Hello Stuart, thank you for the fixes and feedback on the tacacs+ port. I've learned a lot here.
Sorry for the late response, I was missing some commands in the accounting log and command denies were not enforced properly, and I needed to find out why. I was missing part of the config on the Catalyst side, so the port works ok.

Re-tested:
- acls
- password backend (running as root)
- cleartext backend
- bcrypt backend
- command permit/deny

I've also tested this with an HP5800 Series switch and both logging and command enforcement work.

There's a minor typo in tac_plus.rc, there's a slash missing after ${TRUEPREFIX}:

--- tac_plus.rc.orig	Thu Oct 25 14:21:34 2018
+++ tac_plus.rc	Thu Oct 25 14:21:43 2018
@@ -2,7 +2,7 @@
 #
 # $OpenBSD$
 
-daemon="${TRUEPREFIX}sbin/tac_plus"
+daemon="${TRUEPREFIX}/sbin/tac_plus"
 daemon_flags="-C ${SYSCONFDIR}/tac_plus.conf -Q _tacacs -U _tacacs"
 
 . /etc/rc.d/rc.subr

### What is the case with:

${MODPY_BIN} ${MODPY_LIBDIR}/compileall.py ${PREFIX}/share/tacacs/do_auth.py

? /usr/ports/infrastructure/bin/portcheck complained:

Python module without compiled version, consider using ${MODPY_BIN} ${MODPY_LIBDIR}/compileall.py: share/tacacs/do_auth.py

Is this the case where packages don't provide compiled python by default?

Would a more minimal config as a sample make sense? (please see attachment)

Thank you again,
Jan

> : daemon="/usr/local/sbin/tac_plus"
>
> should use ${TRUEPREFIX}, see all other rc scripts in ports
>
> : daemon_flags="-C /etc/tac_plus.conf -Q _tacacs -U _tacacs"
>
> should use ${SYSCONFDIR}
>
> : Before running tac_plus, a configuration file needs to be created.
> : Copy the provided ${PREFIX}/share/tacacs/tac_plus.conf.sample to
> : /etc/tac_plus.conf and modify as necessary.
>
> should use @sample to copy the file, so it's registered in the package
> database (e.g. used by sysmerge -p, sysclean, pkg_delete -c) and you can
> set permissions/ownership appropriately.
>
> editing the config file is expected, it doesn't really need a MESSAGE
> for this.
>
> : encrypt(1) could be used to generate hashes for login = des $HASH
> : directives.
>
> encrypt(1) doesn't generate des hashes, so by itself this adds confusion.
> I'd modify the sample config to explain it better and get rid of MESSAGE
> completely.
>
> : # use `encrypt -p' to get blowfish hash (see: man encrypt(1))
> : # test123
> : login = des $2b$10$rhfyMY/VeB7Tm1nCy4hDpeJNcfI32EcEZBYZ1sy/qpQf5YhAahVqG
>
> # "login = des" actually uses the OS crypt() function, it is not really
> # using DES encryption. On OpenBSD this uses bcrypt. See encrypt(1) to
> # generate suitable hashes.
>
> : ${MODPY_BIN} ${MODPY_LIBDIR}/compileall.py
> ${PREFIX}/share/tacacs/do_auth.py
>
> that's not needed here, but on the other hand the #! line does need fixing
> (MODPY_ADJ_FILES = do_auth.py) and it's not marked as executable.
>
> : CONFIGURE_ENV = YACC="${LOCALBASE}/bin/bison -y"
> : YACC = bison -y
> :
> : pre-configure:
> : ln -sf ${LOCALBASE}/bin/bison ${WRKDIR}/bin/yacc
>
> I think this whole lot can just be replaced by
>
> CONFIGURE_ENV = YACC=bison
>
> : COMMENT = version of Cisco System's TACACS+ AAA service
>
> "the name of Cisco Systems, Inc. not be used in advertising or publicity
> pertaining to distribution of the program without specific prior
> permission"
>
> Other things, the old tacacs+ package version was tacacs+-4.0.4ap1
> which compares as "newer" than 4.0.4.28, so needs EPOCH.
>
> Picks up libwrap if present at build time.
>
> Some patch parts are no longer needed.
>
> Simpler to just remove the built tac_pwd rather than do a more complex
> patch to an automake-generated Makefile.
>
> Above are addressed in the tar attached, does that still work ok for you?
>
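Review bot: the tac_plus.rc hunk above fixes the path (without the slash, `${TRUEPREFIX}sbin/tac_plus` expands to a non-existent `/usr/localsbin/tac_plus` and rc never finds the daemon), but the context line `daemon_flags="-C ${SYSCONFDIR}/tac_plus.conf -Q _tacacs -U _tacacs"` makes dropping to _tacacs the default, while the sample config's `login = file /etc/passwd` backend is documented in that same sample as needing tac_plus to run as root. Suggest a comment in the sample config (or the rc script) saying that `-U _tacacs` has to be removed from daemon_flags in rc.conf.local if the passwd backend is used, so someone copying the sample does not pair an unprivileged daemon with a backend that cannot work that way.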
# $OpenBSD$

key = "your key here"

accounting file = /var/log/tac_plus/tac.acct

# authentication users not appearing elsewhere via
# the file /etc/passwd
#
# passwd backend needs tac_plus running as root,
# `cleartext' and `des' backends can run as
# _tacacs:_tacacs
#

acl = management_networks_acl {
	permit = ^192\.168\.50\.
	deny = .*
}

acl = monitoring_acl {
	# anchor the pattern to the start of the address, as above;
	# an unanchored regex is searched for anywhere in the string
	permit = ^192\.168\.10\.
	deny = .*
}

# administrators with direct enable mode access
group = admin {
	default service = permit
	service = exec {
		priv-lvl = 15
	}
	acl = management_networks_acl
}

# group for monitoring
group = monitoring {
	default service = deny
	service = exec {
		priv-lvl = 15
	}
	# COMWARE example
	cmd = display {
		permit mac-address
		deny .*
	}
	# IOS example
	cmd = show {
		permit version
		deny .*
	}
	acl = monitoring_acl
}

user = fred {
	# "login = des" actually uses the OS crypt() function, it is not really
	# using DES encryption. On OpenBSD this uses bcrypt. See encrypt(1) to
	# generate suitable hashes.
	# test123
	login = des $2b$10$rhfyMY/VeB7Tm1nCy4hDpeJNcfI32EcEZBYZ1sy/qpQf5YhAahVqG
	name = "Fred Flintstone"
	member = admin
}

user = wilma {
	login = cleartext test123
	name = "Wilma Flintstone"
	member = monitoring
}

# this would need tac_plus to run as root
user = homer {
	login = file /etc/passwd
	member = monitoring
}
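As an added illustration of why the `permit version` / `deny .*` rules in the monitoring group need care (this is not part of the attached sample config, the tacacs+ port, or tac_plus itself), here is a small Python model of tac_plus command authorization. It assumes tac_plus's documented behaviour: the first word of the command line is the command, the remaining words joined by spaces are the argument string, and the cmd block's permit/deny regexes are tried in order with an unanchored regexec(3)-style search, first match winning; a command with no cmd block gets the group's default service. The sample command lines are constructed, and CMD_RULES, CMD_RULES_ANCHORED and authorize() are hypothetical names chosen for the example.

```python
import re

# Constructed rule table mirroring the "monitoring" group's two cmd blocks
# in the sample config above (not tac_plus's own data structures).
CMD_RULES = {
    "display": [("permit", r"mac-address"), ("deny", r".*")],   # COMWARE
    "show":    [("permit", r"version"),     ("deny", r".*")],   # IOS
}

# Hardened variant: anchor each permit so only the exact argument string
# "version" / "mac-address" is allowed, not any argument string containing it.
CMD_RULES_ANCHORED = {
    "display": [("permit", r"^mac-address$"), ("deny", r".*")],
    "show":    [("permit", r"^version$"),     ("deny", r".*")],
}


def authorize(rules, cmdline, default_service="deny"):
    """Return 'permit' or 'deny' for one command line.

    Modelled on tac_plus (assumption, see lead-in): arguments after the
    command word are joined with single spaces, each rule's regex is
    searched for anywhere in that string (re.search, like regexec(3)),
    and the first matching rule decides. Commands without a cmd block
    fall back to the group's default service ("deny" for monitoring).
    """
    words = cmdline.split()
    if not words:
        return "deny"
    cmd, args = words[0], " ".join(words[1:])
    for action, pattern in rules.get(cmd, []):
        if re.search(pattern, args):
            return action
    return default_service


# Constructed sample command lines a monitoring user might send; the NAS is
# assumed to pass the "| include ..." filter words through as arguments.
SAMPLES = [
    "show version",
    "show running-config | include version",
    "show running-config",
    "display mac-address",
    "display current-configuration | include mac-address",
    "configure terminal",
]


def run(rules):
    """Map every sample command to its verdict under the given rule table."""
    return {c: authorize(rules, c) for c in SAMPLES}


if __name__ == "__main__":
    for name, rules in (("unanchored", CMD_RULES), ("anchored", CMD_RULES_ANCHORED)):
        print(name)
        for c, verdict in run(rules).items():
            print(f"  {verdict:6} {c}")
```

With the unanchored table, `show running-config | include version` is permitted because its argument string still contains "version", which is exactly the kind of enforcement gap a re-test like the one described above should look for; the anchored table denies it and still permits the plain `show version`. Commands with no cmd block (`configure terminal`) fall through to the group's `default service = deny` either way.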