appears to be maintained and where contributions are being integrated.
Particularly, this fixes a SEGV crash on LP64 (amd64).
Upstream changes since 4.0.4a in reverse chronological order:
F4.0.4.28
- Fix buffer length argument to ntop() - Muhammad Muquit
- Fix two missing free()s
- Fix segfault from incorrect pointer returned from value(). Reported
here:
http://www.shrubbery.net/pipermail/tac_plus/2014-January/001384.html
- update autoconf bits for autoconf 2.69
- put tac_plus daemon in sbin, where it ought to be
- fix hdr->datalength handling in dump_nas_pak()
- add -m option to specify the client listen queue max and increase
the default to 64 if the O/S does not define SOMAXCONN
- fix config.h include syntax - David M. Syzdek
- added -U and -Q flags to allow runtime setuid/setgid change - from
Robert Drake with some alteration
- Make implicit time_t conversions explicit in expire.c - from David M.
Syzdek
- initialize newsockfd in main() - from David M. Syzdek
- recent changes in autoconf are causing the + of the package name to
become -, so just drop it from the tarball name.
F4.0.4.27
- add "port" to clarify log messages of default_fn.c
- use program name (filename) instead of hard-coded "tac_plus" for
name given to PAM
- change socket binding to allow an IPv6 address with the -B argument
- bind v4 and v6 sockets if system claims it has addresses for the AFs
- fix command authorization debug message logic for match/no match -
reported by Dereck Chan
F4.0.4.26
- add optional securid support via aceclient library - Matt Addison
- use localtime instead of gmtime for log messages so that the timezone
is inherited.
- allow file authentication for PAP authorization
F4.0.4.25
- add -m (md5) option to tac_pwd. XXX could use better salt generation
- use random() in tac_pwd if available and generate 4 bytes of salt for
md5.
- sprintf -> snprintf - Robert Swiecki
- more pkt size checking in acct.c, authen.c, author.c - Robert Swiecki
- free(pak) in start_session() not in account(), for consistency
F4.0.4.24
- allow PAM for pap authentication - Jeroen Nijhof
- replace home-grown vprintf in report() with vsnprintf - Robert Swiecki
- don't use report in signal handler, since report uses syslog which uses
malloc - Robert Swiecki
- use volatile sig_atomic_t 'reinitialize' variable - Robert Swiecki
- use snprintf in get_authen_continue() and send_authen_error() and
check return - Robert Swiecki
- make snprintf buffers of get_authen_continue() and send_authen_error()
at least NI_MAXHOST bytes - Robert Swiecki
F4.0.4.23
- fix build on netbsd
- update PAM includes for OSX - YiJia Zhang
F4.0.4.22
- check of regexec() return value inverted - from Ignas Kazlauskas
F4.0.4.21
- do_auth.py - better Nexus support, better AV replacement, and only
send roles to Nexus - from Daniel Schmidt
- fix bug in checking the return value of regexec() for login and enable
ACLs.
F4.0.4.20
- remove stupid error message about running as root
- Drop the private regex library in favor of libc's. A system w/o a
regex is one I don't care about.
- finally remove config parsing for 'default authorization = permit'
- apply ACLs to pap, chap, arap and ms-chap authentication too
- change accounting log time format to match syslog
- do_auth.py fix from Daniel Schmidt
- import fdes from David G. Koontz (1991) for ARAP/MSCHAP_DES
- move MSCHAP define to autoconf; --enable-mschap
- use the fdes code for ARAP_DES and MSCHAP_DES. NOTE: I have no way to
test this. lmk if it does not work.
- increase NAC address array size. affects the format of the tacacs
wholog file (TACPLUS_WHOLOGFILE); existing file should be removed.
- add comments to tac_plus.conf.5 about cipher algorithms in
password_spec
- do_auth.py - Fixed regression, Support for replacing av pairs - from
Daniel Schmidt
F4.0.4.19
- offer $ip to before/after authorization scripts
- wtmp and accounting files do not need to be mutually exclusive
- add authorization script example - from Daniel Schmidt
- add partial support for single-connection mode
- convert select()s to poll()s
F4.0.4.18
- Fix missing printf argument in debug output
- Add "enable = nopassword" to users, groups and hosts.
F4.0.4.17
- Move REARMSIGNAL definition to autoconf
- Move REAPCHILD definition to autoconf and check if SIG_IGN works
- Move SIGCHLD handling to apply to all daemon personalities - partly
from John Payne
F4.0.4.16
- Few innocuous changes from or inspired by FreeBSD ports
- Deal with max-session finger format difference in a way that does not
require knowing which IOS is being fingered.
- The header encryption field is really a flags field which includes
a single-session option (which we'd like to support)
- Check return of write() for interrupts when writing arguments to
external scripts.
