From 0bc3540c4df1afb3470d73b1e5cb6d0926dc98d3 Mon Sep 17 00:00:00 2001
From: Sergey Mironov
Date: Tue, 16 Sep 2014 13:07:49 +0400
Subject: allow authorization without protocol defined

Protocol is only required for certain subset of services, mainly for ppp. We allow authorization with empty protocol if user wants to use other service names, like 'ssh'

From the http://tools.ietf.org/html/draft-grant-tacacs-02 page 30:

The protocol attribute is intended for use with PPP. When service equals "ppp" and protocol equals "lcp", the message describes the PPP link layer service. For other values of protocol, this describes a PPP NCP (network layer service). A single PPP session can support multiple NCPs
---
 libtac/lib/author_r.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'libtac/lib')

diff --git a/libtac/lib/author_r.c b/libtac/lib/author_r.c
index bed9525..99998cb 100644
--- a/libtac/lib/author_r.c
+++ b/libtac/lib/author_r.c
@@ -160,6 +160,9 @@ int tac_author_read(int fd, struct areply *re) {
 free(smsg);
 }
+ TACDEBUG((LOG_DEBUG, "%s: authorization reply status=%d",\ __FUNCTION__, tb->status));
+ /* prepare status */
 switch(tb->status) {
 /* success conditions */
@@ -179,6 +182,7 @@ int tac_author_read(int fd, struct areply *re) {
 pktp = (u_char *) tb + TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE;
 argp = pktp + (tb->arg_cnt * sizeof(u_char)) + tb->msg_len + tb->data_len;
+ TACSYSLOG((LOG_WARNING, "Args cnt %d", tb->arg_cnt));
 /* argp points to current argument string pktp points to current argument length */
 for(r=0; r < tb->arg_cnt; r++) {
@@ -207,6 +211,7 @@ int tac_author_read(int fd, struct areply *re) {
 /* now buff points to attribute name, value to the attribute value */
 }
+ TACSYSLOG((LOG_WARNING, "Adding buf/value pair (%s,%s)", buff, value));
 tac_add_attrib_pair(&re->attr, buff, sepchar, value);
 argp += *pktp;
 pktp++;
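Review bot: The added `TACSYSLOG((LOG_WARNING, "Args cnt %d", tb->arg_cnt));` after the `argp =` line emits a warning-level syslog entry on every authorization reply for what is purely a trace value, while the first hunk logs the reply status through `TACDEBUG` at `LOG_DEBUG`. I would make it `TACDEBUG((LOG_DEBUG, "%s: args cnt %d", __FUNCTION__, tb->arg_cnt));` so it is gated like the rest of the debug output and does not flood operators' logs in production. Note also that `arg_cnt`, `msg_len` and `data_len` come straight from the wire here and feed both `argp` and the loop bound; the log line is not a substitute for checking that they fit within the bytes actually received, and whether such a check exists earlier in the function is not visible in this hunk. tac_author_read begins and ends outside the hunk.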
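Review bot: `TACSYSLOG((LOG_WARNING, "Adding buf/value pair (%s,%s)", buff, value));` writes every attribute name and value the TACACS+ server returns to syslog at warning level during normal operation, which spams the log and records authorization attribute data (ACLs, privilege levels, whatever the server is configured to send) somewhere that is often readable more widely than the TACACS+ session itself; it should be `TACDEBUG((LOG_DEBUG, "%s: adding attribute pair (%s,%s)", __FUNCTION__, buff, value));` like the status message in the first hunk, or dropped. The `%s` conversions also assume `buff` and `value` are non-NULL, NUL-terminated strings at this point; the loop body that fills them precedes the hunk, so I cannot confirm that here, and if `value` can be left unset for an attribute without a separator, passing it to `%s` is undefined behaviour. The enclosing for-loop and tac_author_read continue outside the hunk.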
@@ -217,8 +222,6 @@ int tac_author_read(int fd, struct areply *re) {
 break;
 }
- TACDEBUG((LOG_DEBUG, "%s: authorization failed, server reply status=%d",\
- __FUNCTION__, tb->status))
 switch (tb->status) {
 /* authorization failure conditions */
 /* failing to follow is allowed by RFC, page 23 */
-- 
cgit v1.2.3