Wed Nov 30 23:47:29 2011 UTC ()
Tacacs+ (or tac_plus) is a freely distributable daemon from Cisco Systems.
It is used in conjunction with Cisco routers for authorization, authentication,
and accounting services.  Tac_plus is configured via a single configuration
file.
This particular version is derived from the original Cisco sources and is
maintained by Shrubbery Networks, Inc.

Status:

Vendor Tag:	TNF
Release Tags:	pkgsrc-base


(pettai)
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/DESCR
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/distinfo
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/PLIST
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/options.mk
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/Makefile
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/patches/patch-ag
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/patches/patch-ah
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/patches/patch-ak
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/patches/patch-al
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/patches/patch-am
diff -r0 -r1.1.1.1 pkgsrc/net/tacacs-shrubbery/patches/patch-aj

File Added: pkgsrc/net/tacacs-shrubbery/DESCR
  Tacacs+ (or tac_plus) is a freely distributable daemon from Cisco Systems.
It is used in conjunction with Cisco routers for authorization, authentication,
and accounting services.  Tac_plus is configured via a single configuration
file.
This particular version is derived from the original Cisco sources and is
maintained by Shrubbery Networks, Inc.

File Added: pkgsrc/net/tacacs-shrubbery/distinfo
$NetBSD: distinfo,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $

SHA1 (tacacs+-F4.0.4.20.tar.gz) = 233d3762357c8e59ec217102af53f2e7430300d7
RMD160 (tacacs+-F4.0.4.20.tar.gz) = 6fc4f05c1ec963b4a9c6c2881fde12a0258eb359
Size (tacacs+-F4.0.4.20.tar.gz) = 477649 bytes
SHA1 (patch-ag) = f0cad7741f8127668d9c2929dcb74e0ed96d0db2
SHA1 (patch-ah) = 2b09d7e67b865e26b37322ebfd7a76c44a8bce30
SHA1 (patch-aj) = 618c6ff411502bd32af40e9f48c6e2f7ec55e996
SHA1 (patch-ak) = df059f82a38fb394b726ee46fa87aa0ea04681c3
SHA1 (patch-al) = 85e964f23aa228f3d1debf0f407d5d8857ff2bcf
SHA1 (patch-am) = 880e3821a335e2605beb03dc145b3cd9a020fb2f

File Added: pkgsrc/net/tacacs-shrubbery/PLIST
@comment $NetBSD: PLIST,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
lib/libtacacs.la
man/man5/tac_plus.conf.5
man/man8/tac_plus.8
man/man8/tac_pwd.8
sbin/tac_convert
sbin/tac_plus
sbin/tac_pwd
share/doc/tacacs/users_guide

File Added: pkgsrc/net/tacacs-shrubbery/options.mk
# $NetBSD: options.mk,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $

PKG_OPTIONS_VAR=	PKG_OPTIONS.tacacs-shrubbery
PKG_SUPPORTED_OPTIONS=	tacacs-shrubbery-acls-support tacacs-shrubbery-drop-root-privileges tcpwrappers skey
PKG_SUGGESTED_OPTIONS=	tacacs-shrubbery-acls-support tcpwrappers skey

.include "../../mk/bsd.options.mk"

.if !empty(PKG_OPTIONS:Mtacacs-shrubbery-acls-support)
CONFIGURE_ARGS+=	--enable-acls
.else
CONFIGURE_ARGS+=	--disable-acls
.endif

.if !empty(PKG_OPTIONS:Mtacacs-shrubbery-drop-root-privileges)
# tac_plus code requires numeric UID, GID
DEFAULT_TACACS_USER!=	${ID} -u nobody
DEFAULT_TACACS_GROUP!=	${ID} -g nobody
TACACS_USER?=		${DEFAULT_TACACS_USER}
TACACS_GROUP?=		${DEFAULT_TACACS_GROUP}
PKG_USERS=		${TACACS_USER}:${TACACS_GROUP}
PKG_GROUPS=		${TACACS_GROUP}
CONFIGURE_ARGS+=	--with-userid=${TACACS_USER:Q}
CONFIGURE_ARGS+=	--with-groupid=${TACACS_GROUP:Q}
.endif

.if !empty(PKG_OPTIONS:Mtcpwrappers)
CONFIGURE_ARGS+=	--with-libwrap=${BUILDLINK_PREFIX.tcp_wrappers}
. include "../../security/tcp_wrappers/buildlink3.mk"
.else
CONFIGURE_ARGS+=	--without-libwrap
.endif

.if !empty(PKG_OPTIONS:Mskey)
CONFIGURE_ARGS+=	--with-skey=${BUILDLINK_PREFIX.skey}
. include "../../security/skey/buildlink3.mk"
. if (defined(IS_BUILTIN.skey) && ${IS_BUILTIN.skey} == no ) || ${OPSYS} == "OpenBSD"
# pkgsrc's version uses three arguments only, as does OpenBSD's
CPPFLAGS+=		-DOLDSKEY
. endif
.else
CONFIGURE_ARGS+=	--without-skey
.endif
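Review bot: `tacacs-shrubbery-drop-root-privileges` is listed in PKG_SUPPORTED_OPTIONS but left out of PKG_SUGGESTED_OPTIONS, so a default build passes no `--with-userid`/`--with-groupid` and the daemon presumably keeps running as root after start-up. Consider adding the option to the suggested set, with a comment saying why it is on by default. When the option is enabled, the fallback is the numeric uid/gid of `nobody`, an account shared with other services, so anything else running as `nobody` could touch the daemon's files; a dedicated account would isolate it better. Those numeric ids are also fed to `PKG_USERS` and `PKG_GROUPS`, which normally expect account names, so it is worth confirming that pkgsrc does not try to create a user named after the number.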

File Added: pkgsrc/net/tacacs-shrubbery/Makefile
# $NetBSD: Makefile,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
#

DISTNAME=	tacacs+-F4.0.4.20
PKGNAME=	${DISTNAME:S,-F,-,}
CATEGORIES=	net security
MASTER_SITES=	ftp://ftp.shrubbery.net/pub/tac_plus/

MAINTAINER=	schwarz@NetBSD.org
HOMEPAGE=	http://www.shrubbery.net/tac_plus/
COMMENT=	Cisco AAA protocol (tacacs+) daemon (Shrubbery Networks version)
LICENSE=	cisco-license

CONFLICTS+=	tacacs-[0-9]*

PKG_DESTDIR_SUPPORT=	user-destdir

USE_TOOLS+=	id # used in options.mk
MAKE_JOBS_SAFE=	no

.include "../../mk/bsd.prefs.mk"
.include "options.mk"

GNU_CONFIGURE=	yes
USE_TOOLS+=	bison perl
USE_LIBTOOL=    yes
USE_LANGUAGES=	c c++
USE_FEATURES+=	snprintf

CONFIGURE_ARGS+=	--with-acctfile=${VARBASE:Q}/log/tac_plus.acct
CONFIGURE_ARGS+=	--with-logfile=${VARBASE:Q}/log/tac_plus.log
CONFIGURE_ARGS+=	--with-pidfile=${VARBASE:Q}/run/tac_plus.pid
CONFIGURE_ENV+=		PERLV_PATH=${PERL5:Q}
BUILD_DEFS+=		VARBASE

.if !empty(LOWER_OPSYS:Mirix5*)
CPPFLAGS+=		-Duint16_t=u_int16_t -Duint32_t=u_int32_t
.endif

.if exists(/usr/include/pam/pam_appl.h) # MacOS X prior to 10.6
CPPFLAGS+=		-DPAM-PAM
.endif

INSTALLATION_DIRS=	lib sbin ${PKGMANDIR}/man3 ${PKGMANDIR}/man5 \
			${PKGMANDIR}/man8 share/doc/tacacs

do-install:
	${LIBTOOL} --mode=install ${INSTALL_PROGRAM} ${WRKSRC}/tac_plus ${DESTDIR}${PREFIX}/sbin
	${LIBTOOL} --mode=install ${INSTALL_LIB} ${WRKSRC}/libtacacs.la ${DESTDIR}${PREFIX}/lib
	${INSTALL_PROGRAM} ${WRKSRC}/tac_pwd ${DESTDIR}${PREFIX}/sbin
	${INSTALL_SCRIPT} ${WRKSRC}/tac_convert ${DESTDIR}${PREFIX}/sbin
	${INSTALL_MAN} ${WRKSRC}/tac_plus.conf.5 ${DESTDIR}${PREFIX}/${PKGMANDIR}/man5
	${INSTALL_MAN} ${WRKSRC}/tac_plus.8 ${WRKSRC}/tac_pwd.8 \
	${DESTDIR}${PREFIX}/${PKGMANDIR}/man8
	${INSTALL_DATA} ${WRKSRC}/users_guide ${DESTDIR}${PREFIX}/share/doc/tacacs

.include "../../mk/bsd.pkg.mk"
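Review bot: `CPPFLAGS+= -DPAM-PAM` passes a macro name that is not a valid C identifier, because `-` cannot appear in one. A preprocessor will likely read both this flag and the matching `# ifdef PAM-PAM` test in patches/patch-am as referring to a macro named `PAM`, with diagnostics, so the header selection works by accident at best and any later use of the token `PAM` in the sources would be rewritten. A name such as `-DPAM_PAM_HEADER` here with `# ifdef PAM_PAM_HEADER` in pwlib.c, both constructed names, would express the intent cleanly. A short comment that the macro selects `<pam/pam_appl.h>` over `<security/pam_appl.h>` would also help.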

File Added: pkgsrc/net/tacacs-shrubbery/patches/patch-ag
$NetBSD: patch-ag,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $

Older implementations of skeychallenge() only have three arguments.

--- skey_fn.c.orig	2009-03-17 19:40:29.000000000 +0100
+++ skey_fn.c	2009-04-19 12:33:05.000000000 +0200
@@ -164,7 +164,11 @@
 		return(1);
 	    }
 
-	    if (skeychallenge(&p->skey, name, skeyprompt, 80) == 0) {
+	    if (skeychallenge(&p->skey, name, skeyprompt
+#ifndef OLDSKEY
+                                                        , 80
+#endif
+                                                            ) == 0) {
 		char buf[256];
 		sprintf(buf, "%s\nS/Key challenge: ", skeyprompt);
 		data->server_msg = tac_strdup(buf);
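Review bot: With OLDSKEY defined the call becomes `skeychallenge(&p->skey, name, skeyprompt)` and the explicit length 80 is gone, so nothing at this call site bounds what the three-argument implementation writes into `skeyprompt`. The declaration of `skeyprompt` is outside the hunk, so its size should be checked against the buffer size the older API assumes. A comment such as `/* OLDSKEY: skeychallenge() takes no length; skeyprompt must hold the library's maximum challenge */` would record that requirement. The enclosing function starts and ends outside the hunk.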

File Added: pkgsrc/net/tacacs-shrubbery/patches/patch-ah
$NetBSD: patch-ah,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $

Handle IRIX the same way as Solaris

--- do_acct.c.orig	2011-11-30 17:58:18.000000000 +0100
+++ do_acct.c	2011-11-30 17:58:28.000000000 +0100
@@ -223,7 +223,7 @@
     else
 	memcpy(entry.ut_name, name, sizeof(entry.ut_name));
 
-#ifndef SOLARIS
+#if !defined(SOLARIS) && !defined(__sgi)
     if (strlen(host) < sizeof entry.ut_host)
 	strcpy(entry.ut_host, host);
     else

File Added: pkgsrc/net/tacacs-shrubbery/patches/patch-ak
$NetBSD: patch-ak,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $

Don't mess with CPPFLAGS and LDFLAGS as pkgsrc handle them

--- configure.orig	2011-11-30 18:01:46.000000000 +0100
+++ configure	2011-11-30 18:01:54.000000000 +0100
@@ -3262,8 +3262,8 @@
 	# XXX: not sure if /usr/local is necessary.
 	# XXX: linux libwrap needs -lnsl. configure should check for
 	#      existence of libnsl instead of hard-coding
-	CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
-	LDFLAGS="$LDFLAGS -L/usr/local/lib -L/lib"; export LDFLAGS
+	# CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
+	# LDFLAGS="$LDFLAGS -L/usr/local/lib -L/lib"; export LDFLAGS
 	LIBS="-lnsl -lcrypt $LIBS"; export LIBS
         $as_echo "#define LINUX 1" >>confdefs.h
 
@@ -3271,15 +3271,15 @@
 	# XXX: does linux need glibc: -DGLIBC
     ;;
     *mips* )
-	CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
-	LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS
+	# CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
+	# LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS
 	LIBS="-lcrypt $LIBS"; export LIBS
         $as_echo "#define MIPS 1" >>confdefs.h
 
     ;;
     * )
-	CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
-	LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS
+	# CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
+	# LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS
     ;;
 esac
 

File Added: pkgsrc/net/tacacs-shrubbery/patches/Attic/patch-al
$NetBSD: patch-al,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $

Also compile on systems that do not have PAM

--- config.c.orig	2009-04-19 12:39:42.000000000 +0200
+++ config.c	2009-04-19 12:41:16.000000000 +0200
@@ -65,7 +65,9 @@
 				skey |
 				cleartext <password> |
 				des <password> |
+#ifdef HAVE_PAM
 				PAM |
+#endif
 				nopassword
 
    <user_attr>		:=	name	= <string> |
@@ -79,6 +81,9 @@
 #endif
 				pap	= cleartext <string> |
 				pap	= des <string> |
+#ifdef HAVE_PAM
+				pap	= PAM |
+#endif
 				opap	= cleartext <string> |
 				global	= cleartext <string> |
 				msg	= <string>

File Added: pkgsrc/net/tacacs-shrubbery/patches/Attic/patch-am
$NetBSD: patch-am,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $

Properly handle PAM support header file on MacOS prior to 10.6;
added patch for PAM support for pap.
(http://www.shrubbery.net/pipermail/tac_plus/2008-October/000282.html)

--- pwlib.c.orig	2011-11-30 18:02:45.000000000 +0100
+++ pwlib.c	2011-11-30 18:02:54.000000000 +0100
@@ -31,7 +31,7 @@
 #endif
 
 #if HAVE_PAM
-# ifdef __APPLE__	/* MacOS X */
+# ifdef PAM-PAM	/* MacOS X prior to 10.6 */
 #  include <pam/pam_appl.h>
 # else
 #  include <security/pam_appl.h>
@@ -50,6 +50,9 @@
 #endif
 static int passwd_file_verify(char *, char *, struct authen_data *, char *);
 
+// Global password variable for pap PAM support
+static char *predef_passwd;
+
 /* Adjust data->status depending on whether a user has expired or not */
 void
 set_expiration_status(char *exp_date, struct authen_data *data)
@@ -490,10 +493,13 @@
 		report(LOG_DEBUG, "%s %s: PAM_PROMPT_ECHO_OFF", session.peer,
 		       session.port);
 
-	    send_authen_reply(TAC_PLUS_AUTHEN_STATUS_GETPASS,
-			      (char *)pmpp[i]->msg,
-			      pmpp[i]->msg ? strlen(pmpp[i]->msg) : 0,
-			      NULL, 0, TAC_PLUS_AUTHEN_FLAG_NOECHO);
+	    if (strcmp(predef_passwd, "") != 0) {
+		prpp[i]->resp = predef_passwd;
+	    } else {
+		send_authen_reply(TAC_PLUS_AUTHEN_STATUS_GETPASS,
+		(char *)pmpp[i]->msg,
+		pmpp[i]->msg ? strlen(pmpp[i]->msg) : 0,
+		NULL, 0, TAC_PLUS_AUTHEN_FLAG_NOECHO);
 	    reply = get_authen_continue();
 	    if (!reply) {
 		/* Typically due to a premature connection close */
@@ -513,6 +519,7 @@
 	    prpp[i]->resp[acp->user_msg_len] = '\0';
 
 	    free(reply);
+	    }
 	    break;
 	case PAM_PROMPT_ECHO_ON:
 	    if (debug & DEBUG_PASSWD_FLAG)
@@ -588,6 +595,7 @@
     int			pam_flag;
     struct pam_conv	conv = { pam_tacacs, NULL };
     pam_handle_t	*pamh = NULL;
+    predef_passwd = passwd;
 
     if (debug & DEBUG_PASSWD_FLAG)
 	report(LOG_DEBUG, "pam_verify %s %s", user, passwd);
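Review bot: In the PAM_PROMPT_ECHO_OFF branch, `prpp[i]->resp = predef_passwd;` hands the PAM stack a pointer to the caller's `passwd` buffer, but a conversation function is expected to return heap-allocated responses that the PAM side frees, so this risks a free of memory the daemon still owns. The test before it, `strcmp(predef_passwd, "")`, dereferences the pointer unconditionally, which crashes if the function in the last hunk (apparently pam_verify) is ever entered with a NULL `passwd`; its callers are outside these hunks. A safer form is `if (predef_passwd != NULL && predef_passwd[0] != '\0') {` followed by `prpp[i]->resp = tac_strdup(predef_passwd);`, assuming the tac_strdup() helper seen in skey_fn.c is usable in pwlib.c. The file-scope `predef_passwd` also keeps pointing at the password after verification returns, so resetting it to NULL on every exit path would keep a later conversation from picking up a stale pointer.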

File Added: pkgsrc/net/tacacs-shrubbery/patches/Attic/patch-aj
$NetBSD: patch-aj,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $

Fix a typo in the comments :-)

--- aclocal.m4.orig	2011-11-30 18:00:22.000000000 +0100
+++ aclocal.m4	2011-11-30 18:00:28.000000000 +0100
@@ -8101,7 +8101,7 @@
 
 # There are a few dirty hacks below to avoid letting `AC_PROG_CC' be
 # written in clear, in which case automake, when reading aclocal.m4,
-# will think it sees a *use*, and therefore will trigger all it's
+# will think it sees a *use*, and therefore will trigger all its
 # C support machinery.  Also note that it means that autoscan, seeing
 # CC etc. in the Makefile, will ask for an AC_PROG_CC use...