<div dir="ltr"><div><div><div>So the patch to drop privileges seems to work in tacacs-F4.0.4.28, so I am all set with that.<br><br></div>I am using tac_plus to perform radius auth through PAM, and that is also working correctly. The one issue I currently have is logging successful and failed authentication attempts to auth.log through syslog. <br></div>I have added some logging to authen.c, although it feels like I shoehorned in the logging with the global flag for authentication. So any suggestions would be welcome.<br></div>I understand that rem_addr and rem_addr_len are "best effort" per the RFC draft. That being said, my implementation is network-appliance centric and so far I have not run across issues. Are there any pitfalls you can see with my code or implementation?<br><div><div><div><br>< /* add static global for pass/fail return */<br>< static int auth_pass = 0;<br>< <br>153,165d149<br>< /* add syslog auth <br></div><div> will remove stderr prt <br>*/<br></div><div>< if(auth_pass) {<br>< fprintf(stderr,"DEBUG: auth passed user=%s host=%s shost=%s \n",<br>< identity.username,identity.NAS_ip,identity.NAC_address);<br>< syslog(LOG_INFO | LOG_AUTH, "user=%s host=%s user_ip=%s SUCCESSFULLY AUTH",<br>< identity.username,identity.NAS_ip,identity.NAC_address);<br>< } else {<br>< fprintf(stderr,"DEBUG: auth failed user=%s host=%s shost=%s \n",<br>< identity.username,identity.NAS_ip,identity.NAC_address);<br>< syslog(LOG_INFO | LOG_AUTH, "user=%s host=%s user_ip=%s FAILED AUTH",<br>< identity.username,identity.NAS_ip,identity.NAC_address);<br>< }<br>< <br>360,361d340<br>< /* set global in case TAC_PLUS_AUTHEN_STATUS_PASS <br></div><div> auth log only needs to know pass/fail, username, remote_ip, remote_user_ip<br>*/<br></div><div>< auth_pass = 1;<br><br><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Apr 29, 2018 at 11:23 AM, heasley <span dir="ltr"><<a href="mailto:heas@shrubbery.net" target="_blank">heas@shrubbery.net</a>></span> 
wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thu, Apr 26, 2018 at 10:26:43AM -0400, Cory Cartwright:<br>
> Yes, the patch and consequently the uid/gid downgrade are working.<br>
> <br>
> I have been able to add the logging and source IP in pwlib.c via<br>
> session.peerip; however, I would also like to get the rem_addr_len from the<br>
> START packet body, and I am having trouble understanding how to bring in the<br>
> value to pwlib.c.<br>
<br>
please be more specific about where in the code you are trying to do<br>
that. also, note that rem_addr may not be supplied by the client; it is<br>
"best effort" and sometimes is not relevant.<br>
<br>
> thanks!<br>
> <br>
> On Wed, Apr 25, 2018 at 6:54 AM, heasley <<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>> wrote:<br>
> <br>
> > Tue, Apr 24, 2018 at 11:47:58AM -0400, Cory Cartwright:<br>
> > > I know this post (<br>
> > > <a href="http://www.shrubbery.net/pipermail/tac_plus/2014-December/001530.html" rel="noreferrer" target="_blank">http://www.shrubbery.net/pipermail/tac_plus/2014-December/001530.html</a>)<br>
> > is<br>
> > > old, but what is the current level of maintenance, is there a current<br>
> > > maintainer? I am currently using tacacs-F4.0.4.28, and building with<br>
> > > non-root TACPLUS_USERID/GROUPID but I ran across the ..post and like the<br>
> > > idea of not having to rebuild for different systems, or statically<br>
> > > configure uid/gid.<br>
> ><br>
> > does the patch work? it could be back-ported.<br>
> ><br>
> > > I’m also working on adding AUTH logging for PAM radius authentication,<br>
> > as I<br>
> > > can’t seem to find a good or proper place to do it directly from<br>
> > > PAM_radius.so.<br>
> ><br>
> > do you mean that you want to use radius to perform the tacacs auth?<br>
> ><br>
</blockquote></div><br></div></div></div></div></div>
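Review bot: In the 153,165d149 hunk of authen.c, the else branch logs FAILED AUTH for every outcome other than the one that sets auth_pass at line 360, so an error status or an exchange the client abandoned is recorded exactly like a wrong password; logging the actual authentication status value alongside pass/fail would keep those cases distinguishable in auth.log. The same hunk interpolates identity.username and identity.NAC_address straight into the syslog line, and both come from the client (the thread notes rem_addr is optional and best effort): if NAC_address can be NULL when the client omits rem_addr, passing it to %s is undefined behaviour and a placeholder such as "-" should be printed instead, and any newline or control characters in either field would let a client inject extra lines into the log, so strip or escape them before the syslog() call. The fprintf(stderr, "DEBUG: ...") pairs are already marked as temporary in the comment ("will remove stderr prt") and should go before the patch is submitted.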
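Review bot: The 360,361d340 hunk sets auth_pass = 1 on TAC_PLUS_AUTHEN_STATUS_PASS, but nothing in the patch ever resets it to 0, so if the logging site at line 153 is reached more than once in the same process (a second authentication attempt after a failure, for example), every later outcome is logged as SUCCESSFULLY AUTH. Clearing the flag at the start of each authentication would fix the stale state, but since the author already says the static global feels shoehorned in, the cleaner change is to drop it and pass the status into the logging code as a parameter so the log line is derived from the same value the server returns to the client.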