debian/0000755000000000000000000000000012116460544007171 5ustar debian/control0000644000000000000000000000277512063662121010603 0ustar Source: tacacs+ Section: net Priority: extra Maintainer: Henry-Nicolas Tourneur Build-Depends: debhelper (>= 9), dpkg-dev (>= 1.16.2), autotools-dev, flex, m4, bison, libwrap0-dev, libpam0g-dev, quilt, hardening-wrapper, chrpath Standards-Version: 3.9.3 Homepage: http://www.shrubbery.net/tac_plus/ Package: tacacs+ Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends}, libwrap0, libpam0g, libtacacs+1 (>= 4.0.4.25-1), python Description: TACACS+ authentication daemon TACACS+ is a protocol (not TACACS or XTACACS) for authentication, authorization and accounting (AAA) services for routers and network devices. Package: libtacacs+1 Architecture: any Multi-Arch: foreign Depends: ${misc:Depends}, ${shlibs:Depends}, libwrap0 Pre-Depends: ${misc:Pre-Depends} Description: TACACS+ authentication daemon TACACS+ is a protocol (not TACACS or XTACACS) for authentication, authorization and accounting (AAA) services for routers and network devices. This package includes the library used by the daemon. Package: libtacacs+1-dev Architecture: any Multi-Arch: foreign Section: libdevel Depends: ${misc:Depends}, libtacacs+1 (>= ${source:Upstream-Version}), libtacacs+1 (<< ${source:Upstream-Version}+1~) Pre-Depends: ${misc:Pre-Depends} Description: TACACS+ authentication daemon TACACS+ is a protocol (not TACACS or XTACACS) for authentication, authorization and accounting (AAA) services for routers and network devices. This package includes the header file used for development purposes. 
debian/libtacacs+1.lintian-overrides0000644000000000000000000000022312063705620014625 0ustar libtacacs+1: package-name-doesnt-match-sonames libtacacs+1: postinst-has-useless-call-to-ldconfig libtacacs+1: postrm-has-useless-call-to-ldconfig debian/patches/0000755000000000000000000000000011765421726010630 5ustar debian/patches/series0000644000000000000000000000001711765421726012043 0ustar fix_hurd.patch debian/patches/fix_hurd.patch0000644000000000000000000000152311765421726013462 0ustar Index: tacacs+-4.0.4.25/configure =================================================================== --- tacacs+-4.0.4.25.orig/configure 2012-06-02 13:42:04.400049641 +0000 +++ tacacs+-4.0.4.25/configure 2012-06-02 13:43:08.460052710 +0000 
@@ -3160,6 +3160,18 @@ $as_echo "#define MIPS 1" >>confdefs.h ;; + *gnu* ) + # XXX: not sure if /usr/local is necessary. + # XXX: linux libwrap needs -lnsl. configure should check for + # existence of libnsl instead of hard-coding + CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS + LDFLAGS="$LDFLAGS -L/usr/local/lib -L/lib"; export LDFLAGS + LIBS="-lnsl -lcrypt $LIBS"; export LIBS + cat >>confdefs.h <<\_ACEOF +#define LINUX 1 +_ACEOF + + ;; * ) CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS debian/rules0000755000000000000000000000231612063707675010265 0ustar #!/usr/bin/make -f # -*- makefile -*- export DH_OPTIONS export DEB_BUILD_HARDENING=1 export DEB_BUILD_MAINT_OPTIONS = hardening=+all DPKG_EXPORT_BUILDFLAGS = 1 DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) include /usr/share/dpkg/buildflags.mk %: dh $@ --with autotools-dev,quilt override_dh_auto_install: dh_installdirs dh_installinit --name=tacacs_plus dh_auto_install install -m 644 debian/tacacs+.default $(CURDIR)/debian/tacacs+/etc/default/tacacs+ install -m 600 debian/tac_plus.conf $(CURDIR)/debian/tacacs+/etc/tacacs+ install -m 755 do_auth.py $(CURDIR)/debian/tacacs+/usr/sbin/do_auth install -m 644 debian/do_auth.8 $(CURDIR)/debian/tacacs+/usr/share/man/man8 chrpath -c $(CURDIR)/debian/tmp/usr/sbin/tac_plus override_dh_auto_configure: dh_auto_configure -- --prefix=/usr --bindir=\$${prefix}/sbin --mandir=\$${prefix}/share/man --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH)/tacacs\ --infodir=\$${prefix}/share/info CFLAGS="$(CFLAGS)" $(shell dpkg-buildflags --export=configure)\ --enable-acls --enable-uenable --enable-maxsess --enable-finger override_dh_clean: dh_clean rm -f users_guide config.guess.dh-orig config.sub.dh-orig 2> /dev/null debian/libtacacs+1.dirs0000644000000000000000000000003512063656222012134 0ustar usr/share/lintian/overrides debian/compat0000644000000000000000000000000211765441337010377 0ustar 9 
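Review bot: The new `*gnu*` branch of fix_hurd.patch seeds CPPFLAGS from `$CFLAGS` instead of `$CPPFLAGS` (`CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS`), which copies the quirk of the default `* )` branch visible in the context lines and discards whatever preprocessor flags the caller passed in. Since debian/rules on this page hands configure the dpkg-buildflags set, any `-D` hardening define supplied through CPPFLAGS would likely be dropped on the Hurd build; I would write `CPPFLAGS="$CPPFLAGS -I/usr/local/include"; export CPPFLAGS`. The hard-coded `-lnsl -lcrypt` is already acknowledged by the patch's own XXX comment, but the extra `-L/lib` is unexplained and deserves a one-line comment stating why Hurd needs it. The enclosing case statement starts and ends outside the hunk.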
debian/tacacs+.install0000644000000000000000000000005711765421726012104 0ustar usr/sbin usr/share/man/man5 usr/share/man/man8 debian/tacacs+.dirs0000644000000000000000000000015511765421726011376 0ustar usr/sbin usr/share/man/man8 /usr/share/lintian/overrides etc/tacacs+ etc/logrotate.d etc/default etc/init.d debian/tacacs+.default0000644000000000000000000000027711765421726012066 0ustar # This is the configuration file for /etc/init.d/tacacs+ # You can override the default arguments passed to the daemon here. # See man(8) tac_plus DAEMON_OPTS="-C /etc/tacacs+/tac_plus.conf" debian/do_auth.80000644000000000000000000000437611765421726010727 0ustar .TH do_auth 8 "February 27, 2010" "version 1.2" .SH NAME do_auth \- Program allowing more granular control than tac_plus. .SH SYNOPSIS .B do_auth \-u user [\-i Ip Address] [\-d Device address] [\-f Config filename] [\-l Log file] [-D Debug mode] .SH DESCRIPTION do_auth is a python program written to work as an authorization script for tacacs to allow greater flexibility in tacacs authentication. It allows a user to be part of many predefined groups that can allow different access to different devices based on ip, user, and source address. .PP Groups are assigned to users in the [users] section. A user must be assigned to one or more groups, one per line. Groups are defined in brackets and can have any name. Each group can have up to 6 options as defined below. host_deny Deny any user coming from this host. Optional. host_allow Allow users from this range. Mandatory with -i. device_deny Deny any device with this IP. Optional. device_permit Allow this range. Mandatory if -d is specified. command_deny Deny these commands. Optional. command_permit Allow these commands. Mandatory. .PP The options are parsed in order until a match is found. Obviously, for login, the commands section is not parsed. If a match is not found, or a deny is found, we move on to the next group. At the end, we have an implicit deny if no groups match. 
All tacacs keys passed on login to do_auth are returned. (except cmd*) It is possible to modify them, but I haven't implemented this yet as I don't need it. Future versions may have an av_pair & append_av_pair option. .PP .SH OPTIONS .TP \-u Username. Mandatory. $user .TP \-i Ip address of user. Optional. If not specified, all host_ entries are ignored and can be omitted. $address .TP \-d Device address. Optional. If not specified, all device_ entries are ignored and can be omitted. $name .TP \-f Config Filename. Default is do_auth.ini. .TP \-l Logfile. Default is log.txt. .TP \-D Activate debug mode. .SH EXAMPLES .B do_auth -i $address -u $user -d $name -l /var/log/do_auth.log -f /etc/tacacs+/do_auth.ini .PP .SH EXIT STATUS do_auth returns 0 to allow, 1 to deny authorization. .SH AUTHOR Henry-Nicolas Tourneur from the do_auth file written by Dan Schmidt. .SH SEE ALSO tac_plus(8), tac_plus.conf(5) debian/tacacs+.tacacs_plus.init0000644000000000000000000001357512063651006013676 0ustar #!/bin/sh ### BEGIN INIT INFO # Provides: tacacs+ # Required-Start: $network $local_fs $syslog $remote_fs # Required-Stop: $network $local_fs $remote_fs # Should-Start: $named # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: TACACS+ authentication daemon ### END INIT INFO PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin DAEMON=/usr/sbin/tac_plus NAME="tacacs+" DESC="TACACS+ authentication daemon" LOGDIR=/var/log/ STARTTIME=1 PIDFILE=/var/run/tac_plus.pid test -x $DAEMON || exit 0 . /lib/lsb/init-functions # Default options, these can be overriden by the information # at /etc/default/$NAME DAEMON_OPTS="-C /etc/tacacs+/tac_plus.conf" # Additional options given to the server LOGFILE=$LOGDIR/tac_plus.log # Server logfile # Include defaults if available if [ -f /etc/default/$NAME ] ; then . /etc/default/$NAME fi # Check that the user exists (if we set a user) # Does the user exist? 
if [ -n "$DAEMONUSER" ] ; then if getent passwd | grep -q "^$DAEMONUSER:"; then # Obtain the uid and gid DAEMONUID=`getent passwd |grep "^$DAEMONUSER:" | awk -F : '{print $3}'` DAEMONGID=`getent passwd |grep "^$DAEMONUSER:" | awk -F : '{print $4}'` else log_failure_msg "The user $DAEMONUSER, required to run $NAME does not exist." exit 1 fi fi set -e running_pid() { # Check if a given process pid's cmdline matches a given name pid=$1 name=$2 [ -z "$pid" ] && return 1 [ ! -d /proc/$pid ] && return 1 cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1` # Is this the expected server [ "$cmd" != "$name" ] && return 1 return 0 } running() { # Check if the process is running looking at /proc # (works for all users) # No pidfile, probably no daemon present [ ! -f "$PIDFILE" ] && return 1 pid=`cat $PIDFILE` running_pid $pid $DAEMON || return 1 return 0 } start_server() { # Start the process using the wrapper if check_config_quiet ; then start-stop-daemon --start --quiet --pidfile $PIDFILE \ --exec $DAEMON -- $DAEMON_OPTS errcode=$? return $errcode else return $? fi } stop_server() { killproc -p $PIDFILE $DAEMON return $? } reload_server() { if check_config_quiet ; then [ ! -f "$PIDFILE" ] && return 1 pid=`cat $PIDFILE` # This is the daemon's pid # Send a SIGHUP kill -1 $pid return $? else return $? fi } check_config() { $DAEMON -P $DAEMON_OPTS return $? } check_config_quiet() { $DAEMON -P $DAEMON_OPTS >/dev/null 2>&1 return $? } force_stop() { # Force the process to die killing it manually [ ! -e "$PIDFILE" ] && return if running ; then kill -15 $pid # Is it really dead? sleep "$DIETIME"s if running ; then kill -9 $pid sleep "$DIETIME"s if running ; then echo "Cannot kill $NAME (pid=$pid)!" 
exit 1 fi fi fi rm -f $PIDFILE } case "$1" in start) log_daemon_msg "Starting $DESC " "$NAME" # Check if it's running first if running ; then log_progress_msg "apparently already running" log_end_msg 0 exit 0 fi if start_server ; then # NOTE: Some servers might die some time after they start, # this code will detect this issue if STARTTIME is set # to a reasonable value [ -n "$STARTTIME" ] && sleep $STARTTIME # Wait some time if running ; then # It's ok, the server started and is running log_end_msg 0 else # It is not running after we did start log_end_msg 1 fi else # Either we could not start it log_end_msg 1 fi ;; stop) log_daemon_msg "Stopping $DESC" "$NAME" if running ; then # Only stop the server if we see it running errcode=0 stop_server || errcode=$? log_end_msg $errcode else # If it's not running don't do anything log_progress_msg "apparently not running" log_end_msg 0 exit 0 fi ;; force-stop) # First try to stop gracefully the program $0 stop if running; then # If it's still running try to kill it more forcefully log_daemon_msg "Stopping (force) $DESC" "$NAME" errcode=0 force_stop || errcode=$? log_end_msg $errcode fi ;; restart|force-reload) log_daemon_msg "Restarting $DESC" "$NAME" errcode=0 stop_server || errcode=$? # Wait some sensible amount, some server need this [ -n "$DIETIME" ] && sleep $DIETIME start_server || errcode=$? [ -n "$STARTTIME" ] && sleep $STARTTIME running || errcode=$? log_end_msg $errcode ;; status) log_daemon_msg "Checking status of $DESC" "$NAME" if running ; then log_progress_msg "running" log_end_msg 0 else log_progress_msg "apparently not running" log_end_msg 1 exit 1 fi ;; # Use this if the daemon cannot reload reload) log_daemon_msg "Reloading $DESC configuration files" "$NAME" if reload_server ; then if running ; then log_end_msg 0 else log_progress_msg "$NAME not running" log_end_msg 1 fi else log_progress_msg "Reload failled" log_end_msg 1 fi ;; check) check_config if [ X$? 
= "X0" ] then log_daemon_msg "Checking $DESC configuration files successful" "$NAME" else log_daemon_msg "Checking $DESC configuration files failed" exit 1 fi ;; *) N=/etc/init.d/tacacs_plus echo "Usage: $N {start|stop|force-stop|restart|reload|force-reload|status|check}" >&2 exit 1 ;; esac exit 0 debian/libtacacs+1-dev.install0000644000000000000000000000005512063657530013422 0ustar usr/include/* usr/lib/*/tacacs/libtacacs*.so debian/tac_plus.conf0000644000000000000000000000260511765421726011665 0ustar # Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be) # See man(5) tac_plus.conf for more details # Define where to log accounting data, this is the default. accounting file = /var/log/tac_plus.acct # This is the key that clients have to use to access Tacacs+ key = testing123 # Use /etc/passwd file to do authentication #default authentication = file /etc/passwd # You can use feature like per host key with different enable passwords #host = 127.0.0.1 { # key = test # type = cisco # enable = enablepass # prompt = "Welcome XXX ISP Access Router \n\nUsername:" #} # We also can define local users and specify a file where data is stored. # That file may be filled using tac_pwd #user = test1 { # name = "Test User" # member = staff # login = file /etc/tacacs/tacacs_passwords #} # We can also specify rules valid per group of users. #group = group1 { # cmd = conf { # deny # } #} # Another example : forbid configure command for some hosts # for a define range of clients #group = group1 { # login = PAM # service = ppp # protocol = ip { # addr = 10.10.0.0/24 # } # cmd = conf { # deny .* # } #} user = DEFAULT { login = PAM service = ppp protocol = ip {} } # Much more features are availables, like ACL, more service compatibilities, # commands authorization, scripting authorization. # See the man page for those features. 
debian/tacacs+.lintian-overrides0000644000000000000000000000034212063706743014066 0ustar tacacs+: non-standard-file-perm etc/tacacs+/tac_plus.conf 0600 != 0644 tacacs+: script-in-etc-init.d-not-registered-via-update-rc.d etc/init.d/tacacs_plus tacacs+: postrm-contains-additional-updaterc.d-calls etc/init.d/tacacs debian/tacacs+.logrotate0000644000000000000000000000026011765421726012432 0ustar /var/log/tac_plus.log /var/log/tac_plus.acct { rotate 4 weekly compress missingok notifempty postrotate invoke-rc.d tacacs_plus reload > /dev/null endscript } debian/changelog0000644000000000000000000000666212063652723011060 0ustar tacacs+ (4.0.4.26-3) unstable; urgency=low * Closes: #693089 missing reload action in init.d script usage output. * Closes: #693598 multi-arch misusage. -- Henry-Nicolas Tourneur Mon, 17 Dec 2012 18:10:51 +0100 tacacs+ (4.0.4.26-2) unstable; urgency=low * Fixing an FTBFS due to dh --with option bad usage in rules file. -- Henry-Nicolas Tourneur Tue, 21 Aug 2012 18:21:51 +0100 tacacs+ (4.0.4.26-1) unstable; urgency=low * New upstream version. * Added 2 lintian overrides for errors related to init script (false positive). -- Henry-Nicolas Tourneur Sat, 14 Jul 2012 14:30:51 +0100 tacacs+ (4.0.4.25-1) unstable; urgency=low * New upstream version - Closes: #664395 * Fix Hurd FTBFS (Closes: #675099 thanks to Barry deFreese). -- Henry-Nicolas Tourneur Sat, 2 Jun 2012 14:18:51 +0100 tacacs+ (4.0.4.19-11) unstable; urgency=low * Correct one lintian error. 
-- Henry-Nicolas Tourneur Mon, 5 Jun 2011 17:53:51 +0100 tacacs+ (4.0.4.19-10) unstable; urgency=low * Closes: #609755 (ignore $DAEMONUSER in init script stop_server()) -- Henry-Nicolas Tourneur Mon, 12 Jan 2011 21:07:51 +0100 tacacs+ (4.0.4.19-9) unstable; urgency=low * Improve the init script: check the config on start/reload (Thanks to Erik Wenzel) * Use the debian way to restart daemons in logrotate scripts (Erik Wenzel too) -- Henry-Nicolas Tourneur Mon, 18 Oct 2010 21:30:51 +0100 tacacs+ (4.0.4.19-8) unstable; urgency=low * Closes: #582334 (replace gethostbyname() with getaddrinfo()) -- Henry-Nicolas Tourneur Thu, 23 May 2010 11:46:24 +0100 tacacs+ (4.0.4.19-7) unstable; urgency=low * Closes: #580845 (fix logrotate init script reload issue) -- Henry-Nicolas Tourneur Thu, 09 May 2010 13:23:15 +0100 tacacs+ (4.0.4.19-6) unstable; urgency=low * Closes: #573766 (fix FTBFS) -- Henry-Nicolas Tourneur Thu, 14 Mar 2010 11:21:08 +0100 tacacs+ (4.0.4.19-5) unstable; urgency=low * Correct a typo in copyright file * Add the path to the GPL3 license in copyright file -- Henry-Nicolas Tourneur Thu, 13 Mar 2010 12:03:33 +0100 tacacs+ (4.0.4.19-4) unstable; urgency=low * Include do_auth.py in binary and correct copyright issue * Add a man page for do_auth -- Henry-Nicolas Tourneur Thu, 22 Feb 2010 22:55:42 +0100 tacacs+ (4.0.4.19-3) unstable; urgency=low * Remove bad group/owner from the logrotate file -- Henry-Nicolas Tourneur Thu, 14 Feb 2010 20:19:14 +0100 tacacs+ (4.0.4.19-2) unstable; urgency=low * Correct an error in the logrotate file -- Henry-Nicolas Tourneur Thu, 11 Feb 2010 19:06:14 +0100 tacacs+ (4.0.4.19-1) unstable; urgency=low * Patches: - fix_man : Correct a man page error about a date * 2 lintian overwrites: - package-name-doesnt-match-sonames : because the so file is named libtacacs.so but the software name is tacacs+ and not tacacs. - non-standard-file-perm : because the main configuration file holds the tacacs+ key, it shouldn't be world readable. 
* Initial release (Closes: #568161) -- Henry-Nicolas Tourneur Thu, 04 Feb 2010 15:04:46 +0100 debian/docs0000644000000000000000000000000411765421726010046 0ustar FAQ debian/libtacacs+1-dev.links0000644000000000000000000000013312063657417013075 0ustar #! /usr/bin/dh-exec usr/lib/${DEB_HOST_MULTIARCH}/tacacs/libtacacs.so usr/lib/libtacacs.so debian/copyright0000644000000000000000000000303311765421726011133 0ustar This package was debianized by Henry-Nicolas Tourneur on Wed, 23 Dec 2009 15:04:46 +0100. It was downloaded from http://www.shrubbery.net/tac_plus/ Lol Grant (Cisco System) : up to 4.0.3a not included Contributors are in CHANGES file Copyright: The original cisco code carries the following license/disclaimer/whatever: /* Copyright (c) 1995-1998 by Cisco systems, Inc. Permission to use, copy, modify, and distribute this software for any purpose and without fee is hereby granted, provided that this copyright and permission notice appear on all copies of the software and supporting documentation, the name of Cisco Systems, Inc. not be used in advertising or publicity pertaining to distribution of the program without specific prior permission, and notice be given in supporting documentation that modification, copying and distribution is by permission of Cisco Systems, Inc. Cisco Systems, Inc. makes no representations about the suitability of this software for any purpose. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ As for the bits I have added or contributions I have received from other folks, they are noted in the CHANGES file post version 4.0.3a. please give credit where due. thanks. The file do_auth located under /usr/sbin is under GPL3+. The GPL3 license can be found under /usr/share/common-licenses/GPL-3. 
debian/libtacacs+1.install0000644000000000000000000000004112063656213012636 0ustar usr/lib/*/tacacs/libtacacs*.so.* debian/source/0000755000000000000000000000000011765433720010476 5ustar debian/source/format0000644000000000000000000000001411765433720011704 0ustar 3.0 (quilt)