Age | Commit message | Author |
|
For ASCII login, data field is not used ([1] Section 9.0.2 Inbound ASCII Login).
So do not add the user password for the login authentication with type ASCII.
[1] https://tools.ietf.org/html/draft-grant-tacacs-02
|
|
Various cryptography improvements
|
|
Also, correct the -DTACDEBUG_AT_RUNTIME scenario so that TACDEBUG()
binds correctly when used in an if-body with an else following it, e.g.:

    if (test)
        TACDEBUG(LOG_DEBUG, "test is true");
    else
        return;

would previously have ended up as expanding to:

    if (test)
        if (tac_debug_enable) logmsg(LOG_DEBUG, "test is true");
        else
            return;

with the indent redone to reflect the nesting correctly. This now
expands (correctly) to:

    if (test)
        do { if (tac_debug_enable) logmsg(LOG_DEBUG, "test is true"); } while (0);
    else
        return;
|
|
It's easier to read, debug, and maintain that way.
Also, avoid unnecessary marshalling while we're at it, since
MD5Update() can be called iteratively, which obviates having to
gather the data to be digested into a contiguous buffer.
|
|
Why make copies of the payload length to pass as parameters when
it's already present in the header?
|
|
Fix the prototyping in lib/md5.h.
Accommodate the function name differences between lib/md5.h and
the equivalent functions in openssl/md5.h.
Accommodate replacement of MD5_LEN with MD5_LBLOCK (note that
MD5_CBLOCK and MD5_DIGEST_LEN aren't referenced) and use this
consistently.
|
|
|
|
Fix various declaration inconsistencies that were throwing compiler
warnings
|
|
|
|
Allow pam_tacplus to do challenge/response authentication for TAC
backends that force password change during authentication flow. Also add
support for password change via 'passwd' by implementing
pam_sm_chauthtok. Amongst other things, this requires explicitly
managing the sequence number for compatibility with some versions of
Cisco ACS.
|
|
|
|
buffers; added safe xstrcpy()
|