Enables PAM for enable passwords in tac_plus, allows fallthrough to DEFAULT user for all(?) attributes, importantly login/enable (obviating the need for the PAM default authentication patch), and fixes a minor bug in aceclnt_fn which broke password authentication
diff -rup tacacs+-F4.0.4.27a/aceclnt_fn.c tacacs+-F4.0.4.27a-pamenable/aceclnt_fn.c | |
--- tacacs+-F4.0.4.27a/aceclnt_fn.c 2012-06-28 18:37:06.000000000 -0400 | |
+++ tacacs+-F4.0.4.27a-pamenable/aceclnt_fn.c 2014-04-25 13:30:03.272400618 -0400 | |
@@ -193,6 +193,7 @@ aceclnt_fn(struct authen_data *data) | |
return(1); | |
} | |
+ data->flags = TAC_PLUS_AUTHEN_FLAG_NOECHO; | |
snprintf(buf, ACEBUFSZ, "Enter PASSCODE: "); | |
data->server_msg = tac_strdup(buf); | |
data->status = TAC_PLUS_AUTHEN_STATUS_GETPASS; | |
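Review bot: The added `data->flags` assignment is the aceclnt_fn fix named in the description, yet it carries no comment, so a later reader cannot tell it from incidental state. It presumably sets the NOECHO reply flag so the client hides what the user types at the "Enter PASSCODE: " prompt built on the following line; suggest `/* NOECHO: the client must not echo the PASSCODE typed at this prompt */` above it. Note also that `=` replaces whatever `data->flags` already held rather than adding to it, which is only safe if no other reply flag is set earlier in aceclnt_fn; that function begins and ends outside the hunk.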
diff -rup tacacs+-F4.0.4.27a/config.c tacacs+-F4.0.4.27a-pamenable/config.c | |
--- tacacs+-F4.0.4.27a/config.c 2012-06-28 18:37:06.000000000 -0400 | |
+++ tacacs+-F4.0.4.27a-pamenable/config.c 2014-04-25 12:58:39.132949232 -0400 | |
@@ -1220,9 +1220,17 @@ parse_user(void) | |
user->enable = tac_strdup(sym_buf); | |
break; | |
#endif | |
+#ifdef HAVE_PAM | |
+ case S_pam: | |
+ user->enable = tac_strdup(sym_buf); | |
+ break; | |
+#endif | |
default: | |
parse_error("expecting 'file', 'cleartext', 'nopassword', " | |
+#ifdef HAVE_PAM | |
+ "'PAM', " | |
+#endif | |
#ifdef SKEY | |
"'skey', " | |
#endif | |
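Review bot: The new `S_pam` case and the `"'PAM', "` fragment of the parse_error message are guarded with `#ifdef HAVE_PAM`, whereas the prototype this patch removes from pwlib.c and the one it adds to tacacs.h use `#if HAVE_PAM`. The two forms agree only while HAVE_PAM is either undefined or defined to a non-zero value; a build that defines it to 0 would compile the PAM branches here and in enable() (the `# ifdef HAVE_PAM` block there) without any declaration of `pam_verify`. Use `#if HAVE_PAM`, the form pwlib.c and tacacs.h already use, for both blocks in this hunk and for the one in enable.c. parse_user starts before and ends after this hunk.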
@@ -1900,9 +1908,15 @@ cfg_get_value(char *name, int isuser, in | |
user = (USER *)hash_lookup(isuser ? usertable : grouptable, name); | |
if (!user) { | |
+ /* look up default user */ | |
+ user = (USER *)hash_lookup(isuser ? usertable : grouptable, "DEFAULT"); | |
+ if (!user) { | |
+ if (debug & DEBUG_CONFIG_FLAG) | |
+ report(LOG_DEBUG, "cfg_get_value: no user/group named %s", name); | |
+ return(value); | |
+ } | |
if (debug & DEBUG_CONFIG_FLAG) | |
- report(LOG_DEBUG, "cfg_get_value: no user/group named %s", name); | |
- return(value); | |
+ report(LOG_DEBUG, "cfg_get_value: falling back to DEFAULT for user/group named %s", name); | |
} | |
/* found the entry. Lookup value from attr=value */ | |
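Review bot: The added fallback looks in the same table the miss came from, so when `isuser` is 0 a missing group is silently replaced by a group named `DEFAULT`, although the description only speaks of a DEFAULT user. If a fallback group is not intended, restrict the second lookup to users: `user = isuser ? (USER *)hash_lookup(usertable, "DEFAULT") : NULL;`. As far as this hunk shows the fallback only triggers when no entry named `name` exists at all; what a defined entry that merely lacks the attribute resolves to is decided below, outside the hunk. Since the only trace of the substitution is a message behind DEBUG_CONFIG_FLAG, a comment at the new lookup such as `/* any name absent from the table, including misspelled ones, now inherits every attribute of DEFAULT (enable secret included) */` would make the operational consequence visible to whoever maintains the configuration.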
diff -rup tacacs+-F4.0.4.27a/enable.c tacacs+-F4.0.4.27a-pamenable/enable.c | |
--- tacacs+-F4.0.4.27a/enable.c 2012-03-27 14:40:57.000000000 -0400 | |
+++ tacacs+-F4.0.4.27a-pamenable/enable.c 2014-04-25 12:00:31.374560811 -0400 | |
@@ -53,6 +53,16 @@ enable(char *passwd, struct authen_data | |
/* if the user has a user-specific enable password, check it */ | |
cfg_passwd = cfg_get_enable_secret(username, TAC_PLUS_RECURSE); | |
if (cfg_passwd != NULL) { | |
+# ifdef HAVE_PAM | |
+ if (strcmp(cfg_passwd, "PAM") == 0) { | |
+ if (!pam_verify(username, passwd)) | |
+ goto FAIL; | |
+ data->status = TAC_PLUS_AUTHEN_STATUS_PASS; | |
+ exp_date = cfg_get_expires(username, TAC_PLUS_RECURSE); | |
+ set_expiration_status(exp_date, data); | |
+ goto SUCCESS; | |
+ } | |
+# endif | |
if ((verify_pwd(username, passwd, data, cfg_passwd))) { | |
exp_date = cfg_get_expires(username, TAC_PLUS_RECURSE); | |
set_expiration_status(exp_date, data); | |
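Review bot: The PAM branch repeats the success handling of the `verify_pwd` path directly below it (the expiry lookup and `set_expiration_status`) but additionally sets `data->status = TAC_PLUS_AUTHEN_STATUS_PASS` itself; if `set_expiration_status`, which receives `data`, already decides the status, that line is redundant, and if it does not, the two paths now report success differently, so they should be made to agree. The branch also relies on labels `FAIL` and `SUCCESS` in enable() and on `pam_verify` accepting `passwd` exactly as enable() received it, possibly empty; the function body and the `verify_pwd` failure path are outside the hunk, so confirm both. A comment at the `strcmp` would document the new semantics for administrators, e.g. `/* enable = PAM: the enable secret is verified through PAM instead of a stored value */`.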
diff -rup tacacs+-F4.0.4.27a/pwlib.c tacacs+-F4.0.4.27a-pamenable/pwlib.c | |
--- tacacs+-F4.0.4.27a/pwlib.c 2013-08-04 11:56:50.000000000 -0400 | |
+++ tacacs+-F4.0.4.27a-pamenable/pwlib.c 2014-04-25 12:58:39.134949201 -0400 | |
@@ -49,9 +49,6 @@ static int pam_tacacs(int, const struct | |
*/ | |
static int etc_passwd_file_verify(char *, char *, struct authen_data *); | |
static int des_verify(char *, char *); | |
-#if HAVE_PAM | |
-static int pam_verify(char *, char *); | |
-#endif | |
static int passwd_file_verify(char *, char *, struct authen_data *, char *); | |
extern char *progname; | |
@@ -595,7 +592,7 @@ fail: | |
* verify a provided user/password via PAM. | |
* return 1 if verified, 0 otherwise. | |
*/ | |
-static int | |
+int | |
pam_verify(char *user, char *passwd) | |
{ | |
int err; | |
diff -rup tacacs+-F4.0.4.27a/tacacs.h tacacs+-F4.0.4.27a-pamenable/tacacs.h | |
--- tacacs+-F4.0.4.27a/tacacs.h 2013-08-04 11:56:50.000000000 -0400 | |
+++ tacacs+-F4.0.4.27a-pamenable/tacacs.h 2014-04-25 10:39:11.218500002 -0400 | |
@@ -482,6 +482,9 @@ extern struct passwd *tac_passwd_lookup( | |
void set_expiration_status(char *, struct authen_data *); | |
int verify(char *, char *, struct authen_data *, int); | |
int verify_pwd(char *, char *, struct authen_data *, char *); | |
+#if HAVE_PAM | |
+int pam_verify(char *, char *); | |
+#endif | |
int aceclnt_fn(struct authen_data *data); | |
int default_v0_fn(struct authen_data *data); |