Re: NEW: Tacacs+ port - shrubbery.net version

2019-06-30 Thread Gleydson Soares
Hi sthen,

> Slightly tweaked version attached, this one's ok with me:
> 
> - https homepage
> - PERMIT_*_CDROM is not used for new ports
> - whitespace nit in Makefile
> - tweak comment in patch
> - place @extraunexec above the @sample line, that way pkg_delete -c doesn't
> complain about a missing dir. (pkg_delete without -c will complain about
> not being able to remove the dir, that is no problem).
> - regen plist to include pkg-readme
> - adjust pkg-readme to set uid/gid on the files
> - change group ownership of log dir to wheel, easier for admins

thanks for the review, gonna commit this one.



Re: NEW: Tacacs+ port - shrubbery.net version

2019-06-30 Thread Stuart Henderson
On 2019/05/23 20:09, Jan Vlach wrote:
> Hi Gleydson, Stuart, ports,
> 
> I'm running tac_plus with 200+ boxes with IOS, IOS-XE and IOS-XR.
> 
> please see attached tgz for updated port.
> 
> - I've taken Gleydson's latest work from openbsd-wip (I don't see the
>   unexec and/or doc/shared implemented in PLIST) *
> - provided simplified tac_plus.conf.sample of stuff I have tested -
>   logging in as full admins with level 15 and limited show users that I
> use for scripting/metrics. I can't really vouch for the functionality of
> dialup users etc. The full-blown config file example is still in the
> manpage
> - fixed typo in manpage for accounting to syslog - using `accounting
>   syslog;` (including semicolon) does not work, but parser does not
> complain. If I remove the semicolon, accounting info gets logged to
> syslog as daemon.info (this was nasty :) ) 
> - fixed paths for tac.acct, tac.log and tac.who - all of them go to
>   /var/log/tac_plus directory that's owned by _tacacs:_tacacs
> - ^ This fixes the case where you don't want to log into accounting file
>   and want syslog accounting only (disabling accounting file directive
> leads to tacacs complaining of permission denied with default path
> of /var/log/tac.acct) Changing the default path to
> /var/log/tac_plus/tac.acct and removing `accounting file = ...'
> directive properly disables logging to this file. Go figure :)
> - Updated paths in manpage (tac_plus.conf.5.in) as one is automatically
>   substituted from configure variables, while the other is hardcoded.
> - Added README file to remind administrator to rotate his/her files.
> 
> * I've tried to add the @extraunexec rm -rf /var/log/tac_plus/*, but I'm
> not sure it works:
> 
> On package deletion pkg_delete complains that directory is not empty:
> [20:07][root@samsara:/var/log]# pkg_delete tacacs+ 
> tacacs+-4.0.4.28v0: ok
> Read shared items: ok
> --- -tacacs+-4.0.4.28v0 ---
> You should also remove /etc/tac_plus.conf (which was modified)
> You should also run rm -f /var/log/tac_plus/*
> Error deleting directory /var/log/tac_plus: Directory not empty
> You should also run /usr/sbin/userdel _tacacs
> You should also run /usr/sbin/groupdel _tacacs
> 
> I'm sorry, I've wrestled, but I don't understand how the doc/examples 
> directories work -
> what needs to be done in pkg configure phase and what is done in PLIST?
> 
> Cluestick please?
> 
> I've tested the accounting part with py-tacacs_plus on -current, don't have a 
> real
> network box around at this time. (Gonna dogfood this tomorrow or next
> week)
> 
> Could you please have a look if this is okay?
> 
> jvl
> 
> On Thu, May 23, 2019 at 11:34:23AM -0300, Gleydson Soares wrote:
> > > Can you use the standard locations for doc/examples please rather
> > > than /usr/local/share/tacacs?
> > 
> > Yep.
> > 
> > > Needs @extraunexec rm -f /var/log/tac_plus/* for pkg_delete -c.
> > 
> > Done.
> > Thanks for the feedback, i'm pushing it to openbsd-wip.
> > 
> > PS.: I'm running it and it works just fine. It has a dozen Cisco Nexus 
> > switches already connected. 
> > privdrop (_tacacs) fine.
> > 
> > I will add some changes to example files provided by Jan Vlach, for 
> > pointing out how to use tac_plus on the fly on OpenBSD (like features 
> > available with and without privdrop / etc).
> > 
> > It would also be nice to send patches upstream. Jan Vlach, what do you 
> > think?
> > 
> > Cheers,
> > 



Slightly tweaked version attached, this one's ok with me:

- https homepage
- PERMIT_*_CDROM is not used for new ports
- whitespace nit in Makefile
- tweak comment in patch
- place @extraunexec above the @sample line, that way pkg_delete -c doesn't
complain about a missing dir. (pkg_delete without -c will complain about
not being able to remove the dir, that is no problem).
- regen plist to include pkg-readme
- adjust pkg-readme to set uid/gid on the files
- change group ownership of log dir to wheel, easier for admins



tacacs+,3.tgz
Description: application/tar-gz


Re: NEW: Tacacs+ port - shrubbery.net version

2019-05-25 Thread Jan Vlach
Hi,

tac_plus compiles and runs fine on octeon too. (Edge Router Lite,
-current)

Tested slightly with py_tacacs_plus.
Encrypted and cleartext logins work, and authentication both to syslog
and dedicated file.

jvl


On Fri, May 24, 2019 at 01:49:29PM +0200, Ampie Niemand wrote:
> This does the trick and installs perfectly on macppc, will test i386
> and amd64 when I get home.
> 
> My thoughts are that because all the TACACS+ ports were obsolete after
> 6.2, the _tacacs user was sort of "deauthorized" in the infrastructure
> userlist.
> Reading the error message properly this time it confirms 100% what you
> said so that even I can understand it. :-D
> 
> Thanks, this is amazing.
> 
> Regards
> Ampie
> 
> 



Re: NEW: Tacacs+ port - shrubbery.net version

2019-05-24 Thread Ampie Niemand
This does the trick and installs perfectly on macppc, will test i386
and amd64 when I get home.

My thoughts are that because all the TACACS+ ports were obsolete after
6.2, the _tacacs user was sort of "deauthorized" in the infrastructure
userlist.
Reading the error message properly this time it confirms 100% what you
said so that even I can understand it. :-D

Thanks, this is amazing.

Regards
Ampie


On Fri, 24 May 2019 at 13:37, Gleydson Soares wrote:
>
> Try with the change below and Let us know if it works for you,
>
> Thank you
>
> sent from my mobile device
>
> On Fri, May 24, 2019, at 7:43 AM, Gleydson Soares wrote:
>
> it requires the _tacacs user due to privdrop, so you need to uncomment the 
> following line:
> {x250} /usr/ports $ grep -rn tacacs /usr/ports/infrastructure/*
> /usr/ports/infrastructure/db/user.list:22:#511 _tacacs _tacacs net/tacacs+
>
> i'm with limited internet access till tomorrow morning, i will take a look at 
> this port and diffs tomorrow
>
>
>
> On Fri, May 24, 2019, at 7:37 AM, Ampie Niemand wrote:
> > Hi, all.
> >
> > Thanks for reviving this awesome service.
> >
> > I'm failing at the last hurdle with both macppc and amd64:
> >
> > ..
> > ..
> > ===>  Building package for tacacs+-4.0.4.28v0
> > Create /usr/ports/packages/powerpc/all/tacacs+-4.0.4.28v0.tgz
> > Creating package tacacs+-4.0.4.28v0
> > Error: newgroup _tacacs: not registered in
> > /usr/ports/infrastructure/db/user.list
> > Error: newuser _tacacs: not registered in
> > /usr/ports/infrastructure/db/user.list
> > Fatal error: can't continue
> >  at /usr/libdata/perl5/OpenBSD/PkgCreate.pm line 1675.
> > *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2026
> > '/usr/ports/packages/powerpc/all/tacacs+-4.0.4.28v0.tgz')
> > *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2487
> > '_internal-package')
> > *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2466
> > 'package')
> > *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2039
> > '/var/db/pkg/tacacs+-4.0.4.28v0/+CONTENTS')
> > *** Error 1 in /usr/ports/mystuff/net/tacacs+
> > (/usr/ports/infrastructure/mk/bsd.port.mk:2466
> > 'install')
> > 
> > .
> >
> > On Mon, 20 May 2019 at 21:56, Gleydson Soares wrote:
> > >
> > > Hi Jan,
> > >
> > > thank you for your effort on this port.
> > > i've pushed it to openbsd-wip at
> > > https://github.com/jasperla/openbsd-wip/tree/master/net/tacacs%2B
> > > it addresses the joint work of you and sthen@
> > >
> > > are you still ok regarding taking maintainership?
> > >
> > > i will give some extra tests and double review next days.
> > >
> > > Thank you,
> > > Gleydson.
> > >
> >
>
>
>



Re: NEW: Tacacs+ port - shrubbery.net version

2019-05-24 Thread Gleydson Soares
Try with the change below and Let us know if it works for you, 

Thank you 

sent from my mobile device

On Fri, May 24, 2019, at 7:43 AM, Gleydson Soares wrote:
> it requires the _tacacs user due to privdrop, so you need to uncomment the 
> following line:
> {x250} /usr/ports $ grep -rn tacacs /usr/ports/infrastructure/*
> /usr/ports/infrastructure/db/user.list:22:#511 _tacacs _tacacs net/tacacs+
> 
> i'm with limited internet access till tomorrow morning, i will take a look at 
> this port and diffs tomorrow 
> 
> 
> 
> On Fri, May 24, 2019, at 7:37 AM, Ampie Niemand wrote:
> > Hi, all.
> > 
> > Thanks for reviving this awesome service.
> > 
> > I'm failing at the last hurdle with both macppc and amd64:
> > 
> > ..
> > ..
> > ===> Building package for tacacs+-4.0.4.28v0
> > Create /usr/ports/packages/powerpc/all/tacacs+-4.0.4.28v0.tgz
> > Creating package tacacs+-4.0.4.28v0
> > Error: newgroup _tacacs: not registered in
> > /usr/ports/infrastructure/db/user.list
> > Error: newuser _tacacs: not registered in
> > /usr/ports/infrastructure/db/user.list
> > Fatal error: can't continue
> > at /usr/libdata/perl5/OpenBSD/PkgCreate.pm line 1675.
> > *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2026
> > '/usr/ports/packages/powerpc/all/tacacs+-4.0.4.28v0.tgz')
> > *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2487
> > '_internal-package')
> > *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2466
> > 'package')
> > *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2039
> > '/var/db/pkg/tacacs+-4.0.4.28v0/+CONTENTS')
> > *** Error 1 in /usr/ports/mystuff/net/tacacs+
> > (/usr/ports/infrastructure/mk/bsd.port.mk:2466
> > 'install')
> > 
> > .
> > 
> > On Mon, 20 May 2019 at 21:56, Gleydson Soares wrote:
> > >
> > > Hi Jan,
> > >
> > > thank you for your effort on this port.
> > > i've pushed it to openbsd-wip at
> > > https://github.com/jasperla/openbsd-wip/tree/master/net/tacacs%2B
> > > it addresses the joint work of you and sthen@
> > >
> > > are you still ok regarding taking maintainership?
> > >
> > > i will give some extra tests and double review next days.
> > >
> > > Thank you,
> > > Gleydson.
> > >
> >
> 
> 


Re: NEW: Tacacs+ port - shrubbery.net version

2019-05-24 Thread Gleydson Soares
it requires the _tacacs user due to privdrop, so you need to uncomment the 
following line:
{x250} /usr/ports $ grep -rn tacacs /usr/ports/infrastructure/*
/usr/ports/infrastructure/db/user.list:22:#511 _tacacs  _tacacs net/tacacs+

i'm with limited internet access till tomorrow morning, i will take a look at 
this port and diffs tomorrow 



On Fri, May 24, 2019, at 7:37 AM, Ampie Niemand wrote:
> Hi, all.
> 
> Thanks for reviving this awesome service.
> 
> I'm failing at the last hurdle with both macppc and amd64:
> 
> ..
> ..
> ===>  Building package for tacacs+-4.0.4.28v0
> Create /usr/ports/packages/powerpc/all/tacacs+-4.0.4.28v0.tgz
> Creating package tacacs+-4.0.4.28v0
> Error: newgroup _tacacs: not registered in
> /usr/ports/infrastructure/db/user.list
> Error: newuser _tacacs: not registered in
> /usr/ports/infrastructure/db/user.list
> Fatal error: can't continue
>  at /usr/libdata/perl5/OpenBSD/PkgCreate.pm line 1675.
> *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2026
> '/usr/ports/packages/powerpc/all/tacacs+-4.0.4.28v0.tgz')
> *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2487
> '_internal-package')
> *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2466
> 'package')
> *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2039
> '/var/db/pkg/tacacs+-4.0.4.28v0/+CONTENTS')
> *** Error 1 in /usr/ports/mystuff/net/tacacs+
> (/usr/ports/infrastructure/mk/bsd.port.mk:2466
> 'install')
> 
> .
> 
> On Mon, 20 May 2019 at 21:56, Gleydson Soares wrote:
> >
> > Hi Jan,
> >
> > thank you for your effort on this port.
> > i've pushed it to openbsd-wip at
> > https://github.com/jasperla/openbsd-wip/tree/master/net/tacacs%2B
> > it addresses the joint work of you and sthen@
> >
> > are you still ok regarding taking maintainership?
> >
> > i will give some extra tests and double review next days.
> >
> > Thank you,
> > Gleydson.
> >
>



Re: NEW: Tacacs+ port - shrubbery.net version

2019-05-24 Thread Ampie Niemand
Hi, all.

Thanks for reviving this awesome service.

I'm failing at the last hurdle with both macppc and amd64:

..
..
===>  Building package for tacacs+-4.0.4.28v0
Create /usr/ports/packages/powerpc/all/tacacs+-4.0.4.28v0.tgz
Creating package tacacs+-4.0.4.28v0
Error: newgroup _tacacs: not registered in
/usr/ports/infrastructure/db/user.list
Error: newuser _tacacs: not registered in
/usr/ports/infrastructure/db/user.list
Fatal error: can't continue
 at /usr/libdata/perl5/OpenBSD/PkgCreate.pm line 1675.
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2026
'/usr/ports/packages/powerpc/all/tacacs+-4.0.4.28v0.tgz')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2487
'_internal-package')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2466
'package')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2039
'/var/db/pkg/tacacs+-4.0.4.28v0/+CONTENTS')
*** Error 1 in /usr/ports/mystuff/net/tacacs+
(/usr/ports/infrastructure/mk/bsd.port.mk:2466
'install')

.

On Mon, 20 May 2019 at 21:56, Gleydson Soares wrote:
>
> Hi Jan,
>
> thank you for your effort on this port.
> i've pushed it to openbsd-wip at
> https://github.com/jasperla/openbsd-wip/tree/master/net/tacacs%2B
> it addresses the joint work of you and sthen@
>
> are you still ok regarding taking maintainership?
>
> i will give some extra tests and double review next days.
>
> Thank you,
> Gleydson.
>



Re: NEW: Tacacs+ port - shrubbery.net version

2019-05-23 Thread Pierre Emeriaud
> > It would also be nice to send patches upstream. Jan Vlach, what do you 
> > think?
>
> not sure there's an upstream at all:

fwiw, there is some faint activity at tac_p...@shrubbery.net, with
mostly John Heasley helping poor souls. Patches should be welcomed
here I guess.

many thanks for bringing tac_plus back :)



Re: NEW: Tacacs+ port - shrubbery.net version

2019-05-23 Thread Jan Vlach
Gleydson,

> Done.
> Thanks for the feedback, i'm pushing it to openbsd-wip.

is this the correct openbsd-wip? 
https://github.com/jasperla/openbsd-wip 

I don't see the changes sthen@ pointed out there ...

> PS.: I'm running it and it works just fine. It has a dozen Cisco Nexus 
> switches already connected. 
> privdrop (_tacacs) fine.
> 
> I will add some changes to example files provided by Jan Vlach, for pointing 
> out how to use tac_plus on the fly on OpenBSD (like features available with 
> and without privdrop / etc).


> 
> It would also be nice to send patches upstream. Jan Vlach, what do you think?

not sure there's an upstream at all:

lftp ftp.shrubbery.net:/pub/tac_plus> ls -l *28*
-r--r--r--  1 7053  wheel  530049 Jan  6  2015 tacacs-F4.0.4.28.tar.gz
-r--r--r--  1 7053  wheel 287 Apr  9  2018
tacacs-F4.0.4.28.tar.gz.sig



Re: NEW: Tacacs+ port - shrubbery.net version

2019-05-23 Thread Jan Vlach
Hi Gleydson, Stuart, ports,

I'm running tac_plus with 200+ boxes with IOS, IOS-XE and IOS-XR.

please see attached tgz for updated port.

- I've taken Gleydson's latest work from openbsd-wip (I don't see the
  unexec and/or doc/shared implemented in PLIST) *
- provided simplified tac_plus.conf.sample of stuff I have tested -
  logging in as full admins with level 15 and limited show users that I
use for scripting/metrics. I can't really vouch for the functionality of
dialup users etc. The full-blown config file example is still in the
manpage
- fixed typo in manpage for accounting to syslog - using `accounting
  syslog;` (including semicolon) does not work, but parser does not
complain. If I remove the semicolon, accounting info gets logged to
syslog as daemon.info (this was nasty :) ) 
- fixed paths for tac.acct, tac.log and tac.who - all of them go to
  /var/log/tac_plus directory that's owned by _tacacs:_tacacs
- ^ This fixes the case where you don't want to log into accounting file
  and want syslog accounting only (disabling accounting file directive
leads to tacacs complaining of permission denied with default path
of /var/log/tac.acct) Changing the default path to
/var/log/tac_plus/tac.acct and removing `accounting file = ...'
directive properly disables logging to this file. Go figure :)
- Updated paths in manpage (tac_plus.conf.5.in) as one is automatically
  substituted from configure variables, while the other is hardcoded.
- Added README file to remind administrator to rotate his/her files.

* I've tried to add the @extraunexec rm -rf /var/log/tac_plus/*, but I'm
not sure it works:

On package deletion pkg_delete complains that directory is not empty:
[20:07][root@samsara:/var/log]# pkg_delete tacacs+ 
tacacs+-4.0.4.28v0: ok
Read shared items: ok
--- -tacacs+-4.0.4.28v0 ---
You should also remove /etc/tac_plus.conf (which was modified)
You should also run rm -f /var/log/tac_plus/*
Error deleting directory /var/log/tac_plus: Directory not empty
You should also run /usr/sbin/userdel _tacacs
You should also run /usr/sbin/groupdel _tacacs

I'm sorry, I've wrestled, but I don't understand how the doc/examples 
directories work -
what needs to be done in pkg configure phase and what is done in PLIST?

Cluestick please?

I've tested the accounting part with py-tacacs_plus on -current, don't have a 
real
network box around at this time. (Gonna dogfood this tomorrow or next
week)

Could you please have a look if this is okay?

jvl

On Thu, May 23, 2019 at 11:34:23AM -0300, Gleydson Soares wrote:
> > Can you use the standard locations for doc/examples please rather
> > than /usr/local/share/tacacs?
> 
> Yep.
> 
> > Needs @extraunexec rm -f /var/log/tac_plus/* for pkg_delete -c.
> 
> Done.
> Thanks for the feedback, i'm pushing it to openbsd-wip.
> 
> PS.: I'm running it and it works just fine. It has a dozen Cisco Nexus 
> switches already connected. 
> privdrop (_tacacs) fine.
> 
> I will add some changes to example files provided by Jan Vlach, for pointing 
> out how to use tac_plus on the fly on OpenBSD (like features available with 
> and without privdrop / etc).
> 
> It would also be nice to send patches upstream. Jan Vlach, what do you think?
> 
> Cheers,
> 


tacacs+-20190523-2.tar.gz
Description: application/tar-gz


Re: NEW: Tacacs+ port - shrubbery.net version

2019-05-23 Thread Gleydson Soares
> Can you use the standard locations for doc/examples please rather
> than /usr/local/share/tacacs?

Yep.

> Needs @extraunexec rm -f /var/log/tac_plus/* for pkg_delete -c.

Done.
Thanks for the feedback, i'm pushing it to openbsd-wip.

PS.: I'm running it and it works just fine. It has a dozen Cisco Nexus switches 
already connected. 
privdrop (_tacacs) fine.

I will add some changes to example files provided by Jan Vlach, for pointing 
out how to use tac_plus on the fly on OpenBSD (like features available with and 
without privdrop / etc).

It would also be nice to send patches upstream. Jan Vlach, what do you think?

Cheers,



Re: NEW: Tacacs+ port - shrubbery.net version

2019-05-22 Thread Stuart Henderson
On 2019/05/20 16:55, Gleydson Soares wrote:
> Hi Jan,
> 
> thank you for your effort on this port.
> i've pushed it to openbsd-wip at
> https://github.com/jasperla/openbsd-wip/tree/master/net/tacacs%2B
> it addresses the joint work of you and sthen@
> 
> are you still ok regarding taking maintainership?
> 
> i will give some extra tests and double review next days.
> 
> Thank you,
> Gleydson.
> 

Can you use the standard locations for doc/examples please rather
than /usr/local/share/tacacs?

Needs @extraunexec rm -f /var/log/tac_plus/* for pkg_delete -c.



Re: NEW: Tacacs+ port - shrubbery.net version

2019-05-21 Thread Jan Vlach


Hi Gleydson,

thank you for getting in touch! I'm running it in production, so yes,
taking maintainer is ok.

I haven't tried to rebuild with 6.5 yet, that's on my TODO list though.

Could do that in next few days for both 6.5 and -current.

Thank you,
Jan

On Mon, May 20, 2019 at 04:55:33PM -0300, Gleydson Soares wrote:
> Hi Jan,
> 
> thank you for your effort on this port.
> i've pushed it to openbsd-wip at
> https://github.com/jasperla/openbsd-wip/tree/master/net/tacacs%2B
> it addresses the joint work of you and sthen@
> 
> are you still ok regarding taking maintainership?
> 
> i will give some extra tests and double review next days.
> 
> Thank you,
> Gleydson.
> 



Re: NEW: Tacacs+ port - shrubbery.net version

2019-05-20 Thread Gleydson Soares
Hi Jan,

thank you for your effort on this port.
i've pushed it to openbsd-wip at
https://github.com/jasperla/openbsd-wip/tree/master/net/tacacs%2B
it addresses the joint work of you and sthen@

are you still ok regarding taking maintainership?

i will give some extra tests and double review next days.

Thank you,
Gleydson.



Re: NEW: Tacacs+ port - shrubbery.net version

2018-10-30 Thread Jan Vlach
Hello Stuart,

thank you for fixing and feedback on the tacacs+ port.  I've learned a lot here.

Sorry for the late response, I was missing some commands in accounting log
and command denies were not enforced properly and I needed to find out
why. I was missing part of config on the catalyst side, so the port
works ok.

Re-tested:
  - acls 
  - password backend (running as root)
  - cleartext backend
  - bcrypt backend
  - command permit/deny

I've also tested this with HP5800 Series switch and both logging and
command enforcement work.

There's a minor typo in tac_plus.rc, there's slash missing after
${TRUEPREFIX}

--- tac_plus.rc.origThu Oct 25 14:21:34 2018
+++ tac_plus.rc Thu Oct 25 14:21:43 2018
@@ -2,7 +2,7 @@
 #
 # $OpenBSD$

-daemon="${TRUEPREFIX}sbin/tac_plus"
+daemon="${TRUEPREFIX}/sbin/tac_plus"
 daemon_flags="-C ${SYSCONFDIR}/tac_plus.conf -Q _tacacs -U _tacacs"

 . /etc/rc.d/rc.subr
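Review bot: the `+daemon=` line is the right fix as far as the hunk shows: ${TRUEPREFIX} carries no trailing slash, so the old `daemon="${TRUEPREFIX}sbin/tac_plus"` pointed at a path that does not exist (for the usual /usr/local that would be /usr/localsbin/tac_plus). Before committing, regenerate the diff: the `---` header has lost the tab between file name and timestamp (`tac_plus.rc.origThu Oct 25 ...`) and the blank context lines have lost their leading space, so patch(1) may not apply this copy cleanly.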
###

What is the case with:
${MODPY_BIN} ${MODPY_LIBDIR}/compileall.py ${PREFIX}/share/tacacs/do_auth.py ?

/usr/ports/infrastructure/bin/portcheck complained:

Python module without compiled version, consider using ${MODPY_BIN}
${MODPY_LIBDIR}/compileall.py: share/tacacs/do_auth.py

is this the case where packages don't provide compiled python by
default?

Would a more minimal config as sample make sense? (please see attachment:)

Thank you again,
Jan



> : daemon="/usr/local/sbin/tac_plus"
> 
> should use ${TRUEPREFIX}, see all other rc scripts in ports
> 
> : daemon_flags="-C /etc/tac_plus.conf -Q _tacacs -U _tacacs"
> 
> should use ${SYSCONFDIR}
> 
> : Before running tac_plus, a configuration file needs to be created.
> : Copy the provided ${PREFIX}/share/tacacs/tac_plus.conf.sample to
> : /etc/tac_plus.conf and modify as necessary.
> 
> should use @sample to copy the file, so it's registered in the package
> database (e.g. used by sysmerge -p, sysclean, pkg_delete -c) and you can
> set permissions/ownership appropriately.
> 
> editing the config file is expected, it doesn't really need a MESSAGE
> for this.
> 
> : encrypt(1) could be used to generate hashes for login = des $HASH
> : directives.
> 
> encrypt(1) doesn't generate des hashes, so by itself this adds confusion.
> I'd modify the sample config to explain it better and get rid of MESSAGE
> completely.
> 
> :# use `encrypt -p' to get blowfish hash (see: man encrypt(1))
> :# test123
> :login = des $2b$10$rhfyMY/VeB7Tm1nCy4hDpeJNcfI32EcEZBYZ1sy/qpQf5YhAahVqG
> 
>  # "login = des" actually uses the OS crypt() function, it is not really
>  # using DES encryption. On OpenBSD this uses bcrypt. See encrypt(1) to
>  # generate suitable hashes.
> 
> : ${MODPY_BIN} ${MODPY_LIBDIR}/compileall.py 
> ${PREFIX}/share/tacacs/do_auth.py
> 
> that's not needed here, but on the other hand the #! line does need fixing
> (MODPY_ADJ_FILES = do_auth.py) and it's not marked as executable.
> 
> : CONFIGURE_ENV = YACC="${LOCALBASE}/bin/bison -y"
> : YACC =  bison -y
> : 
> : pre-configure:
> : ln -sf ${LOCALBASE}/bin/bison ${WRKDIR}/bin/yacc
> 
> I think this whole lot can just be replaced by
> 
> CONFIGURE_ENV = YACC=bison
> 
> : COMMENT =   version of Cisco System's TACACS+ AAA service
> 
> "the name of Cisco Systems, Inc. not be used in advertising or publicity
> pertaining to distribution of the program without specific prior
> permission"
> 
> Other things, the old tacacs+ package version was tacacs+-4.0.4ap1
> which compares as "newer" than 4.0.4.28, so needs EPOCH.
> 
> Picks up libwrap if present at build time.
> 
> Some patch parts are no longer needed.
> 
> Simpler to just remove the built tac_pwd rather than do a more complex
> patch to an automake-generated Makefile.
> 
> Above are addressed in the tar attached, does that still work ok for you?
> 
> 


# $OpenBSD$

key = "your key here"
accounting file = /var/log/tac_plus/tac.acct
# authentication users not appearing elsewhere via
# the file /etc/passwd
# 
# passwd backend needs tac_plus running as root,
# `cleartext' and `des' backends can run as 
# _tacacs:_tacacs
# 


acl = management_networks_acl {
permit = ^192\.168\.50\.
deny = .*
}

acl = monitoring_acl {
permit = 192\.168\.10\.
deny = .*
}

# administrators with direct enable mode access
group = admin {
default service = permit
service = exec {
priv-lvl = 15
}

acl = management_networks_acl
}

# group for monitoring
group = monitoring {
default service = deny

service = exec {
priv-lvl = 15
}

# COMWARE example
cmd = display {
permit mac-address
deny .*
}

# IOS example
cmd = show {
permit version
deny .*
}

acl = monitoring_acl
}

user = fred {
# "login = des" actually uses the OS crypt() function, it is not really
# using DES encryption. On 
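
As an added illustration, not code from the port or from the thread's attachment, the following Python models how tac_plus evaluates a config like the sample above: acl and cmd regexes are tried in order and the first match wins, with the unanchored search that regexec(3) performs, and a command with no cmd block falls back to the group's `default service`. The config text is a constructed subset in the sample's style (the service/priv-lvl blocks are left out), and treating an argument string that matches no cmd regex as denied is an assumption made here.

```python
import re

# Constructed sample in the style of the thread's tac_plus.conf (acl / group /
# cmd directives only); it is not the attachment itself.
SAMPLE_CONF = r"""
acl = management_networks_acl {
    permit = ^192\.168\.50\.
    deny = .*
}
acl = monitoring_acl {
    permit = 192\.168\.10\.
    deny = .*
}
group = admin {
    default service = permit
    acl = management_networks_acl
}
group = monitoring {
    default service = deny
    cmd = show {
        permit version
        deny .*
    }
    acl = monitoring_acl
}
"""

BLOCK_RE = re.compile(r"^(acl|group|cmd)\s*=\s*(\S+)\s*\{$")
RULE_RE = re.compile(r"^(permit|deny)\s*=?\s*(.*)$")


def parse_conf(text):
    """Return (acls, groups): acls = {name: [(action, regex), ...]} and
    groups = {name: {"default service": ..., "acl": ..., "cmds": {cmd: rules}}}."""
    acls, groups = {}, {}
    stack = []  # (block kind, container being filled) for each open brace
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = BLOCK_RE.match(line)
        if m:
            kind, name = m.groups()
            if kind == "acl":
                stack.append((kind, acls.setdefault(name, [])))
            elif kind == "group":
                groups[name] = {"default service": "deny", "acl": None, "cmds": {}}
                stack.append((kind, groups[name]))
            else:  # cmd block, nested in the enclosing group
                stack.append((kind, stack[-1][1]["cmds"].setdefault(name, [])))
        elif line == "}":
            stack.pop()
        else:
            kind, cur = stack[-1]
            if kind in ("acl", "cmd"):  # "permit = <re>" in acl, "permit <re>" in cmd
                cur.append(RULE_RE.match(line).groups())
            else:  # group attributes: "default service = permit", "acl = <name>"
                key, _, value = line.partition("=")
                cur[key.strip()] = value.strip()
    return acls, groups


def first_match(rules, subject, unmatched):
    """Rules are tried in order and the first regex that matches decides;
    re.search mirrors the unanchored regexec(3) search tac_plus performs."""
    for action, regex in rules:
        if re.search(regex, subject):
            return action
    return unmatched


def nas_allowed(acls, groups, group_name, nas_ip):
    """Apply the group's acl (if it has one) to the NAS address."""
    acl_name = groups[group_name]["acl"]
    if acl_name is None:
        return True
    return first_match(acls[acl_name], nas_ip, "deny") == "permit"


def authorize_cmd(groups, group_name, command, args):
    """cmd regexes are matched against the space-joined argument string; a
    command with no cmd block falls back to the group's default service.
    Treating an unmatched argument string as denied is an assumption here."""
    group = groups[group_name]
    rules = group["cmds"].get(command)
    if rules is None:
        return group["default service"]
    return first_match(rules, " ".join(args), "deny")
```

Because the search is unanchored, the sample's `permit version` also permits `show ip interface brief | include version`; anchoring the regex (`^version$`) is the usual fix.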

Re: NEW: Tacacs+ port - shrubbery.net version

2018-10-25 Thread Stuart Henderson
On 2018/10/25 11:33, Jan Vlach wrote:
> Hi,
> 
> this is a NEW port of tacacs+ based on the version from people at
> shrubbery.net (as hinted in net/tacacs+ in attic)
> 
>   * I've patched out tac_pwd, so it is not being built. It just
> segfaults, can generate md5 and des passwords. encrypt(1) is better
> choice to get supported hash.
>
>   * Verified against real Catalyst 2960
>   * Verified with py-tacacs+ client (might send port later, if this one is 
> okay)
>   * _tacacs:_tacacs needs to get re-enabled in user.list
>   * init script runs it by default as _tacacs:tacacs
>   - that enables: cleartext, empty and crypt authenticators
> (blowfish passwords as generated by encrypt(1))
>   - system users could get verified too, but tac_plus needs to run
> as root then.
>   * build and run tested on i386 and amd64
>   * sample tac_plus.conf is provided, copied out from the manpage for now
>   
> Can you please look and provide feedback?
> 
> Thank you,
> Jan

: daemon="/usr/local/sbin/tac_plus"

should use ${TRUEPREFIX}, see all other rc scripts in ports

: daemon_flags="-C /etc/tac_plus.conf -Q _tacacs -U _tacacs"

should use ${SYSCONFDIR}

: Before running tac_plus, a configuration file needs to be created.
: Copy the provided ${PREFIX}/share/tacacs/tac_plus.conf.sample to
: /etc/tac_plus.conf and modify as necessary.

should use @sample to copy the file, so it's registered in the package
database (e.g. used by sysmerge -p, sysclean, pkg_delete -c) and you can
set permissions/ownership appropriately.

editing the config file is expected, it doesn't really need a MESSAGE
for this.

: encrypt(1) could be used to generate hashes for login = des $HASH
: directives.

encrypt(1) doesn't generate des hashes, so by itself this adds confusion.
I'd modify the sample config to explain it better and get rid of MESSAGE
completely.

:# use `encrypt -p' to get blowfish hash (see: man encrypt(1))
:# test123
:login = des $2b$10$rhfyMY/VeB7Tm1nCy4hDpeJNcfI32EcEZBYZ1sy/qpQf5YhAahVqG

 # "login = des" actually uses the OS crypt() function, it is not really
 # using DES encryption. On OpenBSD this uses bcrypt. See encrypt(1) to
 # generate suitable hashes.

: ${MODPY_BIN} ${MODPY_LIBDIR}/compileall.py 
${PREFIX}/share/tacacs/do_auth.py

that's not needed here, but on the other hand the #! line does need fixing
(MODPY_ADJ_FILES = do_auth.py) and it's not marked as executable.

: CONFIGURE_ENV = YACC="${LOCALBASE}/bin/bison -y"
: YACC =  bison -y
: 
: pre-configure:
: ln -sf ${LOCALBASE}/bin/bison ${WRKDIR}/bin/yacc

I think this whole lot can just be replaced by

CONFIGURE_ENV = YACC=bison

: COMMENT =   version of Cisco System's TACACS+ AAA service

"the name of Cisco Systems, Inc. not be used in advertising or publicity
pertaining to distribution of the program without specific prior
permission"

Other things, the old tacacs+ package version was tacacs+-4.0.4ap1
which compares as "newer" than 4.0.4.28, so needs EPOCH.

Picks up libwrap if present at build time.

Some patch parts are no longer needed.

Simpler to just remove the built tac_pwd rather than do a more complex
patch to an automake-generated Makefile.

Above are addressed in the tar attached, does that still work ok for you?




tacacs+.tgz,2
Description: Binary data


NEW: Tacacs+ port - shrubbery.net version

2018-10-25 Thread Jan Vlach
Hi,

this is a NEW port of tacacs+ based on the version from people at
shrubbery.net (as hinted in net/tacacs+ in attic)

  * I've patched out tac_pwd, so it is not being built. It just
segfaults, can generate md5 and des passwords. encrypt(1) is better
choice to get supported hash.
   
  * Verified against real Catalyst 2960
  * Verified with py-tacacs+ client (might send port later, if this one is okay)
  * _tacacs:_tacacs needs to get re-enabled in user.list
  * init script runs it by default as _tacacs:tacacs
  - that enables: cleartext, empty and crypt authenticators
(blowfish passwords as generated by encrypt(1))
  - system users could get verified too, but tac_plus needs to run
as root then.
  * build and run tested on i386 and amd64
  * sample tac_plus.conf is provided, copied out from the manpage for now
  
Can you please look and provide feedback?

Thank you,
Jan


tacacs+.tar.gz
Description: application/tar-gz