pkgsrc/net/tacacs
he c6a1a2ed73 Update to version 4.0.4.28, and switch to shrubbery.net version which
appears to be maintained and where contributions are being integrated.

Particularly, this fixes a SEGV crash on LP64 (amd64).

Upstream changes since 4.0.4a in reverse chronological order:

F4.0.4.28
  - Fix buffer length argument to ntop() - Muhammad Muquit
  - Fix two missing free()s
  - Fix segfault from incorrect pointer returned from value().  Reported
    here:
    http://www.shrubbery.net/pipermail/tac_plus/2014-January/001384.html
  - update autoconf bits for autoconf 2.69
  - put tac_plus daemon in sbin, where it ought to be
  - fix hdr->datalength handling in dump_nas_pak()
  - add -m option to specify the client listen queue max and increase
    the default to 64 if the O/S does not define SOMAXCONN
  - fix config.h include syntax - David M. Syzdek
  - added -U and -Q flags to allow runtime setuid/setgid change - from
    from Robert Drake with some alteration
  - Make implicit time_t conversions explicit in expire.c - from David M.
    Syzdek
  - initialize newsockfd in main() - from David M. Syzdek
  - recent changes in autoconf are causing the + of the package name to
    become -, so just drop it from the tarball name.

F4.0.4.27
  - add "port" to clarify log messages of default_fn.c
  - use program name (filename) instead of hard-coded "tac_plus" for
    name given to PAM
  - change socket binding to allow an IPv6 address with the -B argument
  - bind v4 and v6 sockets if system claims its has addresses for the AFs
  - fix command authorization debug message logic for match/no match -
    reported by Dereck Chan

F4.0.4.26
  - add optional securid support via aceclient library - Matt Addison
  - use localtime instead of gmtime for log messages so that the timezone
    is inheritted.
  - allow file authentication for PAP authorization

F4.0.4.25
  - add -m (md5) option to tac_pwd.  XXX could use better salt generation
  - use random() in tac_pwd if available and generate 4 bytes of salt for
    md5.
  - sprintf -> snprintf - Robert Swiecki
  - more pkt size checking in acct.c, authen.c, author.c - Robert Swiecki
  - free(pak) in start_session() not in account(), for consistency

F4.0.4.24
  - allow PAM for pap authentication - Jeroen Nijhof
  - replace home-grown vprintf in report() with vsnprintf - Robert Swiecki
  - dont use report in signal handler, since report uses syslog which uses
    malloc - Robert Swiecki
  - use volatile sig_atomic_t 'reinitialize' variable - Robert Swiecki
  - use snprintf in get_authen_continue() and send_authen_error() and
    check return - Robert Swiecki
  - make snprintf buffers of get_authen_continue() and send_authen_error()
    at least NI_MAXHOST bytes - Robert Swiecki

F4.0.4.23
  - fix build on netbsd
  - update PAM includes for OSX - YiJia Zhang

F4.0.4.22
  - check of regexec() return value inverted - from Ignas Kazlauskas

F4.0.4.21
  - do_auth.py - better Nexus support, better AV replacement, and only
    send roles to Nexus - from Daniel Schmidt
  - fix bug in checking the return value of regexec() for login and enable
    ACLs.
  - do_auth.py - better Nexus support, better AV replacement, and only

F4.0.4.20
  - remove stupid error message about running as root
  - Drop the private regex library in favor of libc's.  A system w/o a
    regex is one I dont care about.
  - finally remove config parsing for 'default authorization = permit'
  - apply ACLs to pap, chap, arap and ms-chap authentication too
  - change accounting log time format to match syslog
  - do_auth.py fix from Daniel Schmidt
  - import fdes from David G. Koontz (1991) for ARAP/MSCHAP_DES
  - move MSCHAP define to autoconf; --enable-mschap
  - use the fdes code for ARAP_DES and MSCHAP_DES.  NOTE: I have no way to
    test this.  lmk if it does not work.
  - increase NAC address array size.  affects the format of the tacacs
    wholog file (TACPLUS_WHOLOGFILE); existing file should be removed.
  - add comments to tac_plus.conf.5 about cipher algorithms in
    password_spec
  - do_auth.py - Fixed reression, Support for replacing av pairs - from
    Daniel Schmidt

F4.0.4.19
  - offer $ip to before/after authorization scripts
  - wtmp and accounting files do not need to be mutually exclusive
  - add authorization script example - from Daniel Schmidt
  - add partial support for single-connection mode
  - convert select()s to poll()s

F4.0.4.18
  - Fix missing printf argument in debug output
  - Add "enable = nopassword" to users, groups and hosts.

