-
Notifications
You must be signed in to change notification settings - Fork 0
/
CHANGES
461 lines (362 loc) · 16.9 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
Changes from Release 0.0 to release 0.1
---------------------------------------
You must now say "default attribute = permit" instead of
default authorization = permit" when configuring service
defaults
You must now say "default svc = permit" instead of "default
authorization = permit" when configuring service defaults for a user.
When authorizing enable requests, the daemon used to prompt for a
username which it then ignored. It no longer prompts for a username.
Fix recursion issues with service and command lookups. They are now
fully recursive c.f. password lookups.
Add debugging output to password verification to provide information
about expiry processing.
Keep track of longest hash chain we create, for fine tuning. Hash all
keywords into a keyword table instead of doing linear lookup.
Update users_guide to reflect the new configuration syntax.
The convert.pl script now generates the new configuration file syntax.
Accounting code now honours the "more" flag.
Changes from Release 0.1 to release 0.2
---------------------------------------
You can now send a SIGHUP to the daemon to cause it to reinitialize
itself and re-read its CONFIG file. There is a new debugging flag
devoted to this section of the code.
Node types are now pretty-printed in debug output.
The conversion script "convert.pl" now will not print out an expires
field if it doesn't think the syntax of the field is correct. It also
now ignores blank lines in its input files.
When doing authorization, the NAS supplied attribute "cmd=" is now
correctly ignored. This would previously have caused exec
authorization to be denied.
Changes from Release 0.2 to release 0.3
---------------------------------------
Warn when not invoked as uid 0.
Improved Usage message
Add make install target
Changes from Release 0.3 to release 0.4
---------------------------------------
Add TAC_PLUS_PIDFILE to makefile per Andy Linton's suggestion.
Fix bug in authorization code (protocol field needs to be
uppercase) which prevented authorization from working.
Changes from Release 0.4 to release 0.5
---------------------------------------
Add pre and post authorization calls to shell commands.
Minor bugfixes and code cleanup
The "More" bit in accounting records is now honoured.
Fix a bug in convert.pl
Redo accounting output routines. You can now name the accounting file
in the configuration file.
Change "svc" to "service" and "proto" to "protocol".
You can use any string to name a ppp protocol, even one which doesn't yet exist.
Add PPP/LCP special case processing
Revised authorization algorithm (see user's guide)
Add hex debug flag to allow skipping hex in packet dumps.
Update user's guide to reflect changes
Changes from Release 0.4 to release 1.0
---------------------------------------
Changed format of syslog messages to make writing scripts easier
Added ability to use cleartext passwords instead of DES passwords
Updated man page to reflect the fact that we use SIGUSR1 to re-read
the config file. SIGHUP is now ignored.
Updated the users guide.
Changes from Release 1.0 to release 1.1
---------------------------------------
Release 1.1 corresponds to RCS version 1.64 of tac_plus
(see tac_plus -v)
A typo in the Solaris section of the Makefile has been fixed.
The keyword 'des' has been introduced which must be used before all
des encrypted passwords.
The keyword 'password' has been changed to 'login', so
password = f23sac783n
has become
login = des f23sac783n
The convert.pl script knows about these changes.
arap and chap now require the keyword 'cleartext' in front of their
passwords.
A cleartext, per-user, global password can now be configured, which
works for login, arap and chap.
The users_guide has been updated to include a list of all A/V pairs
recognised by IOS 10.3(3) code.
Some solaris binaries have been provided as a courtesy.
Changes from Release 1.1 to release 2.0
---------------------------------------
generate_password.pl has been removed in favour of a C program
generate_passwd.c
The version number reported by tac_plus has been changed to agree with the
release number. This is why the version has jumped to 2.0
skey was broken by changes made in 1.1. These are now fixed.
Documentation has been added for the authorization AV pairs supported
by IOS releases 10.3(3) and 11.0.
Changes from Release 2.0 to release 2.1
---------------------------------------
There are now Makefile definitions for most of the major platforms.
Minor changes to remove some spurious debugging output.