- -G was not remaining in foreground - From Nathan Schrenk
- Do not attempt to remove the pidfile if the pidfilebuf was truncated
or we could not open the file.
- Add 'accounting syslog;' configuration knob - mostly from Mark Ellzey
Thomas
- Notes about PAM - from Aaron Scarisbrick
- Allow PAM debug message with tac_plus password debugging option - from
Aaron Scarisbrick
- Allow \'s within quoted words in tac_plus.conf - from Jesse Zbikowski
- Allow 'file' <password_spec> for host and user enable - part from
Jeff Gehlbach via Daniel Schmidt
- Fix possible buffer overflow for arap - noted by Oren Nechushtan
F4.0.4.15
- Check data lengths in debugging functions - reported by Antonin
Vitecek
- Fix syslog facility selection - from Timo Vanoni & Josef Voggesser
- Add -G/foreground option
- Deal with missing socklen_t
F4.0.4.14
- Add notes about PAM to the user guide and tac_plus.conf(5)
- Log login failures with the username, NAS address and NAS tty -
requested by Andi Bauer
- ACLs were not applied through the default authentication
(ie: user=DEFAULT) path - reported by Robert Lister
F4.0.4.13
- Rename convert.pl to tac_convert and install it
- install users_guide
F4.0.4.12
- Fix typo in usage message - from Georg Schwarz
- Various tac_plus.conf.5 fixes - from Georg Schwarz
- escape the escape backslash of the ACL examples - from Georg Schwarz
- Fix a LP64 bug where VALUE (union v) consisting of pointer was
initialized like an int - reported by brad dreisbach
F4.0.4.11
- Fix OS X and build problems and do not prototype errno - from
Georg Schwarz
F4.0.4.10
- Fix PAM for linux, which does not offer PAM_AUTHOK for pam_set_item()
and requires a pam_conv function even with PAM_SILENT - reported and
tested by Stefan Oettl
F4.0.4.9
- clean-up bogus nopasswd_str prototypes that gcc4 did not like
F4.0.4.8
- if -B is used, add the bind address in the PID filename - from
Ian Dickinson
- "acl" is an AV pair for service exec. Within service attribute
parsing, do not parse "acl" as the acl (or connection ACL) keyword.
This is a hack; the parser is rather lame - noted by Bryce Kahle
- fix md4 for LP64
- do not accept skey keywords unless compiled with skey support
- fix skey enable password type - bit from Ed Ravin
- skey prompt ("challenge") is "S/Key challenge", not "Password"
- make "daemon" the default syslog facility and add a syslog config
statement
- add support for user authentication via PAM
F4.0.4.7
- make configure option --with-skey work
- raise a few logs from INFO to NOTICE, to allow syslogd filtering of
some rather noisy logs
- add ACL checking for authorization, for the case where tacacs is only
used for authorization.
F4.0.4.6
- fix a few compiler warnings
- add -e and -h options to tac_pwd
- include crypt.h if it exists (solaris)
- make configure options --with-{user,group}id work
F4.0.4.5
- use C99 stdint.h for int types
- linux's libwrap needs libnsl
- variable index in md5.c conflicts with index()
F4.0.4.4
- added more autoconf stuff
- fix-up tac_plus.8 manpage - still need to do autoconf-time option
replacement
- fix-up tac_plus.conf manpage - incomplete
- fix-up tac_plus help message
- whitespace and formatting nits
- port host clause (minus type keyword) from devrim seral's tac_plus v9
(http://www.gazi.edu.tr/tacacs/) at user request
- changed user-specific enable password handling such that if one
is specified for the user, the daemon does not check the host-specific
or global enable password.
- make TACPLUS_ACCTFILE, TACPLUS_PIDFILE, and TACPLUS_LOGFILE autoconf
knobs filling in pathsl.h and appropriate bits in manpages
- separated the frequently asked questions portion of the user_guide
into the file FAQ
- OR successive -d (debug) options
- fix md5 for LP64
F4.0.4.3
- comment out the unnecessary lex and yacc tests from autoconf
F4.0.4.2
- partial autoconf setup - much more to be done
- compile option IGN_HUP (ignore HUP signal) is history
- rename generated_password -> tac_pwd and add manpage
- rename tac_plus.1 -> tac_plus.8
- add tac_plus.confg.5
- add -h option to display usage info
F4.0.4.1
- {log,pid}file permissions fixes - partially from ian freislich
- add bind address (-B) option - partially from ian freislich
- fix pidfile removal on exit
Changes from release F4.0.3 to F4.0.4
- merge F4.0.4 changes from disaster.com
INSTALLATION_DIRS, as well as all occurrences of ${PREFIX}/man with
${PREFIX}/${PKGMANDIR}.
Fixes PR 35265, although I did not use the patch provided therein.