F4.0.4.17
  - Move REARMSIGNAL definition to autoconf
  - Move REAPCHILD definition to autoconf and check if SIG_IGN works
  - Move SIGCHLD handling to apply to all daemon personalities - partly
    from John Payne

F4.0.4.16
  - Few innocuous changes from or inspired by FreeBSD ports
  - Deal with max-session finger format difference in a way that does not
    require knowing which IOS is being fingered.
  - The header encryption field is really a flags field which includes
    a single-session option (which we'd like to support)
  - Check return of write() for interrupts when writing arguments to
    external scripts.
  - -G was not remaining in foreground - From Nathan Schrenk
  - Do not attempt to remove the pidfile if the pidfilebuf was truncated
    or we could not open the file.
  - Add 'accounting syslog;' configuration knob - mostly from Mark Ellzey
    Thomas
  - Notes about PAM - from Aaron Scarisbrick
  - Allow PAM debug message with tac_plus password debugging option - from
    Aaron Scarisbrick
  - Allow \'s within quoted words in tac_plus.conf - from Jesse Zbikowski
  - Allow 'file' <password_spec> for host and user enable - part from
    Jeff Gehlbach via Daniel Schmidt
  - Fix possible buffer overflow for arap - noted by Oren Nechushtan

F4.0.4.15
  - Check data lengths in debugging functions - reported by Antonin
    Vitecek
  - Fix syslog facility selection - from Timo Vanoni & Josef Voggesser
  - Add -G/foreground option
  - Deal with missing socklen_t

F4.0.4.14
  - Add notes about PAM to the user guide and tac_plus.conf(5)
  - Log login failures with the username, NAS address and NAS tty -
    requested by Andi Bauer
  - ACLs were not applied through the default authentication
    (ie: user=DEFAULT) path - reported by Robert Lister

F4.0.4.13
  - Rename convert.pl to tac_convert and install it
  - install users_guide

F4.0.4.12
  - Fix typo in usage message - from Georg Schwarz
  - Various tac_plus.conf.5 fixes - from Georg Schwarz
  - escape the escape backslash of the ACL examples - from Georg Schwarz
  - Fix a LP64 bug where VALUE (union v) consisting of pointer was
    intialized like an int - reported by brad dreisbach

F4.0.4.11
  - Fix OS X and build problems and do not prototype errno - from
    Georg Schwarz

F4.0.4.10
  - Fix PAM for linux, which does not offer PAM_AUTHOK for pam_set_item()
    and requires a pam_conv function even with PAM_SILENT - reported and
    tested by Stefan Oettl

F4.0.4.9
  - clean-up bogus nopasswd_str protoypes that gcc4 did not like

F4.0.4.8
  - if -B is used, add the bind address in the PID filename - from
    Ian Dickinson
  - "acl" is an AV pair for service exec.  Within service attribute
    parsing, do not parse "acl" as the acl (or connection ACL) keyword.
    This is a hack; the parser is rather lame - noted by Bryce Kahle
  - fix md4 for LP64
  - do not accept skey keywords unless compiled with skey support
  - fix skey enable password type - bit from Ed Ravin
  - skey prompt ("challenge") is "S/Key challenge", not "Password"
  - make "daemon" the default syslog facility and add a syslog config
    statement
  - add support for user authentication via PAM

F4.0.4.7
  - make configure option --with-skey work
  - raise a few logs from INFO to NOTICE, to allow syslogd filtering of
    some rather noisey logs
  - add ACL checking for authorization, for the case where tacacs is only
    used for authorization.

F4.0.4.6
  - fix a few compiler warnings
  - add -e and -h options to tac_pwd
  - include crypt.h if it exists (solaris)
  - make configure options --with-{user,group}id work

F4.0.4.5
  - use C99 stdint.h for int types
  - linux's libwrap needs libnsl
  - variable index in md5.c conflicts with index()

F4.0.4.4
  - added more autoconf stuff
  - fix-up tac_plus.8 manpage - still need to do autoconf-time option
    replacement
  - fix-up tac_plus.conf manpage - incomplete
  - fix-up tac_plus help message
  - whitespace and formatting nits
  - port host clause (minus type keyword) from devrim seral's tac_plus v9
    (http://www.gazi.edu.tr/tacacs/) at user request
  - changed user-specific enable password handling such that it if one
    is specified for the user, the daemon does not check the host-specific
    or global enable password.
  - make TACPLUS_ACCTFILE, TACPLUS_PIDFILE, and TACPLUS_LOGFILE autoconf
    knobs filling in pathsl.h and appopriate bits in manpages
  - separated the frequently asked questions portion of the user_guide
    into the file FAQ
  - OR successive -d (debug) options
  - fix md5 for LP64

F4.0.4.3
  - comment out the unnecessary lex and yacc tests from autoconf

F4.0.4.2
  - partial autoconf setup - much more to be done
  - compile option IGN_HUP (ignore HUP signal) is history
  - rename generated_password -> tac_pwd and add manpage
  - rename tac_plus.1 -> tac_plus.8
  - add tac_plus.confg.5
  - add -h option to display usage info

F4.0.4.1
  - {log,pid}file permissions fixes       - partically from ian freislich
  - add bind address (-B) option - partically from ian freislich
  - fix pidfile removal on exit

Changes from release F4.0.3 to F4.0.4
  - merge F4.0.4 changes from disaster.com
2015-02-13 22:36:00 +00:00
..
DESCR
distinfo Update to version 4.0.4.28, and switch to shrubbery.net version which 2015-02-13 22:36:00 +00:00
Makefile Update to version 4.0.4.28, and switch to shrubbery.net version which 2015-02-13 22:36:00 +00:00
PLIST