[tac_plus] tacacs+-F4.0.4.19 Auth Fail Lock (AFL) patch

Mark Ellzey Thomas mark.thomas at corp.aol.com
Tue Sep 15 21:22:06 UTC 2009

Greetings all,

I have patched the current release with AFL.
cd tacacs+-F4.0.4.19
patch -p0 < ../tacacs+-F4.0.4.19.afl.patch
./configure --enable-afl ...

(from http://www.shrubbery.net/pipermail/tac_plus/2008-June/000248.html)
Recently we have had the need for tac_plus to temporarily disable user  
accounts based on the number of authentication failures the user has  
had in a defined window of time.

The following global configuration parameter has been added:

auth-fail-lock $int1 $int2 $int3

Where $int1 is the number of authentication failures
Where $int2 is the window (in seconds) in which to watch for auth fails
Where $int3 is the number of seconds to disable the user.

An example would be:
# Watch for 10 authentication failures within 60 seconds, if triggered
# disable user for 120 seconds.
auth-fail-lock 10 60 120

The tac_plus daemon will log when a trigger is hit, and when the account
has been re-enabled:
Jun 23 14:51:36 tac_plus[27731]: User mark has been  
disabled for 120 seconds
Jun 23 14:53:46 tac_plus[28244]: Re-enabling account: mark

Unfortunately since tac_plus is a forked architecture, I had to  
achieve persistence of data via IPC. I understand that some may be  
weary of this mechanism so they can turn the feature off at compile  
time by passing the --disable-afl flag to configure.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tacacs+-F4.0.4.19.afl.patch
Type: application/octet-stream
Size: 14897 bytes
Desc: not available
Url : http://www.shrubbery.net/pipermail/tac_plus/attachments/20090915/9cf43054/attachment.obj 
-------------- next part --------------

More information about the tac_plus mailing list