Create a gist now

Instantly share code, notes, and snippets.

@ragzilla /pamenable.patch
Created Apr 25, 2014

Download ZIP
Enables PAM for enable passwords in tac_plus, allows fallthrough to DEFAULT user for all(?) attributes, importantly login/enable (obviating the need for the PAM default authentication patch), and fixes a minor bug in aceclnt_fn which broke password authentication
Raw
pamenable.patch
diff -rup tacacs+-F4.0.4.27a/aceclnt_fn.c tacacs+-F4.0.4.27a-pamenable/aceclnt_fn.c
--- tacacs+-F4.0.4.27a/aceclnt_fn.c 2012-06-28 18:37:06.000000000 -0400
+++ tacacs+-F4.0.4.27a-pamenable/aceclnt_fn.c 2014-04-25 13:30:03.272400618 -0400
@@ -193,6 +193,7 @@ aceclnt_fn(struct authen_data *data)
return(1);
}
+ data->flags = TAC_PLUS_AUTHEN_FLAG_NOECHO;
snprintf(buf, ACEBUFSZ, "Enter PASSCODE: ");
data->server_msg = tac_strdup(buf);
data->status = TAC_PLUS_AUTHEN_STATUS_GETPASS;
diff -rup tacacs+-F4.0.4.27a/config.c tacacs+-F4.0.4.27a-pamenable/config.c
--- tacacs+-F4.0.4.27a/config.c 2012-06-28 18:37:06.000000000 -0400
+++ tacacs+-F4.0.4.27a-pamenable/config.c 2014-04-25 12:58:39.132949232 -0400
@@ -1220,9 +1220,17 @@ parse_user(void)
user->enable = tac_strdup(sym_buf);
break;
#endif
+#ifdef HAVE_PAM
+ case S_pam:
+ user->enable = tac_strdup(sym_buf);
+ break;
+#endif
default:
parse_error("expecting 'file', 'cleartext', 'nopassword', "
+#ifdef HAVE_PAM
+ "'PAM', "
+#endif
#ifdef SKEY
"'skey', "
#endif
@@ -1900,9 +1908,15 @@ cfg_get_value(char *name, int isuser, in
user = (USER *)hash_lookup(isuser ? usertable : grouptable, name);
if (!user) {
+ /* look up default user */
+ user = (USER *)hash_lookup(isuser ? usertable : grouptable, "DEFAULT");
+ if (!user) {
+ if (debug & DEBUG_CONFIG_FLAG)
+ report(LOG_DEBUG, "cfg_get_value: no user/group named %s", name);
+ return(value);
+ }
if (debug & DEBUG_CONFIG_FLAG)
- report(LOG_DEBUG, "cfg_get_value: no user/group named %s", name);
- return(value);
+ report(LOG_DEBUG, "cfg_get_value: falling back to DEFAULT for user/group named %s", name);
}
/* found the entry. Lookup value from attr=value */
diff -rup tacacs+-F4.0.4.27a/enable.c tacacs+-F4.0.4.27a-pamenable/enable.c
--- tacacs+-F4.0.4.27a/enable.c 2012-03-27 14:40:57.000000000 -0400
+++ tacacs+-F4.0.4.27a-pamenable/enable.c 2014-04-25 12:00:31.374560811 -0400
@@ -53,6 +53,16 @@ enable(char *passwd, struct authen_data
/* if the user has a user-specific enable password, check it */
cfg_passwd = cfg_get_enable_secret(username, TAC_PLUS_RECURSE);
if (cfg_passwd != NULL) {
+# ifdef HAVE_PAM
+ if (strcmp(cfg_passwd, "PAM") == 0) {
+ if (!pam_verify(username, passwd))
+ goto FAIL;
+ data->status = TAC_PLUS_AUTHEN_STATUS_PASS;
+ exp_date = cfg_get_expires(username, TAC_PLUS_RECURSE);
+ set_expiration_status(exp_date, data);
+ goto SUCCESS;
+ }
+# endif
if ((verify_pwd(username, passwd, data, cfg_passwd))) {
exp_date = cfg_get_expires(username, TAC_PLUS_RECURSE);
set_expiration_status(exp_date, data);
diff -rup tacacs+-F4.0.4.27a/pwlib.c tacacs+-F4.0.4.27a-pamenable/pwlib.c
--- tacacs+-F4.0.4.27a/pwlib.c 2013-08-04 11:56:50.000000000 -0400
+++ tacacs+-F4.0.4.27a-pamenable/pwlib.c 2014-04-25 12:58:39.134949201 -0400
@@ -49,9 +49,6 @@ static int pam_tacacs(int, const struct
*/
static int etc_passwd_file_verify(char *, char *, struct authen_data *);
static int des_verify(char *, char *);
-#if HAVE_PAM
-static int pam_verify(char *, char *);
-#endif
static int passwd_file_verify(char *, char *, struct authen_data *, char *);
extern char *progname;
@@ -595,7 +592,7 @@ fail:
* verify a provided user/password via PAM.
* return 1 if verified, 0 otherwise.
*/
-static int
+int
pam_verify(char *user, char *passwd)
{
int err;
diff -rup tacacs+-F4.0.4.27a/tacacs.h tacacs+-F4.0.4.27a-pamenable/tacacs.h
--- tacacs+-F4.0.4.27a/tacacs.h 2013-08-04 11:56:50.000000000 -0400
+++ tacacs+-F4.0.4.27a-pamenable/tacacs.h 2014-04-25 10:39:11.218500002 -0400
@@ -482,6 +482,9 @@ extern struct passwd *tac_passwd_lookup(
void set_expiration_status(char *, struct authen_data *);
int verify(char *, char *, struct authen_data *, int);
int verify_pwd(char *, char *, struct authen_data *, char *);
+#if HAVE_PAM
+int pam_verify(char *, char *);
+#endif
int aceclnt_fn(struct authen_data *data);
int default_v0_fn(struct authen_data *data);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment