Hi Gleydson, Stuart, ports,

I'm running tac_plus with 200+ boxes with IOS, IOS-XE and IOS-XR.
Please see attached tgz for updated port.

- I've taken Gleydson's latest work from openbsd-wip (I don't see the unexec and/or doc/shared implemented in PLIST) *
- Provided simplified tac_plus.conf.sample of stuff I have tested - logging in as full admins with level 15 and limited show users that I use for scripting/metrics. I can't really vouch for the functionality of dialup users etc. The full-blown config file example is still in the manpage.
- Fixed typo in manpage for accounting to syslog - using `accounting syslog;` (including semicolon) does not work, but parser does not complain. If I remove the semicolon, accounting info gets logged to syslog as daemon.info (this was nasty :) )
- Fixed paths for tac.acct, tac.log and tac.who - all of them go to /var/log/tac_plus directory that's owned by _tacacs:_tacacs
- ^ This fixes the case where you don't want to log into accounting file and want syslog accounting only (disabling accounting file directive leads to tacacs complaining of permission denied with default path of /var/log/tac.acct). Changing the default path to /var/log/tac_plus/tac.acct and removing `accounting file = ...' directive properly disables logging to this file. Go figure :)
- Updated paths in manpage (tac_plus.conf.5.in) as one is automatically substituted from configure variables, while the other is hardcoded.
- Added README file to remind administrator to rotate his/her files.
* I've tried to add the @extraunexec rm -rf /var/log/tac_plus/*, but I'm not sure it works: on package deletion pkg_delete complains that directory is not empty:

    [20:07][root@samsara:/var/log]# pkg_delete tacacs+
    tacacs+-4.0.4.28v0: ok
    Read shared items: ok
    --- -tacacs+-4.0.4.28v0 -------------------
    You should also remove /etc/tac_plus.conf (which was modified)
    You should also run rm -f /var/log/tac_plus/*
    Error deleting directory /var/log/tac_plus: Directory not empty
    You should also run /usr/sbin/userdel _tacacs
    You should also run /usr/sbin/groupdel _tacacs

I'm sorry, I've wrestled, but I don't understand how the doc/examples directories work - what needs to be done in pkg configure phase and what is done in PLIST? Cluestick please?

I've tested the accounting part with py-tacacs_plus on -current, don't have a real network box around at this time. (Gonna dogfood this tomorrow or next week)

Could you please have a look if this is okay?

jvl

On Thu, May 23, 2019 at 11:34:23AM -0300, Gleydson Soares wrote:
> > Can you use the standard locations for doc/examples please rather
> > than /usr/local/share/tacacs?
>
> Yep.
>
> > Needs @extraunexec rm -f /var/log/tac_plus/* for pkg_delete -c.
>
> Done.
> Thanks for the feedback, I'm pushing it to openbsd-wip.
>
> PS.: I'm running it and it works just fine. It has a dozen of Cisco Nexus
> switches already connected.
> privdrop (_tacacs) fine.
>
> I will add some changes to example files provided by Jan Vlach, for pointing
> out how to use tac_plus on the fly on OpenBSD (like features available with
> and without privdrop / etc).
>
> Also should be nice to send patches upstream. Jan Vlach, what do you think about?
>
> Cheers,
>
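An illustrative tac_plus.conf fragment, added here as an example and not the tac_plus.conf.sample attached to this mail, showing the accounting settings the mail describes: `accounting syslog` without the trailing semicolon, and the accounting file under /var/log/tac_plus, beside a level-15 admin group and a show-only group. The shared key, user names and password hashes are placeholders.

```conf
# Placeholder shared secret; replace before use.
key = "CHANGE-ME"

# Accounting to syslog. Note: no trailing semicolon. The form
# "accounting syslog;" is accepted by the parser but nothing reaches
# syslog; without the semicolon records are logged as daemon.info.
accounting syslog

# Optional accounting file. The port keeps all logs under /var/log/tac_plus
# (owned by _tacacs:_tacacs). Remove this line for syslog-only accounting;
# with the old default path /var/log/tac.acct the daemon instead complained
# of permission denied when the directive was removed.
accounting file = /var/log/tac_plus/tac.acct

# Full administrators: exec at privilege level 15, every command permitted.
group = admins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# Limited accounts for scripting/metrics: exec at level 1, "show" commands
# only; everything else falls through to the deny default.
group = readonly {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit .*
    }
}

# Placeholder users; substitute real password hashes.
user = admin1 {
    member = admins
    login = des "PLACEHOLDER_HASH"
}
user = metrics {
    member = readonly
    login = des "PLACEHOLDER_HASH"
}
```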
tacacs+-20190523-2.tar.gz
Description: application/tar-gz