author | Sergey Mironov <grrwlf@gmail.com> | 2014-09-16 13:07:49 +0400 |
---|---|---|
committer | Sergey Mironov <grrwlf@gmail.com> | 2014-09-18 13:25:20 +0400 |
commit | 0bc3540c4df1afb3470d73b1e5cb6d0926dc98d3 (patch) | |
tree | 705e6ec57229ec216a4e455c6d787339d4dcc187 /libtac | |
parent | aae45a3089686ac7adeabb77ba04350430e3ae8c (diff) | |
allow authorization without protocol defined
Protocol is only required for a certain subset of services, mainly for ppp. We
allow authorization with an empty protocol if the user wants to use other service
names, like 'ssh'
From the http://tools.ietf.org/html/draft-grant-tacacs-02 page 30:
The protocol attribute is intended for use with PPP. When service equals
"ppp" and protocol equals "lcp", the message describes the PPP link
layer service. For other values of protocol, this describes a PPP NCP
(network layer service). A single PPP session can support multiple NCPs
Diffstat (limited to 'libtac')
-rw-r--r-- | libtac/lib/author_r.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/libtac/lib/author_r.c b/libtac/lib/author_r.c index bed9525..99998cb 100644 --- a/libtac/lib/author_r.c +++ b/libtac/lib/author_r.c @@ -160,6 +160,9 @@ int tac_author_read(int fd, struct areply *re) { free(smsg); } + TACDEBUG((LOG_DEBUG, "%s: authorization reply status=%d",\ + __FUNCTION__, tb->status)); + /* prepare status */ switch(tb->status) { /* success conditions */ @@ -179,6 +182,7 @@ int tac_author_read(int fd, struct areply *re) { pktp = (u_char *) tb + TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE; argp = pktp + (tb->arg_cnt * sizeof(u_char)) + tb->msg_len + tb->data_len; + TACSYSLOG((LOG_WARNING, "Args cnt %d", tb->arg_cnt)); /* argp points to current argument string pktp points to current argument length */ for(r=0; r < tb->arg_cnt; r++) { @@ -207,6 +211,7 @@ int tac_author_read(int fd, struct areply *re) { /* now buff points to attribute name, value to the attribute value */ } + TACSYSLOG((LOG_WARNING, "Adding buf/value pair (%s,%s)", buff, value)); tac_add_attrib_pair(&re->attr, buff, sepchar, value); argp += *pktp; pktp++; @@ -217,8 +222,6 @@ int tac_author_read(int fd, struct areply *re) { break; } - TACDEBUG((LOG_DEBUG, "%s: authorization failed, server reply status=%d",\ - __FUNCTION__, tb->status)) switch (tb->status) { /* authorization failure conditions */ /* failing to follow is allowed by RFC, page 23 */ |
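Review bot: In the hunk at @@ -160,6 +160,9 @@, the backslash after the format string in the added TACDEBUG call is not needed, because this is an ordinary call split over two lines and not a macro definition. Drop the continuation so the statement reads like the other calls in the function. Moving the status message ahead of the switch means it now covers success replies as well, which makes the failure-only copy removed at @@ -217,8 +222,6 @@ redundant.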
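Review bot: In the hunk at @@ -179,6 +182,7 @@, the added TACSYSLOG((LOG_WARNING, "Args cnt %d", tb->arg_cnt)) reports routine parsing state at warning severity for every reply that reaches the argument loop. Use TACDEBUG with LOG_DEBUG and the "%s: " plus __FUNCTION__ prefix, as the status message added at @@ -160,6 +160,9 @@ does, so that syslog warnings stay reserved for conditions an operator needs to act on.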
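Review bot: In the hunk at @@ -207,6 +211,7 @@, the added TACSYSLOG((LOG_WARNING, "Adding buf/value pair (%s,%s)", buff, value)) writes every attribute name and value parsed from the authorization reply to syslog at warning level. Those strings are taken from the received packet, so they reach the log unfiltered on every authorization and may include values that should not be recorded by default. Switch this to TACDEBUG at LOG_DEBUG so it is only emitted in debug builds, and consider logging the attribute name without its value.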