/do_auth.ini"
    }

    #
    # Default user - Used when no user specific stanza exists in tac_plus.conf.
    #
    user = DEFAULT {
        member = doauthaccess
        login = PAM
    }

Notice that there are two stanzas... One for 'exec' (cisco, cisco-like) and
'junos-exec' (Juniper)... You simply need to know what 'service' the device
in question is going to use and you need a stanza for it...

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Mon, Mar 26, 2018 at 12:17 AM, veerabhadra wrote:

> Sir,
>
> Authenticating users of the network using a standalone file for each NAS
> works fine (cisco and juniper separately).
>
> Please let me know how to combine both cisco and juniper config in a single
> file to authenticate the same users of both devices. Did not find any
> details in the man pages for combining config for both devices.
>
> Regards
> Veerabhadra

-----Original Message-----
From: heasley
Sent: Monday, March 26, 2018 12:32 PM
To: veerabhadra
Cc: tac_plus at shrubbery.net ; heasley
Subject: Re: Questions regarding tacacs+ server config file

Mon, Mar 26, 2018 at 10:18:52AM +0530, veerabhadra:
> Hi,
>
> Can I use a "single" tac_plus.conf file to load configuration to
> authenticate cisco and juniper devices at the same time?

yes.

> If yes, can I have a template of the configuration file, please? I have a
> network with cisco and juniper devices and am looking to authenticate users
> of both devices using a single tacacs server and a single config file.
the distribution and installation provide a tac_plus.conf.sample file which
has an example for nearly all configuration syntax.

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/tac_plus

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 260518.txt

From jj at fb.com  Tue Jun 19 18:40:18 2018
From: jj at fb.com (JJ Crawford)
Date: Tue, 19 Jun 2018 18:40:18 +0000
Subject: [tac_plus] Orphaned connections with dual-stack process
Message-ID:

Currently in all releases of tac_plus there is the possibility to leak file
descriptors due to how accept() calls are handled. This should only impact
versions where both v4 and v6 listeners exist, or some other setup where
multiple listeners are being utilized.

If you are using both ipv4 and ipv6 bound and you get a v4 and v6 request at
the same time, the for loop will accept both before hitting the fork call to
handle the request. This results in one of the requests being properly
handled and closed, but the other open descriptor will be orphaned and remain
in CLOSE_WAIT status indefinitely, ultimately leading to hitting the open
file limit and stopping all further requests from being processed.

This can be seen in the trace below; both fd 11 and 12 are accepted, but only
fd 12 is closed since newsockfd is reassigned before anything is done with
fd 11.
    poll([{fd=4, events=POLLIN|POLLERR|POLLHUP|POLLNVAL}, {fd=5, events=POLLIN|POLLERR|POLLHUP|POLLNVAL}], 2, 180000) = 2 ([{fd=4, revents=POLLIN}, {fd=5, revents=POLLIN}])
    accept(4, {sa_family=AF_INET, sin_port=htons(41359), sin_addr=inet_addr("172.16.4.5")}, [16]) = 11
    accept(5, {sa_family=AF_INET6, sin6_port=htons(47166), inet_pton(AF_INET6, "2601:600:9f80:3073::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 12
    clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f2760df0a50) = 3420565
    close(12) = 0
    poll([{fd=4, events=POLLIN|POLLERR|POLLHUP|POLLNVAL}, {fd=5, events=POLLIN|POLLERR|POLLHUP|POLLNVAL}], 2, 180000) = 1 ([{fd=4, revents=POLLIN}])

I temporarily got around this by checking newsockfd after accept, and if it is
valid (>=0) breaking out of the loop to fully process that request before
checking for more. This really isn't ideal, as in theory you could block all
requests on the other sockets from being processed if the first socket always
has connections pending, but it works for the interim.

Thanks,
-jj

-------------- next part --------------
A non-text attachment was scrubbed...
Name: stranded-socket.diff
Type: application/octet-stream
Size: 690 bytes
Desc: stranded-socket.diff
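The descriptor leak described above, reduced to a small model, as an added example that is not the tac_plus source or the attached diff. The program below builds two loopback listeners (standing in for the v4 and v6 sockets), connects one client to each so both are readable in the same poll() pass, and then runs the same accept loop three ways: the original pattern (accept from every ready listener, then fork/close only once, so the earlier fd is orphaned), the interim workaround from the report (break out after the first successful accept), and a per-accept fix (hand off and close each fd inside the loop). The "fork a child" step is replaced by a hypothetical handle_connection() that just writes a byte; the function names, the MODE_* constants and the returned leak count are this example's own, and the fd audit uses fcntl(F_GETFD) to ask which accepted descriptors the process still holds.

```c
/* Constructed model of a multi-listener accept loop (not tac_plus code). */
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum { MODE_BUGGY = 0, MODE_BREAK = 1, MODE_PER_ACCEPT = 2 };
#define MAX_LISTENERS 8

/* Stand-in for "fork a child to run the session": after hand-off the parent's
 * only remaining duty is to close its own copy of the connected socket. */
static void handle_connection(int fd)
{
    ssize_t n = write(fd, "ack\n", 4);   /* placeholder for the real work */
    (void)n;
}

/* One pass of the daemon loop over every listener that is readable.
 * Returns how many accepted fds this process still holds open afterwards,
 * i.e. the descriptors leaked by this pass (0 for a correct loop). */
int dispatch_ready(const int *listeners, int nlisteners, int mode)
{
    struct pollfd pfd[MAX_LISTENERS];
    int accepted[MAX_LISTENERS];
    int nacc = 0, newsockfd = -1, leaked = 0, i;

    for (i = 0; i < nlisteners; i++) {
        pfd[i].fd = listeners[i];
        pfd[i].events = POLLIN;
        pfd[i].revents = 0;
    }
    if (poll(pfd, nlisteners, 1000) <= 0)
        return 0;

    for (i = 0; i < nlisteners; i++) {
        if (!(pfd[i].revents & POLLIN))
            continue;
        newsockfd = accept(listeners[i], NULL, NULL); /* overwrites the last one */
        if (newsockfd < 0)
            continue;
        accepted[nacc++] = newsockfd;             /* bookkeeping for the audit */
        if (mode == MODE_PER_ACCEPT) {            /* fix: finish each fd here */
            handle_connection(newsockfd);
            close(newsockfd);
            newsockfd = -1;
        } else if (mode == MODE_BREAK) {          /* interim: one per poll() */
            break;
        }
    }
    if (mode != MODE_PER_ACCEPT && newsockfd >= 0) {
        handle_connection(newsockfd);
        close(newsockfd);   /* MODE_BUGGY: only the last accept() is closed */
    }

    /* Audit: any accepted fd still valid here is orphaned in CLOSE_WAIT. */
    for (i = 0; i < nacc; i++)
        if (fcntl(accepted[i], F_GETFD) != -1)
            leaked++;
    return leaked;
}

/* Loopback listener on an ephemeral port; the port is written to *port_out. */
int make_listener(unsigned short *port_out)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

int connect_loopback(unsigned short port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}

/* Two listeners, one pending client on each, one dispatch pass in `mode`.
 * Returns the leak count, or -1 if the loopback setup failed. */
int run_scenario(int mode)
{
    unsigned short p[2];
    int ls[2], c[2], leaked, i;
    ls[0] = make_listener(&p[0]);
    ls[1] = make_listener(&p[1]);
    if (ls[0] < 0 || ls[1] < 0) return -1;
    c[0] = connect_loopback(p[0]);
    c[1] = connect_loopback(p[1]);
    if (c[0] < 0 || c[1] < 0) return -1;
    leaked = dispatch_ready(ls, 2, mode);
    for (i = 0; i < 2; i++) { close(c[i]); close(ls[i]); }
    return leaked;
}

int main(void)
{
    printf("buggy loop leaked %d fd(s)\n", run_scenario(MODE_BUGGY));
    printf("break workaround leaked %d fd(s)\n", run_scenario(MODE_BREAK));
    printf("per-accept loop leaked %d fd(s)\n", run_scenario(MODE_PER_ACCEPT));
    return 0;
}
```

The buggy pass leaks exactly one descriptor whenever two listeners are readable at once, which is the trace above in miniature. MODE_BREAK leaks nothing but leaves the second listener's connection queued until the next poll(), which is the starvation caveat in the report; MODE_PER_ACCEPT closes the parent's copy of every accepted socket before moving on, so no order of readiness can strand one.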