Re: NEW: Tacacs+ port - shrubbery.net version


Re: NEW: Tacacs+ port - shrubbery.net version

Gleydson Soares-2
Hi Jan,

thank you for your effort on this port.
I've pushed it to openbsd-wip at
https://github.com/jasperla/openbsd-wip/tree/master/net/tacacs%2B
it addresses the joint work of you and sthen@

are you still ok regarding taking maintainership?

I will give it some extra tests and a double review in the next days.

Thank you,
Gleydson.


Re: NEW: Tacacs+ port - shrubbery.net version

janus

Hi Gleydson,

thank you for getting in touch! I'm running it in production, so yes,
taking maintainership is OK.

I haven't tried to rebuild with 6.5 yet, that's on my TODO list though.

Could do that in the next few days for both 6.5 and -current.

Thank you,
Jan

On Mon, May 20, 2019 at 04:55:33PM -0300, Gleydson Soares wrote:

> Hi Jan,
>
> thank you for your effort on this port.
> I've pushed it to openbsd-wip at
> https://github.com/jasperla/openbsd-wip/tree/master/net/tacacs%2B
> it addresses the joint work of you and sthen@
>
> are you still ok regarding taking maintainership?
>
> I will give it some extra tests and a double review in the next days.
>
> Thank you,
> Gleydson.
>


Re: NEW: Tacacs+ port - shrubbery.net version

Stuart Henderson-6
On 2019/05/20 16:55, Gleydson Soares wrote:

> Hi Jan,
>
> thank you for your effort on this port.
> I've pushed it to openbsd-wip at
> https://github.com/jasperla/openbsd-wip/tree/master/net/tacacs%2B
> it addresses the joint work of you and sthen@
>
> are you still ok regarding taking maintainership?
>
> I will give it some extra tests and a double review in the next days.
>
> Thank you,
> Gleydson.
>

Can you use the standard locations for doc/examples please rather
than /usr/local/share/tacacs?

Needs @extraunexec rm -f /var/log/tac_plus/* for pkg_delete -c.


Re: NEW: Tacacs+ port - shrubbery.net version

Gleydson Soares-2
> Can you use the standard locations for doc/examples please rather
> than /usr/local/share/tacacs?

Yep.

> Needs @extraunexec rm -f /var/log/tac_plus/* for pkg_delete -c.

Done.
Thanks for the feedback, I'm pushing it to openbsd-wip.

PS: I'm running it and it works just fine. It has a dozen Cisco Nexus switches already connected.
privdrop (_tacacs) fine.

I will add some changes to the example files provided by Jan Vlach, pointing out how to use tac_plus on the fly on OpenBSD (like features available with and without privdrop, etc.).

Also, it should be nice to send patches upstream. Jan Vlach, what do you think about it?

Cheers,


Re: NEW: Tacacs+ port - shrubbery.net version

janus
Hi Gleydson, Stuart, ports,

I'm running tac_plus with 200+ boxes with IOS, IOS-XE and IOS-XR.

Please see the attached tgz for the updated port.

- I've taken Gleydson's latest work from openbsd-wip (I don't see the
  unexec and/or doc/shared implemented in PLIST) *
- provided simplified tac_plus.conf.sample of stuff I have tested -
  logging in as full admins with level 15 and limited show users that I
use for scripting/metrics. I can't really vouch for the functionality of
dialup users etc. The full-blown config file example is still in the
manpage
- fixed typo in manpage for accounting to syslog - using `accounting
  syslog;` (including semicolon) does not work, but parser does not
complain. If I remove the semicolon, accounting info gets logged to
syslog as daemon.info (this was nasty :) )
- fixed paths for tac.acct, tac.log and tac.who - all of them go to
  /var/log/tac_plus directory that's owned by _tacacs:_tacacs
- ^ This fixes the case where you don't want to log into accounting file
  and want syslog accounting only (disabling accounting file directive
leads to tacacs complaining of permission denied with default path
of /var/log/tac.acct) Changing the default path to
/var/log/tac_plus/tac.acct and removing `accounting file = ...'
directive properly disables logging to this file. Go figure :)
- Updated paths in manpage (tac_plus.conf.5.in) as one is automatically
  substituted from configure variables, while the other is hardcoded.
- Added README file to remind administrator to rotate his/her files.

* I've tried to add the @extraunexec rm -rf /var/log/tac_plus/*, but I'm
not sure it works:

On package deletion pkg_delete complains that directory is not empty:
[20:07][root@samsara:/var/log]# pkg_delete tacacs+
tacacs+-4.0.4.28v0: ok
Read shared items: ok
--- -tacacs+-4.0.4.28v0 -------------------
You should also remove /etc/tac_plus.conf (which was modified)
You should also run rm -f /var/log/tac_plus/*
Error deleting directory /var/log/tac_plus: Directory not empty
You should also run /usr/sbin/userdel _tacacs
You should also run /usr/sbin/groupdel _tacacs

I'm sorry, I've wrestled, but I don't understand how the doc/examples directories work -
what needs to be done in pkg configure phase and what is done in PLIST?

Cluestick please?

I've tested the accounting part with py-tacacs_plus on -current, don't have a real
network box around at this time. (Gonna dogfood this tomorrow or next
week)

Could you please have a look if this is okay?

jvl

On Thu, May 23, 2019 at 11:34:23AM -0300, Gleydson Soares wrote:

> > Can you use the standard locations for doc/examples please rather
> > than /usr/local/share/tacacs?
>
> Yep.
>
> > Needs @extraunexec rm -f /var/log/tac_plus/* for pkg_delete -c.
>
> Done.
> Thanks for the feedback, I'm pushing it to openbsd-wip.
>
> PS: I'm running it and it works just fine. It has a dozen Cisco Nexus switches already connected.
> privdrop (_tacacs) fine.
>
> I will add some changes to the example files provided by Jan Vlach, pointing out how to use tac_plus on the fly on OpenBSD (like features available with and without privdrop, etc.).
>
> Also, it should be nice to send patches upstream. Jan Vlach, what do you think about it?
>
> Cheers,
>

Attachment: tacacs+-20190523-2.tar.gz (4K)
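A constructed tac_plus.conf that puts the points from the message above together: syslog accounting without the trailing semicolon, log paths under /var/log/tac_plus, a level-15 admin group and a show-only group for scripting. It is an added example, not the port's tac_plus.conf.sample; the shared key, user names and password hashes are placeholders, and the directive syntax follows tac_plus.conf(5) of the shrubbery.net tac_plus.

```conf
# Constructed example tac_plus.conf for the OpenBSD tacacs+ port.
# Paths follow the port (/var/log/tac_plus is owned by _tacacs);
# the key, user names and password hashes are placeholders.

# Shared secret between the network devices and tac_plus.
key = "REPLACE-WITH-A-LONG-RANDOM-SECRET"

# Accounting to syslog. The manpage typo noted in the thread is the
# trailing ';': "accounting syslog;" is accepted by the parser but no
# accounting reaches syslog. The working form has no semicolon.
accounting syslog

# Optional file accounting. With the port's default path under
# /var/log/tac_plus this line can simply be removed for syslog-only
# accounting; with the old /var/log/tac.acct default, removing it
# led to "permission denied" instead.
accounting file = /var/log/tac_plus/tac.acct

# Full administrators: exec shell at privilege level 15.
group = admins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# Read-only accounts for scripting/metrics: level 1 exec, "show" only.
# Anything not listed under cmd is denied (deny is the default).
group = readonly {
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}

# Placeholder DES hashes; generate real ones with tac_pwd(8).
user = alice {
    member = admins
    login = des "PLACEHOLDER-DES-HASH"
}

user = metrics {
    member = readonly
    login = des "PLACEHOLDER-DES-HASH"
}
```

After editing, confirm accounting records actually arrive (the thread's point is that the broken form fails silently): with the semicolon present, a test login produces no daemon.info accounting line in syslog.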

Re: NEW: Tacacs+ port - shrubbery.net version

janus
Gleydson,

> Done.
> Thanks for the feedback, i'm pushing it to openbsd-wip.

Is this the correct openbsd-wip?
https://github.com/jasperla/openbsd-wip

I don't see the changes sthen@ pointed out there ...

> PS: I'm running it and it works just fine. It has a dozen Cisco Nexus switches already connected.
> privdrop (_tacacs) fine.
>
> I will add some changes to the example files provided by Jan Vlach, pointing out how to use tac_plus on the fly on OpenBSD (like features available with and without privdrop, etc.).
>
> Also, it should be nice to send patches upstream. Jan Vlach, what do you think about it?

not sure there's an upstream at all:

lftp ftp.shrubbery.net:/pub/tac_plus> ls -l *28*
-r--r--r--  1 7053  wheel  530049 Jan  6  2015 tacacs-F4.0.4.28.tar.gz
-r--r--r--  1 7053  wheel     287 Apr  9  2018 tacacs-F4.0.4.28.tar.gz.sig


Re: NEW: Tacacs+ port - shrubbery.net version

Pierre Emeriaud
> > Also, it should be nice to send patches upstream. Jan Vlach, what do you think about it?
>
> not sure there's an upstream at all:

fwiw, there is some faint activity at [hidden email], with
mostly John Heasley helping poor souls. Patches should be welcomed
here I guess.

many thanks for bringing tac_plus back :)


Re: NEW: Tacacs+ port - shrubbery.net version

Ampie Niemand
Hi, all.

Thanks for reviving this awesome service.

I'm failing at the last hurdle with both macppc and amd64:

......
......
===>  Building package for tacacs+-4.0.4.28v0
Create /usr/ports/packages/powerpc/all/tacacs+-4.0.4.28v0.tgz
Creating package tacacs+-4.0.4.28v0
Error: newgroup _tacacs: not registered in
/usr/ports/infrastructure/db/user.list
Error: newuser _tacacs: not registered in
/usr/ports/infrastructure/db/user.list
Fatal error: can't continue
 at /usr/libdata/perl5/OpenBSD/PkgCreate.pm line 1675.
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2026
'/usr/ports/packages/powerpc/all/tacacs+-4.0.4.28v0.tgz')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2487
'_internal-package')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2466
'package')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2039
'/var/db/pkg/tacacs+-4.0.4.28v0/+CONTENTS')
*** Error 1 in /usr/ports/mystuff/net/tacacs+
(/usr/ports/infrastructure/mk/bsd.port.mk:2466
'install')
....
.....

On Mon, 20 May 2019 at 21:56, Gleydson Soares <[hidden email]> wrote:

>
> Hi Jan,
>
> thank you for your effort on this port.
> I've pushed it to openbsd-wip at
> https://github.com/jasperla/openbsd-wip/tree/master/net/tacacs%2B
> it addresses the joint work of you and sthen@
>
> are you still ok regarding taking maintainership?
>
> I will give it some extra tests and a double review in the next days.
>
> Thank you,
> Gleydson.
>


Re: NEW: Tacacs+ port - shrubbery.net version

Gleydson Soares-2
It requires the _tacacs user due to privdrop, so you need to uncomment the following line:
{x250} /usr/ports $ grep -rn tacacs /usr/ports/infrastructure/*
/usr/ports/infrastructure/db/user.list:22:#511 _tacacs          _tacacs         net/tacacs+

I'm with limited internet access till tomorrow morning; I will take a look at this port and the diffs tomorrow.



On Fri, May 24, 2019, at 7:37 AM, Ampie Niemand wrote:

> Hi, all.
>
> Thanks for reviving this awesome service.
>
> I'm failing at the last hurdle with both macppc and amd64:
>
> ......
> ......
> ===>  Building package for tacacs+-4.0.4.28v0
> Create /usr/ports/packages/powerpc/all/tacacs+-4.0.4.28v0.tgz
> Creating package tacacs+-4.0.4.28v0
> Error: newgroup _tacacs: not registered in
> /usr/ports/infrastructure/db/user.list
> Error: newuser _tacacs: not registered in
> /usr/ports/infrastructure/db/user.list
> Fatal error: can't continue
>  at /usr/libdata/perl5/OpenBSD/PkgCreate.pm line 1675.
> *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2026
> '/usr/ports/packages/powerpc/all/tacacs+-4.0.4.28v0.tgz')
> *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2487
> '_internal-package')
> *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2466
> 'package')
> *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2039
> '/var/db/pkg/tacacs+-4.0.4.28v0/+CONTENTS')
> *** Error 1 in /usr/ports/mystuff/net/tacacs+
> (/usr/ports/infrastructure/mk/bsd.port.mk:2466
> 'install')
> ....
> .....
>
> On Mon, 20 May 2019 at 21:56, Gleydson Soares <[hidden email]> wrote:
> >
> > Hi Jan,
> >
> > thank you for your effort on this port.
> > I've pushed it to openbsd-wip at
> > https://github.com/jasperla/openbsd-wip/tree/master/net/tacacs%2B
> > it addresses the joint work of you and sthen@
> >
> > are you still ok regarding taking maintainership?
> >
> > I will give it some extra tests and a double review in the next days.
> >
> > Thank you,
> > Gleydson.
> >
>


Re: NEW: Tacacs+ port - shrubbery.net version

Gleydson Soares-2
Try with the change below and let us know if it works for you.

Thank you

sent from my mobile device

On Fri, May 24, 2019, at 7:43 AM, Gleydson Soares wrote:

> It requires the _tacacs user due to privdrop, so you need to uncomment the following line:
> {x250} /usr/ports $ grep -rn tacacs /usr/ports/infrastructure/*
> /usr/ports/infrastructure/db/user.list:22:#511 _tacacs _tacacs net/tacacs+
>
> I'm with limited internet access till tomorrow morning; I will take a look at this port and the diffs tomorrow.
>
>
>
> On Fri, May 24, 2019, at 7:37 AM, Ampie Niemand wrote:
> > Hi, all.
> >
> > Thanks for reviving this awesome service.
> >
> > I'm failing at the last hurdle with both macppc and amd64:
> >
> > ......
> > ......
> > ===> Building package for tacacs+-4.0.4.28v0
> > Create /usr/ports/packages/powerpc/all/tacacs+-4.0.4.28v0.tgz
> > Creating package tacacs+-4.0.4.28v0
> > Error: newgroup _tacacs: not registered in
> > /usr/ports/infrastructure/db/user.list
> > Error: newuser _tacacs: not registered in
> > /usr/ports/infrastructure/db/user.list
> > Fatal error: can't continue
> > at /usr/libdata/perl5/OpenBSD/PkgCreate.pm line 1675.
> > *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2026
> > '/usr/ports/packages/powerpc/all/tacacs+-4.0.4.28v0.tgz')
> > *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2487
> > '_internal-package')
> > *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2466
> > 'package')
> > *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2039
> > '/var/db/pkg/tacacs+-4.0.4.28v0/+CONTENTS')
> > *** Error 1 in /usr/ports/mystuff/net/tacacs+
> > (/usr/ports/infrastructure/mk/bsd.port.mk:2466
> > 'install')
> > ....
> > .....
> >
> > On Mon, 20 May 2019 at 21:56, Gleydson Soares <[hidden email]> wrote:
> > >
> > > Hi Jan,
> > >
> > > thank you for your effort on this port.
> > > I've pushed it to openbsd-wip at
> > > https://github.com/jasperla/openbsd-wip/tree/master/net/tacacs%2B
> > > it addresses the joint work of you and sthen@
> > >
> > > are you still ok regarding taking maintainership?
> > >
> > > I will give it some extra tests and a double review in the next days.
> > >
> > > Thank you,
> > > Gleydson.
> > >
> >
>
>

Re: NEW: Tacacs+ port - shrubbery.net version

Ampie Niemand
This does the trick and installs perfectly on macppc, will test i386
and amd64 when I get home.

My thoughts are that because all the TACACS+ ports were obsolete after
6.2, the _tacacs user was sort of "deauthorized" in the infrastructure
userlist.
Reading the error message properly this time it confirms 100% what you
said so that even I can understand it. :-D

Thanks, this is amazing.

Regards
Ampie


On Fri, 24 May 2019 at 13:37, Gleydson Soares <[hidden email]> wrote:

>
> Try with the change below and let us know if it works for you.
>
> Thank you
>
> sent from my mobile device
>
> On Fri, May 24, 2019, at 7:43 AM, Gleydson Soares wrote:
>
> It requires the _tacacs user due to privdrop, so you need to uncomment the following line:
> {x250} /usr/ports $ grep -rn tacacs /usr/ports/infrastructure/*
> /usr/ports/infrastructure/db/user.list:22:#511 _tacacs          _tacacs         net/tacacs+
>
> I'm with limited internet access till tomorrow morning; I will take a look at this port and the diffs tomorrow.
>
>
>
> On Fri, May 24, 2019, at 7:37 AM, Ampie Niemand wrote:
> > Hi, all.
> >
> > Thanks for reviving this awesome service.
> >
> > I'm failing at the last hurdle with both macppc and amd64:
> >
> > ......
> > ......
> > ===>  Building package for tacacs+-4.0.4.28v0
> > Create /usr/ports/packages/powerpc/all/tacacs+-4.0.4.28v0.tgz
> > Creating package tacacs+-4.0.4.28v0
> > Error: newgroup _tacacs: not registered in
> > /usr/ports/infrastructure/db/user.list
> > Error: newuser _tacacs: not registered in
> > /usr/ports/infrastructure/db/user.list
> > Fatal error: can't continue
> >  at /usr/libdata/perl5/OpenBSD/PkgCreate.pm line 1675.
> > *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2026
> > '/usr/ports/packages/powerpc/all/tacacs+-4.0.4.28v0.tgz')
> > *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2487
> > '_internal-package')
> > *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2466
> > 'package')
> > *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2039
> > '/var/db/pkg/tacacs+-4.0.4.28v0/+CONTENTS')
> > *** Error 1 in /usr/ports/mystuff/net/tacacs+
> > (/usr/ports/infrastructure/mk/bsd.port.mk:2466
> > 'install')
> > ....
> > .....
> >
> > On Mon, 20 May 2019 at 21:56, Gleydson Soares <[hidden email]> wrote:
> > >
> > > Hi Jan,
> > >
> > > thank you for your effort on this port.
> > > I've pushed it to openbsd-wip at
> > > https://github.com/jasperla/openbsd-wip/tree/master/net/tacacs%2B
> > > it addresses the joint work of you and sthen@
> > >
> > > are you still ok regarding taking maintainership?
> > >
> > > I will give it some extra tests and a double review in the next days.
> > >
> > > Thank you,
> > > Gleydson.
> > >
> >
>
>
>


Re: NEW: Tacacs+ port - shrubbery.net version

janus
Hi,

tac_plus compiles and runs fine on octeon too. (Edge Router Lite,
-current)

Tested slightly with py_tacacs_plus.
Encrypted and cleartext logins work, and authentication both to syslog
and dedicated file.

jvl


On Fri, May 24, 2019 at 01:49:29PM +0200, Ampie Niemand wrote:

> This does the trick and installs perfectly on macppc, will test i386
> and amd64 when I get home.
>
> My thoughts are that because all the TACACS+ ports were obsolete after
> 6.2, the _tacacs user was sort of "deauthorized" in the infrastructure
> userlist.
> Reading the error message properly this time it confirms 100% what you
> said so that even I can understand it. :-D
>
> Thanks, this is amazing.
>
> Regards
> Ampie
>
>


Re: NEW: Tacacs+ port - shrubbery.net version

Stuart Henderson
On 2019/05/23 20:09, Jan Vlach wrote:

> Hi Gleydson, Stuart, ports,
>
> I'm running tac_plus with 200+ boxes with IOS, IOS-XE and IOS-XR.
>
> Please see the attached tgz for the updated port.
>
> - I've taken Gleydson's latest work from openbsd-wip (I don't see the
>   unexec and/or doc/shared implemented in PLIST) *
> - provided simplified tac_plus.conf.sample of stuff I have tested -
>   logging in as full admins with level 15 and limited show users that I
> use for scripting/metrics. I can't really vouch for the functionality of
> dialup users etc. The full-blown config file example is still in the
> manpage
> - fixed typo in manpage for accounting to syslog - using `accounting
>   syslog;` (including semicolon) does not work, but parser does not
> complain. If I remove the semicolon, accounting info gets logged to
> syslog as daemon.info (this was nasty :) )
> - fixed paths for tac.acct, tac.log and tac.who - all of them go to
>   /var/log/tac_plus directory that's owned by _tacacs:_tacacs
> - ^ This fixes the case where you don't want to log into accounting file
>   and want syslog accounting only (disabling accounting file directive
> leads to tacacs complaining of permission denied with default path
> of /var/log/tac.acct) Changing the default path to
> /var/log/tac_plus/tac.acct and removing `accounting file = ...'
> directive properly disables logging to this file. Go figure :)
> - Updated paths in manpage (tac_plus.conf.5.in) as one is automatically
>   substituted from configure variables, while the other is hardcoded.
> - Added README file to remind administrator to rotate his/her files.
>
> * I've tried to add the @extraunexec rm -rf /var/log/tac_plus/*, but I'm
> not sure it works:
>
> On package deletion pkg_delete complains that directory is not empty:
> [20:07][root@samsara:/var/log]# pkg_delete tacacs+
> tacacs+-4.0.4.28v0: ok
> Read shared items: ok
> --- -tacacs+-4.0.4.28v0 -------------------
> You should also remove /etc/tac_plus.conf (which was modified)
> You should also run rm -f /var/log/tac_plus/*
> Error deleting directory /var/log/tac_plus: Directory not empty
> You should also run /usr/sbin/userdel _tacacs
> You should also run /usr/sbin/groupdel _tacacs
>
> I'm sorry, I've wrestled, but I don't understand how the doc/examples directories work -
> what needs to be done in pkg configure phase and what is done in PLIST?
>
> Cluestick please?
>
> I've tested the accounting part with py-tacacs_plus on -current, don't have a real
> network box around at this time. (Gonna dogfood this tomorrow or next
> week)
>
> Could you please have a look if this is okay?
>
> jvl
>
> On Thu, May 23, 2019 at 11:34:23AM -0300, Gleydson Soares wrote:
> > > Can you use the standard locations for doc/examples please rather
> > > than /usr/local/share/tacacs?
> >
> > Yep.
> >
> > > Needs @extraunexec rm -f /var/log/tac_plus/* for pkg_delete -c.
> >
> > Done.
> > Thanks for the feedback, I'm pushing it to openbsd-wip.
> >
> > PS: I'm running it and it works just fine. It has a dozen Cisco Nexus switches already connected.
> > privdrop (_tacacs) fine.
> >
> > I will add some changes to the example files provided by Jan Vlach, pointing out how to use tac_plus on the fly on OpenBSD (like features available with and without privdrop, etc.).
> >
> > Also, it should be nice to send patches upstream. Jan Vlach, what do you think about it?
> >
> > Cheers,
> >


Slightly tweaked version attached, this one's ok with me:

- https homepage
- PERMIT_*_CDROM is not used for new ports
- whitespace nit in Makefile
- tweak comment in patch
- place @extraunexec above the @sample line, that way pkg_delete -c doesn't
complain about a missing dir. (pkg_delete without -c will complain about
not being able to remove the dir, that is no problem).
- regen plist to include pkg-readme
- adjust pkg-readme to set uid/gid on the files
- change group ownership of log dir to wheel, easier for admins


Attachment: tacacs+,3.tgz (4K)

Re: NEW: Tacacs+ port - shrubbery.net version

Gleydson Soares-2
Hi sthen,

> Slightly tweaked version attached, this one's ok with me:
>
> - https homepage
> - PERMIT_*_CDROM is not used for new ports
> - whitespace nit in Makefile
> - tweak comment in patch
> - place @extraunexec above the @sample line, that way pkg_delete -c doesn't
> complain about a missing dir. (pkg_delete without -c will complain about
> not being able to remove the dir, that is no problem).
> - regen plist to include pkg-readme
> - adjust pkg-readme to set uid/gid on the files
> - change group ownership of log dir to wheel, easier for admins

thanks for the review, gonna commit this one.