c6a1a2ed73
appears to be maintained and where contributions are being integrated. Particularly, this fixes a SEGV crash on LP64 (amd64).

Upstream changes since 4.0.4a in reverse chronological order:

F4.0.4.28
- Fix buffer length argument to ntop() - Muhammad Muquit
- Fix two missing free()s
- Fix segfault from incorrect pointer returned from value(). Reported here: http://www.shrubbery.net/pipermail/tac_plus/2014-January/001384.html
- update autoconf bits for autoconf 2.69
- put tac_plus daemon in sbin, where it ought to be
- fix hdr->datalength handling in dump_nas_pak()
- add -m option to specify the client listen queue max and increase the default to 64 if the O/S does not define SOMAXCONN
- fix config.h include syntax - David M. Syzdek
- added -U and -Q flags to allow runtime setuid/setgid change - from Robert Drake with some alteration
- Make implicit time_t conversions explicit in expire.c - from David M. Syzdek
- initialize newsockfd in main() - from David M. Syzdek
- recent changes in autoconf are causing the + of the package name to become -, so just drop it from the tarball name.

F4.0.4.27
- add "port" to clarify log messages of default_fn.c
- use program name (filename) instead of hard-coded "tac_plus" for name given to PAM
- change socket binding to allow an IPv6 address with the -B argument
- bind v4 and v6 sockets if system claims it has addresses for the AFs
- fix command authorization debug message logic for match/no match - reported by Dereck Chan

F4.0.4.26
- add optional securid support via aceclient library - Matt Addison
- use localtime instead of gmtime for log messages so that the timezone is inherited.
- allow file authentication for PAP authorization

F4.0.4.25
- add -m (md5) option to tac_pwd. XXX could use better salt generation
- use random() in tac_pwd if available and generate 4 bytes of salt for md5.
- sprintf -> snprintf - Robert Swiecki
- more pkt size checking in acct.c, authen.c, author.c - Robert Swiecki
- free(pak) in start_session() not in account(), for consistency

F4.0.4.24
- allow PAM for pap authentication - Jeroen Nijhof
- replace home-grown vprintf in report() with vsnprintf - Robert Swiecki
- don't use report in signal handler, since report uses syslog which uses malloc - Robert Swiecki
- use volatile sig_atomic_t 'reinitialize' variable - Robert Swiecki
- use snprintf in get_authen_continue() and send_authen_error() and check return - Robert Swiecki
- make snprintf buffers of get_authen_continue() and send_authen_error() at least NI_MAXHOST bytes - Robert Swiecki

F4.0.4.23
- fix build on netbsd
- update PAM includes for OSX - YiJia Zhang

F4.0.4.22
- check of regexec() return value inverted - from Ignas Kazlauskas

F4.0.4.21
- do_auth.py - better Nexus support, better AV replacement, and only send roles to Nexus - from Daniel Schmidt
- fix bug in checking the return value of regexec() for login and enable ACLs.
- do_auth.py - better Nexus support, better AV replacement, and only

F4.0.4.20
- remove stupid error message about running as root
- Drop the private regex library in favor of libc's. A system w/o a regex is one I don't care about.
- finally remove config parsing for 'default authorization = permit'
- apply ACLs to pap, chap, arap and ms-chap authentication too
- change accounting log time format to match syslog
- do_auth.py fix from Daniel Schmidt
- import fdes from David G. Koontz (1991) for ARAP/MSCHAP_DES
- move MSCHAP define to autoconf; --enable-mschap
- use the fdes code for ARAP_DES and MSCHAP_DES. NOTE: I have no way to test this. lmk if it does not work.
- increase NAC address array size. affects the format of the tacacs wholog file (TACPLUS_WHOLOGFILE); existing file should be removed.
- add comments to tac_plus.conf.5 about cipher algorithms in password_spec
- do_auth.py - Fixed regression, Support for replacing av pairs - from Daniel Schmidt

F4.0.4.19
- offer $ip to before/after authorization scripts
- wtmp and accounting files do not need to be mutually exclusive
- add authorization script example - from Daniel Schmidt
- add partial support for single-connection mode
- convert select()s to poll()s

F4.0.4.18
- Fix missing printf argument in debug output
- Add "enable = nopassword" to users, groups and hosts.