A prematurely closed NAS connection will now call the authentication
function with the abort flag set, so that it can do any clean up it
requires.
syslog messages will contain the string "unknown" for usernames and
ports which are NULL, so that the messages always contain a fixed
number of fields.
The authentication code has been rearranged to better reflect the
structure of the API.
The "default user = permit" directive is still accepted but is now
deprecated in favour of "default authorization = permit".
A bug in the handling of substring AV pairs which caused the attribute
"addr" to erroneously match "addr-pool" has been fixed.
Added new files: enable.c generate_passwd.c skey_fn.c
New #defines have been added to make it easier to port tacacs+ to new
systems.
Many more iterations are allowed before an error is declared.
Changes from Release 2.1 to release 2.2
---------------------------------------
The expiry field in the shadow file on Solaris machines is now
honored, if it exists.
Added TAC_PLUS_AUTHEN_SVC_NASI
Changes from Release 2.2 to release F3.0.13
-------------------------------------------
NEW REVISION OF THE PROTOCOL corresponding to tacacs+.spec.v1.63.ps
(which see) to increase security in the case of compromised keys.
Inbound pap logins and outbound pap password are now configurable as
separate entries for each principal. Inbound pap logins are now
declared by using a "pap = " configuration directive. Outbound PAP is
now configured using "opap =".
Substantial code rearrangement of authentication routines.
Cleartext passwords can be up to 255 characters in length (previously
only the first 8 characters were used).
default service = permit is now fully recursive and now allows you to
say default service = deny in case you belong to a group where the
default is to permit.
Include backward compatibility with old revision of the protocol
(prior to v1.63).
post_authorization scripts are now invoked for command authorization.
Better sanity checking of authorization and accounting packets.
The API has changed slightly. All character string fields in the
identity structure are now allocated from the heap and can be up to
255 bytes long (instead of being character arrays of 32 and 64 bytes,
as specified in the API document revision 1.30 or earlier).
Double quotes can now appear inside strings if they are escaped with a
backslash.
Added code which limits the number of simultaneous sessions a user can
have (see MAXSESS in the user's guide).
The accounting "more" bit is gone (It was deprecated from the spec).
Hooks are now in so that if you have DES code, you can do ARAP more
securely, per the new protocol.
The packet read/write routines now handle exceptions more gracefully.
Lots of stuff added to the user's guide.
If you use a port number other than the default, the pidfile has the
port number appended to it, in case you are running multiple daemons.
We also now remove the pidfile when the daemon terminates via SIGTERM.
user = DEFAULT has been added, deprecating "default authorization =
permit". See the user's guide.
Arbitrary service types can now be configured in the config file.
REARMSIGNAL has been added for those systems which install one-shot
signal handlers which need to be rearmed after use (LINUX, HPUX).
A \n can now be embedded within strings.
Concede defeat. Allow SIGHUP as synonym for SIGUSR1.
Avoid symbol buffer overflow by checking the maximum length of a
string or token.
Make peer DNS lookup on incoming connections optional.
Do not close socket when servicing a SIGHUP
Fix a bad bug where service/cmd declarations which were not contiguous
were parsed but ignored (reported by Gabor Kiss).
Patch maxsessions to not count the current port on a different
NAS. Add various other fixes to maxsession code.
Add timeout to finger read routine.
Changes from release F3.0.13 to F4.0.1
-------------------------------------------
Added MSCHAP routines
CSCdi37706 exposed a bug in command authorization on the daemon.
Change assemble_args so it returns "" if there are no command
arguments.
Changes from release F4.0.1 to F4.0.2
-------------------------------------------
Fix fseek problem in maxsess code
Changes from release F4.0.2 to F4.0.3
-------------------------------------------
Add option for wtmp file logging in accounting
Added -DGLIBC for Linux.
