On 2018/10/25 11:33, Jan Vlach wrote:
> Hi,
>
> this is NEW port of tacacs+ based on the version from people at
> shrubbery.net (as hinted in net/tacacs+ in attic)
>
> * I've patched out tac_pwd, so it is not being built. It just
>   segfaults, can generate md5 and des passwords. encrypt(1) is better
>   choice to get supported hash.
>
> * Verified against real Catalyst 2960
> * Verified with py-tacacs+ client (might send port later, if this one is
>   okay)
> * _tacacs:_tacacs needs to get re-enabled in user.list
> * init script runs it by default as _tacacs:tacacs
>   - that enables: cleartext, empty and crypt authenticators
>     (blowfish passwords as generated by encrypt(1)
>   - system users could get verified too, but tac_plus needs to run
>     as root then.
> * build and run tested on i386 and amd64
> * sample tac_plus.conf is provided, copied out from the manpage for now
>
> Can you please look and provide feedback?
>
> Thank you,
> Jan

: daemon="/usr/local/sbin/tac_plus"

should use ${TRUEPREFIX}, see all other rc scripts in ports

: daemon_flags="-C /etc/tac_plus.conf -Q _tacacs -U _tacacs"

should use ${SYSCONFDIR}

: Before running tac_plus, a configuration file needs to be created.
: Copy the provided ${PREFIX}/share/tacacs/tac_plus.conf.sample to
: /etc/tac_plus.conf and modify as necessary.

should use @sample to copy the file, so it's registered in the package
database (e.g. used by sysmerge -p, sysclean, pkg_delete -c) and you can
set permissions/ownership appropriately. editing the config file is
expected, it doesn't really need a MESSAGE for this.

: encrypt(1) could be used to generate hashes for login = des $HASH
: directives.

encrypt(1) doesn't generate des hashes, so by itself this adds
confusion. I'd modify the sample config to explain it better and get rid
of MESSAGE completely.

: # use `encrypt -p' to get blowfish hash (see: man encrypt(1))
: # test123
: login = des $2b$10$rhfyMY/VeB7Tm1nCy4hDpeJNcfI32EcEZBYZ1sy/qpQf5YhAahVqG

# "login = des" actually uses the OS crypt() function, it is not really
# using DES encryption. On OpenBSD this uses bcrypt. See encrypt(1) to
# generate suitable hashes.

: ${MODPY_BIN} ${MODPY_LIBDIR}/compileall.py ${PREFIX}/share/tacacs/do_auth.py

that's not needed here, but on the other hand the #! line does need
fixing (MODPY_ADJ_FILES = do_auth.py) and it's not marked as executable.

: CONFIGURE_ENV = YACC="${LOCALBASE}/bin/bison -y"
: YACC = bison -y
:
: pre-configure:
:     ln -sf ${LOCALBASE}/bin/bison ${WRKDIR}/bin/yacc

I think this whole lot can just be replaced by CONFIGURE_ENV = YACC=bison

: COMMENT = version of Cisco System's TACACS+ AAA service

"the name of Cisco Systems, Inc. not be used in advertising or publicity
pertaining to distribution of the program without specific prior
permission"

Other things,

the old tacacs+ package version was tacacs+-4.0.4ap1 which compares as
"newer" than 4.0.4.28, so needs EPOCH.

Picks up libwrap if present at build time.

Some patch parts are no longer needed.

Simpler to just remove the built tac_pwd rather than do a more complex
patch to an automake-generated Makefile.

Above are addressed in the tar attached, does that still work ok for you?