* if -B is used, add the bind address in the PID filename - from Ian Dickinson
* "acl" is an AV pair for service exec. Within service attribute
parsing, do not parse "acl" as the acl (or connection ACL) keyword.
This is a hack; the parser is rather lame - noted by Bryce Kahle
* fix md4 for LP64
* do not accept skey keywords unless compiled with skey support
* fix skey enable password type - bit from Ed Ravin
* skey prompt ("challenge") is "S/Key challenge", not "Password"
* make "daemon" the default syslog facility and add a syslog config
statement
* add support for user authentication via PAM
* Conversion to autofoo
* Man page improvements
* MD5 fixes for 64-bit platforms
* generated_password has been renamed to tac_pwd
* A tac_plus.config.5 man page has been added
* User-specific enable password support
Port changes in this release include:
* Default IOS version has been changed from 11.x to 12.x
* tac_plus.sh script has been converted to rcNG
* PORTDOCS is properly respected
* Portlint fixes
"Using tacacs I found that ckfinger() function from maxsess.c module
returns wrong count of current sessions for users with "maxsess"
parameter established in tac_plus.conf. It happens if Cisco access
server works with IOS v 12.x.
On the other hand ckfinger() works well with IOS v 11.x
Here are patches for both maxsess.c and port's Makefile to fix
this problem (but it is just workaround, ckfinger() should be
fully rewritten)."
From me:
changed variable name by prepending string "TAC_", so that tacacs+
ports variables follow a unique scheme.
Please note: this doesn't compile with the new TAC_IOS_VERSION variable
if you have CFLAGS redefined in /etc/make.conf as:
CFLAGS=-pipe -O (or whatever)
You have to use
CFLAGS+=-pipe -O (or whatever)
Mailed to -developers. Am really not sure, what's the culprit here.
Fact is, that a part of CFLAGS get lost when compiling the port,
if you redefine CFLAGS in /etc/make.conf without the "+" sign ...
I personally removed my CFLAGS define in /etc/make.conf as it
defaults to -pipe -O, which is fine for me.
Submitted by: Sergey E. Levov (serg@informika.ru)
"The tac_plus user guide says that when passwd(5) file is used for user
authentication, the expiry date checks against shell field of password file.
Maybe it is OK for custom passwd files, but not for system password file.
Here is a little patch below which allows the tacacs daemon to check
the expiration dates against 'expire' field of FreeBSD's master.passwd file.
It is very useful for me, and may be useful for other FreeBSD&tacacs users."
Submitted by: Sergey Levov <serg@informika.ru>
- contains security fix
Damir Rajnovic <gaus@CISCO.COM> on bugtraq:
"We updated our unsupported version of TACACS+ server so it is no longer
vulnerable to oversized T+ packets."
- took again maintainership of port, actually I never wanted to quit
was a commit failure when using port submission from PR
options `start' and `stop' now (unless I have forgotten any). This allows
us to call the scripts from /etc/rc.shutdown with the correct option.
The (42 or so) ports that already DTRT before are unchanged.
Taken from tasic@planka.carrier.kiev.ua
+ some modifications by me
(style, patch additions to compile cleanly, pkg/*)
added convert utility to port/package to enable people
to do migrations, if needed, see the docu for details.
PR: 13716
Submitted by: tasic@planka.carrier.kiev.ua
Port was o.k. to get tacacs up and running using a Cisco router and
I really missed it.
- Added me as maintainer of the port
- Moved sources to my homepage download area
- Compressed sources using bzip2
- Removed some not needed variables in Makefile
- Committed with new md5 checksum
FWIW, checkout of these things took 5+hrs, staying on the local
.freebsd.org net w/o hitting the 'net at all.
As promised,
$ time cvs ci
real 67m51.701s
user 0m1.250s
sys 0m5.345s
bsd.port.mk rev. 1.304 for details on the change.
The fix here is one of the following.
(1) Define USE_BZIP2 instead of BUILD_DEPENDS on bzip2 and redefining
EXTRACT_* commands.
(2) Change ${EXTRACT_CMD} to ${TAR} when the command is obviously
calling the "tar" command (i.e., arguments like "-xzf" are spelled
out).
(3) If ${EXTRACT_CMD} is called directly with ${EXTRACT_BEFORE_ARGS},
add ${EXTRACT_AFTER_ARGS} to the command line as well.
(4) If any of EXTRACT_CMD, EXTRACT_BEFORE_ARGS or EXTRACT_AFTER_ARGS
is set, define the other two too.
tac_plus provides Cisco systems routers and access servers
with authentication, authorisation and accounting services.
A configuration file controls the details of authentication,
authorisation and accounting.
PR: 2869
Submitted by: Igor Vinokurov<igor@zynaps.ru>
Note: Although there are no terms and conditions on redistribution found,
the author says there is no restriction. (This is stated in more
recent alpha version.) The only concern is the U.S. Export restriction,
but Cisco has been granted the right to export their software,
according to the author. And also I haven't been able to find any
implementation that may violate the export control in the source code,
either. So, I import this without any RESTRICTED or NO_CDROM defined.