Support PAP with des encrypted passwords
Support a return code of 3 for external authorization scripts
Changes from release F4.0.3 to F4.0.4
-------------------------------------------
merge F4.0.4 changes from disaster.com
F4.0.4.1
- {log,pid}file permissions fixes - partically from ian freislich
- add bind address (-B) option - partically from ian freislich
- fix pidfile removal on exit
F4.0.4.2
- partial autoconf setup - much more to be done
- compile option IGN_HUP (ignore HUP signal) is history
- rename generated_password -> tac_pwd and add manpage
- rename tac_plus.1 -> tac_plus.8
- add tac_plus.confg.5
- add -h option to display usage info
F4.0.4.3
- comment out the unnecessary lex and yacc tests from autoconf
F4.0.4.4
- added more autoconf stuff
- fix-up tac_plus.8 manpage - still need to do autoconf-time option
replacement
- fix-up tac_plus.conf manpage - incomplete
- fix-up tac_plus help message
- whitespace and formatting nits
- port host clause (minus type keyword) from devrim seral's tac_plus v9
(http://www.gazi.edu.tr/tacacs/) at user request
- changed user-specific enable password handling such that it if one
is specified for the user, the daemon does not check the host-specific
or global enable password.
- make TACPLUS_ACCTFILE, TACPLUS_PIDFILE, and TACPLUS_LOGFILE autoconf
knobs filling in pathsl.h and appopriate bits in manpages
- separated the frequently asked questions portion of the user_guide
into the file FAQ
- OR successive -d (debug) options
- fix md5 for LP64
F4.0.4.5
- use C99 stdint.h for int types
- linux's libwrap needs libnsl
- variable index in md5.c conflicts with index()
F4.0.4.6
- fix a few compiler warnings
- add -e and -h options to tac_pwd
- include crypt.h if it exists (solaris)
- make configure options --with-{user,group}id work
F4.0.4.7
- make configure option --with-skey work
- raise a few logs from INFO to NOTICE, to allow syslogd filtering of
some rather noisey logs
- add ACL checking for authorization, for the case where tacacs is only
used for authorization.
F4.0.4.8
- if -B is used, add the bind address in the PID filename - from
Ian Dickinson
- "acl" is an AV pair for service exec. Within service attribute
parsing, do not parse "acl" as the acl (or connection ACL) keyword.
This is a hack; the parser is rather lame - noted by Bryce Kahle
- fix md4 for LP64
- do not accept skey keywords unless compiled with skey support
- fix skey enable password type - bit from Ed Ravin
- skey prompt ("challenge") is "S/Key challenge", not "Password"
- make "daemon" the default syslog facility and add a syslog config
statement
- add support for user authentication via PAM
F4.0.4.9
- clean-up bogus nopasswd_str protoypes that gcc4 did not like
F4.0.4.10
- Fix PAM for linux, which does not offer PAM_AUTHOK for pam_set_item()
and requires a pam_conv function even with PAM_SILENT - reported and
tested by Stefan Oettl
F4.0.4.11
- Fix OS X and build problems and do not prototype errno - from
Georg Schwarz
F4.0.4.12
- Fix typo in usage message - from Georg Schwarz
- Various tac_plus.conf.5 fixes - from Georg Schwarz
- escape the escape backslash of the ACL examples - from Georg Schwarz
- Fix a LP64 bug where VALUE (union v) consisting of pointer was
intialized like an int - reported by brad dreisbach
F4.0.4.13
- Rename convert.pl to tac_convert and install it
- install users_guide
F4.0.4.14
- Add notes about PAM to the user guide and tac_plus.conf(5)
- Log login failures with the username, NAS address and NAS tty -
requested by Andi Bauer
- ACLs were not applied through the default authentication
(ie: user=DEFAULT) path - reported by Robert Lister
F4.0.4.15
- Check data lengths in debugging functions - reported by Antonin
Vitecek
- Fix syslog facility selection - from Timo Vanoni & Josef Voggesser
- Add -G/foreground option
- Deal with missing socklen_t
F4.0.4.16
- Few innocuous changes from or inspired by FreeBSD ports
- Deal with max-session finger format difference in a way that does not
require knowing which IOS is being fingered.
- The header encryption field is really a flags field which includes
a single-session option (which we'd like to support)
- Check return of write() for interrupts when writing arguments to
external scripts.
