Wed Nov 30 23:47:29 2011 UTC ()
Tacacs+ (or tac_plus) is a freely distributable daemon from Cisco Systems.
It is used in conjunction with Cisco routers for authorization, authentication,
and accounting services. Tac_plus is configured via a single configuration
file.
This particular version is derived from the original Cisco sources and is
maintained by Shrubbery Networks, Inc.
Status:
Vendor Tag: TNF
Release Tags: pkgsrc-base
(pettai)
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/DESCR
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/distinfo
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/PLIST
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/options.mk
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/Makefile
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/patches/patch-ag
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/patches/patch-ah
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/patches/patch-ak
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/patches/patch-al
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/patches/patch-am
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/patches/patch-aj
Tacacs+ (or tac_plus) is a freely distributable daemon from Cisco Systems.
It is used in conjunction with Cisco routers for authorization, authentication,
and accounting services. Tac_plus is configured via a single configuration
file.
This particular version is derived from the original Cisco sources and is
maintained by Shrubbery Networks, Inc.
$NetBSD: distinfo,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
SHA1 (tacacs+-F4.0.4.20.tar.gz) = 233d3762357c8e59ec217102af53f2e7430300d7
RMD160 (tacacs+-F4.0.4.20.tar.gz) = 6fc4f05c1ec963b4a9c6c2881fde12a0258eb359
Size (tacacs+-F4.0.4.20.tar.gz) = 477649 bytes
SHA1 (patch-ag) = f0cad7741f8127668d9c2929dcb74e0ed96d0db2
SHA1 (patch-ah) = 2b09d7e67b865e26b37322ebfd7a76c44a8bce30
SHA1 (patch-aj) = 618c6ff411502bd32af40e9f48c6e2f7ec55e996
SHA1 (patch-ak) = df059f82a38fb394b726ee46fa87aa0ea04681c3
SHA1 (patch-al) = 85e964f23aa228f3d1debf0f407d5d8857ff2bcf
SHA1 (patch-am) = 880e3821a335e2605beb03dc145b3cd9a020fb2f
@comment $NetBSD: PLIST,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
lib/libtacacs.la
man/man5/tac_plus.conf.5
man/man8/tac_plus.8
man/man8/tac_pwd.8
sbin/tac_convert
sbin/tac_plus
sbin/tac_pwd
share/doc/tacacs/users_guide
# $NetBSD: options.mk,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
PKG_OPTIONS_VAR= PKG_OPTIONS.tacacs-shrubbery
PKG_SUPPORTED_OPTIONS= tacacs-shrubbery-acls-support tacacs-shrubbery-drop-root-privileges tcpwrappers skey
PKG_SUGGESTED_OPTIONS= tacacs-shrubbery-acls-support tcpwrappers skey
.include "../../mk/bsd.options.mk"
.if !empty(PKG_OPTIONS:Mtacacs-shrubbery-acls-support)
CONFIGURE_ARGS+= --enable-acls
.else
CONFIGURE_ARGS+= --disable-acls
.endif
.if !empty(PKG_OPTIONS:Mtacacs-shrubbery-drop-root-privileges)
# tac_plus code requires numeric UID, GID
DEFAULT_TACACS_USER!= ${ID} -u nobody
DEFAULT_TACACS_GROUP!= ${ID} -g nobody
TACACS_USER?= ${DEFAULT_TACACS_USER}
TACACS_GROUP?= ${DEFAULT_TACACS_GROUP}
PKG_USERS= ${TACACS_USER}:${TACACS_GROUP}
PKG_GROUPS= ${TACACS_GROUP}
CONFIGURE_ARGS+= --with-userid=${TACACS_USER:Q}
CONFIGURE_ARGS+= --with-groupid=${TACACS_GROUP:Q}
.endif
.if !empty(PKG_OPTIONS:Mtcpwrappers)
CONFIGURE_ARGS+= --with-libwrap=${BUILDLINK_PREFIX.tcp_wrappers}
. include "../../security/tcp_wrappers/buildlink3.mk"
.else
CONFIGURE_ARGS+= --without-libwrap
.endif
.if !empty(PKG_OPTIONS:Mskey)
CONFIGURE_ARGS+= --with-skey=${BUILDLINK_PREFIX.skey}
. include "../../security/skey/buildlink3.mk"
. if (defined(IS_BUILTIN.skey) && ${IS_BUILTIN.skey} == no ) || ${OPSYS} == "OpenBSD"
# pkgsrc's version uses three arguments only, as does OpenBSD's
CPPFLAGS+= -DOLDSKEY
. endif
.else
CONFIGURE_ARGS+= --without-skey
.endif
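Review bot: Privilege dropping is opt-in here: `tacacs-shrubbery-drop-root-privileges` is in PKG_SUPPORTED_OPTIONS but not in PKG_SUGGESTED_OPTIONS, so a default build configures tac_plus, a network-facing AAA daemon, without `--with-userid`/`--with-groupid`. The daemon then presumably keeps the privileges it was started with, so consider adding the option to the suggested set. When the option is enabled, the defaults resolve to the shared `nobody` account via `${ID} -u nobody` and `${ID} -g nobody`. A dedicated unprivileged user and group would keep the daemon separate from other services that run as nobody. It is also worth confirming that PKG_USERS and PKG_GROUPS accept the numeric IDs these variables hold.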
# $NetBSD: Makefile,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
#
DISTNAME= tacacs+-F4.0.4.20
PKGNAME= ${DISTNAME:S,-F,-,}
CATEGORIES= net security
MASTER_SITES= ftp://ftp.shrubbery.net/pub/tac_plus/
MAINTAINER= schwarz@NetBSD.org
HOMEPAGE= http://www.shrubbery.net/tac_plus/
COMMENT= Cisco AAA protocol (tacacs+) daemon (Shrubbery Networks version)
LICENSE= cisco-license
CONFLICTS+= tacacs-[0-9]*
PKG_DESTDIR_SUPPORT= user-destdir
USE_TOOLS+= id # used in options.mk
MAKE_JOBS_SAFE= no
.include "../../mk/bsd.prefs.mk"
.include "options.mk"
GNU_CONFIGURE= yes
USE_TOOLS+= bison perl
USE_LIBTOOL= yes
USE_LANGUAGES= c c++
USE_FEATURES+= snprintf
CONFIGURE_ARGS+= --with-acctfile=${VARBASE:Q}/log/tac_plus.acct
CONFIGURE_ARGS+= --with-logfile=${VARBASE:Q}/log/tac_plus.log
CONFIGURE_ARGS+= --with-pidfile=${VARBASE:Q}/run/tac_plus.pid
CONFIGURE_ENV+= PERLV_PATH=${PERL5:Q}
BUILD_DEFS+= VARBASE
.if !empty(LOWER_OPSYS:Mirix5*)
CPPFLAGS+= -Duint16_t=u_int16_t -Duint32_t=u_int32_t
.endif
.if exists(/usr/include/pam/pam_appl.h) # MacOS X prior to 10.6
CPPFLAGS+= -DPAM-PAM
.endif
INSTALLATION_DIRS= lib sbin ${PKGMANDIR}/man3 ${PKGMANDIR}/man5 \
${PKGMANDIR}/man8 share/doc/tacacs
do-install:
${LIBTOOL} --mode=install ${INSTALL_PROGRAM} ${WRKSRC}/tac_plus ${DESTDIR}${PREFIX}/sbin
${LIBTOOL} --mode=install ${INSTALL_LIB} ${WRKSRC}/libtacacs.la ${DESTDIR}${PREFIX}/lib
${INSTALL_PROGRAM} ${WRKSRC}/tac_pwd ${DESTDIR}${PREFIX}/sbin
${INSTALL_SCRIPT} ${WRKSRC}/tac_convert ${DESTDIR}${PREFIX}/sbin
${INSTALL_MAN} ${WRKSRC}/tac_plus.conf.5 ${DESTDIR}${PREFIX}/${PKGMANDIR}/man5
${INSTALL_MAN} ${WRKSRC}/tac_plus.8 ${WRKSRC}/tac_pwd.8 \
${DESTDIR}${PREFIX}/${PKGMANDIR}/man8
${INSTALL_DATA} ${WRKSRC}/users_guide ${DESTDIR}${PREFIX}/share/doc/tacacs
.include "../../mk/bsd.pkg.mk"
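Review bot: `-DPAM-PAM` in the `exists(/usr/include/pam/pam_appl.h)` block is not a valid macro name, since identifiers cannot contain a hyphen. Most preprocessors will read it as a definition of `PAM` with `-PAM` in the replacement text. The matching `# ifdef PAM-PAM` in the first patch-am hunk for pwlib.c then tests only `PAM`, usually with an extra-tokens warning, so the header selection works by accident and every translation unit gets a macro named `PAM`. A plain identifier on both sides would make the intent explicit, for example `CPPFLAGS+= -DPAM_PAM_APPL_H` here and `# ifdef PAM_PAM_APPL_H` in pwlib.c.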
$NetBSD: patch-ag,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
Older implementations of skeychallenge() only have three arguments.
--- skey_fn.c.orig 2009-03-17 19:40:29.000000000 +0100
+++ skey_fn.c 2009-04-19 12:33:05.000000000 +0200
@@ -164,7 +164,11 @@
return(1);
}
- if (skeychallenge(&p->skey, name, skeyprompt, 80) == 0) {
+ if (skeychallenge(&p->skey, name, skeyprompt
+#ifndef OLDSKEY
+ , 80
+#endif
+ ) == 0) {
char buf[256];
sprintf(buf, "%s\nS/Key challenge: ", skeyprompt);
data->server_msg = tac_strdup(buf);
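Review bot: With OLDSKEY defined the length argument is dropped, so the three-argument `skeychallenge()` fills `skeyprompt` with no bound supplied by the caller. The declaration of `skeyprompt` is outside this hunk, so its size cannot be checked here. A comment at the call would record the assumption, e.g. `/* OLDSKEY: no length is passed; skeyprompt must be at least as large as the library's challenge buffer */`. The unchanged `sprintf(buf, ...)` into `char buf[256]` just below relies on the same size, and `snprintf(buf, sizeof buf, "%s\nS/Key challenge: ", skeyprompt);` would bound it regardless.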
$NetBSD: patch-ah,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
Handle IRIX the same way as Solaris
--- do_acct.c.orig 2011-11-30 17:58:18.000000000 +0100
+++ do_acct.c 2011-11-30 17:58:28.000000000 +0100
@@ -223,7 +223,7 @@
else
memcpy(entry.ut_name, name, sizeof(entry.ut_name));
-#ifndef SOLARIS
+#if !defined(SOLARIS) && !defined(__sgi)
if (strlen(host) < sizeof entry.ut_host)
strcpy(entry.ut_host, host);
else
$NetBSD: patch-ak,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
Don't mess with CPPFLAGS and LDFLAGS as pkgsrc handle them
--- configure.orig 2011-11-30 18:01:46.000000000 +0100
+++ configure 2011-11-30 18:01:54.000000000 +0100
@@ -3262,8 +3262,8 @@
# XXX: not sure if /usr/local is necessary.
# XXX: linux libwrap needs -lnsl. configure should check for
# existence of libnsl instead of hard-coding
- CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
- LDFLAGS="$LDFLAGS -L/usr/local/lib -L/lib"; export LDFLAGS
+ # CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
+ # LDFLAGS="$LDFLAGS -L/usr/local/lib -L/lib"; export LDFLAGS
LIBS="-lnsl -lcrypt $LIBS"; export LIBS
$as_echo "#define LINUX 1" >>confdefs.h
@@ -3271,15 +3271,15 @@
# XXX: does linux need glibc: -DGLIBC
;;
*mips* )
- CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
- LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS
+ # CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
+ # LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS
LIBS="-lcrypt $LIBS"; export LIBS
$as_echo "#define MIPS 1" >>confdefs.h
;;
* )
- CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
- LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS
+ # CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
+ # LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS
;;
esac
$NetBSD: patch-al,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
Also compile on systems that do not have PAM
--- config.c.orig 2009-04-19 12:39:42.000000000 +0200
+++ config.c 2009-04-19 12:41:16.000000000 +0200
@@ -65,7 +65,9 @@
skey |
cleartext <password> |
des <password> |
+#ifdef HAVE_PAM
PAM |
+#endif
nopassword
<user_attr> := name = <string> |
@@ -79,6 +81,9 @@
#endif
pap = cleartext <string> |
pap = des <string> |
+#ifdef HAVE_PAM
+ pap = PAM |
+#endif
opap = cleartext <string> |
global = cleartext <string> |
msg = <string>
$NetBSD: patch-am,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
Properly handle PAM support header file on MacOS prior to 10.6;
added patch for PAM support for pap.
(http://www.shrubbery.net/pipermail/tac_plus/2008-October/000282.html)
--- pwlib.c.orig 2011-11-30 18:02:45.000000000 +0100
+++ pwlib.c 2011-11-30 18:02:54.000000000 +0100
@@ -31,7 +31,7 @@
#endif
#if HAVE_PAM
-# ifdef __APPLE__ /* MacOS X */
+# ifdef PAM-PAM /* MacOS X prior to 10.6 */
# include <pam/pam_appl.h>
# else
# include <security/pam_appl.h>
@@ -50,6 +50,9 @@
#endif
static int passwd_file_verify(char *, char *, struct authen_data *, char *);
+// Global password variable for pap PAM support
+static char *predef_passwd;
+
/* Adjust data->status depending on whether a user has expired or not */
void
set_expiration_status(char *exp_date, struct authen_data *data)
@@ -490,10 +493,13 @@
report(LOG_DEBUG, "%s %s: PAM_PROMPT_ECHO_OFF", session.peer,
session.port);
- send_authen_reply(TAC_PLUS_AUTHEN_STATUS_GETPASS,
- (char *)pmpp[i]->msg,
- pmpp[i]->msg ? strlen(pmpp[i]->msg) : 0,
- NULL, 0, TAC_PLUS_AUTHEN_FLAG_NOECHO);
+ if (strcmp(predef_passwd, "") != 0) {
+ prpp[i]->resp = predef_passwd;
+ } else {
+ send_authen_reply(TAC_PLUS_AUTHEN_STATUS_GETPASS,
+ (char *)pmpp[i]->msg,
+ pmpp[i]->msg ? strlen(pmpp[i]->msg) : 0,
+ NULL, 0, TAC_PLUS_AUTHEN_FLAG_NOECHO);
reply = get_authen_continue();
if (!reply) {
/* Typically due to a premature connection close */
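Review bot: `prpp[i]->resp = predef_passwd;` hands the PAM module a pointer to the caller's password buffer, not a copy. PAM modules conventionally free (and often overwrite) each `resp` string, and the interactive branch in the same case appears to give `resp` its own allocated buffer. A copy avoids an invalid free of the caller's memory: `prpp[i]->resp = tac_strdup(predef_passwd);`. The test `strcmp(predef_passwd, "")` also dereferences the static without a NULL check, and it is NULL until pam_verify has run or whenever pam_verify receives a NULL passwd; `if (predef_passwd != NULL && predef_passwd[0] != '\0')` covers both. The enclosing conversation function starts and ends outside this hunk.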
@@ -513,6 +519,7 @@
prpp[i]->resp[acp->user_msg_len] = '\0';
free(reply);
+ }
break;
case PAM_PROMPT_ECHO_ON:
if (debug & DEBUG_PASSWD_FLAG)
@@ -588,6 +595,7 @@
int pam_flag;
struct pam_conv conv = { pam_tacacs, NULL };
pam_handle_t *pamh = NULL;
+ predef_passwd = passwd;
if (debug & DEBUG_PASSWD_FLAG)
report(LOG_DEBUG, "pam_verify %s %s", user, passwd);
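Review bot: `predef_passwd = passwd;` stores the caller's password in a file-scope pointer, and nothing on the visible lines resets it. After pam_verify returns, the pointer may dangle, and a later PAM conversation in the same process would answer PAM_PROMPT_ECHO_OFF from it instead of prompting the client. Setting `predef_passwd = NULL;` on each return path of pam_verify, with the conversation function treating NULL as "no predefined password", would confine it to the one call. The rest of pam_verify is outside this hunk, so this may already be handled there. Separately, the unchanged `report(LOG_DEBUG, "pam_verify %s %s", user, passwd);` writes the cleartext password to the log when DEBUG_PASSWD_FLAG is set; logging only `user` would avoid that.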
$NetBSD: patch-aj,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
Fix a typo in the comments :-)
--- aclocal.m4.orig 2011-11-30 18:00:22.000000000 +0100
+++ aclocal.m4 2011-11-30 18:00:28.000000000 +0100
@@ -8101,7 +8101,7 @@
# There are a few dirty hacks below to avoid letting `AC_PROG_CC' be
# written in clear, in which case automake, when reading aclocal.m4,
-# will think it sees a *use*, and therefore will trigger all it's
+# will think it sees a *use*, and therefore will trigger all its
# C support machinery. Also note that it means that autoscan, seeing
# CC etc. in the Makefile, will ask for an AC_PROG_CC use...