
kravietz / pam_tacplus Goto Github PK


TACACS+ protocol client library and PAM module in C. This PAM module support authentication, authorization (account management) and accounting (session management)performed using TACACS+ protocol designed by Cisco.

License: GNU Lesser General Public License v3.0

Shell 2.87% C 91.85% Makefile 1.64% M4 2.05% Roff 1.59%
tacacs-server tacacs-protocol pam-tacplus tacacs-client tacacs-plus authentication

pam_tacplus's Introduction


TACACS+ client toolkit

This repository contains three modules that are typically used to perform requests to a TACACS+ server:

  • libtac - core TACACS+ client library
  • pam_tacplus - PAM module for authenticating users against TACACS+
  • tacc - a simple command-line TACACS+ client

The following core TACACS+ functions are supported:

TACACS+ name   | PAM name           | What it does
Authentication | Authenticate       | Is the user who they claim to be?
Authorization  | Account management | Is the user entitled to service X?
Accounting     | Session open/close | Record the beginning and end of a service

The TACACS+ protocol was designed by Cisco Systems back in 90's and was intended to provide simple means of validating users connecting to simple network routers (e.g. over PPP) against a central authentication server. The router can send queries about authentication (validate user credentials), authorization (entitlement for requested service) and accounting (marking the start and end of user's session). The server can respond with either simple yes/no response, or send back attributes, such as text of a password prompt, effectively instructing the router to present it to the user and send back the obtained password.

Unlike RADIUS, which was designed for similar purposes, the TACACS+ protocol offers basic packet encryption but, as with most crypto designed back then, it's not secure and definitely should not be used over untrusted networks.

This package has been successfully used with free tac_plus TACACS+ server on variety of operating systems.

Recognized options:

Option   | Management group | Type    | Description
debug    | ALL              |         | output debugging information via syslog(3); note that the debugging is heavy and includes passwords!
secret   | ALL              | string  | can be specified more than once; secret key used to encrypt/decrypt packets sent to/received from the server
server   | auth, session    | string  | hostname, IP or hostname:port; can be specified more than once
timeout  | ALL              | integer | connection timeout in seconds; default is 5 seconds
login    | auth             |         | TACACS+ authentication service; this can be pap, chap or login; default is pap
prompt   | auth             | string  | custom password prompt; use _ instead of spaces
acct_all | session          |         | if multiple servers are supplied, pam_tacplus will send accounting start/stop packets to all servers on the list
service  | account, session | string  | TACACS+ service for authorization and accounting
protocol | account, session | string  | TACACS+ protocol for authorization and accounting

Semantics of these options only make sense in the context of the RFC 8907 (the TACACS+ specification) — for example, a dial-up router might request ppp service with protocol ip for their users, authenticating them with pap protocol which reflects the typical usage of TACACS+ back in 90's. These values however do not really need to match the actual service offered by your server as the TACACS+ server only cares about the service and protocol fields matching what it has in its configuration.
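The option table above is easy to get subtly wrong in a real pam.d file (a server without its secret, a non-numeric timeout, or debug left on in production, which logs passwords). The following linter is an added example, not part of the pam_tacplus project: it walks pam.d lines that load pam_tacplus.so, splits server=host[:port] with the default TACACS+ port 49, and reports the checks a practitioner would want. The pairing rule (each secret= applies to the server= that precedes it) is an assumption modelled on the README's own example lines, and the pam.d text is constructed.

```python
"""Constructed example: a small linter for pam_tacplus option lines in a pam.d file."""

DEFAULT_PORT = 49                     # TACACS+ TCP port, as shown in the module's syslog output
LOGIN_VALUES = {"pap", "chap", "login"}

# Constructed sample, not a real /etc/pam.d file; the secrets are placeholders
SAMPLE_PAM_D = """\
#%PAM-1.0
auth     required pam_tacplus.so server=127.0.0.1 secret=testkey123 debug
account  required pam_tacplus.so server=127.0.0.1 secret=testkey123 service=ppp protocol=ip
session  required pam_tacplus.so server=127.0.0.1 secret=testkey123 server=127.0.0.2:4949 service=ppp protocol=ip timeout=abc
"""


def parse_server(value):
    """Split 'host' or 'host:port' (IPv4 or hostname; bracketed IPv6 is not handled here)."""
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, DEFAULT_PORT
    return host, int(port)


def lint_pam_line(line):
    """Return (group, servers, findings) for one line that loads pam_tacplus.so, else None."""
    fields = line.split()
    if len(fields) < 3 or not fields[2].endswith("pam_tacplus.so"):
        return None
    group, findings, servers = fields[0], [], []   # servers: [host, port, secret]
    for tok in fields[3:]:
        name, _, value = tok.partition("=")
        if name == "debug":
            findings.append("debug logs passwords to syslog; keep it off outside troubleshooting")
        elif name == "server":
            host, port = parse_server(value)
            servers.append([host, port, None])
        elif name == "secret":
            # Assumption: secret= applies to the server= that precedes it, as in the README example
            if servers and servers[-1][2] is None:
                servers[-1][2] = value
            else:
                findings.append("secret= is not paired with a preceding server=")
        elif name == "timeout" and not value.isdigit():
            findings.append(f"timeout must be an integer number of seconds, got {value!r}")
        elif name == "login" and value not in LOGIN_VALUES:
            findings.append(f"login must be one of {sorted(LOGIN_VALUES)}, got {value!r}")
    for host, port, secret in servers:
        if secret is None:
            findings.append(f"server {host}:{port} has no secret configured")
    return group, [tuple(s) for s in servers], findings


def lint_pam_file(text):
    """Map each management group (auth, account, session) to its parsed servers and findings."""
    result = {}
    for line in text.splitlines():
        parsed = lint_pam_line(line)
        if parsed:
            group, servers, findings = parsed
            result[group] = {"servers": servers, "findings": findings}
    return result


if __name__ == "__main__":
    for group, info in lint_pam_file(SAMPLE_PAM_D).items():
        print(group, info["servers"], *info["findings"], sep="\n  ")
```

Run against the constructed sample it flags debug on the auth line, the unpaired backup server and the bad timeout on the session line, and nothing on the account line.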

Basic installation:

The module is available on most Linux distributions:

$ sudo apt install libpam-tacplus

To compile from source, the code uses GNU autotools and gnulib:

$ sudo apt install libpam-tacplus autoconf build-essential libtool automake libpam-dev libssl-dev gnulib
$ git clone https://github.com/kravietz/pam_tacplus.git
$ cd pam_tacplus
$ gnulib-tool --makefile-name=Makefile.gnulib --libtool --import \
                  fcntl crypto/md5 array-list list xlist getrandom realloc-posix \
                  explicit_bzero xalloc getopt-gnu
$ autoreconf -f -v -i
$ ./configure
$ make
$ sudo make install

You can use the ./configure --libdir=/lib option to ensure pam_tacplus.so is installed into /lib/security, alongside the other PAM modules, rather than under /usr/local. In that case you need to adjust the module paths in the files under /etc/pam.d accordingly.

Outdated gnulib

If you get errors like the one below during ./configure, you most likely have an outdated gnulib (notably, FreeBSD uses 2014 version):

error: GL_GENERATE_ALLOCA_H does not appear in AM_CONDITIONAL

This is fixed by installing the latest gnulib:

$ git clone https://git.savannah.gnu.org/git/gnulib.git $HOME/gnulib
$ $HOME/gnulib/gnulib-tool --makefile-name=Makefile.gnulib --libtool --import \
                  fcntl crypto/md5 array-list list xlist getrandom realloc-posix \
                  explicit_bzero xalloc
$ autoreconf -f -v -i
$ ./configure
...

Quick start

TACACS+ server

To do anything with TACACS+ protocol we need a TACACS+ server. Here's where fun begins as of 2021. There are two TACACS+ servers currently available - they have the same name and temptingly similar but different configuration syntax:

Unfortunately, as of Ubuntu 20.04 the tacacs+ package is no longer available. Unless on Ubuntu 18.04 or FreeBSD, you'll need to install from source.

FreeBSD

$ sudo pkg install net/tacacs

Ubuntu 18.04 or older

$ sudo apt install tacacs+

From source

$ git clone https://github.com/facebook/tac_plus.git
$ cd tac_plus
$ ./configure
$ make
$ sudo make install

pamtester

I recommend PAM testing utility pamtester:

apt install pamtester

PAM configuration

Create /etc/pam.d/test with the following contents:

#%PAM-1.0
auth       required /usr/local/lib/security/pam_tacplus.so server=127.0.0.1 secret=testkey123
account	   required /usr/local/lib/security/pam_tacplus.so server=127.0.0.1 secret=testkey123 service=ppp protocol=ip
session    required /usr/local/lib/security/pam_tacplus.so server=127.0.0.1 secret=testkey123 server=127.0.0.2 secret=testkey123 service=ppp protocol=ip

Ensure /etc/tacacs+/tac_plus.conf contains the following options (shrubbery syntax):

key = testkey123
user = testuser1 {
        global = cleartext "testpass123"
        service = ppp protocol = ip {
                addr=1.2.3.4
        }
}
user = testuser2 {
        global = cleartext "testpass123"
        service = ppp protocol = ip {
                addr=2.3.4.5
        }
}

As explained above, the service and protocol parameters could really be anything; they do however need to match whatever is set in the TACACS+ server configuration. The TACACS+ transport encryption key, on the other hand, must be the same on both the TACACS+ (key=) and PAM (secret=) sides.

Note the above example uses absolutely trivial "authentication database" in the form of statically configured usernames and plaintext passwords. TACACS+ servers can do much more than that in real life.

Next, ensure the TACACS+ server is not running system-wide (systemctl stop tacacs_plus.service) and run it as root in foreground in debugging mode:

# tac_plus -C tac_plus.conf -G -g -d 512
Reading config
Version F4.0.4.27a Initialized 1
tac_plus server F4.0.4.27a starting
socket FD 4 AF 2
socket FD 5 AF 10
uid=0 euid=0 gid=0 egid=0 s=911824672

In another terminal run the pamtester command:

# pamtester -v -I rhost=localhost test testuser1 authenticate acct_mgmt open_session close_session
pamtester: invoking pam_start(test, testuser1, ...)
pamtester: performing operation - authenticate
Password: (enter testpass123)
pamtester: successfully authenticated
pamtester: performing operation - open_session
pamtester: successfully opened a session
pamtester: performing operation - close_session
pamtester: session has successfully been closed.

System logs (journalctl -e) will show debugging output from the pam_tacplus module:

Oct 04 18:24:05 sweet-jaguarundi PAM-tacplus[4530]: 2 servers defined
Oct 04 18:24:05 sweet-jaguarundi PAM-tacplus[4530]: server[0] { addr=127.0.0.1:49, key='testke
Oct 04 18:24:05 sweet-jaguarundi PAM-tacplus[4530]: server[1] { addr=127.0.0.2:49, key='testke
Oct 04 18:24:05 sweet-jaguarundi PAM-tacplus[4530]: tac_service='ppp'
Oct 04 18:24:05 sweet-jaguarundi PAM-tacplus[4530]: tac_protocol='ip'
Oct 04 18:24:05 sweet-jaguarundi PAM-tacplus[4530]: tac_prompt=''
Oct 04 18:24:05 sweet-jaguarundi PAM-tacplus[4530]: tac_login=''
Oct 04 18:24:05 sweet-jaguarundi pamtester[4530]: _pam_account: [stop] called (pam_tacplus v1.
Oct 04 18:24:05 sweet-jaguarundi pamtester[4530]: _pam_account: tac_srv_no=2
Oct 04 18:24:05 sweet-jaguarundi pamtester[4530]: _pam_account: username [testuser2] obtained
Oct 04 18:24:05 sweet-jaguarundi pamtester[4530]: _pam_account: tty [pts/0] obtained
Oct 04 18:24:05 sweet-jaguarundi pamtester[4530]: _pam_account: rhost [localhost] obtained
Oct 04 18:24:05 sweet-jaguarundi tac_plus[4526]: connect from 127.0.0.1 [127.0.0.1]
Oct 04 18:24:05 sweet-jaguarundi pamtester[4530]: _pam_account: connected with fd=4 (srv 0)
Oct 04 18:24:05 sweet-jaguarundi pamtester[4530]: _pam_account: [stop] for [testuser2] sent

TACACS+ server confirms successful authentication:

connect from 127.0.0.1 [127.0.0.1]
pap-login query for 'testuser1' port pts/0 from 127.0.0.1 accepted

This confirms correct operations of the core functions of TACACS+ — authentication and accounting.

Now, if you change the secret set in /etc/pam.d/test to say testkey999, you will get the following errors from pam_tacplus module:

Oct 04 18:31:48 sweet-jaguarundi tac_plus[4526]: Error 127.0.0.1 pts/0: Invalid AUTHEN/START packet (check keys)
Oct 04 18:31:48 sweet-jaguarundi pamtester[4896]: tac_authen_read: inconsistent reply body, incorrect key?

And accordingly from tac_plus server:

connect from 127.0.0.1 [127.0.0.1]
127.0.0.1 pts/0: Invalid AUTHEN/START packet (check keys)

Note that the semantics of these operations are outside the scope of this quick guide and are very much service dependent.
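The "inconsistent reply body, incorrect key?" error above follows directly from how TACACS+ protects packets: the body is XORed with an MD5-derived keystream (RFC 8907 section 4.5) and carries no integrity tag, so a wrong key is not rejected as such but only noticed when the de-obfuscated body fails a sanity check. The code below is an added example, not libtac or tac_plus code: it builds an authentication START packet for PAP with a constructed session id, de-obfuscates it with the right and the wrong key, and applies the same kind of length consistency check that produces the error message. Packet-type, action and authen-type constants follow RFC 8907; the user, port and password strings are constructed.

```python
"""Constructed example: TACACS+ header and body obfuscation (RFC 8907 section 4.5)."""
import hashlib
import struct

HEADER_FMT = "!BBBBII"                    # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes
TAC_PLUS_AUTHEN = 0x01                    # packet type
TAC_PLUS_UNENCRYPTED_FLAG = 0x01          # header flag: body is sent in the clear
TAC_PLUS_AUTHEN_LOGIN = 0x01              # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_PPP = 0x03
VERSION_PAP = 0xC1                        # major 0xc, minor 1 (minor 1 is used for PAP/CHAP)
VALID_ACTIONS = {0x01, 0x02, 0x04}        # LOGIN, CHPASS, SENDAUTH
VALID_AUTHEN_TYPES = {0x01, 0x02, 0x03, 0x05, 0x06}  # ASCII, PAP, CHAP, MSCHAP, MSCHAPV2


def tac_pad(session_id, key, version, seq_no, length):
    """Keystream: MD5(session_id | key | version | seq_no), then chained with the previous digest."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate (XOR is its own inverse); nothing here authenticates the body."""
    pad = tac_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port, rem_addr, password, priv_lvl=1):
    """Authentication START for PAP: 8 fixed bytes, then user, port, rem_addr and data (the password)."""
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                       TAC_PLUS_AUTHEN_SVC_PPP, len(user), len(port), len(rem_addr), len(password))
    body += user + port + rem_addr + password
    header = struct.pack(HEADER_FMT, VERSION_PAP, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, VERSION_PAP, 1)


def parse_authen_start(packet, key):
    """De-obfuscate with `key` and reject bodies whose length fields do not add up."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN or length != len(packet) - HEADER_LEN:
        raise ValueError("bad header")
    body = packet[HEADER_LEN:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if (8 + ulen + plen + rlen + dlen != len(body) or action not in VALID_ACTIONS
            or authen_type not in VALID_AUTHEN_TYPES):
        raise ValueError("inconsistent body, incorrect key?")
    fields, off = {"priv_lvl": priv_lvl, "authen_type": authen_type, "service": service}, 8
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen), ("data", dlen)):
        fields[name] = body[off:off + n]
        off += n
    return fields


def key_mismatch_detected(packet, key):
    """True when the sanity check fires, i.e. what pam_tacplus reports as an incorrect key."""
    try:
        parse_authen_start(packet, key)
    except ValueError:
        return True
    return False


# Constructed packet: session id and strings are made up, the key matches the quick-start config
PACKET = build_authen_start(0x1A2B3C4D, b"testkey123", b"testuser1", b"pts/0", b"localhost", b"testpass123")
```

The keystream depends only on header fields and the shared key, which is why the README warns against using the protocol over untrusted networks: a wrong key turns the body into noise without any authenticated failure, and a passive observer sees every header field the pad is derived from.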

More on server lists:

  1. Having more than one TACACS+ server defined for a given management group has the following effects on authentication:

    • if the first server on the list is unreachable or failing pam_tacplus will try to authenticate the user against the other servers until it succeeds

    • the first_hit option has been deprecated

    • when the authentication function gets a positive reply from a server, it saves its address for future use by account management function (see below)

  2. The account management (authorization) function asks only one TACACS+ server and ignores the whole server list passed from the command line. It uses the server saved by the authentication function after successfully authenticating the user on that server. We assume that the server is authoritative for queries about that user.

  3. The session management (accounting) functions obtain their server lists independently from the other functions. This allows you to account user sessions on different servers than those used for authentication and authorization.

    • normally, without the acct_all modifier, the extra servers on the list are considered backup servers, much like in point 1, i.e. they are used only if the first server on the list fails to accept our accounting packets.

    • with acct_all, pam_tacplus will try to deliver the accounting packets to all servers on the list; failure of one of the servers will make it try the next one. This is useful when you have several accounting, billing or logging hosts and want the accounting information to appear on all of them at the same time.

Short introduction to PAM via TACACS+:

This diagram shows the general idea of how the whole process works:

(diagram: TACACS+ and PAM interaction)

Consider a login application:

  1. Login accepts username and password from the user.
  2. Login calls PAM function pam_authenticate() to verify if the supplied username/password pair is valid.
  3. PAM loads pam_tacplus module (as defined in /etc/pam.d/login) and calls pam_sm_authenticate() function supplied by this module.
  4. This function sends an authentication request packet to the TACACS+ server. The packet contains the username and password to verify. The TACACS+ server replies with either a positive or a negative response. If the response is negative, the failure is escalated back to the login program, and no further action is taken.
  5. If authentication is successful, PAM calls another function from pam_tacplus, pam_sm_acct_mgmt(). This function is expected to verify whether the user is allowed to get the service they are requesting (in this case: a Unix shell). The function again verifies the permission on the TACACS+ server.
  6. Before the user gets the shell, PAM calls one more function from pam_tacplus, pam_sm_open_session(). This results in sending an accounting START packet to the server. Among other things it contains the terminal the user logged in on and the time the session started.
  7. When user logs out, pam_sm_close_session() sends STOP packet to the server. The whole session is closed.
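The server-list rules (points 1 to 3 above) and the login flow (steps 1 to 7) are easiest to reason about as one small state machine. The model below is an added example, not pam_tacplus code: stub servers replace the network, the authenticate step walks the list until one server accepts and remembers it, the account-management step asks only that remembered server, and the session steps deliver START/STOP either to the first reachable server or, with acct_all, to all of them. The priv-lvl threshold in acct_mgmt, the PAM status strings and the server fixtures are constructed for illustration; real pam_tacplus return codes are not reproduced here.

```python
"""Constructed model of pam_tacplus server-list behaviour; stub servers, no network."""
from dataclasses import dataclass, field


@dataclass
class StubServer:
    """Stand-in for one TACACS+ server entry (constructed, not libtac)."""
    addr: str
    reachable: bool = True
    passwords: dict = field(default_factory=dict)   # user -> cleartext password
    priv_lvl: dict = field(default_factory=dict)    # user -> priv-lvl returned on authorization
    acct_log: list = field(default_factory=list)    # accounting records this server received

    def _check_up(self):
        if not self.reachable:
            raise ConnectionError(f"{self.addr}: unreachable")

    def authen(self, user, password):
        self._check_up()
        return self.passwords.get(user) == password

    def author(self, user):
        self._check_up()
        return self.priv_lvl.get(user)              # None means "not authorized"

    def acct(self, record):
        self._check_up()
        self.acct_log.append(record)


class PamTacplusModel:
    def __init__(self):
        self.active_server = None   # saved by authenticate(), reused by acct_mgmt()

    def authenticate(self, servers, user, password):
        """Walk the list; unreachable or rejecting servers fall through to the next one."""
        for srv in servers:
            try:
                if srv.authen(user, password):
                    self.active_server = srv
                    return "PAM_SUCCESS"
            except ConnectionError:
                continue
        return "PAM_AUTH_ERR"

    def acct_mgmt(self, user, required_priv=1):
        """Authorization asks only the server that authenticated the user; the list is ignored."""
        if self.active_server is None:
            return "PAM_AUTH_ERR"
        try:
            lvl = self.active_server.author(user)
        except ConnectionError:
            return "PAM_AUTH_ERR"
        if lvl is None or lvl < required_priv:
            return "PAM_PERM_DENIED"
        return "PAM_SUCCESS"

    @staticmethod
    def session_acct(servers, record, acct_all=False):
        """Return the addresses that received the record: the first reachable one, or all with acct_all."""
        delivered = []
        for srv in servers:
            try:
                srv.acct(record)
            except ConnectionError:
                continue           # failed server: try the next one on the list
            delivered.append(srv.addr)
            if not acct_all:
                break              # extra servers are backups only
        return delivered


def login_flow(auth_servers, acct_servers, user, password, acct_all=False):
    """The PAM calls a login program makes, in order, stopping at the first failure."""
    pam = PamTacplusModel()
    steps = [("authenticate", pam.authenticate(auth_servers, user, password))]
    if steps[-1][1] == "PAM_SUCCESS":
        steps.append(("acct_mgmt", pam.acct_mgmt(user)))
    if steps[-1][1] == "PAM_SUCCESS":
        for name, op in (("open_session", "START"), ("close_session", "STOP")):
            delivered = pam.session_acct(acct_servers, (op, user), acct_all)
            steps.append((name, "PAM_SUCCESS" if delivered else "PAM_SESSION_ERR"))
    return steps


# Constructed fixtures: an unreachable primary, a backup that knows two users, a pure logging host
PRIMARY = StubServer("127.0.0.1:49", reachable=False)
BACKUP = StubServer("127.0.0.2:49",
                    passwords={"testuser1": "testpass123", "testuser2": "testpass123"},
                    priv_lvl={"testuser1": 15, "testuser2": 5})
LOGGER = StubServer("127.0.0.3:49")
```

Note that the accounting server list is independent of the authentication list, so a logging-only host can collect START/STOP records without ever being asked to authenticate anyone.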

TACACS+ client program

The library comes with a simple TACACS+ client program tacc which can be used for testing as well as simple scripting. Sample usage:

tacc --authenticate --authorize --account --username user1 \
    --password pass1 --server localhost --remote 1.1.1.1 --tty ttyS0 \
    --secret enckey1 --service ppp --protocol ip --login pap

This configuration runs a full AAA round (authentication, authorization and accounting). The server and secret options specify the server connection parameters, and all remaining options supply data specific to the TACACS+ protocol. The tac_plus daemon (found in the tacacs+ package in Debian and Ubuntu) can be used for testing with the following example configuration:

key = enckey1
user = user1 {
    global = cleartext "pass1"
    service = ppp protocol = ip {
            addr=8.8.8.8
    }
}

For debugging, run the tac_plus server with the following options; -d 512 debugs encryption, for other values see man 8 tac_plus:

tac_plus -C /etc/tacacs+/tac_plus.conf -G -g -d 512

Limitations:

  • only a subset of the TACACS+ protocol is supported; it's enough for most needs, though
  • tacc does not support password prompts and other interactive protocol features


pam_tacplus's Issues

ssh allowing login when tacacs exits with status 7, [PAM_PERM_DENIED]

I've tried many configurations of /etc/pam.d/sshd but can't quite get it to work properly. The current configuration is:

#%PAM-1.0
auth       include      tacacs
#auth       include      radius
auth       required     pam_sepermit.so
auth       include     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
#-auth      optional     pam_reauthorize.so prepare
account    include      tacacs
#account    include      radius
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
#session    include      tacacs
#session    include      radius
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

However, this is allowing any tacacs user to log in as long as they provide the correct password. Here is the debug trace. The required level is level 10 so an admin can log in. However, in this example the tacacsOperator is only level 5, and this is correctly returned by the Tacacs server, but ssh does not seem to respect the return code from pam_sm_acct_mgmt: exiting with status 7 and allows the login.

Mar 21 17:28:02 zr6 PAM-tacplus[12021]: 1 servers defined
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: server[0] { addr=10.254.1.117:49, key='andy' }
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_service=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_protocol=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_prompt=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_login=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_command=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_priv_level='15'
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_authenticate: called (pam_tacplus v1.3.8)
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_authenticate: user [tacacsOperator] obtained
Mar 21 17:28:02 zr6 sshd[12021]: tacacs_get_password: called
Mar 21 17:28:02 zr6 sshd[12021]: tacacs_get_password; in final else
Mar 21 17:28:02 zr6 sshd[12021]: tacacs_get_password; msg.msg: Password:
Mar 21 17:28:02 zr6 sshd[12021]: tacacs_get_password; resp not equal null
Mar 21 17:28:02 zr6 sshd[12021]: tacacs_get_password: obtained password pass5
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_authenticate: password obtained
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_authenticate: tty [ssh] obtained
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_authenticate: rhost [tron.tavve.com] obtained
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_authenticate: trying srv 0
Mar 21 17:28:02 zr6 sshd[12021]: tacacs status: TAC_PLUS_AUTHEN_STATUS_PASS
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_authenticate: active srv 0
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_authenticate: exit with pam status: 0
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: 1 servers defined
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: server[0] { addr=10.254.1.117:49, key='andy' }
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_service='zoneranger'
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_protocol=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_prompt=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_login=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_command=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_priv_level='10'
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: called (pam_tacplus v1.3.8)
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: username obtained [tacacsOperator]
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: tty obtained [ssh]
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: rhost obtained [tron.tavve.com]
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: active server is [10.254.1.117:49]
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: SM: TACACS+ protocol type not configured (IGNORED)
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: SM: TACACS+ command type not configured (IGNORED)
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: sent authorization request
Mar 21 17:28:02 zr6 sshd[12021]: Args cnt 1
Mar 21 17:28:02 zr6 sshd[12021]: Adding buf/value pair (priv-lvl,5)
**Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: user [tacacsOperator] successfully authorized
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: attribute priv-lvl value =5
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: priv-level was 5 but needs to be at least 10
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: returned attribute `PRIV_LVL=5' from server
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_acct_mgmt: exiting with status 7**
Mar 21 17:28:02 zr6 sshd[12021]: Accepted password for tacacsOperator from 10.254.1.180 port 41730 ssh2
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: 1 servers defined
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: server[0] { addr=10.254.1.117:49, key='andy' }
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_service=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_protocol=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_prompt=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_login=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_command=''
Mar 21 17:28:02 zr6 PAM-tacplus[12021]: tac_priv_level='15'
Mar 21 17:28:02 zr6 sshd[12021]: pam_sm_setcred: called (pam_tacplus v1.3.8)
Mar 21 17:28:02 zr6 systemd: Created slice user-511.slice.
Mar 21 17:28:02 zr6 systemd: Starting user-511.slice.
Mar 21 17:28:02 zr6 systemd-logind: New session 28 of user tv_config.
Mar 21 17:28:02 zr6 systemd: Started Session 28 of user tv_config.
Mar 21 17:28:02 zr6 systemd: Starting Session 28 of user tv_config.
Mar 21 17:28:02 zr6 sshd[12021]: pam_unix(sshd:session): session opened for user tacacsOperator by (uid=0)
Mar 21 17:28:02 zr6 PAM-tacplus[12023]: 1 servers defined
Mar 21 17:28:02 zr6 PAM-tacplus[12023]: server[0] { addr=10.254.1.117:49, key='andy' }
Mar 21 17:28:02 zr6 PAM-tacplus[12023]: tac_service=''
Mar 21 17:28:02 zr6 PAM-tacplus[12023]: tac_protocol=''
Mar 21 17:28:02 zr6 PAM-tacplus[12023]: tac_prompt=''
Mar 21 17:28:02 zr6 PAM-tacplus[12023]: tac_login=''
Mar 21 17:28:02 zr6 PAM-tacplus[12023]: tac_command=''
Mar 21 17:28:02 zr6 PAM-tacplus[12023]: tac_priv_level='15'
Mar 21 17:28:02 zr6 sshd[12023]: pam_sm_setcred: called (pam_tacplus v1.3.8)

Any pointers with this issue are greatly appreciated.

Thank you.

pam_tacplus-1.3.9 - install issues

Hi

Platform - pam_tacplus.1.3.9 - redhat 6.4 - VM

I can't seem to get a version of "configure" into the installation media.
I've tried autoreconf -i
running the auto.sh
Nothing seems to work

Can you kindly let me know where I'm going wrong?

Martin
HP Erskine - UK

clang (Apple llvm-gcc)

I get:

./auto.sh
./configure
make
...
support.c:115:11: error: explicitly assigning value of variable of type 'int' to itself [-Werror,-Wself-assign]
    flags = flags;                              /* unused */
    ~~~~~ ^ ~~~~~
1 error generated.
make[1]: *** [pam_tacplus_la-support.lo] Error 1
make[1]: *** Waiting for unfinished jobs....
pam_tacplus.c:512:7: error: explicitly assigning value of variable of type 'pam_handle_t *' (aka 'struct pam_handle *') to itself [-Werror,-Wself-assign]
        pamh = pamh;
        ~~~~ ^ ~~~~
pam_tacplus.c:513:8: error: explicitly assigning value of variable of type 'int' to itself [-Werror,-Wself-assign]
        flags = flags;                          /* unused */
        ~~~~~ ^ ~~~~~
pam_tacplus.c:538:8: error: explicitly assigning value of variable of type 'int' to itself [-Werror,-Wself-assign]
        flags = flags;                          /* unused */
        ~~~~~ ^ ~~~~~
pam_tacplus.c:707:8: error: explicitly assigning value of variable of type 'int' to itself [-Werror,-Wself-assign]
        flags = flags;                          /* unused */
        ~~~~~ ^ ~~~~~
pam_tacplus.c:720:8: error: explicitly assigning value of variable of type 'int' to itself [-Werror,-Wself-assign]
        flags = flags;                          /* unused */
        ~~~~~ ^ ~~~~~
5 errors generated.
make[1]: *** [pam_tacplus_la-pam_tacplus.lo] Error 1
make: *** [all] Error 2
gcc --version
Configured with: --prefix=/Applications/Xcode.app/Contents/Developer/usr --with-gxx-include-dir=/usr/include/c++/4.2.1
Apple LLVM version 8.0.0 (clang-800.0.38)
Target: x86_64-apple-darwin15.6.0
Thread model: posix
InstalledDir: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin
llvm-gcc --version
Apple LLVM version 8.0.0 (clang-800.0.38)
Target: x86_64-apple-darwin15.6.0
Thread model: posix
InstalledDir: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin

I've tried the following, to no avail:

export CCACHE_CPP2=yes
export run_second_cpp=true

pam_tacplus not working - logs error "PAM unable to dlopen & PAM adding faulty module - cannot open shared object file" tacc does not build and "-ldcrypto -ldtacc" not in "dependency_libs=" in files "libtac.la & pam_tacplus.la" on clean OS installs: Debian 5-8

I have configured /etc/pam.d/sshd with this at the top:

auth include tacacs

I have configured /etc/pam.d/tacacs with this:

#%PAM-1.0
    auth       sufficient   /usr/local/lib/security/pam_tacplus.so debug server=xxx secret=xxx server=xxx secret=xxx
    account    sufficient   /usr/local/lib/security/pam_tacplus.so debug server=xxx secret=xxx server=xxx secret=xxx service=shell protocol=ssh
    session    sufficient   /usr/local/lib/security/pam_tacplus.so debug server=xxx secret=xxx server=xxxx secret=xxx service=shell protocol=ssh

It never even tries to talk to the server - I run a tcpdump.

This is what I see in /var/log/auth.log - it fails to try to even talk to the tacacs server and the acs server never receives tcp traffic from linux. Notably I have another server with exactly the same identical working configuration - it happens to be that no other fresh installed debian 8.8 server works - only got lucky with server #1.

sshd[6459]: PAM unable to dlopen(/usr/local/lib/security/pam_tacplus.so): libtac.so.2: cannot open shared object file: No such file or directory
sshd[6459]: PAM adding faulty module: /usr/local/lib/security/pam_tacplus.so
sshd[6459]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=

About the session_id

The session_id of the authentication and authorization is inconsistent, the tacplus server cannot identify a session that belongs to a session of SSH.
BTW, the accounting request cannot be sent out when executing a command in the shell.

tacc not found

Seems that tacc is not compiled.
Could not find the program after installing pam_tacplus.

magic.c should not close random file fd.

In magic.c (the file that generates random numbers), the first time the function magic() is called, magic is initialized. Upon initialization, magic_inited is set (a global static), and rfd (the file descriptor for urandom) is also set.

Then, in the main magic() function, a random number is read from rfd, followed immediately by a close() of rfd.

[...]
magic_init();

if(rfd > -1) {
    u_int32_t ret;
    int nb_read = read(rfd, &ret, sizeof(ret));
    close(rfd);

[...]

This causes errors on subsequent calls. In my case it caused the side effect of hanging the library, because that file descriptor is re-assigned to the TACACS network socket (accounting hang). Accounting tries to get another random number, and hangs reading the network socket instead of urandom.

rfd must not be closed. It is a one-time statically initialized variable.

This bug was just lately introduced (Nov 26, 2014).

Regards,
Eric

Issue with the supplied md5.h on Sol10 x86 + gcc 4.9.2

Compilation is blowing up spectacularly, on a Solaris 10 x86 box w/CSW tooling installed.

I wouldn't even begin to know where to go with this:

libtool: compile: gcc -DHAVE_CONFIG_H -I. -fstack-protector-all -Wl,-z,relro -Wl,-z,now -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -I ./libtac/include -g -O2 -MT libtac/lib/libtac_la-authen_s.lo -MD -MP -MF libtac/lib/.deps/libtac_la-authen_s.Tpo -c libtac/lib/authen_s.c -fPIC -DPIC -o libtac/lib/.libs/libtac_la-authen_s.o
In file included from libtac/lib/authen_s.c:35:0:
libtac/lib/md5.h:37:17: error: expected declaration specifiers or '...' before '(' token
void MD5Init __P((MD5_CTX *));
^
libtac/lib/md5.h:38:19: error: expected declaration specifiers or '...' before '(' token
void MD5Update __P((MD5_CTX *, unsigned char *, UINT4));
^
libtac/lib/md5.h:39:18: error: expected declaration specifiers or '...' before '(' token
void MD5Final __P((unsigned char [], MD5_CTX *));
^
libtac/lib/authen_s.c: In function 'tac_authen_send':
libtac/lib/authen_s.c:152:2: warning: incompatible implicit declaration of built-in function 'bcopy'
bcopy(&tb, pkt + pkt_len, sizeof(tb)); /* packet body beginning */
^
*** Error code 1
make: Fatal error: Command failed for target `libtac/lib/libtac_la-authen_s.lo'
Current working directory /export/home/gmelanso/pam_tacplus-master
*** Error code 1
make: Fatal error: Command failed for target `all'

.. thoughts?

Invalid free in pm_sm_acct_mgmt

I observed a crash in pam_sm_acct_mgmt API. This is easy to reproduce where authentication request reaches TACACS+ server but authorization request fails. The code tries to free arep.msg and that's when pam_tacplus and SSHD core

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `sshd: junk [priv]   '.
Program terminated with signal SIGABRT, Aborted.
#0  0x00007f0ead699c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007f0ead699c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f0ead69d028 in __GI_abort () at abort.c:89
#2  0x00007f0ead6d62a4 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7f0ead7e8310 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007f0ead6e282e in malloc_printerr (ptr=<optimized out>, str=0x7f0ead7e445e "free(): invalid pointer", action=1) at malloc.c:4998
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3842
#5  0x00007f0eab95d77b in pam_sm_acct_mgmt () from /lib/security/pam_tacplus.so
#6  0x00007f0eaf1e1dff in ?? () from /lib/x86_64-linux-gnu/libpam.so.0
#7  0x00007f0eaf1e15dc in pam_acct_mgmt () from /lib/x86_64-linux-gnu/libpam.so.0
#8  0x00007f0eafa740fe in ?? ()
#9  0x00007f0eafa69b54 in ?? ()
#10 0x00007f0eafa6b78d in ?? ()
#11 0x00007f0eafa4fe03 in ?? ()
#12 0x00007f0ead684f45 in __libc_start_main (main=0x7f0eafa4dbf0, argc=3, argv=0x7fff63c603a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff63c60398)
    at libc-start.c:287
#13 0x00007f0eafa509bd in ?? ()

Here is the diff which should fix the crash. No need to free msg before we have read TACACS+ response

diff --git a/pam_tacplus.c b/pam_tacplus.c
index 19e2aca..4962a76 100644
--- a/pam_tacplus.c
+++ b/pam_tacplus.c
@@ -52,6 +52,7 @@ static tacplus_server_t active_server;
 struct addrinfo active_addrinfo;
 struct sockaddr active_sockaddr;
 char active_key[TAC_SECRET_MAX_LEN+1];
+int tac_encryption;
 
 /* accounting task identifier */
 static short int task_id = 0;
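Review bot: the new global `int tac_encryption;` is unrelated to the free() crash this patch is about and is not referenced by either of the other two hunks, so it belongs in a separate change with its own explanation. If libtac already defines `tac_encryption` (its public header declares it), a second non-static definition in pam_tacplus.c is a duplicate symbol that only links under the legacy common-symbol rules; declare it `extern int tac_encryption;` or drop it.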
@@ -611,8 +612,6 @@ int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc,
                        tac_timeout);
        if (tac_fd < 0) {
                _pam_log(LOG_ERR, "TACACS+ server unavailable");
-               if (arep.msg != NULL)
-                       free(arep.msg);
                return PAM_AUTH_ERR;
        }
 
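Review bot: removing the `free(arep.msg)` on the server-unavailable path is only safe if `arep.msg` is guaranteed to be NULL at this point, and the hunk does not show how `arep` is initialised before the connect call. The "free(): invalid pointer" abort in the backtrace is what an uninitialised struct on the stack produces, so the root fix is to zero it at its declaration, e.g. `struct areply arep = {0};` or a `memset(&arep, 0, sizeof(arep));` before the server loop, and to keep a free only where the reply has actually been read. Separately, returning `PAM_AUTH_ERR` for "TACACS+ server unavailable" conflates an outage with a rejection; `PAM_AUTHINFO_UNAVAIL` lets the PAM stack and the operator tell them apart.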
@@ -622,9 +621,6 @@ int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc,
 
        if (retval < 0) {
                _pam_log(LOG_ERR, "error getting authorization");
-               if (arep.msg != NULL)
-                       free(arep.msg);
-
                close(tac_fd);
                active_server.addr = NULL;
                return PAM_AUTH_ERR;
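Review bot: in this hunk `retval < 0` is the outcome of reading the authorization reply, so `arep.msg` may already have been allocated by the read before it returned the error; dropping the free here leaks that buffer unless the library guarantees `arep.msg` stays NULL on every negative return. Confirm that contract; if it does not hold, keep the free and make zero-initialising `arep` the fix for the invalid pointer. Also note that this error path resets only `active_server.addr = NULL`, while `active_addrinfo`, `active_sockaddr` and `active_key` from the first hunk's context keep their values from the previous authentication, which leaves the saved server state half cleared.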

debian wheezy 64-bit pam_tacplus segfault

pam_tacplus segfaults on debian wheezy 64-bits:

Mar 21 14:34:04 n1 kernel: [84334.929579] sudo[9336]: segfault at 0 ip 00007f80b57c35cb sp 00007fff7f12dfc0 error 4 in pam_tacplus.so[7f80b57bd000+a000]

This is pam_tacplus 1.3.6
I also built 1.3.8 on this system, and it segfaults as well:

Mar 21 15:20:38 n1 kernel: [87123.676143] sudo[10129]: segfault at 0 ip 00007fbf7f54868b sp 00007fff125c2a80 error 4 in pam_tacplus.so[7fbf7f542000+a000]

Autotools issue on CentOS 6.5

I've seriously tried to figure this out and am having no luck. I've got an autotools issue against HEAD on CentOS 6.5.

Here's what I see when I run configure:

$ ./configure 
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for gcc... gcc

... snip ...

checking whether time.h and sys/time.h may both be included... yes
./configure: line 12103: syntax error near unexpected token `AX_CHECK_COMPILE_FLAG'
./configure: line 12103: `AX_CHECK_COMPILE_FLAG("-fstack-protector-all", AX_APPEND_FLAG(["-fstack-protector-all"],[CFLAGS]), )'

I've tried a variety of things to get past this -- mostly just moving around the m4 files and such, but nothing seems to work. Would really appreciate if anybody with more autotools-fu could help figure this out. AFAICT this is related to commit 33e9072. I'm going to go back to its parent just to make sure.

Thanks.

modifying /etc/pam.d files is evil

Installing the debian package will modify the files:

common-account
common-auth
common-auth.saved
common-password
common-session
common-session-noninteractive

It will add a line to each file like:

auth sufficient pam_tacplus.so

This is crazy because no server is configured. More importantly, it completely breaks the system -- no users can log in anymore!! This happens because of the config in /etc/pam.d/common-session:

session sufficient        pam_tacplus.so
session requisite         pam_deny.so

But since there is no server configured, pam_tacplus will fail. Consequently pam_deny will be hit. No user can login any more, not even root, not even on a console.

Proposed fix: The debian package scripts should leave the pam.d/ files untouched or it should insert a commented line. It should also report to the user that pam_tacplus needs more configuration by hand.
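As an added illustration of the lockout mechanics in this report (example configuration, not the package's own pam-configs profile and not a copy of any file on this page; the server address and secret are placeholders), the stack that locks everyone out next to one that falls back to local accounts:

```conf
# BROKEN (what the report describes): a failing 'sufficient' entry is simply
# ignored, control falls through to pam_deny, and no session can be opened.
session sufficient        pam_tacplus.so
session requisite         pam_deny.so

# SAFER: keep the local module between the TACACS+ entry and any deny.
# 'optional' means a TACACS+ failure neither satisfies nor fails the stack;
# pam_unix then handles local users exactly as before the package was installed.
session optional          pam_tacplus.so server=192.0.2.10 secret=CHANGEME
session required          pam_unix.so

# Same shape for auth and account: TACACS+ first, local fallback second.
auth    sufficient        pam_tacplus.so server=192.0.2.10 secret=CHANGEME
auth    required          pam_unix.so
account sufficient        pam_tacplus.so server=192.0.2.10 secret=CHANGEME service=ppp protocol=lcp
account required          pam_unix.so
```

Two practical notes: on Debian the supported way to add a module to the `common-*` files is a profile under `/usr/share/pam-configs` applied by `pam-auth-update`, which inserts the line in the right position relative to `pam_unix` instead of prepending it blindly; and because `/etc/pam.d` files are normally world-readable, a `secret=` placed there is visible to every local user, which is one more reason the packaging should not write a live configuration for the administrator.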

debian/rules binary fails with error

Do a clean "git clone" and try to build a package:

~/sw/pam_tacplus $ fakeroot debian/rules binary
dh  binary
   dh_testdir
   debian/rules override_dh_auto_configure
make[1]: Entering directory `/home/walter/sw/pam_tacplus'
dh_auto_configure -- --libdir=/lib --docdir=/usr/share/doc/libpam-tacplus
make[1]: Leaving directory `/home/walter/sw/pam_tacplus'
   dh_auto_build
   dh_auto_test
   dh_testroot
   dh_prep
   dh_installdirs
   dh_auto_install
   debian/rules override_dh_install
make[1]: Entering directory `/home/walter/sw/pam_tacplus'
mkdir debian/libpam-tacplus/usr/share/pam-configs
mkdir: cannot create directory `debian/libpam-tacplus/usr/share/pam-configs': No such file or directory
make[1]: *** [override_dh_install] Error 1
make[1]: Leaving directory `/home/walter/sw/pam_tacplus'
make: *** [binary] Error 2

Note that you will succeed in building the package after doing the libtoolize,aclocal,autoconf,autoheader,automake,configure dance. But debian/rules was supposed to make that easy.

Add attributes not working in tac_author_read()

I'm looking at this code:

int tac_author_read(int fd, struct areply *re) {
    ...

    bzero(re, sizeof(struct areply));

followed by:

    /* prepare status */
    switch(tb->status) {
        /* success conditions */
        /* XXX support optional vs mandatory arguments */
        case TAC_PLUS_AUTHOR_STATUS_PASS_REPL:
            tac_free_attrib(&re->attr);

        case TAC_PLUS_AUTHOR_STATUS_PASS_ADD:
            {
                u_char *argp; 

                if(!re->msg) re->msg=xstrdup(author_ok_msg);
                    re->status=tb->status;

                /* add attributes received to attribute list returned to
                   the client */

and it strikes me that the comment rings false. We can't add new attributes to the list, because the list has been clobbered (along with the other members of *re).

For that matter, the tac_free_attrib() will always be a no-op because re->attr will be NULL.

The bzero() at the top of the function seems wrong. And if re->msg is an xstrdup()'d pointer, isn't this going to cause a leak?

pam tacacs fallback not working

Hello, I try to use pam_tacplus 1.3.6 to authenticate users that try to connect to a Linux server, using Cisco ACS as a TACACS+ server. The authentication works fine if the TACACS+ server is alive, but if all TACACS+ servers are dead I can't authenticate using my local account.

This is my sshd config:

auth sufficient pam_tacplus.so debug server=192.168.253.10 secret=natel221!
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account sufficient pam_tacplus.so debug service=ppp protocol=lcp
account include password-auth
password include password-auth

pam_selinux.so close should be the first session rule

session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_tacplus.so debug server=192.168.253.10 secret=natel221! service=ppp protocol=lcp

pam_selinux.so open should only be followed by sessions to be executed in the user context

session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth

Permission Denied for RHEL 7.1 client

Hello,

After installing the module in a RHEL 7.1 machine and applying the following configuration:

  1. Add in the /etc/pam.d/sshd the following line:
auth       include      tac_plus
  1. Creating file /etc/pam.d/tac_plus:
# %PAM-1.0
   
auth       sufficient   /usr/local/lib/security/pam_tacplus.so  debug server=mytacacs-server-ip  secret=my-secret
account    sufficient   /usr/local/lib/security/pam_tacplus.so  debug server=mytacacs-server-ip secret=my-secret  service=system protocol=ssl
session    sufficient   /usr/local/lib/security/pam_tacplus.so  debug server=mytacacs-server-ip secret=my-secret  service=system protocol=ssl

I get the following error message, when trying ssh user@mytacacs-server-ip :

Oct  7 10:36:44 localhost sshd[27315]: tac_connect_single: connection to mytacacs-server-ip:49 failed: Permission denied
Oct  7 10:36:44 localhost PAM-tacplus[27315]: connection failed srv 0: Permission denied
Oct  7 10:36:44 localhost PAM-tacplus[27315]: no more servers to connect

I stopped the clients (RHEL 7.1) firewall but the problem persists.
Moreover I have a working TACACS+ client (RHEL 6.6) with the same configuration and everything is fine. So probably the server is well configured.

Is there any compatibility problem with Redhat 7.1 ?
How can I further troubleshoot that issue ?

Thanks

tacacs library and headers as a development package

Since libtac.so is installed as a shared library, and I've been using it in some other tacacs projects, I'd like to switch from just copying the libtac directory to using libtac.so from pam_tacplus, and the same headers.

I think that would be best as a new libtacplus_devel package, but maybe it should be a pam_tacplus development package?

Has anybody done the work for this yet, or thought through the issues?

For now, I'm going to just hand-copy the 3 header files to /usr/include/tacplus, and I was thinking of that as the install location.

Thoughts?

This is all to support the project described below.

I've got a working libnss_tacplus library and audisp_tacplus plugin using libtac and it's header files.

I'm trying to get away from having all tacplus users in the local password file (or ldap, etc.).

I'm doing that by having a tacacs0 and tacacs15 local user (and 1-14 too, if you want them), and then mapping from the privilege level returned by the tacplus server to the local tacacs0...tacacs15 users, and keeping the mapping in a file similar to utmp (but simpler).

I'm using audit_setloginuid() to set a stable session id and audit userid that doesn't change across su, sudo, etc.

Transition to OpenSSL

Looking at the library code I think the time has come to finally get rid of this 90's code and transition to proper RAND_pseudo_bytes() from OpenSSL. We would also use their MD5 implementation instead of the bundled one. This would eventually end bugs related to archaic handling of /dev/urandom and properly handle all other situations related to entropy gathering. The code was originally written back in 90's when there was no /dev/urandom and this is why this is handled in such awkward way.

The code changes would be few (I did that already in the tacc project) and the main change would be in that the package would now depend on OpenSSL.

I just wanted to get opinions and comments before actually implementing that.

Incorrect status in tacc command line tool

    ret = tac_authen_read(tac_fd, &arep);
    if (ret == 0) {
        if (!quiet)
            printf("Authentication FAILED: %s\n", arep.msg);
        syslog(LOG_ERR, "authentication failed for %s: %s", user, arep.msg);
        exit(EXIT_FAIL);
    } 

tac_authen_read returns TAC_PLUS_AUTHEN_STATUS_PASS (0x01) in case of success not zero.

NSS integration for TACACS+

Hello-

I've got a module that provides integration into GLIBC's NSS layer for TACACS+ based on the 'libtac' from this project. The module provides a mechanism for operators to rely solely on TACACS+ and PAM functionality to provide shell-level access to end users.

The code is working and is deployed as part of a project I was working on, and I've been working to get clearance to fully open source the code. I could spin up a separate GitHub project for it, but would be just as happy to make this additional functionality a part of this project.

Would that be interesting to this community? It is currently maintained separately in our local VCS, but I could rework it to use the same build toolchain that is currently used by pam_tacplus, and send a pull request back to this project if that would be interesting.

I'd obviously be happy to provide more details about how it operates, as well.

Thanks,
Ben

ubuntu install problem

Hi
Problem when installing pam_tacplus-1.3.9 on Ubuntu 15.10.
Details of the error in the console output below.
Let me know if you need more info. I can supply config.log if you need it.
Thanks

autoreconf -i

root@apaccomms-consvr:/tmp/chris/pam_tacplus-1.3.9# autoreconf -i
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `config'.
libtoolize: copying file `config/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `config'.
libtoolize: copying file `config/libtool.m4'
libtoolize: copying file `config/ltoptions.m4'
libtoolize: copying file `config/ltsugar.m4'
libtoolize: copying file `config/ltversion.m4'
libtoolize: copying file `config/lt~obsolete.m4'
configure.ac:26: installing 'config/compile'
configure.ac:30: installing 'config/config.guess'
configure.ac:30: installing 'config/config.sub'
configure.ac:19: installing 'config/install-sh'
configure.ac:19: installing 'config/missing'
Makefile.am: installing 'config/depcomp'

./configure

root@apaccomms-consvr:/tmp/chris/pam_tacplus-1.3.9# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking whether ln -s works... yes
checking whether make sets $(MAKE)... (cached) yes
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /bin/sed
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for fgrep... /bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking the maximum length of command line arguments... 1572864
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for mt... mt
checking if mt is a manifest tool... no
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking for pam_start in -lpam... yes
checking for tac_connect in -ltac... no
checking for ANSI C header files... (cached) yes
checking arpa/inet.h usability... yes
checking arpa/inet.h presence... yes
checking for arpa/inet.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for strings.h... (cached) yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking syslog.h usability... yes
checking syslog.h presence... yes
checking for syslog.h... yes
checking for unistd.h... (cached) yes
checking for an ANSI C-conforming const... yes
checking for size_t... yes
checking whether time.h and sys/time.h may both be included... yes
checking CFLAGS for maximum warnings... -Wall
checking whether C compiler accepts "-fstack-protector-all"... yes
checking whether C compiler accepts "-Wl,-z,relro"... yes
checking whether C compiler accepts "-Wl,-z,now"... no
checking whether C compiler accepts "-fPIE"... no
checking whether C compiler accepts "-pie"... no
checking for stdlib.h... (cached) yes
checking for GNU libc compatible realloc... no
checking sys/select.h usability... no
checking sys/select.h presence... yes
configure: WARNING: sys/select.h: present but cannot be compiled
configure: WARNING: sys/select.h:     check for missing prerequisite headers?
configure: WARNING: sys/select.h: see the Autoconf documentation
configure: WARNING: sys/select.h:     section "Present But Cannot Be Compiled"
configure: WARNING: sys/select.h: proceeding with the compiler's result
configure: WARNING:     ## ------------------------------------- ##
configure: WARNING:     ## Report this to [email protected] ##
configure: WARNING:     ## ------------------------------------- ##
checking for sys/select.h... no
checking for sys/socket.h... (cached) yes
checking types of arguments for select... int,int *,struct timeval *
checking return type of signal handlers... void
checking for bzero... no
checking for gethostbyname... no
checking for gettimeofday... no
checking for inet_ntoa... no
checking for select... no
checking for socket... no
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating libtac.pc
config.status: creating pam_tacplus.spec
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands

make

root@apaccomms-consvr:/tmp/chris/pam_tacplus-1.3.9# make
make  all-am
make[1]: Entering directory '/tmp/chris/pam_tacplus-1.3.9'
/bin/bash ./libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.     -Ilibtac/include -g -O2 -Wall -fstack-protector-all -Wl -O3 -D_FORTIFY_SOURCE=2 -MT libtac/lib/libtac_la-acct_r.lo -MD -MP -MF libtac/lib/.deps/libtac_la-acct_r.Tpo -c -o libtac/lib/libtac_la-acct_r.lo `test -f 'libtac/lib/acct_r.c' || echo './'`libtac/lib/acct_r.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -Ilibtac/include -g -O2 -Wall -fstack-protector-all -Wl -O3 -D_FORTIFY_SOURCE=2 -MT libtac/lib/libtac_la-acct_r.lo -MD -MP -MF libtac/lib/.deps/libtac_la-acct_r.Tpo -c libtac/lib/acct_r.c  -fPIC -DPIC -o libtac/lib/.libs/libtac_la-acct_r.o
gcc: error: unrecognized command line option '-Wl'
Makefile:666: recipe for target 'libtac/lib/libtac_la-acct_r.lo' failed
make[1]: *** [libtac/lib/libtac_la-acct_r.lo] Error 1
make[1]: Leaving directory '/tmp/chris/pam_tacplus-1.3.9'
Makefile:437: recipe for target 'all' failed
make: *** [all] Error 2

Unable to build static binary of tacc

I'd like to create a static binary of tacc that would have all the shared libraries built into the binary. However, when I try to supply such arguments to ./configure, it's not generating a static binary for tacc.

./configure --enable-static  && make && sudo make install

or

./configure LDFLAGS="-static" && make && sudo make install

did not help.

Any pointers on how to get a static tacc binary?

Thanks!

Limiting user access in one time

Hello,

Can we limit SSH access to the server so that only one IP can be connected via SSH at a time, so that when other people try to connect they will be rejected or given a warning?
Many Thanks.

Best Regards,
David

SSL & TACACS+

Is there a working web server model (software) using SSL and using tacacs+ to authenticate users? What server (ie. Apache) and any specific info would be helpful.
Thanks,

Issues in connecting to IPv6 TacacsPlus server

Hi Team,

Just wanted to know if there are any open known issues in connecting to IPv6 TACACS+ servers.
I have observed issues in connecting to an IPv6 server.
Hence I added the below fix:
file: support.c
function: tac_copy_addr_info
code modified:
removed the below line:
memcpy (p_dst->ai_addr, p_src->ai_addr, sizeof(struct sockaddr));

added below checks:

  /* ipv6 check */
    if (p_dst->ai_family == AF_INET6) {
      memcpy (p_dst->ai_addr, p_src->ai_addr, sizeof(struct sockaddr_in6));
    } else {
       memcpy (p_dst->ai_addr, p_src->ai_addr, sizeof(struct sockaddr)); 
    }

With the above changes, authentication works correctly.
But accounting does not work.
Issue:
The IPv6 address copied into "active_server" seems to be getting junk characters in pam_sm_acct_mgmt.

For example, if we set the TACACS+ server address as 2001:DB8:0:1::9:
In the pam_sm_authenticate function, the code can get and connect to the active server;

but in pam_sm_acct_mgmt, the code fetches this address as "2001:db8:0:1:6970::9", hence connecting to the server does not work.
I am not sure how this extra "6970" got introduced into active_server.
Below is the error:
tac_connect_single: connection failed with 2001:db8:0:1:6970::9:49: Transport endpoint is not connected

Are there any known issues and fixes for this issue?

Thank You.
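The truncation behind the junk address in this report, shown as an added example (not libtac's `tac_copy_addr_info()`): `struct sockaddr` is 16 bytes, `struct sockaddr_in6` is 28, so a `memcpy` sized by the generic struct copies the family, port, flow label and only the first 8 bytes of a v6 address, leaving the rest as whatever the destination held. The example resolves a numeric literal with `getaddrinfo(AI_NUMERICHOST)` (no DNS, runs offline), copies it both ways, and formats the results; the `copy_addrinfo()` helper uses `ai_addrlen`, which is the generally correct size for any family.

```c
/* Added example, not the project's code: copying struct addrinfo with
 * ai_addrlen versus with sizeof(struct sockaddr). Build: cc -Wall copy_addr.c */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Deep copy of one addrinfo node using the real address length. 0 on success. */
int copy_addrinfo(const struct addrinfo *src, struct addrinfo *dst) {
    memset(dst, 0, sizeof *dst);
    dst->ai_flags = src->ai_flags;
    dst->ai_family = src->ai_family;
    dst->ai_socktype = src->ai_socktype;
    dst->ai_protocol = src->ai_protocol;
    dst->ai_addrlen = src->ai_addrlen;
    dst->ai_addr = malloc(src->ai_addrlen);
    if (dst->ai_addr == NULL) return -1;
    memcpy(dst->ai_addr, src->ai_addr, src->ai_addrlen);   /* 28 bytes for AF_INET6, 16 for AF_INET */
    dst->ai_next = NULL;                                    /* one node, not the whole chain */
    return 0;
}

/* Format only the address part of a sockaddr, for logging or comparison. */
int sockaddr_to_text(const struct sockaddr *sa, char *out, size_t outlen) {
    const void *addr;
    if (sa->sa_family == AF_INET6)
        addr = &((const struct sockaddr_in6 *)sa)->sin6_addr;
    else if (sa->sa_family == AF_INET)
        addr = &((const struct sockaddr_in *)sa)->sin_addr;
    else
        return -1;
    return inet_ntop(sa->sa_family, addr, out, outlen) ? 0 : -1;
}

/* Copies a numeric literal both ways. Returns -1 on error, otherwise a bitmask:
 * bit 0 set if the sizeof(struct sockaddr) copy still formats as `literal`,
 * bit 1 set if the ai_addrlen copy does. Optional buffers receive the text. */
int copy_check(const char *literal, char *truncated_out, char *correct_out) {
    struct addrinfo hints, *res, copy;
    struct sockaddr_storage short_copy;
    char truncated[INET6_ADDRSTRLEN], correct[INET6_ADDRSTRLEN];
    int result = 0;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;   /* literal only, no resolver */
    if (getaddrinfo(literal, "49", &hints, &res) != 0) return -1;

    memset(&short_copy, 0, sizeof short_copy);   /* zeroed so the loss is visible, not random */
    memcpy(&short_copy, res->ai_addr, sizeof(struct sockaddr));   /* the line the report removed */
    if (sockaddr_to_text((struct sockaddr *)&short_copy, truncated, sizeof truncated) != 0 ||
        copy_addrinfo(res, &copy) != 0) { freeaddrinfo(res); return -1; }
    if (sockaddr_to_text(copy.ai_addr, correct, sizeof correct) != 0) {
        free(copy.ai_addr); freeaddrinfo(res); return -1;
    }
    if (strcmp(truncated, literal) == 0) result |= 1;
    if (strcmp(correct, literal) == 0) result |= 2;
    if (truncated_out) strcpy(truncated_out, truncated);
    if (correct_out) strcpy(correct_out, correct);
    free(copy.ai_addr);
    freeaddrinfo(res);
    return result;
}

int main(void) {
    char a[INET6_ADDRSTRLEN], b[INET6_ADDRSTRLEN];
    if (copy_check("2001:db8:0:1::9", a, b) >= 0)
        printf("sizeof(struct sockaddr) copy: %s\nai_addrlen copy:              %s\n", a, b);
    return 0;
}
```

For an IPv4 literal both copies agree (a `sockaddr_in` is exactly 16 bytes), which is why the original code never showed the problem until an IPv6 server was configured. Note that `inet_ntop` lower-cases and compresses the address, so pass the literal in that canonical form when comparing strings.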

Can't login with root user after join tacacs

Hello,

After I joined PAM to TACACS+ and created a new user, which can log in with the credentials given by the TACACS+ server, I can't log in with the root user anymore.

Is there any compatibility problem with redhat 6.4 ?
How can I further troubleshoot this issue ?

Many Thanks
David

pam_tacplus does not build

The latest commit introduced a small error:
pam_tacplus.c: In function ‘pam_sm_chauthtok’:
pam_tacplus.c:754:18: error: too few arguments to function ‘tac_connect_single’
tac_fd = tac_connect_single(tac_srv[srv_i].addr, tac_srv[srv_i].key, NULL);
^
In file included from support.h:25:0,
from pam_tacplus.c:23:
./libtac/include/libtac.h:131:5: note: declared here
int tac_connect_single(struct addrinfo *, const char *, struct addrinfo *, int);

Easily fixed with:
--- a/pam_tacplus.c
+++ b/pam_tacplus.c
@@ -751,7 +751,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
if (ctrl & PAM_TAC_DEBUG)
syslog(LOG_DEBUG, "%s: trying srv %d", FUNCTION, srv_i );

  •    tac_fd = tac_connect_single(tac_srv[srv_i].addr, tac_srv[srv_i].key, NULL);
    
  •    tac_fd = tac_connect_single(tac_srv[srv_i].addr, tac_srv[srv_i].key, NULL, tac_timeout);
     if (tac_fd < 0) {
         _pam_log(LOG_ERR, "connection failed srv %d: %m", srv_i);
         continue;
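Review bot: the added fourth argument matches the visible prototype `int tac_connect_single(struct addrinfo *, const char *, struct addrinfo *, int);`, but the surrounding `_pam_log(LOG_ERR, "connection failed srv %d: %m", srv_i);` reports `errno` via `%m`, which is only meaningful if `tac_connect_single()` leaves `errno` set by the failing `connect()`/`select()`; a timeout that returns without touching `errno` will log a stale message. Also confirm that `tac_timeout` here is the same file-scope option variable the authenticate and acct_mgmt call sites pass, so the change-password path does not silently use a different timeout.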
    

server=IP_ADDR and server=IP_ADDR:PORT options fail with IPV6 address

The parsing for the optional ":PORT" gets confused by the ':'s in an IPv6 address. It works if you use an /etc/hosts entry that is IPv6 (tested it with the "pro-bono" version of tac_plus), so it's just the option parsing that's broken.

Just brain storming here:

  • Change the separator between IP_ADDR and PORT?
    • Not sure what would make a good one. Maybe '/' or '+'.
    • It's not backwards compatible, but maybe IPv6 is common enough to justify a switch?
    • Least coding effort
  • Add a new option "port=PORT", and if its present, don't go fishing for ":PORT" in "server=IP_ADDR[:PORT]"?
    • Backwards compatible for folks who don't care about IPV6.
    • More coding effort.
  • Use a different separator when the IP_ADDR is IPV6?
    • Count ':'s and if there are more than one, look for the other separator instead.
    • Least disruptive solution I've thought of so far. Backwards compatible and no new options.
    • The most coding effort.

So maybe:
server=fd00:badd:caff:24::1:1/49 Possibly confused with CIDR notation?
or
server=fd00:badd:caff:24::1:1+49 Doesn't look too bad.
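One more option worth adding to the brainstorm above, shown as an added example rather than the project's own option parser: the RFC 3986 bracket form `[v6addr]:port`, which is what URLs and most network daemons already use. The rule is simple: a value starting with `[` is an IPv6 literal up to `]`, optionally followed by `:port`; a bare value with exactly one colon is `host:port`; a bare value with two or more colons is an IPv6 literal with the default port 49. This keeps every existing `server=IP` and `server=IP:PORT` line working and needs no new option. The constant name and the helper functions are this example's own.

```c
/* Added example, not pam_tacplus's code: parse a server=... value that may be
 * an IPv4 literal, a hostname, or an IPv6 literal, each with an optional port.
 * Build: cc -Wall server_opt.c */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

#define TAC_DEFAULT_PORT 49

struct tac_endpoint {
    char host[256];
    unsigned port;
    int family;        /* AF_INET, AF_INET6, or AF_UNSPEC for a hostname */
};

/* Returns 0 and fills *out, or -1 on a malformed value. */
int parse_server_option(const char *spec, struct tac_endpoint *out) {
    const char *host = spec, *portstr = NULL;
    size_t len = strlen(spec), hlen;
    struct in_addr a4; struct in6_addr a6;

    if (len == 0) return -1;
    if (spec[0] == '[') {                          /* [v6addr] or [v6addr]:port */
        const char *rb = strchr(spec, ']');
        if (rb == NULL) return -1;
        host = spec + 1;
        hlen = (size_t)(rb - host);
        if (rb[1] == ':') portstr = rb + 2;
        else if (rb[1] != '\0') return -1;
    } else {
        const char *first = strchr(spec, ':'), *last = strrchr(spec, ':');
        if (first == NULL) hlen = len;             /* hostname or IPv4, default port */
        else if (first == last) {                  /* exactly one colon: host:port */
            hlen = (size_t)(first - spec);
            portstr = first + 1;
        } else hlen = len;                         /* bare IPv6 literal, colons belong to it */
    }
    if (hlen == 0 || hlen >= sizeof out->host) return -1;
    memcpy(out->host, host, hlen);
    out->host[hlen] = '\0';

    out->port = TAC_DEFAULT_PORT;
    if (portstr != NULL) {                         /* strict: digits only, 1..65535 */
        char *end;
        unsigned long p;
        if (*portstr == '\0') return -1;
        errno = 0;
        p = strtoul(portstr, &end, 10);
        if (errno != 0 || *end != '\0' || p == 0 || p > 65535) return -1;
        out->port = (unsigned)p;
    }

    if (inet_pton(AF_INET6, out->host, &a6) == 1) out->family = AF_INET6;
    else if (inet_pton(AF_INET, out->host, &a4) == 1) out->family = AF_INET;
    else if (spec[0] == '[') return -1;            /* brackets must hold a valid IPv6 literal */
    else out->family = AF_UNSPEC;                  /* leave hostnames to getaddrinfo() */
    return 0;
}

/* Small helpers for quick checks: port (0 if rejected), family (-1 if rejected). */
unsigned server_option_port(const char *spec) {
    struct tac_endpoint ep;
    return parse_server_option(spec, &ep) == 0 ? ep.port : 0;
}
int server_option_family(const char *spec) {
    struct tac_endpoint ep;
    return parse_server_option(spec, &ep) == 0 ? ep.family : -1;
}
int server_option_host_is(const char *spec, const char *host) {
    struct tac_endpoint ep;
    return parse_server_option(spec, &ep) == 0 && strcmp(ep.host, host) == 0;
}

int main(void) {
    const char *samples[] = { "192.168.253.10", "192.168.253.10:4949", "fd00:badd:caff:24::1:1",
                              "[fd00:badd:caff:24::1:1]:4949", "tacacs.example.net:49", "[fd00::1" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct tac_endpoint ep;
        if (parse_server_option(samples[i], &ep) == 0)
            printf("%-32s -> host=%s port=%u family=%d\n", samples[i], ep.host, ep.port, ep.family);
        else
            printf("%-32s -> rejected\n", samples[i]);
    }
    return 0;
}
```

A port of 0 or above 65535, trailing garbage after the port, and an unterminated `[` are all rejected rather than silently defaulted, so a typo in the configuration fails at load time instead of at the first login attempt.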

User becomes root in the middle of system-auth stack execution.

Hi,

I am using pam_tacplus 1.3.9 to authenticate a user against an existing server.
The auth part goes OK. A user which doesn't exist on the local machine is authenticated
remotely on the server; then on the local machine we clone an account for it, and then the pam_sm_acct_mgmt() function tries to authenticate that user again.
But this time, for some reason, the user becomes root! And since there is no root user on the server, the authentication fails!
Why does the user become root in the middle of the procedure?

Here is part of the log:

Mar 10 11:47:38 Manishacusfpv3-1-170 login[15729]: pam_sm_authenticate: called (pam_tacplus v1.3.8)
Mar 10 11:47:38 Manishacusfpv3-1-170 login[15729]: pam_sm_authenticate: user [knatte] obtained
Mar 10 11:47:38 Manishacusfpv3-1-170 login[15729]: tacacs_get_password: called
Mar 10 11:47:38 Manishacusfpv3-1-170 login[15729]: tacacs_get_password: obtained password
Mar 10 11:47:38 Manishacusfpv3-1-170 login[15729]: pam_sm_authenticate: password obtained
Mar 10 11:47:38 Manishacusfpv3-1-170 login[15729]: pam_sm_authenticate: tty [pts/1] obtained
Mar 10 11:47:38 Manishacusfpv3-1-170 login[15729]: pam_sm_authenticate: rhost [gentoo-akros.transmode.se] obtained
Mar 10 11:47:38 Manishacusfpv3-1-170 login[15729]: pam_sm_authenticate: trying srv 0
Mar 10 11:47:38 Manishacusfpv3-1-170 login[15729]: tacacs status: TAC_PLUS_AUTHEN_STATUS_PASS
Mar 10 11:47:38 Manishacusfpv3-1-170 login[15729]: pam_sm_authenticate: active srv 0
Mar 10 11:47:38 Manishacusfpv3-1-170 PAM-tacplus[15729]: User does not exist; trying to clone oper
Mar 10 11:47:38 Manishacusfpv3-1-170 PAM-tacplus[15729]: passwdp->pw_name = 'oper'
Mar 10 11:47:38 Manishacusfpv3-1-170 PAM-tacplus[15729]: updated passwdp->pw_name = 'knatte'
Mar 10 11:47:38 Manishacusfpv3-1-170 PAM-tacplus[15729]: useradd -d /home/oper -c ",,,,Operator,profile=operator" -s /bin/mibshwrapper -g users -p "_" knatte
Mar 10 11:47:38 Manishacusfpv3-1-170 PAM-tacplus[15731]: unrecognized option: encrypt
Mar 10 11:47:38 Manishacusfpv3-1-170 PAM-tacplus[15731]: read_config: server [172.16.12.13]
Mar 10 11:47:38 Manishacusfpv3-1-170 PAM-tacplus[15731]: read_config: key [1234567890]
Mar 10 11:47:38 Manishacusfpv3-1-170 PAM-tacplus[15731]: 1 servers defined
Mar 10 11:47:38 Manishacusfpv3-1-170 PAM-tacplus[15731]: server[0] { addr=172.16.12.13:49, key='1234567890' }
Mar 10 11:47:38 Manishacusfpv3-1-170 PAM-tacplus[15731]: tac_service='raccess'
Mar 10 11:47:38 Manishacusfpv3-1-170 PAM-tacplus[15731]: tac_protocol='unknown'
Mar 10 11:47:38 Manishacusfpv3-1-170 PAM-tacplus[15731]: tac_prompt=''
Mar 10 11:47:38 Manishacusfpv3-1-170 PAM-tacplus[15731]: tac_login=''
Mar 10 11:47:38 Manishacusfpv3-1-170 useradd[15731]: pam_sm_acct_mgmt: called (pam_tacplus v1.3.8)
Mar 10 11:47:38 Manishacusfpv3-1-170 useradd[15731]: pam_sm_acct_mgmt: username obtained [root]
Mar 10 11:47:38 Manishacusfpv3-1-170 useradd[15731]: pam_sm_acct_mgmt: tty obtained [pts/1]
Mar 10 11:47:38 Manishacusfpv3-1-170 useradd[15731]: pam_sm_acct_mgmt: rhost obtained [unknown]

Invalid packet header and length test

The following test is invalid.

if (len_from_header > packet_read) {
        TACSYSLOG((LOG_ERR,
            "%s: length declared in the packet %d does not match actual packet size %d",
            __FUNCTION__,
            len_from_header, packet_read))
        re->status = LIBTAC_STATUS_PROTOCOL_ERR;
        free(tb);
        return re->status;
      }

packet_read contains length of header only. len_from_header contains length of packet body only. The two things are incomparable.
This code fragment occurs in three different files; authen_r.c, author_r.c, acct_r.c.
The remedy is to remove the test.
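Removing the test is not the only remedy: the comparison is wrong because it runs too early, not because the idea is wrong. Added example (not libtac's `authen_r.c`, `author_r.c` or `acct_r.c`): read the 12-byte TACACS+ header (RFC 8907 layout: version, type, seq_no, flags, 4-byte session id, 4-byte body length), bound the declared length before allocating, then read the body and only then compare the declared length with the bytes actually received. The in-memory byte source, the status codes and the 64 KiB cap are this example's own; the cap is a defensive choice, not a protocol limit.

```c
/* Added example, not the project's code: two-phase TACACS+ reply read with the
 * length check done where both numbers mean the same thing. Build: cc -Wall pkt_len.c */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TAC_PLUS_HDR_SIZE 12
#define TAC_MAX_BODY_LEN  65535      /* defensive cap chosen for this example */

enum { LIBTAC_OK = 0, LIBTAC_STATUS_PROTOCOL_ERR = -1,
       LIBTAC_STATUS_SHORT_HDR = -2, LIBTAC_STATUS_SHORT_BODY = -3 };

struct tac_hdr {
    uint8_t version, type, seq_no, flags;
    uint32_t session_id;   /* host order after parsing */
    uint32_t datalength;   /* body length declared by the peer, header excluded */
};

/* Stand-in for read(2) on the socket so the example runs offline; returns the
 * number of bytes delivered, which may be short exactly like a real read. */
struct byte_src { const uint8_t *data; size_t len, pos; };

static size_t src_read(struct byte_src *s, uint8_t *dst, size_t want) {
    size_t avail = s->len - s->pos, n = avail < want ? avail : want;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Phase 1: the only length test possible here is "did the whole header arrive",
 * plus a sanity bound on the declared body size before any allocation. */
int tac_read_header(struct byte_src *s, struct tac_hdr *h) {
    uint8_t raw[TAC_PLUS_HDR_SIZE];
    if (src_read(s, raw, sizeof raw) != sizeof raw) return LIBTAC_STATUS_SHORT_HDR;
    h->version = raw[0]; h->type = raw[1]; h->seq_no = raw[2]; h->flags = raw[3];
    memcpy(&h->session_id, raw + 4, 4); h->session_id = ntohl(h->session_id);
    memcpy(&h->datalength, raw + 8, 4); h->datalength = ntohl(h->datalength);
    if (h->datalength > TAC_MAX_BODY_LEN) return LIBTAC_STATUS_PROTOCOL_ERR;
    return LIBTAC_OK;
}

/* Phase 2: now the bytes read and h->datalength measure the same thing. */
int tac_read_body(struct byte_src *s, const struct tac_hdr *h, uint8_t **body) {
    size_t got;
    *body = malloc(h->datalength + 1u);          /* +1 keeps a zero-length body well defined */
    if (*body == NULL) return LIBTAC_STATUS_PROTOCOL_ERR;
    got = src_read(s, *body, h->datalength);
    if (got != h->datalength) {
        fprintf(stderr, "length declared in the packet %u does not match actual packet size %zu\n",
                h->datalength, got);
        free(*body); *body = NULL;
        return LIBTAC_STATUS_SHORT_BODY;
    }
    return LIBTAC_OK;
}

/* Constructed frame (not a captured packet): a header declaring `declared` body
 * bytes followed by `actual` filler bytes; only the first `deliver` bytes of the
 * frame reach the reader, which simulates a truncated or slow connection. */
int check_frame(uint32_t declared, size_t actual, size_t deliver) {
    uint8_t frame[TAC_PLUS_HDR_SIZE + 64], *body;
    uint32_t sid = htonl(0x01020304u), len = htonl(declared);
    struct byte_src s;
    struct tac_hdr h;
    int rc;
    if (actual > 64 || deliver > TAC_PLUS_HDR_SIZE + actual) return LIBTAC_STATUS_PROTOCOL_ERR;
    frame[0] = 0xc0; frame[1] = 0x02; frame[2] = 2; frame[3] = 0;   /* v12.0, AUTHOR, seq 2, flags 0 */
    memcpy(frame + 4, &sid, 4); memcpy(frame + 8, &len, 4);
    memset(frame + TAC_PLUS_HDR_SIZE, 0xAA, actual);
    s.data = frame; s.len = deliver; s.pos = 0;
    if ((rc = tac_read_header(&s, &h)) != LIBTAC_OK) return rc;
    rc = tac_read_body(&s, &h, &body);
    free(body);
    return rc;
}

int main(void) {
    printf("intact:           %d\n", check_frame(5, 5, 17));
    printf("body truncated:   %d\n", check_frame(5, 3, 15));
    printf("header truncated: %d\n", check_frame(5, 5, 7));
    printf("absurd length:    %d\n", check_frame(0xFFFFFFFFu, 0, 12));
    return 0;
}
```

The bound check before `malloc()` matters on its own: a peer (or anyone on the path, given the weak packet obfuscation described in the README) can put 0xFFFFFFFF in the length field, and an unbounded allocation or read loop driven by that value is an easy denial of service against every process that loads the PAM module.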

Unable to build deb package.

I am trying to build the debian package from the source code using dpkg-buildpackage -B command and getting the below error.

cp: cannot stat 'debian/tmp/usr/sbin': No such file or directory
dh_install: cp -a debian/tmp/usr/sbin debian/libtac2-bin//usr/ returned exit code 1
make[1]: *** [override_dh_install] Error 2
make[1]: Leaving directory `/root/pam_source/pam_tacplus-master'
make: *** [binary] Error 2
dpkg-buildpackage: error: debian/rules binary gave error exit status 2

On analysis, the tacc file is installed into debian/tmp/usr/bin/tacc, but "debian/libtac2-bin.install" looks for the files in usr/sbin. Changing this to usr/bin fixes the issue. Can you update the source code or let me know how to handle it?

File handle leak fix (50c0e0a/ec67b14 commits) seems to have introduced deadlock

I have been developing a prototype using pam_tacplus (1.3.9 tag) authenticating against a tac_plus server. I was experimenting with multiple servers and was passing the 'debug' option to pam_tacplus.so. During pam_sm_open_session() my test program (a modified pamtest.py from python-pam package) locked up. The deadlock was reproducible. Here is an strace leading to the deadlock:

socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
fcntl(5, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(5, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
connect(5, {sa_family=AF_INET, sin_port=htons(49), sin_addr=inet_addr("192.168.40.85")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(6, [5], [5], NULL, {5, 0})       = 2 (in [5], out [5], left {2, 82133})
getpeername(5, 0x7fff1c051820, [128])   = -1 ENOTCONN (Transport endpoint is not connected)
sendto(3, "<35>Nov 21 23:50:11 python[15172"..., 131, MSG_NOSIGNAL, NULL, 0) = 131
sendto(3, "<36>Nov 21 23:50:11 PAM-tacplus["..., 78, MSG_NOSIGNAL, NULL, 0) = 78
close(3)                                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
fcntl(3, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
connect(3, {sa_family=AF_INET, sin_port=htons(49), sin_addr=inet_addr("192.168.40.86")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(4, [3], [3], NULL, {5, 0})       = 1 (out [3], left {4, 999905})
getpeername(3, {sa_family=AF_INET, sin_port=htons(49), sin_addr=inet_addr("192.168.40.86")}, [16]) = 0
fcntl(3, F_SETFL, O_RDWR)               = 0
socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 6
connect(6, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0 // connect to syslog
sendto(6, "<39>Nov 21 23:50:11 python[15172"..., 76, MSG_NOSIGNAL, NULL, 0) = 76 // send to syslog
read(6, ^C <unfinished ...> // read from syslog. OOPS!

As you can see from the last few lines, some code is trying to read from the syslog file descriptor. I captured a stack trace with gdb.

#0  0x00007f4001980d10 in __read_nocancel () from /lib/x86_64-linux-gnu/libpthread.so.0
#1  0x00007f3fff5507a1 in magic () from /usr/local/lib/libtac.so.1
#2  0x00007f3fff550675 in _tac_req_header () from /usr/local/lib/libtac.so.1
#3  0x00007f3fff54e3b2 in tac_acct_send () from /usr/local/lib/libtac.so.1
#4  0x00007f3fff75aa2c in _pam_send_account () from /usr/local/lib/security/pam_tacplus.so
#5  0x00007f3fff75acf3 in _pam_account () from /usr/local/lib/security/pam_tacplus.so
#6  0x00007f3fffd6bb45 in ?? () from /lib/x86_64-linux-gnu/libpam.so.0
#7  0x00007f3ffff7e237 in ?? () from /usr/lib/python2.7/dist-packages/PAMmodule.so
#8  0x0000000000497ea4 in PyEval_EvalFrameEx ()
#9  0x000000000049f1c0 in PyEval_EvalCodeEx ()
#10 0x00000000004a9081 in PyRun_FileExFlags ()
#11 0x00000000004a9311 in PyRun_SimpleFileExFlags ()
#12 0x00000000004aa8bd in Py_Main ()
#13 0x00007f400068176d in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#14 0x000000000041b9b1 in _start ()
(gdb) quit

The top two stack frames lead me to line 81 of magic.c:

u_int32_t
magic()
{
    magic_init();

    if(rfd > -1) {
        u_int32_t ret;
        int nb_read = read(rfd, &ret, sizeof(ret));
        close(rfd); // rfd still has value obtained from open("/dev/urandom", O_RDONLY);
                    // If we pass here again, it will read() from whatever unfortunate
                    // fd happens to match (in this case, the syslog fd).

        if (nb_read < sizeof(ret)) {
            /* on read() error fallback to other method */
            return (u_int32_t)random();
       }
        return ret;
    }
    return (u_int32_t)random();
}

Obviously preventing the leak is important, especially for long running applications. But multiple calls to magic() in the life of an application is also a valid use case. Not being steeped in pam_tacplus, my naive solution would be to also reset rfd and magic_inited when closing rfd.

u_int32_t
magic()
{
    magic_init();

    if(rfd > -1) {
        u_int32_t ret;
        /* ssize_t rather than int: read() returns -1 on error, and an int -1
           compared against the size_t sizeof(ret) is converted to a huge
           unsigned value, so the fallback below would never be taken. */
        ssize_t nb_read = read(rfd, &ret, sizeof(ret));
        close(rfd);
        rfd = -1;          /* forget the closed descriptor ... */
        magic_inited = 0;  /* ... and let the next call re-run magic_init() */

        if (nb_read < (ssize_t)sizeof(ret)) {
            /* on read() error fallback to other method */
            return (u_int32_t)random();
        }
        return ret;
    }
    return (u_int32_t)random();
}
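
An added example, not libtac's code, of a helper that releases and forgets the descriptor on every path, with a short check showing why a stale descriptor number is dangerous; rfd, magic_get and the other names here are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <unistd.h>

/* Hypothetical module state, mirroring libtac's rfd (not the library's code). */
static int rfd = -1;

/* Read exactly n bytes, retrying on EINTR and short reads.
 * Returns 0 on success, -1 on error or unexpected EOF. */
static int read_full(int fd, void *buf, size_t n)
{
    unsigned char *p = buf;
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (r == 0) return -1;      /* EOF never expected from /dev/urandom */
        p += r;
        n -= (size_t)r;
    }
    return 0;
}

/* Fill *out with 32 random bits from /dev/urandom. Returns 1 on success, 0 if
 * the device cannot be opened or read. The descriptor is closed and rfd reset
 * on every path, so a later call reopens the device instead of read()ing
 * whatever file has since been assigned the same number. */
int magic_get(uint32_t *out)
{
    int ok;
    if (rfd < 0) rfd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (rfd < 0) return 0;
    ok = (read_full(rfd, out, sizeof *out) == 0);
    close(rfd);
    rfd = -1;
    return ok;
}

/* 1 when no descriptor is held between calls (the invariant the fix restores). */
int magic_fd_is_closed(void)
{
    return rfd == -1;
}

/* Two back-to-back calls, checking the invariant after each. */
int magic_roundtrip_ok(void)
{
    uint32_t a, b;
    return magic_get(&a) && magic_fd_is_closed() &&
           magic_get(&b) && magic_fd_is_closed();
}

/* Why a stale number is dangerous: POSIX allocates the lowest free descriptor,
 * so the first open()/pipe()/socket() after close() gets the same number and a
 * saved copy now names an unrelated file (the syslog descriptor in the
 * backtrace). Returns 1 if the number came back, -1 on error. */
int fd_number_is_reused_after_close(void)
{
    int p[2], reused;
    int a = open("/dev/urandom", O_RDONLY);
    if (a < 0) return -1;
    close(a);
    if (pipe(p) < 0) return -1;
    reused = (p[0] == a);
    close(p[0]);
    close(p[1]);
    return reused;
}
```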

Current master not building without openssl?

I tried to build the repo but it fails... First because "md5.h" doesn't have spaces before __P() when declaring the exported functions, then because crypt.c uses MD5_LBLOCK instead of MD5_LEN, and finally because tacc.c seems to have a hard dependency on openssl for RAND_pseudo_bytes().

SLES install issues

I have problems installing tacplus on SLES 12.

Here are the outputs:

./auto.sh    
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I config
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `config'.
libtoolize: copying file `config/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `config'.
libtoolize: copying file `config/libtool.m4'
libtoolize: copying file `config/ltoptions.m4'
libtoolize: copying file `config/ltsugar.m4'
libtoolize: copying file `config/ltversion.m4'
libtoolize: copying file `config/lt~obsolete.m4'
autoreconf: running: /usr/bin/autoconf --force
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
autoreconf: Leaving directory `.'



./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking whether ln -s works... yes
checking whether make sets $(MAKE)... (cached) yes
checking build system type... x86_64-suse-linux-gnu
checking host system type... x86_64-suse-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /usr/bin/sed
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /usr/x86_64-suse-linux/bin/ld
checking if the linker (/usr/x86_64-suse-linux/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking the maximum length of command line arguments... 1572864
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking how to convert x86_64-suse-linux-gnu file names to x86_64-suse-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-suse-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/x86_64-suse-linux/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for mt... mt
checking if mt is a manifest tool... no
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/x86_64-suse-linux/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking whether gcc and cc understand -c and -o together... yes
checking for pam_start in -lpam... yes
checking for tac_connect in -ltac... no
checking for MD5_Init in -lcrypto... no
checking for RAND_pseudo_bytes in -lcrypto... no
checking for logwtmp in -lutil... yes
checking for ANSI C header files... (cached) yes
checking arpa/inet.h usability... yes
checking arpa/inet.h presence... yes
checking for arpa/inet.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for strings.h... (cached) yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking syslog.h usability... yes
checking syslog.h presence... yes
checking for syslog.h... yes
checking for unistd.h... (cached) yes
checking openssl/md5.h usability... no
checking openssl/md5.h presence... no
checking for openssl/md5.h... no
checking openssl/rand.h usability... no
checking openssl/rand.h presence... no
checking for openssl/rand.h... no
checking linux/random.h usability... yes
checking linux/random.h presence... yes
checking for linux/random.h... yes
checking sys/random.h usability... no
checking sys/random.h presence... no
checking for sys/random.h... no
checking security/pam_appl.h usability... yes
checking security/pam_appl.h presence... yes
checking for security/pam_appl.h... yes
checking for an ANSI C-conforming const... yes
checking for size_t... yes
checking whether time.h and sys/time.h may both be included... yes
checking whether CC supports -fstack-protector-all... yes
checking whether CC supports -Wl,-z,relro... yes
checking whether CC supports -Wl,-z,now... yes
checking whether CC supports -fPIE... yes
checking whether CC supports -pie... yes
checking whether CC supports -U_FORTIFY_SOURCE... yes
checking whether CC supports -D_FORTIFY_SOURCE=2... yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible realloc... yes
checking sys/select.h usability... yes
checking sys/select.h presence... yes
checking for sys/select.h... yes
checking for sys/socket.h... (cached) yes
checking types of arguments for select... int,fd_set *,struct timeval *
checking return type of signal handlers... void
checking for bzero... yes
checking for gethostbyname... yes
checking for gettimeofday... yes
checking for inet_ntoa... yes
checking for select... yes
checking for socket... yes
checking for logwtmp... yes
checking for getrandom... no
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating libtac.pc
config.status: creating pam_tacplus.spec
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands
config.status: executing libtool commands


make
make  all-am
make[1]: Entering directory '/home/ui492521/pam_tacplus-1.4.1'
/bin/sh ./libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.    -fstack-protector-all -Wl,-z,relro -Wl,-z,now -fPIE -pie -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -I ./libtac/include -g -O2 -MT libtac/lib/libtac_la-acct_r.lo -MD -MP -MF libtac/lib/.deps/libtac_la-acct_r.Tpo -c -o libtac/lib/libtac_la-acct_r.lo `test -f 'libtac/lib/acct_r.c' || echo './'`libtac/lib/acct_r.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -fstack-protector-all -Wl,-z,relro -Wl,-z,now -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -I ./libtac/include -g -O2 -MT libtac/lib/libtac_la-acct_r.lo -MD -MP -MF libtac/lib/.deps/libtac_la-acct_r.Tpo -c libtac/lib/acct_r.c  -fPIC -DPIC -o libtac/lib/.libs/libtac_la-acct_r.o
mv -f libtac/lib/.deps/libtac_la-acct_r.Tpo libtac/lib/.deps/libtac_la-acct_r.Plo
/bin/sh ./libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.    -fstack-protector-all -Wl,-z,relro -Wl,-z,now -fPIE -pie -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -I ./libtac/include -g -O2 -MT libtac/lib/libtac_la-acct_s.lo -MD -MP -MF libtac/lib/.deps/libtac_la-acct_s.Tpo -c -o libtac/lib/libtac_la-acct_s.lo `test -f 'libtac/lib/acct_s.c' || echo './'`libtac/lib/acct_s.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -fstack-protector-all -Wl,-z,relro -Wl,-z,now -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -I ./libtac/include -g -O2 -MT libtac/lib/libtac_la-acct_s.lo -MD -MP -MF libtac/lib/.deps/libtac_la-acct_s.Tpo -c libtac/lib/acct_s.c  -fPIC -DPIC -o libtac/lib/.libs/libtac_la-acct_s.o
mv -f libtac/lib/.deps/libtac_la-acct_s.Tpo libtac/lib/.deps/libtac_la-acct_s.Plo
/bin/sh ./libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.    -fstack-protector-all -Wl,-z,relro -Wl,-z,now -fPIE -pie -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -I ./libtac/include -g -O2 -MT libtac/lib/libtac_la-attrib.lo -MD -MP -MF libtac/lib/.deps/libtac_la-attrib.Tpo -c -o libtac/lib/libtac_la-attrib.lo `test -f 'libtac/lib/attrib.c' || echo './'`libtac/lib/attrib.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -fstack-protector-all -Wl,-z,relro -Wl,-z,now -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -I ./libtac/include -g -O2 -MT libtac/lib/libtac_la-attrib.lo -MD -MP -MF libtac/lib/.deps/libtac_la-attrib.Tpo -c libtac/lib/attrib.c  -fPIC -DPIC -o libtac/lib/.libs/libtac_la-attrib.o
mv -f libtac/lib/.deps/libtac_la-attrib.Tpo libtac/lib/.deps/libtac_la-attrib.Plo
/bin/sh ./libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.    -fstack-protector-all -Wl,-z,relro -Wl,-z,now -fPIE -pie -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -I ./libtac/include -g -O2 -MT libtac/lib/libtac_la-authen_r.lo -MD -MP -MF libtac/lib/.deps/libtac_la-authen_r.Tpo -c -o libtac/lib/libtac_la-authen_r.lo `test -f 'libtac/lib/authen_r.c' || echo './'`libtac/lib/authen_r.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -fstack-protector-all -Wl,-z,relro -Wl,-z,now -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -I ./libtac/include -g -O2 -MT libtac/lib/libtac_la-authen_r.lo -MD -MP -MF libtac/lib/.deps/libtac_la-authen_r.Tpo -c libtac/lib/authen_r.c  -fPIC -DPIC -o libtac/lib/.libs/libtac_la-authen_r.o
mv -f libtac/lib/.deps/libtac_la-authen_r.Tpo libtac/lib/.deps/libtac_la-authen_r.Plo
/bin/sh ./libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.    -fstack-protector-all -Wl,-z,relro -Wl,-z,now -fPIE -pie -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -I ./libtac/include -g -O2 -MT libtac/lib/libtac_la-authen_s.lo -MD -MP -MF libtac/lib/.deps/libtac_la-authen_s.Tpo -c -o libtac/lib/libtac_la-authen_s.lo `test -f 'libtac/lib/authen_s.c' || echo './'`libtac/lib/authen_s.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -fstack-protector-all -Wl,-z,relro -Wl,-z,now -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -I ./libtac/include -g -O2 -MT libtac/lib/libtac_la-authen_s.lo -MD -MP -MF libtac/lib/.deps/libtac_la-authen_s.Tpo -c libtac/lib/authen_s.c  -fPIC -DPIC -o libtac/lib/.libs/libtac_la-authen_s.o
mv -f libtac/lib/.deps/libtac_la-authen_s.Tpo libtac/lib/.deps/libtac_la-authen_s.Plo
/bin/sh ./libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.    -fstack-protector-all -Wl,-z,relro -Wl,-z,now -fPIE -pie -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -I ./libtac/include -g -O2 -MT libtac/lib/libtac_la-author_r.lo -MD -MP -MF libtac/lib/.deps/libtac_la-author_r.Tpo -c -o libtac/lib/libtac_la-author_r.lo `test -f 'libtac/lib/author_r.c' || echo './'`libtac/lib/author_r.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -fstack-protector-all -Wl,-z,relro -Wl,-z,now -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -I ./libtac/include -g -O2 -MT libtac/lib/libtac_la-author_r.lo -MD -MP -MF libtac/lib/.deps/libtac_la-author_r.Tpo -c libtac/lib/author_r.c  -fPIC -DPIC -o libtac/lib/.libs/libtac_la-author_r.o
libtac/lib/author_r.c: In function 'tac_author_read':
libtac/lib/author_r.c:135:5: error: 'for' loop initial declarations are only allowed in C99 mode
     for (unsigned int r = 0; r < tb->arg_cnt && r < TAC_PLUS_MAX_ARGCOUNT; r++) {
     ^
libtac/lib/author_r.c:135:5: note: use option -std=c99 or -std=gnu99 to compile your code
libtac/lib/author_r.c:208:3: error: 'for' loop initial declarations are only allowed in C99 mode
   for (unsigned int r = 0; r < tb->arg_cnt && r < TAC_PLUS_MAX_ARGCOUNT;
   ^
Makefile:765: recipe for target 'libtac/lib/libtac_la-author_r.lo' failed
make[1]: *** [libtac/lib/libtac_la-author_r.lo] Error 1
make[1]: Leaving directory '/home/ui492521/pam_tacplus-1.4.1'
Makefile:446: recipe for target 'all' failed
make: *** [all] Error 2

Can somebody help me?
Thanks

Best Regards
gentlel

Timescale for v2 API

Hi @pprindeville,

Long time no speak :)

In the "Releases" section it states that, "Master will be branching soon as v1.5.x ... [and then it] will then be released as v2.0.0 which will break ABI/API compatibility".

Do you have any ideas about when that will happen? Is there further work that must be done first? If so, I can help out with that.

Thanks,
David

configure fails for Redhat 6.4 and Redhat 6.6

Hello,

I have issues with RHEL 6.4 and RHEL 6.6:

./configure: line 12103: syntax error near unexpected token `AX_CHECK_COMPILE_FLAG'
./configure: line 12103: `AX_CHECK_COMPILE_FLAG("-fstack-protector-all", AX_APPEND_FLAG(["-fstack-protector-all"],[CFLAGS]), )'

The configure script fails.

I believe it is related to issue #22.

Thanks,
George

configure script is missing.

The INSTALL text file instructions contain the typical "configure, make, make install" steps, but the configure script is missing from the release.
I tried to invoke autoconf but it fails with the following message:
configure.ac:19: error: possibly undefined macro: AM_INIT_AUTOMAKE
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
configure.ac:29: error: possibly undefined macro: AM_PROG_LIBTOOL

module works with SSHD but not sudo

We just recently updated to CentOS 7, and the previous module we had built based on the SourceForge version stopped working.

We managed to compile this version correctly and tweak our TACACS pam.d file to allow SSH logins; however, sudo is no longer working, with the following errors (private info modified):

sudo: pam_authenticate: Insufficient credentials to access authentication data

secure/messages log files have the following:

==> /var/log/messages <==
Jul 11 11:14:00 ant-test PAM-tacplus[3463]: (pam_tacplus) converse returned 7
Jul 11 11:14:00 ant-test PAM-tacplus[3463]: that is: Authentication failure
Jul 11 11:14:00 ant-test PAM-tacplus[3463]: unable to obtain password

==> /var/log/secure <==
Jul 11 11:14:00 ant-test sudo[3463]: pam_unix(sudo-i:auth): conversation failed
Jul 11 11:14:00 ant-test sudo[3463]: pam_unix(sudo-i:auth): auth could not identify password for [username]
Jul 11 11:14:00 ant-test sudo: asomerset : pam_authenticate: Insufficient credentials to access authentication data ; TTY=pts/1 ; PWD=/home/username ; USER=root ; COMMAND=/bin/bash

my tacacs-auth file presently looks like this:

#%PAM-1.0
auth            required      /lib64/security/pam_env.so
auth       [success=done authinfo_unavail=ignore default=bad]     /usr/local/lib/security/pam_tacplus.so debug server=SERVER secret=testingtesting
auth        include        system-auth
account    [success=done auth_err=ignore default=bad] /usr/local/lib/security/pam_tacplus.so debug server=SERVER secret=testingtesting service=shell protocol=ssh
account     include        system-auth
password   required /lib64/security/pam_cracklib.so
password   required     pam_deny.so
session    [success=done session_err=ignore default=bad] /usr/local/lib/security/pam_tacplus.so debug server=SERVER secret=testingtesting service=shell protocol=ssh
session     include        system-auth

any thoughts?

TaskId doesn't match for start and stop messages of accounting

Opened three SSH sessions using the pam_tacplus.so library and observed that the task IDs do not match between the start and stop messages.

Dump of start accounting messages

session#1      Got taskid=17774  for the user abc3

Jun 28 10:46:49 167.254.219.122 abc3        unknown 10.0.2.2        start           start_time=1496312841   task_id=17774   service=fujitsu-1finity-exec    protocol=ip

session#2     Got taskid=49387 for the user abc1

Jun 28 10:46:52 167.254.219.122 abc1        unknown 10.0.2.2        start           start_time=1496312845   task_id=49387   service=fujitsu-1finity-exec    protocol=ip

session#3     Got taskid=41556  for the user abc2

Jun 28 10:46:56 167.254.219.122 abc2        unknown 10.0.2.2        start           start_time=1496312848   task_id=41556   service=fujitsu-1finity-exec    protocol=ip

Now I closed the SSH sessions in the order abc3, abc1 and abc2,
but I observe the same task_id 41556 for all stop messages.

Dump of stop accounting messages:

Jun 28 10:47:05 167.254.219.122 abc3        unknown 10.0.2.2        stop            stop_time=1496312858    task_id=41556   service=fujitsu-1finity-exec    protocol=ip
Jun 28 10:47:10 167.254.219.122 abc1        unknown 10.0.2.2        stop            stop_time=1496312862    task_id=41556     service=fujitsu-1finity-exec    protocol=ip
Jun 28 10:47:17 167.254.219.122 abc2        unknown 10.0.2.2        stop            stop_time=1496312870    task_id=41556   service=fujitsu-1finity-exec    protocol=ip

Expected: task_id for abc3 to be 17774, but it shows task_id as 41556.
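
An added example, not pam_tacplus code, of the audit check an operator would run over accounting records shaped like those above: every stop is reconciled against the open start of the same user and mismatching task_ids are counted. Keying on the user alone is a simplification that fits this sample; a real check would also key on port and remote address.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OPEN 32

struct open_session {
    char user[32];
    unsigned long task_id;
};

/* Record layout: "Mon DD HH:MM:SS nas user port rem_addr start|stop k=v ...".
 * Returns 0 and fills user/type/task_id, or -1 when a field is missing. */
static int parse_record(const char *line, char *user, char *type,
                        unsigned long *task_id)
{
    char u[32], t[8];
    const char *p;
    if (sscanf(line, "%*s %*s %*s %*s %31s %*s %*s %7s", u, t) != 2)
        return -1;
    p = strstr(line, "task_id=");
    if (p == NULL) return -1;
    *task_id = strtoul(p + strlen("task_id="), NULL, 10);
    strcpy(user, u);
    strcpy(type, t);
    return 0;
}

/* Number of stop records whose task_id differs from the matching start
 * (a stop with no open start also counts), or -1 on a malformed line. */
int count_task_id_mismatches(const char *const *lines, size_t n)
{
    struct open_session open[MAX_OPEN];
    size_t n_open = 0, i, j;
    int mismatches = 0;

    for (i = 0; i < n; i++) {
        char user[32], type[8];
        unsigned long tid;
        if (parse_record(lines[i], user, type, &tid) != 0) return -1;
        if (strcmp(type, "start") == 0) {
            if (n_open < MAX_OPEN) {
                strcpy(open[n_open].user, user);
                open[n_open].task_id = tid;
                n_open++;
            }
            continue;
        }
        if (strcmp(type, "stop") != 0)
            continue;                   /* other record types are ignored */
        for (j = 0; j < n_open; j++)
            if (strcmp(open[j].user, user) == 0)
                break;
        if (j == n_open || open[j].task_id != tid)
            mismatches++;
        if (j < n_open)
            open[j] = open[--n_open];   /* session closed, drop it */
    }
    return mismatches;
}

/* Constructed copies of the six records from the report (whitespace collapsed). */
const char *const sample_records[] = {
    "Jun 28 10:46:49 167.254.219.122 abc3 unknown 10.0.2.2 start start_time=1496312841 task_id=17774 service=fujitsu-1finity-exec protocol=ip",
    "Jun 28 10:46:52 167.254.219.122 abc1 unknown 10.0.2.2 start start_time=1496312845 task_id=49387 service=fujitsu-1finity-exec protocol=ip",
    "Jun 28 10:46:56 167.254.219.122 abc2 unknown 10.0.2.2 start start_time=1496312848 task_id=41556 service=fujitsu-1finity-exec protocol=ip",
    "Jun 28 10:47:05 167.254.219.122 abc3 unknown 10.0.2.2 stop stop_time=1496312858 task_id=41556 service=fujitsu-1finity-exec protocol=ip",
    "Jun 28 10:47:10 167.254.219.122 abc1 unknown 10.0.2.2 stop stop_time=1496312862 task_id=41556 service=fujitsu-1finity-exec protocol=ip",
    "Jun 28 10:47:17 167.254.219.122 abc2 unknown 10.0.2.2 stop stop_time=1496312870 task_id=41556 service=fujitsu-1finity-exec protocol=ip",
};
const size_t sample_count = sizeof sample_records / sizeof sample_records[0];
```

Run over the six records the check reports two mismatches (abc3 and abc1); abc2's stop happens to carry the task_id it was started with.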

Incorrect clearing of areply struct

There are two blocks of code with this sort of structure in pam_tacplus.c

    while (communicating) {
        struct areply re = { .attr = NULL, .msg = NULL, status = 0, flags = 0 };

The problem is that there's a missing . before status and flags. At least with my compiler, and I suspect all compilers, this does not clear re.status, but rather the enclosing local variable status (and presumably flags, but I'm not interested in that one).

The unfortunate consequence of the above is that the status field had been set to something 'bad' intentionally in the outer context, for instance PAM_AUTHINFO_UNAVAIL. This would normally mean that if all servers couldn't be contacted or had other problems (like a bad shared secret), the return would be some form of failure.

With this bug in place, that status becomes PAM_SUCCESS immediately upon entry of the while loop, and if no servers can be contacted (or even if the first server can't be contacted), the return from this function is PAM_SUCCESS, and users are mistakenly authenticated.
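
An added example, not pam_tacplus code, that puts the initializer from the report beside its corrected form and shows the fail-open result when no server answers. The PAM codes carry their Linux-PAM values so the file builds without libpam, and struct areply is assumed to mirror libtac's four members; simulated_server, auth_buggy and auth_fixed are this example's own names.

```c
#include <stddef.h>

#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_AUTHINFO_UNAVAIL 9

struct tac_attrib;                  /* opaque here */
struct areply {
    struct tac_attrib *attr;
    char *msg;
    int status;
    int flags;
};

/* The server reduced to two inputs: whether it answered and what it said.
 * Returns -1 when there is no reply, so the caller keeps its own status. */
static int simulated_server(int server_up, int server_status, struct areply *re)
{
    if (!server_up)
        return -1;
    re->status = server_status;
    return 0;
}

/* Buggy form. Inside the braces `status = 0` is an assignment expression:
 * it stores PAM_SUCCESS into the enclosing `status` and then initializes
 * re.status with that value, so an unreachable server yields success. */
int auth_buggy(int server_up, int server_status)
{
    int status = PAM_AUTHINFO_UNAVAIL;  /* deliberate pessimistic default */
    int flags = 0;
    int communicating = 1;

    while (communicating) {
        struct areply re = { .attr = NULL, .msg = NULL, status = 0, flags = 0 };
        if (simulated_server(server_up, server_status, &re) == 0)
            status = re.status;
        communicating = 0;
    }
    (void)flags;
    return status;
}

/* Fixed form: every member designated, so the outer status is untouched
 * until a server actually answers. */
int auth_fixed(int server_up, int server_status)
{
    int status = PAM_AUTHINFO_UNAVAIL;
    int flags = 0;
    int communicating = 1;

    while (communicating) {
        struct areply re = { .attr = NULL, .msg = NULL, .status = 0, .flags = 0 };
        if (simulated_server(server_up, server_status, &re) == 0)
            status = re.status;
        communicating = 0;
    }
    (void)flags;
    return status;
}
```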

License of libtac

Hello,

If I want to use only the libtac part (the library alone) from this project, will it be under GPL, or LGPL?

Thanks.

trouble with make on native ARM device

Hello,
We are building the pam_tacplus package on a native ARM device.
Of course we follow the steps
autoreconf -i
./configure
make

at the end of the make we are getting errors from the linker
cannot find -lssp_nonshared
cannot find -lssp

Is there a way to disable the stack smashing libs (I am guessing the ssp library is the stack smashing libs) from being called?

Thanks

Solaris 11.3 installation assist

Hello, I was able to get Oracle to help me get the source code compiled, but I need some insight regarding the PAM properties in general. The files that were created do not end up with the same filename extensions as those in the example.
Here's what I have:
-rw-r--r-- 1 root root 1730 Nov 12 03:19 support.h
-rw-r--r-- 1 root root 3797 Nov 12 03:20 config.h.in~
-rw-r--r-- 1 root root 4170 Nov 12 03:29 config.h
-rw-r--r-- 1 root root 2913 Nov 12 12:17 configure.ac
-rw-r--r-- 1 root root 36257 Nov 12 12:18 aclocal.m4
-rwxr-xr-x 1 root root 427892 Nov 12 12:18 configure
-rw-r--r-- 1 root root 3797 Nov 12 12:18 config.h.in
drwxr-xr-x 2 root root 9 Nov 12 12:18 autom4te.cache
drwxr-xr-x 2 root root 15 Nov 12 12:18 config
-rw-r--r-- 1 root root 57727 Nov 12 12:18 Makefile.in
-rwxr-xr-x 1 root root 62229 Nov 12 12:19 config.status
-rw-r--r-- 1 root root 53949 Nov 12 12:19 Makefile
-rw-r--r-- 1 root root 275 Nov 12 12:19 libtac.pc
-rw-r--r-- 1 root root 1683 Nov 12 12:19 pam_tacplus.spec
-rw-r--r-- 1 root root 23 Nov 12 12:19 stamp-h1
-rwxr-xr-x 1 root root 292507 Nov 12 12:19 libtool
-rw-r--r-- 1 root root 43509 Nov 12 12:19 config.log
-rw-r--r-- 1 root root 907 Nov 12 12:19 libtac.la
-rw-r--r-- 1 root root 33664 Nov 12 12:19 pam_tacplus_la-pam_tacplus.o
-rw-r--r-- 1 root root 330 Nov 12 12:19 pam_tacplus_la-pam_tacplus.lo
-rw-r--r-- 1 root root 19580 Nov 12 12:19 pam_tacplus_la-support.o
-rw-r--r-- 1 root root 318 Nov 12 12:19 pam_tacplus_la-support.lo
drwxr-xr-x 2 root root 4 Nov 12 12:19 .deps
-rw-r--r-- 1 root root 1394 Nov 12 12:19 pam_tacplus.la
drwxr-xr-x 2 root root 13 Nov 12 12:19 .libs

thanks,
RickO