- -G was not remaining in foreground - From Nathan Schrenk
- Do not attempt to remove the pidfile if the pidfilebuf was truncated
or we could not open the file.
- Add 'accounting syslog;' configuration knob - mostly from Mark Ellzey
Thomas
- Notes about PAM - from Aaron Scarisbrick
- Allow PAM debug message with tac_plus password debugging option - from
Aaron Scarisbrick
- Allow \'s within quoted words in tac_plus.conf - from Jesse Zbikowski
- Allow 'file' <password_spec> for host and user enable - part from
Jeff Gehlbach via Daniel Schmidt
- Fix possible buffer overflow for arap - noted by Oren Nechushtan
F4.0.4.17
- Move REARMSIGNAL definition to autoconf
- Move REAPCHILD definition to autoconf and check if SIG_IGN works
- Move SIGCHLD handling to apply to all daemon personalities - partly
from John Payne
F4.0.4.18
- Fix missing printf argument in debug output
- Add "enable = nopassword" to users, groups and hosts.
F4.0.4.19
- offer $ip to before/after authorization scripts
- wtmp and accounting files do not need to be mutually exclusive
- add authorization script example - from Daniel Schmidt
- add partial support for single-connection mode
- convert select()s to poll()s
F4.0.4.20
- remove stupid error message about running as root
- Drop the private regex library in favor of libc's. A system w/o a
regex is one I dont care about.
- finally remove config parsing for 'default authorization = permit'
- apply ACLs to pap, chap, arap and ms-chap authentication too
- change accounting log time format to match syslog
- do_auth.py fix from Daniel Schmidt
- import fdes from David G. Koontz (1991) for ARAP/MSCHAP_DES
- move MSCHAP define to autoconf; --enable-mschap
- use the fdes code for ARAP_DES and MSCHAP_DES. NOTE: I have no way to
test this. lmk if it does not work.
- increase NAC address array size. affects the format of the tacacs
wholog file (TACPLUS_WHOLOGFILE); existing file should be removed.
- add comments to tac_plus.conf.5 about cipher algorithms in
password_spec
- do_auth.py - Fixed reression, Support for replacing av pairs - from
Daniel Schmidt
F4.0.4.21
- do_auth.py - better Nexus support, better AV replacement, and only
send roles to Nexus - from Daniel Schmidt
- fix bug in checking the return value of regexec() for login and enable
ACLs.
- do_auth.py - better Nexus support, better AV replacement, and only
F4.0.4.22
- check of regexec() return value inverted - from Ignas Kazlauskas
F4.0.4.23
- fix build on netbsd
- update PAM includes for OSX - YiJia Zhang
F4.0.4.24
- allow PAM for pap authentication - Jeroen Nijhof
- replace home-grown vprintf in report() with vsnprintf - Robert Swiecki
- dont use report in signal handler, since report uses syslog which uses
malloc - Robert Swiecki
- use volatile sig_atomic_t 'reinitialize' variable - Robert Swiecki
- use snprintf in get_authen_continue() and send_authen_error() and
check return - Robert Swiecki
- make snprintf buffers of get_authen_continue() and send_authen_error()
at least NI_MAXHOST bytes - Robert Swiecki
F4.0.4.25
- add -m (md5) option to tac_pwd. XXX could use better salt generation
- use random() in tac_pwd if available and generate 4 bytes of salt for
md5.
- sprintf -> snprintf - Robert Swiecki
- more pkt size checking in acct.c, authen.c, author.c - Robert Swiecki
- free(pak) in start_session() not in account(), for consistency
F4.0.4.26
- add optional securid support via aceclient library - Matt Addison
- use localtime instead of gmtime for log messages so that the timezone
is inheritted.
- allow file authentication for PAP authorization
F4.0.4.27a
- add "port" to clarify log messages of default_fn.c
- use program name (filename) instead of hard-coded "tac_plus" for
name given to PAM
- change socket binding to allow an IPv6 address with the -B argument
- bind v4 and v6 sockets if system claims its has addresses for the AFs