From sten at blinkenlights.nl Wed Feb 11 09:04:34 2015 
From: sten at blinkenlights.nl (Sten Spans)
Date: Wed, 11 Feb 2015 10:04:34 +0100 (CET)
Subject: [tac_plus] sha512 and new specfile
Message-ID:

We've been using the tac_plus/tacacs+ package for a while now, and would
like to contribute back some small improvements that we've been using.

- switch tac_pwd to sha512 hashes by default
- an updated specfile with a few cleanups

-- 
Sten Spans

"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem
-------------- next part --------------
Summary: TACACS+ Daemon
Name: tacacs+
Group: Networking/Servers
Version: F4.0.4.27a
Release: 2%{?dist}
License: Cisco
Packager: Bruce Carleton
Vendor: Cisco
Source: %{name}-%{version}.tar.gz
Patch0: %{name}-sha512.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: gcc, bison, flex, m4, pam-devel, tcp_wrappers-devel
Requires: pam

%description

%prep
%setup
%patch0 -p1

%{__cat} <<'EOF' >tac_plus.sysvinit
#!/bin/bash
#
# /etc/rc.d/init.d/tac_plus
#
# chkconfig: 2345 86 14
# description: TACACS+ Daemon

# Define variables
TACPLUS_PID=/var/run/tac_plus.pid
TACPLUS_EXE=/usr/sbin/tac_plus
TACPLUS_ARG=""
TACPLUS_CNF=/etc/tac_plus.conf

# Source function library.
. /etc/rc.d/init.d/functions

case "$1" in
  start)
    # Check to see if tac_plus is running.
    if [[ -f ${TACPLUS_PID} || -f /var/lock/subsys/tac_plus ]]; then
        echo "tac_plus may already be running. Check for existing tac_plus processes."
        exit 1
    fi
    echo -n "Starting tac_plus:"
    $TACPLUS_EXE $TACPLUS_ARG -C $TACPLUS_CNF && success || failure
    echo
    touch /var/lock/subsys/tac_plus
    ;;
  stop)
    if [[ -f ${TACPLUS_PID} && -f /var/lock/subsys/tac_plus ]]; then
        echo -n "Stopping tac_plus:"
        # killproc expects the program name after the pidfile option.
        killproc -p ${TACPLUS_PID} ${TACPLUS_EXE}
        echo
        rm -f /var/lock/subsys/tac_plus
        rm -f ${TACPLUS_PID}
    else
        echo "tac_plus does not appear to be running."
    fi
    ;;
  status)
    if [[ -f ${TACPLUS_PID} && -f /var/lock/subsys/tac_plus ]]; then
        echo "tac_plus pid is `cat ${TACPLUS_PID}`"
    else
        echo "tac_plus does not appear to be running."
    fi
    ;;
  restart)
    $0 stop; $0 start
    ;;
  reload)
    echo -n "Reloading tac_plus..."
    # Default to failure so the test below is defined when no pidfile exists.
    RETVAL=1
    if [[ -f ${TACPLUS_PID} && -f /var/lock/subsys/tac_plus ]]; then
        kill -HUP `cat ${TACPLUS_PID}`
        RETVAL=$?
    fi
    if [ $RETVAL -ne 0 ]; then
        failure
    else
        success
    fi
    echo
    ;;
  *)
    echo "Usage: $0 {start|stop|status|reload|restart}"
    exit 1
    ;;
esac
EOF

%build
%configure --enable-acls --enable-uenable
%{__make}

%install
%{__rm} -rf %{buildroot}
%makeinstall
%{__install} -Dp -m0755 tac_plus.sysvinit %{buildroot}%{_initrddir}/tac_plus
%{__mkdir} %{buildroot}%{_sbindir}
%{__mv} %{buildroot}%{_bindir}/tac_plus %{buildroot}%{_sbindir}

### Clean up buildroot
%{__rm} -f %{buildroot}%{_infodir}/dir

%post

%preun

%clean
%{__rm} -rf %{buildroot}

%files
%{_includedir}/tacacs.h
%{_bindir}/tac_pwd
%{_sbindir}/tac_plus
%{_datadir}/tacacs+/users_guide
%{_datadir}/tacacs+/tac_convert
%{_datadir}/tacacs+/do_auth.py
%{_datadir}/tacacs+/do_auth.pyc
%{_datadir}/tacacs+/do_auth.pyo
%{_mandir}/man5/tac_plus.conf.5.gz
%{_mandir}/man8/tac_pwd.8.gz
%{_mandir}/man8/tac_plus.8.gz
%{_libdir}/libtacacs.so.1.0.0
%{_libdir}/libtacacs.so.1
%{_libdir}/libtacacs.so
%{_libdir}/libtacacs.a
%{_libdir}/libtacacs.la
%attr(0755,root,root) %{_initrddir}/tac_plus

%changelog
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tacacs+-sha512.patch
Type: text/x-diff
Size: 2918 bytes
Desc:
URL:
From: heas at shrubbery.net (heasley)
Date: Wed, 11 Feb 2015 21:27:57 +0000
Subject: [tac_plus] Git repo for tac_plus?
In-Reply-To: <54CA742F.9060108@spritelink.net>
References: <54BF6D38.6060505@spritelink.net> <20150127230944.GE95442@shrubbery.net> <54CA742F.9060108@spritelink.net>
Message-ID: <20150211212757.GI38204@shrubbery.net>

Thu, Jan 29, 2015 at 06:55:59PM +0100, Kristian Larsson:
> What are the security implications that you are concerned about? You

remotes connecting to the host; any number of lurking exploits could exist
or configuration errors on my part. i haven't set up these tools before.
anyway, i'll provide something after the machine is upgraded in March.
but, I also have to separate from other things that are in the tree, but
are unrelated.

> already have the code out there, what would be bad about publishing the
> history of the very same code?
>
> Kind regards,
> Kristian.
From: matt.addison at lists.evilgeni.us (Matt Addison)
Date: Wed, 11 Feb 2015 17:53:17 -0500
Subject: [tac_plus] Git repo for tac_plus?
In-Reply-To: <20150127230944.GE95442@shrubbery.net>
References: <54BF6D38.6060505@spritelink.net> <20150127230944.GE95442@shrubbery.net>
Message-ID:

Is the opposition to Github something philosophical, or just wanting to
keep the canonical source in your own repository? If the latter, mirroring
your repo up to Github (or one of the many other free online
git/svn/hg/fotm scm sites) would save you from having to maintain and
secure your own public interface, and make it easier for people to work
with (instead of having to make their own project on said site, upload
source, make changes, generate patch, leave stale old version around
forever, etc). That's what the Linux kernel/GNOME/Apache etc currently do,
usually using a post-commit hook in the canonical repository to push up to
Github.

On Tue, Jan 27, 2015 at 6:09 PM, heasley wrote:
> Wed, Jan 21, 2015 at 10:11:20AM +0100, Kristian Larsson:
>> Hello Shrubbery,
>>
>> where is the source code for tac_plus hosted? I can't seem to find
>> anything but the tarball available on your web page. I'm afraid the
>> answer is that there is no git repo, correct?
>
> The repo is on my servers and I do not have a publicly accessible interface.
> I am not moving it or any of my code to github, sorry. I may be convinced
> to create a public interface, I suppose there could be value there, but I've
> not wanted to deal with the security implications and you are only the
> second to ask. I am happy to receive patches, have, and have merged several.
>
>> This is essentially the de facto tacacs+ implementation for anyone who
>> do not wish to purchase software. I believe the lack of a public git
>> repo (like on github) seriously fragments the community of users and
>> potential developers which hampers further development. There are a
>> number of repos on github named something like tac_plus, most of which
>> have an initial commit like "import from shrubbery" and then a few
>> commits on top of that. There's no one common tree with all the nice
>> patches.
>>
>> By offering a standard git repo I think the community could unite and
>> spend more time on the right things instead of maintaining individual
>> repos. What do you think?
>>
>> Kind regards,
>> Kristian.
>> _______________________________________________
>> tac_plus mailing list
>> tac_plus at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo/tac_plus
From: heas at shrubbery.net (heasley)
Date: Fri, 13 Feb 2015 22:27:54 +0000
Subject: [tac_plus] Git repo for tac_plus?
In-Reply-To:
References: <54BF6D38.6060505@spritelink.net> <20150127230944.GE95442@shrubbery.net>
Message-ID: <20150213222754.GD20150@shrubbery.net>

Wed, Feb 11, 2015 at 05:53:17PM -0500, Matt Addison:
> Is the opposition to Github something philosophical, or just wanting
> to keep the canonical source in your own repository? If the latter

both; i don't want to rely on it and i dislike git.

> mirroring your repo up to Github (or one of the many other free online
> git/svn/hg/fotm scm sites) would save you from having to maintain and
> secure your own public interface, and make it easier for people to
> work with (instead of having to make their own project on said site,
> upload source, make changes, generate patch, leave stale old version
> around forever, etc). That's what the Linux kernel/GNOME/Apache etc
> currently do, usually using a post-commit hook in the canonical
> repository to push up to Github.

i've already agreed to add some public interface. i like your suggestion
of pushing it to one of the free online sites. it will still have to wait
until i have the time for it and the host is upgraded; i'm much too busy
for it right now, sorry.
From: heas at shrubbery.net (heasley)
Date: Fri, 13 Feb 2015 23:57:33 +0000
Subject: [tac_plus] sha512 and new specfile
In-Reply-To: <20150213235435.9F5F5461CC@guelah.shrubbery.net>
Message-ID: <20150213235733.GI20150@shrubbery.net>

Wed, Feb 11, 2015 at 10:04:34AM +0100, Sten Spans:
>
> We've been using the tac_plus/tacacs+ package for a while now,
> and would like to contribute back some small improvements that
> we've been using.
>
> - switch tac_pwd to sha512 hashes by default
> - an updated specfile with a few cleanups

thanks. slight adjustment to the patch included. thanks for being rather
thorough.

Index: CHANGES =================================================================== --- CHANGES (revision 3696) +++ CHANGES (working copy) @@ -484,3 +484,5 @@ F4.0.4.29 - spec file update - from Sten Spans + - add SHA512 support to tac_pwd - from Sten Spans + XXX needs a configure test to check for sha512 support. Index: tac_pwd.8 =================================================================== --- tac_pwd.8 (revision 3686) +++ tac_pwd.8 (working copy)
@@ -1,25 +1,28 @@ .\" .hys 50 -.TH "tac_pwd" "8" "23 March 2012" +.TH "tac_pwd" "8" "13 February 2014" .SH NAME -tac_pwd \- generate DES or MD5 encryption of a password +tac_pwd \- generate SHA512, MD5 or DES encryption of a password .\" .SH SYNOPSIS .B tac_pwd -[\fB\-ehm\fP] +[\fB\-dehm\fP] [\c salt] .\" .SH DESCRIPTION .B tac_pwd -prompts for a clear-text password and produces a DES encryption of that -password on stdout which may be used in lieu of the clear-text representation -in the +prompts for a clear-text password and produces a hash of that password on +stdout which may be used in lieu of the clear-text representation in the .BR tac_plus.conf (5). .PP -The DES salt may be provided as a command-line argument. +The salt may be provided as a command-line argument. .PP .SH COMMAND-LINE OPTIONS + .TP +.B \-d +Generate an DES hash, instead of SHA512. +This is insecure, use with care. .TP .B \-e Do not echo the plain-text password to the terminal. @@ -30,7 +33,7 @@ .\" .TP .B \-m -Generate an MD5 encryption, instead of DES. +Generate an MD5 encryption, instead of SHA512. This only works if crypt() on your host supports MD5. .\" .SH "SEE ALSO" Index: tac_pwd.c =================================================================== --- tac_pwd.c (revision 3686) +++ tac_pwd.c (working copy) @@ -54,6 +54,7 @@ #define SALTBUFLEN 24 #define HASHBUFLEN 32 +#define SHA512BUFLEN 128 void usage(void); @@ -133,6 +134,21 @@ return hash; } +char * +do_sha512(char *passwd, char *salt) +{ + static char hash[SHA512BUFLEN]; + + if (salt == NULL) + salt = get_salt(); + if (strlen(salt) > 2) + salt[2] = '\0'; + snprintf(hash, SHA512BUFLEN, "$6$%s$", salt); + strncpy(hash, crypt(passwd, hash), SHA512BUFLEN); + + return hash; +} + int main(int argc, char **argv) { 
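Review bot: in do_sha512 (tac_pwd.c hunk @@ -133,6 +134,21 @@), `salt[2] = '\0'` cuts the salt to two characters before the `$6$` setting string is built, so a SHA512-crypt hash is produced with the DES-sized salt space; SHA-crypt accepts up to 16 salt characters, so use the full salt here and have get_salt() supply a longer one for this mode. The line `strncpy(hash, crypt(passwd, hash), SHA512BUFLEN);` also dereferences the crypt() result without a NULL check, and crypt() returns NULL exactly on hosts whose crypt() lacks `$6$` support, which is the case the CHANGES entry marks XXX; test for NULL and report an error instead of crashing. Minor, in the tac_pwd.8 hunk above: the `.TH` date "13 February 2014" should be 2015, and "Generate an DES hash" should read "a DES hash".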
@@ -145,11 +161,16 @@ char *prompt = "Password to be encrypted: "; int opt_e = 0, /* do not echo passwd*/ opt_m = 0, /* create md5 string */ + opt_s = 1, /* create sha512 str */ n; struct termios t; - while ((n = getopt(argc, argv, "ehm")) != EOF) { + while ((n = getopt(argc, argv, "dehm")) != EOF) { switch (n) { + case 'd': + opt_m = 0; + opt_s = 0; + break; case 'e': opt_e = 1; break; @@ -159,6 +180,7 @@ break; case 'm': opt_m = 1; + opt_s = 0; break; default: usage(); @@ -191,6 +213,8 @@ if (opt_m) { result = do_md5(pass, salt); + } else if (opt_s) { + result = do_sha512(pass, salt); } else { result = do_des(pass, salt); }

From: vadud3 at gmail.com (Asif Iqbal)
Date: Thu, 19 Feb 2015 14:34:25 -0500
Subject: [tac_plus] regex for pipe in command syntax
Message-ID:

Hi All,

How do I allow ``show logging | include foo'' but not ``show logging'' ?
Some security requirement that we are trying to achieve where
you are allowed to search for specific string ``foo'', but not allowed to
see all the logs.

This is what I tried and did not work

cmd = show {
    deny "^logging$"
    permit "^logging|include foo" # line 3409
    deny .*
}

And I am getting

Thu Feb 19 14:25:44 2015 [3506]: show logging permitted by line 3409

I ran
router#show logging

If I try ``permit "^logging\s+|include foo'' I get the following error

Thu Feb 19 14:22:43 2015 [3434]: Error expecting '}' but found '+|' on line 3409

Any suggestion is appreciated.

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
From: heas at shrubbery.net (heasley)
Date: Fri, 20 Feb 2015 04:40:54 +0000
Subject: [tac_plus] regex for pipe in command syntax
In-Reply-To:
References:
Message-ID: <20150220044054.GA67264@shrubbery.net>

Thu, Feb 19, 2015 at 02:34:25PM -0500, Asif Iqbal:
> Hi All,
>
> How do I allow ``show logging | include foo'' but not ``show logging'' ?
> Some security requirement that we are trying to achieve where
> you are allowed to search for specific string ``foo'', but not allowed to
> see all the logs.
>
> This is what I tried and did not work
>
> cmd = show {
>     deny "^logging$"
>     permit "^logging|include foo" # line 3409
>     deny .*
> }
>
> And I am getting
>
> Thu Feb 19 14:25:44 2015 [3506]: show logging permitted by line 3409
>
> I ran
> router#show logging
>
> If I try ``permit "^logging\s+|include foo'' I get the following error

\s is not a regex atom.

> Thu Feb 19 14:22:43 2015 [3434]: Error expecting '}' but found '+|' on
> line 3409
>
> Any suggestion is appreciated.

i suspect that you have an error on a previous line. but the router will
reformat the command; add or compress spaces, etc. i guarantee that
"^logging|include foo" will not match what the router will send.
debugging tacacs on the router will show you what string it has sent.
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 20 Feb 2015 14:54:25 +0200
Subject: [tac_plus] regex for pipe in command syntax
In-Reply-To:
References:
Message-ID:

The deny/permit statements are regexes, so it treats the pipe character as
an "OR". Try this for 3409:

permit "^logging\|include foo$"

(pls excuse the top post, have to use Gmail in a browser for now)

Alan

On Thu, Feb 19, 2015 at 9:34 PM, Asif Iqbal wrote:
> Hi All,
>
> How do I allow ``show logging | include foo'' but not ``show logging'' ?
> Some security requirement that we are trying to achieve where
> you are allowed to search for specific string ``foo'', but not allowed to
> see all the logs.
>
> This is what I tried and did not work
>
> cmd = show {
>     deny "^logging$"
>     permit "^logging|include foo" # line 3409
>     deny .*
> }
>
> And I am getting
>
> Thu Feb 19 14:25:44 2015 [3506]: show logging permitted by line 3409
>
> I ran
> router#show logging
>
> If I try ``permit "^logging\s+|include foo'' I get the following error
>
> Thu Feb 19 14:22:43 2015 [3434]: Error expecting '}' but found '+|' on
> line 3409
>
> Any suggestion is appreciated.

-- 
Alan McKinnon
alan dot mckinnon at gmail dot com
From: heas at shrubbery.net (John Heasley)
Date: Fri, 20 Feb 2015 07:23:00 -0800
Subject: [tac_plus] regex for pipe in command syntax
In-Reply-To:
References:
Message-ID:

On 20.02.2015 at 04:54, Alan McKinnon wrote:
>
> The deny/permit statements are regexes, so it treats the pipe character as
> an "OR". Try this for 3409:
>
> permit "^logging\|include foo$"

| should only be a regex atom inside ()s. So it should not need to be
escaped, though it should have no effect.

>
> (pls excuse the top post, have to use Gmail in a browser for now)
>
> Alan
>
>
>> On Thu, Feb 19, 2015 at 9:34 PM, Asif Iqbal wrote:
>>
>> Hi All,
>>
>> How do I allow ``show logging | include foo'' but not ``show logging'' ?
>> Some security requirement that we are trying to achieve where
>> you are allowed to search for specific string ``foo'', but not allowed to
>> see all the logs.
>>
>> This is what I tried and did not work
>>
>> cmd = show {
>>     deny "^logging$"
>>     permit "^logging|include foo" # line 3409
>>     deny .*
>> }
>>
>> And I am getting
>>
>> Thu Feb 19 14:25:44 2015 [3506]: show logging permitted by line 3409
>>
>> I ran
>> router#show logging
>>
>> If I try ``permit "^logging\s+|include foo'' I get the following error
>>
>> Thu Feb 19 14:22:43 2015 [3434]: Error expecting '}' but found '+|' on
>> line 3409
>>
>> Any suggestion is appreciated.
From: vadud3 at gmail.com (Asif Iqbal)
Date: Fri, 20 Feb 2015 11:03:01 -0500
Subject: [tac_plus] regex for pipe in command syntax
In-Reply-To:
References:
Message-ID:

On Fri, Feb 20, 2015 at 10:23 AM, John Heasley wrote:
> On 20.02.2015 at 04:54, Alan McKinnon wrote:
> >
> > The deny/permit statements are regexes, so it treats the pipe character as
> > an "OR". Try this for 3409:
> >
> > permit "^logging\|include foo$"
>
> | should only be a regex atom inside ()s. So it should not need to be
> escaped, though it should have no effect.
>

John, Yep. | has no effect.

Alan, permit "^logging|include foo$" is the correct syntax. permit
"^logging\|include foo$" gets a complaint like below

Fri Feb 20 10:54:34 2015 [4614]: Error expecting '}' but found 'include' on line 3409

With permit "^logging|include foo$" I see T+ only sees ``show logging''

Fri Feb 20 10:59:41 2015 [4658]: line 3409 compare show permit '^logging | include ERRINTR' & 'logging ' no match
Fri Feb 20 10:59:41 2015 [4658]: show logging permitted by line 3409

So it looks like T+ only sees whatever before the pipe(|) and makes
decision on permit/deny based on that.

> > (pls excuse the top post, have to use Gmail in a browser for now)
> >
> > Alan
> >
> >
> >> On Thu, Feb 19, 2015 at 9:34 PM, Asif Iqbal wrote:
> >>
> >> Hi All,
> >>
> >> How do I allow ``show logging | include foo'' but not ``show logging'' ?
> >> Some security requirement that we are trying to achieve where
> >> you are allowed to search for specific string ``foo'', but not allowed to
> >> see all the logs.
> >>
> >> This is what I tried and did not work
> >>
> >> cmd = show {
> >>     deny "^logging$"
> >>     permit "^logging|include foo" # line 3409
> >>     deny .*
> >> }
> >>
> >> And I am getting
> >>
> >> Thu Feb 19 14:25:44 2015 [3506]: show logging permitted by line 3409
> >>
> >> I ran
> >> router#show logging
> >>
> >> If I try ``permit "^logging\s+|include foo'' I get the following error
> >>
> >> Thu Feb 19 14:22:43 2015 [3434]: Error expecting '}' but found '+|' on
> >> line 3409
> >>
> >> Any suggestion is appreciated.
> >
> > --
> > Alan McKinnon
> > alan dot mckinnon at gmail dot com

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
From: heas at shrubbery.net (John Heasley)
Date: Fri, 20 Feb 2015 17:27:01 +0000
Subject: [tac_plus] regex for pipe in command syntax
In-Reply-To:
References:
Message-ID: <20150220172701.GF83222@shrubbery.net>

Fri, Feb 20, 2015 at 11:03:01AM -0500, Asif Iqbal:
> On Fri, Feb 20, 2015 at 10:23 AM, John Heasley wrote:
>
> > On 20.02.2015 at 04:54, Alan McKinnon wrote:
> > >
> > > The deny/permit statements are regexes, so it treats the pipe character as
> > > an "OR". Try this for 3409:
> > >
> > > permit "^logging\|include foo$"
> >
> > | should only be a regex atom inside ()s. So it should not need to be
> > escaped, though it should have no effect.
> >
>
> John, Yep. | has no effect.
>
> Alan, permit "^logging|include foo$" is the correct syntax. permit
> "^logging\|include foo$" gets a complaint like below

again, I think that you will find that the router *does not* send
"logging|include foo" to tacacs, it is probably "logging | include foo".
check it with debugging on the router or daemon.

> Fri Feb 20 10:54:34 2015 [4614]: Error expecting '}' but found 'include'
> on line 3409
>
> With permit "^logging|include foo$" I see T+ only sees ``show logging''
>
> Fri Feb 20 10:59:41 2015 [4658]: line 3409 compare show permit '^logging |
> include ERRINTR' & 'logging ' no match
> Fri Feb 20 10:59:41 2015 [4658]: show logging permitted by line 3409
>
> So it looks like T+ only sees whatever before the pipe(|) and makes
> decision on permit/deny based on that.

again, I think that you may have a syntax error elsewhere. you can send
your config file to me privately and I'll check it. But, I added the line
you provided to a sample config and no errors resulted.
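To make the failure mode in this thread reproducible, here is an added Python model (not tac_plus code, and not from any poster) of first-match permit/deny evaluation, run against the argument strings a device might send. It assumes the daemon matches each regex against the joined argument string including the trailing space the debug log shows, that a cmd block with no matching line denies, and that Python's re engine agrees with the daemon's regex library on these patterns; the corrected pattern writes the literal pipe as the bracket expression [|], which is neither alternation nor the backslash escape the config parser rejected.

```python
import re

# Constructed policy mirroring the thread's line 3409 attempt, in the order
# tac_plus evaluates it (first matching line decides).
ORIGINAL_POLICY = [
    ("deny",   r"^logging$"),             # never matches "logging " (trailing space)
    ("permit", r"^logging|include foo"),  # '|' is alternation: "^logging" OR "include foo"
    ("deny",   r".*"),
]

# Tightened version: [|] is a literal pipe with no backslash, both ends are
# anchored, and [ ]* absorbs the spacing the device adds around the pipe.
FIXED_POLICY = [
    ("permit", r"^logging[ ]*[|][ ]*include foo[ ]*$"),
    ("deny",   r".*"),
]


def evaluate(policy, args):
    """Return (verdict, line) for the first policy line whose regex matches
    the argument string; ("deny", None) when nothing matched, which is the
    fail-closed default this example assumes for a cmd block."""
    for line, (verdict, pattern) in enumerate(policy, 1):
        if re.search(pattern, args):
            return verdict, line
    return "deny", None


def explain(policy, args):
    """One line per decision, in the spirit of the daemon's debug output."""
    verdict, line = evaluate(policy, args)
    where = f"line {line}" if line else "no matching line"
    return f"{args!r}: {verdict} ({where})"


# Constructed argument strings: what the operator typed, what the debug log in
# the thread shows the device actually sending ('logging '), and variants.
SAMPLES = [
    "logging",                 # exact, no trailing space
    "logging ",                # as seen in the debug log
    "logging|include foo",     # the form the original regex was written for
    "logging | include foo ",  # spacing a device is likely to send
    "logging | include bar ",  # a different filter, should stay denied
]

if __name__ == "__main__":
    for args in SAMPLES:
        print("original:", explain(ORIGINAL_POLICY, args))
        print("fixed:   ", explain(FIXED_POLICY, args))
```

If the device really sends only "logging " for the piped command, as the log suggests, no server-side regex can tell the two commands apart; the tightened policy then denies both, which is the safe side to fail on.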
From: chandank.kumar at gmail.com (Chandan Kumar)
Date: Fri, 20 Feb 2015 12:01:03 -0500
Subject: [tac_plus] tacacs+ custom reply messages
Message-ID:

Hello All,

I am using tacacs+ server to authenticate Linux machines [CentOS-6] and
using pam_tacplus.so. The basic authentication works perfect.

I have a question regarding reply message from tacacs+ server. Unlike
RADIUS I do not find any "Reply-Message" type of field in server
configuration of TACPLUS server. Is there any way either during
authorization or authentication phase to send a custom reply message or any
flag, which could be used by the pam module to customize user info. [I will
modify the pam module accordingly]

Thanks
Chandan

-- 
http://about.me/chandank

From: heas at shrubbery.net (heasley)
Date: Sat, 21 Feb 2015 18:58:25 +0000
Subject: [tac_plus] tacacs+ custom reply messages
In-Reply-To:
References:
Message-ID: <20150221185825.GC28324@shrubbery.net>

Fri, Feb 20, 2015 at 12:01:03PM -0500, Chandan Kumar:
> Hello All,
>
> I am using tacacs+ server to authenticate Linux machines [CentOS-6] and
> using pam_tacplus.so. The basic authentication works perfect.
>
> I have a question regarding reply message from tacacs+ server. Unlike
> RADIUS I do not find any "Reply-Message" type of field in server
> configuration of TACPLUS server. Is there any way either during
> authorization or authentication phase to send a custom reply message or any
> flag, which could be used by the pam module to customize user info. [I will
> modify the pam module accordingly]

IIRC, the only thing that you can change is the prompt. see prompt in
tac_plus.conf
From: heas at shrubbery.net (heasley)
Date: Sat, 21 Feb 2015 18:59:33 +0000
Subject: [tac_plus] tacacs+ custom reply messages
In-Reply-To:
References:
Message-ID: <20150221185933.GD28324@shrubbery.net>

Fri, Feb 20, 2015 at 12:01:03PM -0500, Chandan Kumar:
> Hello All,
>
> I am using tacacs+ server to authenticate Linux machines [CentOS-6] and
> using pam_tacplus.so. The basic authentication works perfect.
>
> I have a question regarding reply message from tacacs+ server. Unlike
> RADIUS I do not find any "Reply-Message" type of field in server
> configuration of TACPLUS server. Is there any way either during
> authorization or authentication phase to send a custom reply message or any
> flag, which could be used by the pam module to customize user info. [I will
> modify the pam module accordingly]

sorry for the 2nd msg; but in theory you could pass anything that you want
back to the agent with optional AVPs; again see tac_plus.conf.
From: chandank.kumar at gmail.com (Chandan Kumar)
Date: Mon, 23 Feb 2015 11:42:04 -0500
Subject: [tac_plus] tacacs+ custom reply messages
In-Reply-To: <20150221185933.GD28324@shrubbery.net>
References: <20150221185933.GD28324@shrubbery.net>
Message-ID:

Hi Heasley,

Thanks for your response. Basically I am not able to get a working example
of how to use those AVPs in tac_plus.conf. Whatever I have used so far,
they appear to have no impact on the server at all. [the basic
authentication using file /etc/passwd is working though].

While googling I mostly get examples of how to configure CISCO device
[client side] and very limited configuration examples associated with
server configuration other than the file that is packaged with the tac_plus
source code itself.

Example 1:

I want to send a prompt message to host connecting from 192.168.2.53

default authentication = file /etc/passwd

host = 192.168.2.53 {
    prompt = "Welcome\n"
}

Now when I login, I do not see any "welcome" attached in the reply message
in wireshark. I only see

Status: 0x1 (Authetication Passed)
Flags : 0x0
Server message length : 0
Data Lengh :0

I would appreciate if you could provide a working example of tac_plus.conf
with some AVPs either at authentication or at authorization phase.

I would appreciate any help in this regard.

Thanks
Chandan

PS: In RADIUS it is very simple to send a reply with auth example:

joe Cleartext-Password := "1234"
    Reply-Message := "Welcom"

On auth success, the server sends this welcom string, which could be used
by the client side to provide additional functionality. [I agree it is not
the best way to do, this example is only for illustration purpose]

-- 
http://about.me/chandank

On Sat, Feb 21, 2015 at 1:59 PM, heasley wrote:
> Fri, Feb 20, 2015 at 12:01:03PM -0500, Chandan Kumar:
> > Hello All,
> >
> > I am using tacacs+ server to authenticate Linux machines [CentOS-6] and
> > using pam_tacplus.so. The basic authentication works perfect.
> >
> > I have a question regarding reply message from tacacs+ server. Unlike
> > RADIUS I do not find any "Reply-Message" type of field in server
> > configuration of TACPLUS server. Is there any way either during
> > authorization or authentication phase to send a custom reply message or
> > any flag, which could be used by the pam module to customize user info. [I
> > will modify the pam module accordingly]
>
> sorry for the 2nd msg; but in theory you could pass anything that you want
> back to the agent with optional AVPs; again see tac_plus.conf.
From: heas at shrubbery.net (heasley)
Date: Mon, 23 Feb 2015 18:49:57 +0000
Subject: [tac_plus] tacacs+ custom reply messages
In-Reply-To:
References: <20150221185933.GD28324@shrubbery.net>
Message-ID: <20150223184957.GA84978@shrubbery.net>

Mon, Feb 23, 2015 at 11:42:04AM -0500, Chandan Kumar:
> Hi Heasley,
>
> Thanks for your response. Basically I am not able to get a working example
> of how to use those AVPs in tac_plus.conf. Whatever I have used so far,
> they appear to have no impact on the server at all. [the basic
> authentication using file /etc/passwd is working though].

I'm fairly sure that IOS supports the syntax below to change the username
prompt, but the device is not required to honor it, it is optional according
to the spec and is not applicable in all contexts. the daemon sets a default
if one isn't in the config, default_v0_fn.c:default_v0_fn().

> While googling I mostly get examples of how to configure CISCO device
> [client side] and very limited configuration examples associated with
> server configuration other than the file that is packaged with the tac_plus
> source code itself.
>
> Example 1:
>
> I want to send a prompt message to host connecting from 192.168.2.53
>
>
> default authentication = file /etc/passwd
>
> host = 192.168.2.53 {
>     prompt = "Welcome\n"
> }
>
> Now when I login, I do not see any "welcome" attached in the reply message
> in wireshark. I only see
>
> Status: 0x1 (Authetication Passed)

it would occur before this; in the GETUSER packet.

> Flags : 0x0
> Server message length : 0
> Data Lengh :0
>
> I would appreciate if you could provide a working example of tac_plus.conf
> with some AVPs either at authentication or at authorization phase.

see priv-lvl, autocmd, inacl, and outacl in the sample config.

> I would appreciate any help in this regard.
>
>
> Thanks
> Chandan
>
> PS: In RADIUS it is very simple to send a reply with auth example:
>
> joe Cleartext-Password := "1234"
>     Reply-Message := "Welcom"
>
> On auth success, the server sends this welcom string, which could be used
> by the client side to provide additional functionality. [I agree it is not
> the best way to do, this example is only for illustration purpose]

technically it is possible, afaict, to send any message back, but the daemon
does not offer this. it sends actual status messages, like "failed",
"success", etc; for the daemon to provide this from the config it would need
to differentiate between all those.
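As an added illustration (not code from tac_plus or pam_tacplus, and not from any poster), the following Python encodes and decodes the body of a TACACS+ authorization REPLY, which is where a free-text server message and the AVPs heasley points to (priv-lvl, autocmd, ...) travel back to the client; an AVP written name=value is mandatory for the client, name*value is optional. The field layout is the protocol's REPLY body; the 12-byte packet header and the shared-key body obfuscation are left out, and all values are constructed.

```python
import struct

# Authorization REPLY status values from the TACACS+ specification.
AUTHOR_STATUS_PASS_ADD = 0x01   # client adds the returned args to its own
AUTHOR_STATUS_PASS_REPL = 0x02  # client replaces its args with the returned ones
AUTHOR_STATUS_FAIL = 0x10
AUTHOR_STATUS_ERROR = 0x11


def encode_author_reply(status, args, server_msg="", data=b""):
    """Build the cleartext REPLY body: status, arg_cnt, server_msg_len,
    data_len, one length byte per argument, then server_msg, data and the
    arguments back to back. Raises ValueError when a field cannot fit its
    length field instead of silently truncating it."""
    arg_bytes = [a.encode("ascii") for a in args]
    msg = server_msg.encode("utf-8")
    if len(args) > 0xFF or len(msg) > 0xFFFF or len(data) > 0xFFFF:
        raise ValueError("field too long for its length field")
    if any(len(a) > 0xFF for a in arg_bytes):
        raise ValueError("argument longer than 255 bytes")
    body = struct.pack("!BBHH", status, len(arg_bytes), len(msg), len(data))
    body += bytes(len(a) for a in arg_bytes)
    return body + msg + data + b"".join(arg_bytes)


def decode_author_reply(body):
    """Parse a REPLY body into (status, server_msg, data, args), checking
    that the declared lengths account for exactly the bytes present so a
    truncated or padded body is rejected rather than misread."""
    if len(body) < 6:
        raise ValueError("body shorter than the fixed fields")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    if len(body) < off + arg_cnt:
        raise ValueError("truncated argument length table")
    arg_lens = list(body[off:off + arg_cnt])
    off += arg_cnt
    need = off + msg_len + data_len + sum(arg_lens)
    if len(body) != need:
        raise ValueError(f"declared lengths need {need} bytes, body has {len(body)}")
    server_msg = body[off:off + msg_len].decode("utf-8")
    off += msg_len
    data = body[off:off + data_len]
    off += data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode("ascii"))
        off += n
    return status, server_msg, data, args


def split_avp(avp):
    """Split an argument into (name, value, mandatory). The first '=' or '*'
    is the separator: '=' means the client must honour the attribute,
    '*' means it may ignore it (the optional AVPs heasley refers to)."""
    for i, ch in enumerate(avp):
        if ch in "=*":
            return avp[:i], avp[i + 1:], ch == "="
    raise ValueError(f"no separator in AVP {avp!r}")


if __name__ == "__main__":
    # Constructed reply: the priv-lvl from the thread's config, an optional
    # autocmd, and a free-text server message.
    reply = encode_author_reply(AUTHOR_STATUS_PASS_ADD,
                                ["priv-lvl=15", "autocmd*show users"],
                                server_msg="Welcome")
    print(reply.hex())
    status, msg, extra, args = decode_author_reply(reply)
    print(status, msg, [split_avp(a) for a in args])
```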
From: chandank.kumar at gmail.com (Chandan Kumar)
Date: Mon, 23 Feb 2015 15:08:48 -0500
Subject: [tac_plus] tacacs+ custom reply messages
In-Reply-To: <20150223184957.GA84978@shrubbery.net>
References: <20150221185933.GD28324@shrubbery.net> <20150223184957.GA84978@shrubbery.net>
Message-ID:

Thanks for the input.

I am not using IOS; I am using/customizing the pam_tacplus.so Linux module.

I am trying to set AVPs in service=shell, but I am not able to get it right.

    user = joe {
        pap = cleartext 123
        service = shell {
            default attribute = permit
            priv-lvl = 15
        }
    }

And from the client I am sending service=shell protocol=ssh. However, the
server [tacplus daemon] is not able to find these AVPs and returns an error.

    Mon Feb 23 15:03:04 2015 [17466]: Start authorization request
    Mon Feb 23 15:03:04 2015 [17466]: cfg_get_value: name=joe isuser=1 attr=acl rec=1
    Mon Feb 23 15:03:04 2015 [17466]: cfg_get_pvalue: returns NULL
    Mon Feb 23 15:03:04 2015 [17466]: do_author: user='joe'
    Mon Feb 23 15:03:04 2015 [17466]: cfg_get_value: name=joe isuser=1 attr=before rec=1
    Mon Feb 23 15:03:04 2015 [17466]: cfg_get_pvalue: returns NULL
    Mon Feb 23 15:03:04 2015 [17466]: user joe No identifiable service/protocol in authorization request
    Mon Feb 23 15:03:04 2015 [17466]: Writing AUTHOR/ERROR size=75

What is the right format for using service=shell? It does not accept
service=shell protocol=ssh; it returns the error

    Starting tacacs+: Error: expecting '{' but found 'protocol' on line 19
    [FAILED]

However, it works well for service=ppp protocol=ssh:

    user = joe {
        pap = cleartext 123
        service = ppp protocol = ssh {
            tunnel-id = my_nas
            ip-addresses = "173.20.12.19 173.20.12.20"
            source-ip = 173.5.10.1
        }
    }

This is accepted by the tacplus daemon if I send service=ppp protocol=ssh
from the client.

--
http://about.me/chandank

From: heas at shrubbery.net (heasley)
Date: Tue, 24 Feb 2015 00:22:23 +0000
Subject: [tac_plus] tacacs+ custom reply messages
In-Reply-To:
References: <20150221185933.GD28324@shrubbery.net> <20150223184957.GA84978@shrubbery.net>
Message-ID: <20150224002223.GA1251@shrubbery.net>

Mon, Feb 23, 2015 at 03:08:48PM -0500, Chandan Kumar:
> Thanks for the input.
>
> I am not using IOS; I am using/customizing the pam_tacplus.so Linux module.
>
> I am trying to set AVPs in service=shell, but I am not able to get it right.
>
>     user = joe {
>         pap = cleartext 123
>         service = shell {
>             default attribute = permit
>             priv-lvl = 15
>         }
>     }
>
> And from the client I am sending service=shell protocol=ssh. However, the
> server [tacplus daemon] is not able to find these AVPs and returns an error.
>
>     Mon Feb 23 15:03:04 2015 [17466]: Start authorization request
>     Mon Feb 23 15:03:04 2015 [17466]: cfg_get_value: name=joe isuser=1 attr=acl rec=1
>     Mon Feb 23 15:03:04 2015 [17466]: cfg_get_pvalue: returns NULL
>     Mon Feb 23 15:03:04 2015 [17466]: do_author: user='joe'
>     Mon Feb 23 15:03:04 2015 [17466]: cfg_get_value: name=joe isuser=1 attr=before rec=1
>     Mon Feb 23 15:03:04 2015 [17466]: cfg_get_pvalue: returns NULL
>     Mon Feb 23 15:03:04 2015 [17466]: user joe No identifiable service/protocol in authorization request
>     Mon Feb 23 15:03:04 2015 [17466]: Writing AUTHOR/ERROR size=75

Use debugging to make sure that the daemon is sending or receiving what you
expect, and that the config has a match for the service or service/proto that
is to be matched.

> What is the right format for using service=shell? It does not accept
> service=shell protocol=ssh; it returns the error
>
>     Starting tacacs+: Error: expecting '{' but found 'protocol' on line 19
>     [FAILED]

The daemon accepts both of these configs, though I do not know of protocol
ssh. What version?

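To see what the daemon has to find before it can consult the config when it logs "No identifiable service/protocol in authorization request", here is an added example (not tac_plus code and not from the thread): a Python encoder/decoder for the TACACS+ authorization REQUEST body, which pulls out the service= and protocol= AV pairs and looks them up against a config modelled as a dict keyed by (service, protocol). The wire layout follows RFC 8907 section 6.1 and the `=`/`*` separator rule for mandatory and optional pairs; the function names, the sample user, port and address, and the lookup order (exact service/protocol first, then service alone) are this example's own assumptions, not a description of the daemon's internals.

```python
"""TACACS+ authorization REQUEST body (RFC 8907 section 6.1) and the
service/protocol lookup a server has to do on it.  Added example, not
tac_plus code; the match order in match_service() is assumed."""
import struct

TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def build_author_request(user, port, rem_addr, args, priv_lvl=1,
                         authen_method=TAC_PLUS_AUTHEN_METH_TACACSPLUS,
                         authen_type=TAC_PLUS_AUTHEN_TYPE_PAP,
                         authen_service=TAC_PLUS_AUTHEN_SVC_LOGIN):
    """Body only (no 12-byte header, no obfuscation).  Layout:
    authen_method priv_lvl authen_type authen_service user_len port_len
    rem_addr_len arg_cnt arg_1_len..arg_N_len user port rem_addr arg_1..arg_N"""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    args_b = [a.encode() for a in args]
    for field in (user_b, port_b, rem_b, *args_b):
        if len(field) > 255:
            raise ValueError("field longer than a one-byte length allows")
    if len(args_b) > 255:
        raise ValueError("too many args")
    fixed = struct.pack("!8B", authen_method, priv_lvl, authen_type, authen_service,
                        len(user_b), len(port_b), len(rem_b), len(args_b))
    return fixed + bytes(len(a) for a in args_b) + user_b + port_b + rem_b + b"".join(args_b)


def split_arg(arg):
    """An AV pair is attr=value (mandatory) or attr*value (optional); the
    separator is whichever of '=' or '*' comes first in the string."""
    seps = [i for i in (arg.find("="), arg.find("*")) if i >= 0]
    if not seps:
        raise ValueError("argument without separator: %r" % arg)
    i = min(seps)
    return arg[:i], arg[i], arg[i + 1:]


def parse_author_request(body):
    """Decode a body; raises ValueError when the length fields do not add up."""
    if len(body) < 8:
        raise ValueError("short body")
    (authen_method, priv_lvl, authen_type, authen_service,
     user_len, port_len, rem_len, arg_cnt) = struct.unpack("!8B", body[:8])
    off = 8
    arg_lens = list(body[off:off + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated arg length table")
    off += arg_cnt
    expected = off + user_len + port_len + rem_len + sum(arg_lens)
    if expected != len(body):
        raise ValueError("length fields disagree with body: %d vs %d" % (expected, len(body)))

    def take(n):
        nonlocal off
        chunk = body[off:off + n]
        off += n
        return chunk.decode("utf-8", "replace")

    user, port, rem_addr = take(user_len), take(port_len), take(rem_len)
    args = [split_arg(take(n)) for n in arg_lens]
    return {"authen_method": authen_method, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "authen_service": authen_service,
            "user": user, "port": port, "rem_addr": rem_addr, "args": args}


def service_and_protocol(args):
    """The two attributes the config lookup is keyed on.  Without a
    'service' pair there is nothing to match, whatever else was sent."""
    found = {attr: value for attr, _sep, value in args if attr in ("service", "protocol")}
    return found.get("service"), found.get("protocol")


def match_service(config, service, protocol):
    """config: {(service, protocol_or_None): {attr: value}}.  A block written
    as 'service = X {' is keyed (X, None); 'service = X protocol = Y {' is
    keyed (X, Y).  Exact pair first, then service alone (assumed order)."""
    if service is None:
        return None   # the "No identifiable service/protocol" case
    for key in ((service, protocol), (service, None)):
        if key in config:
            return config[key]
    return None
```

Dump the request the client actually sends (the daemon's own debug flags, or a capture decoded with the reply parser's pseudo-pad) and feed its args to service_and_protocol(); if it returns (None, ...) the client never sent service=, and no amount of config editing will help.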
From: chandank.kumar at gmail.com (Chandan Kumar)
Date: Tue, 24 Feb 2015 09:48:19 -0500
Subject: [tac_plus] tacacs+ custom reply messages
In-Reply-To: <20150224002223.GA1251@shrubbery.net>
References: <20150221185933.GD28324@shrubbery.net> <20150223184957.GA84978@shrubbery.net> <20150224002223.GA1251@shrubbery.net>
Message-ID:

Version info:

    tac_plus -v
    tac_plus version F4.0.4.28
    ACLS FIONBIO LIBWRAP LINUX LITTLE_ENDIAN LOG_DAEMON PAM NO_PWAGE REAPCHILD
    RETSIGTYPE RETSIGTYPE SHADOW_PASSWORDS SIGTSTP SIGTTIN SIGTTOU SO_REUSEADDR
    STRERROR TAC_PLUS_PORT UENABLE __STDC__

I tried using other service options, including service=system, and it is
working, but service=shell protocol=ssh does not.

    service = system {
        default attribute = permit
        priv-lvl = 15
    }

--
http://about.me/chandank

From: justin.labo at dena.com (Justin Labo)
Date: Wed, 25 Feb 2015 16:11:54 -0800
Subject: [tac_plus] Issue: Incomplete passwords being accepted
Message-ID:

Hello,

I'm having an issue with tac_plus and was hoping you could shed some light
on it.

tac_plus is accepting incomplete passwords as valid. For example, if my
password was 'password' and I enter 'passwor', I can log in. Have you ever
seen this before?

We are running tac_plus version F4.0.4.17. I was planning on upgrading to the
latest release and validating the existing tac_plus configs, but wanted to
check in with you guys beforehand.

Thanks,

Justin LaBo
System Administrator
DeNA West

From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Sat, 28 Feb 2015 07:18:43 +0200
Subject: [tac_plus] Issue: Incomplete passwords being accepted
In-Reply-To:
References:
Message-ID: <20150228071843.0fae8394@hobbit>

On Wed, 25 Feb 2015 16:11:54 -0800
Justin Labo wrote:

> Hello,
>
> I'm having an issue with tac_plus and was hoping you could shed some
> light on it.
>
> tac_plus is accepting incomplete passwords as valid. For example, if
> my password was 'password' and I enter 'passwor', I can log in. Have
> you ever seen this before?
>
> We are running tac_plus version F4.0.4.17. I was planning on
> upgrading to the latest release and validating the existing tac_plus
> configs, but wanted to check in with you guys beforehand.

What password hash types are you using?

You get this behaviour with classic Unix crypt hashes (3DES). crypt will
accept up to 11 characters as an entered password but only use the first 9.
Entering more than 11 is an error.

Alan

From: heas at shrubbery.net (Heasley)
Date: Sat, 28 Feb 2015 10:11:13 +0100
Subject: [tac_plus] Issue: Incomplete passwords being accepted
In-Reply-To: <20150228071843.0fae8394@hobbit>
References: <20150228071843.0fae8394@hobbit>
Message-ID: <95CCE340-E6D5-46E6-A28A-EF3D2D83E131@shrubbery.net>

On 28.02.2015 at 06:18, Alan McKinnon wrote:
>
> On Wed, 25 Feb 2015 16:11:54 -0800
> Justin Labo wrote:
>
>> Hello,
>>
>> I'm having an issue with tac_plus and was hoping you could shed some
>> light on it.
>>
>> tac_plus is accepting incomplete passwords as valid. For example, if
>> my password was 'password' and I enter 'passwor', I can log in. Have
>> you ever seen this before?

Besides what Alan mentions, no. I'll test it though and report if I find a
problem.

>> We are running tac_plus version F4.0.4.17.

That is not the most recent version, btw.

>> I was planning on
>> upgrading to the latest release and validating the existing tac_plus
>> configs, but wanted to check in with you guys beforehand.
>
> What password hash types are you using?
>
> You get this behaviour with classic Unix crypt hashes (3DES). crypt
> will accept up to 11 characters as an entered password but only use the
> first 9. Entering more than 11 is an error.

The first 8 and ignoring trailing bytes is more typical.

> Alan

From: malmgren at skyfire.com (Matt Almgren)
Date: Sat, 28 Feb 2015 08:29:42 -0800
Subject: [tac_plus] Issue: Incomplete passwords being accepted
In-Reply-To: <95CCE340-E6D5-46E6-A28A-EF3D2D83E131@shrubbery.net>
References: <20150228071843.0fae8394@hobbit>, <95CCE340-E6D5-46E6-A28A-EF3D2D83E131@shrubbery.net>
Message-ID: <361FC21836C35F4DA4C9D78CC73244610251D6A5F56B@EXVMBX015-4.exch015.msoutlookonline.net>

I never noticed this before, but I see the same 8-character problem with
version F4.0.4.27a and CentOS 6.4.

-- Matt

From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Sat, 28 Feb 2015 20:01:23 +0200
Subject: [tac_plus] Issue: Incomplete passwords being accepted
In-Reply-To: <361FC21836C35F4DA4C9D78CC73244610251D6A5F56B@EXVMBX015-4.exch015.msoutlookonline.net>
References: <20150228071843.0fae8394@hobbit> <95CCE340-E6D5-46E6-A28A-EF3D2D83E131@shrubbery.net> <361FC21836C35F4DA4C9D78CC73244610251D6A5F56B@EXVMBX015-4.exch015.msoutlookonline.net>
Message-ID: <20150228200123.6c150337@hobbit>

On Sat, 28 Feb 2015 08:29:42 -0800
Matt Almgren wrote:

> I never noticed this before, but I see the same 8-character problem
> with version F4.0.4.27a and CentOS 6.4.

You will see it on all versions of tac_plus on all distros. The password
encryption is done in the crypt() system call, which is where DES is
implemented. It's not a bug, it's a feature; it's just the way DES works.

One more reason why you should not use DES for password hashing: superior
types exist.

Alan

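A check for the truncation Alan and heasley describe, as an added example that is neither tac_plus code nor from the thread: it classifies crypt(3)-style hash strings by prefix and shape, reports which part of a password each scheme actually compares (the first 8 bytes for traditional DES crypt, which is the 13-character hash with no `$` prefix; at most 72 bytes for bcrypt; the whole string for the $1$/$5$/$6$ schemes), and audits a tac_plus.conf for hashes that truncate. The config layout it parses (`login = des <hash>` and `pap = des <hash>` inside `user = NAME {` blocks, where the keyword des means "crypt(3) format" as in the daemon's sample config) is this example's assumption, and every hash string in the sample is a constructed, shape-only placeholder rather than a real hash.

```python
"""Audit crypt(3)-style password hashes for schemes that silently truncate.
Added example, not tac_plus code.  The tac_plus.conf layout parsed below is
an assumption; the sample hashes are constructed placeholders."""
import re

# Bytes of the password each scheme actually uses; absent means all of it.
TRUNCATES_AT = {"descrypt": 8, "bcrypt": 72}
_DES_HASH = re.compile(r"[./0-9A-Za-z]{13}")   # 2-char salt + 11-char hash, no '$'


def classify_hash(h):
    """Name the scheme from the hash string's prefix or shape."""
    if h.startswith("$6$"):
        return "sha512crypt"
    if h.startswith("$5$"):
        return "sha256crypt"
    if h.startswith("$1$"):
        return "md5crypt"
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if h.startswith("$y$"):
        return "yescrypt"
    if _DES_HASH.fullmatch(h):
        return "descrypt"
    return "unknown"


def checked_bytes(password, scheme):
    """The part of the password the scheme compares against the hash."""
    b = password.encode("utf-8")
    limit = TRUNCATES_AT.get(scheme)
    return b[:limit] if limit else b


def equivalent_under(scheme, a, b):
    """True when two different passwords verify identically under the scheme."""
    return checked_bytes(a, scheme) == checked_bytes(b, scheme)


_USER = re.compile(r"\s*user\s*=\s*(\S+)\s*\{")
_HASH = re.compile(r"\s*(login|pap)\s*=\s*des\s+(\S+)")


def audit_tac_plus_conf(text):
    """Return (line, user, directive, scheme) for each hash that truncates
    the password or could not be classified."""
    findings = []
    user = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _USER.match(line)
        if m:
            user = m.group(1)
            continue
        m = _HASH.match(line)
        if not m:
            continue
        scheme = classify_hash(m.group(2))
        if scheme in TRUNCATES_AT or scheme == "unknown":
            findings.append((lineno, user, m.group(1), scheme))
    return findings


# Constructed sample config; the hash strings are shape-only placeholders.
SAMPLE_CONF = """\
user = joe {
    login = des abJnggxhB/yWI
    pap = des $6$saltsalt$notarealhashnotarealhash
}
user = alice {
    login = des $1$abcdefgh$notarealhash
    pap = des $2b$12$notarealbcrypthashnotarealbcrypthash
}
"""

if __name__ == "__main__":
    for lineno, user, directive, scheme in audit_tac_plus_conf(SAMPLE_CONF):
        limit = TRUNCATES_AT.get(scheme, "?")
        print("line %d: user %s, %s uses %s (compares first %s bytes)"
              % (lineno, user, directive, scheme, limit))
```

Run audit_tac_plus_conf() over the live config (and the same classifier over /etc/shadow if the daemon authenticates against the system password file); every hash reported as descrypt should be regenerated under a $6$ scheme, since under DES a 12-character password is protected by only its first 8 bytes and any string sharing those bytes logs in.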