F4.0.4.17
- Move REARMSIGNAL definition to autoconf
- Move REAPCHILD definition to autoconf and check if SIG_IGN works
- Move SIGCHLD handling to apply to all daemon personalities - partly from John Payne

F4.0.4.16
- Few innocuous changes from or inspired by FreeBSD ports
- Deal with max-session finger format difference in a way that does not require knowing which IOS is being fingered.
- The header encryption field is really a flags field which includes a single-session option (which we'd like to support)
- Check return of write() for interrupts when writing arguments to external scripts.
- -G was not remaining in foreground - From Nathan Schrenk
- Do not attempt to remove the pidfile if the pidfilebuf was truncated or we could not open the file.
- Add 'accounting syslog;' configuration knob - mostly from Mark Ellzey Thomas
- Notes about PAM - from Aaron Scarisbrick
- Allow PAM debug message with tac_plus password debugging option - from Aaron Scarisbrick
- Allow \'s within quoted words in tac_plus.conf - from Jesse Zbikowski
- Allow 'file' <password_spec> for host and user enable - part from Jeff Gehlbach via Daniel Schmidt
- Fix possible buffer overflow for arap - noted by Oren Nechushtan

F4.0.4.15
- Check data lengths in debugging functions - reported by Antonin Vitecek
- Fix syslog facility selection - from Timo Vanoni & Josef Voggesser
- Add -G/foreground option
- Deal with missing socklen_t

F4.0.4.14
- Add notes about PAM to the user guide and tac_plus.conf(5)
- Log login failures with the username, NAS address and NAS tty - requested by Andi Bauer
- ACLs were not applied through the default authentication (ie: user=DEFAULT) path - reported by Robert Lister

F4.0.4.13
- Rename convert.pl to tac_convert and install it
- install users_guide

F4.0.4.12
- Fix typo in usage message - from Georg Schwarz
- Various tac_plus.conf.5 fixes - from Georg Schwarz
- escape the escape backslash of the ACL examples - from Georg Schwarz
- Fix a LP64 bug where VALUE (union v) consisting of pointer was initialized like an int - reported by brad dreisbach

F4.0.4.11
- Fix OS X and build problems and do not prototype errno - from Georg Schwarz

F4.0.4.10
- Fix PAM for linux, which does not offer PAM_AUTHOK for pam_set_item() and requires a pam_conv function even with PAM_SILENT - reported and tested by Stefan Oettl

F4.0.4.9
- clean-up bogus nopasswd_str prototypes that gcc4 did not like

F4.0.4.8
- if -B is used, add the bind address in the PID filename - from Ian Dickinson
- "acl" is an AV pair for service exec. Within service attribute parsing, do not parse "acl" as the acl (or connection ACL) keyword. This is a hack; the parser is rather lame - noted by Bryce Kahle
- fix md4 for LP64
- do not accept skey keywords unless compiled with skey support
- fix skey enable password type - bit from Ed Ravin
- skey prompt ("challenge") is "S/Key challenge", not "Password"
- make "daemon" the default syslog facility and add a syslog config statement
- add support for user authentication via PAM

F4.0.4.7
- make configure option --with-skey work
- raise a few logs from INFO to NOTICE, to allow syslogd filtering of some rather noisy logs
- add ACL checking for authorization, for the case where tacacs is only used for authorization.

F4.0.4.6
- fix a few compiler warnings
- add -e and -h options to tac_pwd
- include crypt.h if it exists (solaris)
- make configure options --with-{user,group}id work

F4.0.4.5
- use C99 stdint.h for int types
- linux's libwrap needs libnsl
- variable index in md5.c conflicts with index()

F4.0.4.4
- added more autoconf stuff
- fix-up tac_plus.8 manpage - still need to do autoconf-time option replacement
- fix-up tac_plus.conf manpage - incomplete
- fix-up tac_plus help message
- whitespace and formatting nits
- port host clause (minus type keyword) from devrim seral's tac_plus v9 (http://www.gazi.edu.tr/tacacs/) at user request
- changed user-specific enable password handling such that if one is specified for the user, the daemon does not check the host-specific or global enable password.
- make TACPLUS_ACCTFILE, TACPLUS_PIDFILE, and TACPLUS_LOGFILE autoconf knobs filling in pathsl.h and appropriate bits in manpages
- separated the frequently asked questions portion of the user_guide into the file FAQ
- OR successive -d (debug) options
- fix md5 for LP64

F4.0.4.3
- comment out the unnecessary lex and yacc tests from autoconf

F4.0.4.2
- partial autoconf setup - much more to be done
- compile option IGN_HUP (ignore HUP signal) is history
- rename generated_password -> tac_pwd and add manpage
- rename tac_plus.1 -> tac_plus.8
- add tac_plus.confg.5
- add -h option to display usage info

F4.0.4.1
- {log,pid}file permissions fixes - partially from ian freislich
- add bind address (-B) option - partially from ian freislich
- fix pidfile removal on exit

Changes from release F4.0.3 to F4.0.4
- merge F4.0.4 changes from disaster.com