Age | Commit message | Author |
|
Add --enable-runtime-debugging option to ./configure.
Add example logmsg() to tacc.c so it can be built with debugging.
Fix logmsg() prototype (it's supposed to match the prototype of
syslog() which returns void).
Export build-time value of --enable-runtime-debugging into libtac.pc.
|
|
authenticate() doesn't handle the case of an ASCII login which
results in a continue request being required to complete the
transaction.
|
|
Various cryptography improvements
|
|
Also, correct the -DTACDEBUG_AT_RUNTIME scenario so that TACDEBUG()
binds correctly when used in an if-body with an else following it, e.g.:
    if (test)
        TACDEBUG(LOG_DEBUG, "test is true");
    else
        return;
would previously have ended up as expanding to:
    if (test)
        if (tac_debug_enable) logmsg(LOG_DEBUG, "test is true");
        else
            return;
with the indent redone to reflect the nesting correctly. This now
expands (correctly) to:
    if (test)
        do { if (tac_debug_enable) logmsg(LOG_DEBUG, "test is true"); } while (0);
    else
        return;
|
|
This saves us having to marshall data and allocate a buffer for
the entire pad (bitstream cipher). We only need it in blocks of
16 bytes (the size of the MD5 digest), so let's compute it piecemeal
as we need it.
This has the added benefit of avoiding any calls to malloc() which
might result in system calls (i.e. sbrk() to extend the heap).
|
|
Why make copies of the payload length to pass as parameters when
it's already present in the header?
|
|
Fix various declaration inconsistencies that were throwing compiler
warnings
|
|
Allow pam_tacplus to do challenge/response authentication for TAC
backends that force password change during authentication flow. Also add
support for password change via 'passwd' by implementing
pam_sm_chauthtok. Amongst other things, this requires explicitly
managing the sequence number for compatibility with some versions of
Cisco ACS.
|
|
Allow configuring an individual timeout per TACACS+ server.
Bumped SO-version due to API change.
|
|
This allows specifying from which source address/interface the TACACS+
client connection gets initiated.
Bump SO-versioning due to API change.
|
|
buffers; added safe xstrcpy()
|
|
Removed first_hit option because you can get the same behaviour by using only one server.
Added multiple secret support, you can now specify different secrets (keys) for different servers.
connect.c: improved connection error handling by using getpeername() to check if connection is still valid. This was needed since we are using non-blocking sockets.
Properly handle multiple servers when authenticating, patch from Gregg Nemas, thanks!
|