Diffstat (limited to 'net/tacacs-shrubbery')
-rw-r--r--net/tacacs-shrubbery/DESCR6
-rw-r--r--net/tacacs-shrubbery/Makefile57
-rw-r--r--net/tacacs-shrubbery/PLIST9
-rw-r--r--net/tacacs-shrubbery/distinfo11
-rw-r--r--net/tacacs-shrubbery/options.mk43
-rw-r--r--net/tacacs-shrubbery/patches/patch-ag19
-rw-r--r--net/tacacs-shrubbery/patches/patch-ah15
-rw-r--r--net/tacacs-shrubbery/patches/patch-aj15
-rw-r--r--net/tacacs-shrubbery/patches/patch-ak37
-rw-r--r--net/tacacs-shrubbery/patches/patch-al26
-rw-r--r--net/tacacs-shrubbery/patches/patch-am61
11 files changed, 299 insertions, 0 deletions
diff --git a/net/tacacs-shrubbery/DESCR b/net/tacacs-shrubbery/DESCR
new file mode 100644
index 00000000000..66a074074d1
--- /dev/null
+++ b/net/tacacs-shrubbery/DESCR
@@ -0,0 +1,6 @@
+ Tacacs+ (or tac_plus) is a freely distributable daemon from Cisco Systems.
+It is used in conjunction with Cisco routers for authorization, authentication,
+and accounting services. Tac_plus is configured via a single configuration
+file.
+This particular version is derived from the original Cisco sources and is
+maintained by Shrubbery Networks, Inc.
diff --git a/net/tacacs-shrubbery/Makefile b/net/tacacs-shrubbery/Makefile
new file mode 100644
index 00000000000..4a4f4e67980
--- /dev/null
+++ b/net/tacacs-shrubbery/Makefile
@@ -0,0 +1,57 @@
+# $NetBSD: Makefile,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
+#
+
+DISTNAME= tacacs+-F4.0.4.20
+PKGNAME= ${DISTNAME:S,-F,-,}
+CATEGORIES= net security
+MASTER_SITES= ftp://ftp.shrubbery.net/pub/tac_plus/
+
+MAINTAINER= schwarz@NetBSD.org
+HOMEPAGE= http://www.shrubbery.net/tac_plus/
+COMMENT= Cisco AAA protocol (tacacs+) daemon (Shrubbery Networks version)
+LICENSE= cisco-license
+
+CONFLICTS+= tacacs-[0-9]*
+
+PKG_DESTDIR_SUPPORT= user-destdir
+
+USE_TOOLS+= id # used in options.mk
+MAKE_JOBS_SAFE= no
+
+.include "../../mk/bsd.prefs.mk"
+.include "options.mk"
+
+GNU_CONFIGURE= yes
+USE_TOOLS+= bison perl
+USE_LIBTOOL= yes
+USE_LANGUAGES= c c++
+USE_FEATURES+= snprintf
+
+CONFIGURE_ARGS+= --with-acctfile=${VARBASE:Q}/log/tac_plus.acct
+CONFIGURE_ARGS+= --with-logfile=${VARBASE:Q}/log/tac_plus.log
+CONFIGURE_ARGS+= --with-pidfile=${VARBASE:Q}/run/tac_plus.pid
+CONFIGURE_ENV+= PERLV_PATH=${PERL5:Q}
+BUILD_DEFS+= VARBASE
+
+.if !empty(LOWER_OPSYS:Mirix5*)
+CPPFLAGS+= -Duint16_t=u_int16_t -Duint32_t=u_int32_t
+.endif
+
+.if exists(/usr/include/pam/pam_appl.h) # MacOS X prior to 10.6
+CPPFLAGS+= -DPAM-PAM
+.endif
+
+INSTALLATION_DIRS= lib sbin ${PKGMANDIR}/man3 ${PKGMANDIR}/man5 \
+ ${PKGMANDIR}/man8 share/doc/tacacs
+
+do-install:
+ ${LIBTOOL} --mode=install ${INSTALL_PROGRAM} ${WRKSRC}/tac_plus ${DESTDIR}${PREFIX}/sbin
+ ${LIBTOOL} --mode=install ${INSTALL_LIB} ${WRKSRC}/libtacacs.la ${DESTDIR}${PREFIX}/lib
+ ${INSTALL_PROGRAM} ${WRKSRC}/tac_pwd ${DESTDIR}${PREFIX}/sbin
+ ${INSTALL_SCRIPT} ${WRKSRC}/tac_convert ${DESTDIR}${PREFIX}/sbin
+ ${INSTALL_MAN} ${WRKSRC}/tac_plus.conf.5 ${DESTDIR}${PREFIX}/${PKGMANDIR}/man5
+ ${INSTALL_MAN} ${WRKSRC}/tac_plus.8 ${WRKSRC}/tac_pwd.8 \
+ ${DESTDIR}${PREFIX}/${PKGMANDIR}/man8
+ ${INSTALL_DATA} ${WRKSRC}/users_guide ${DESTDIR}${PREFIX}/share/doc/tacacs
+
+.include "../../mk/bsd.pkg.mk"
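Review bot: `-DPAM-PAM` in the `exists(/usr/include/pam/pam_appl.h)` branch is not a valid macro name, because `-` cannot appear in a C identifier. A compiler will at best define `PAM` with a stray replacement list and emit a warning, and the matching `# ifdef PAM-PAM` in patches/patch-am then only tests whether `PAM` is defined. A real identifier would state the intent, for example `CPPFLAGS+= -DPAM_PAM_APPL_H` here and `# ifdef PAM_PAM_APPL_H` in patch-am. The `exists()` test also looks at the build host's /usr/include directly, so its result may be wrong in a sandboxed or cross build; a configure-time header check would be more robust.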
diff --git a/net/tacacs-shrubbery/PLIST b/net/tacacs-shrubbery/PLIST
new file mode 100644
index 00000000000..99e85240a96
--- /dev/null
+++ b/net/tacacs-shrubbery/PLIST
@@ -0,0 +1,9 @@
+@comment $NetBSD: PLIST,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
+lib/libtacacs.la
+man/man5/tac_plus.conf.5
+man/man8/tac_plus.8
+man/man8/tac_pwd.8
+sbin/tac_convert
+sbin/tac_plus
+sbin/tac_pwd
+share/doc/tacacs/users_guide
diff --git a/net/tacacs-shrubbery/distinfo b/net/tacacs-shrubbery/distinfo
new file mode 100644
index 00000000000..3a9f23c4eb1
--- /dev/null
+++ b/net/tacacs-shrubbery/distinfo
@@ -0,0 +1,11 @@
+$NetBSD: distinfo,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
+
+SHA1 (tacacs+-F4.0.4.20.tar.gz) = 233d3762357c8e59ec217102af53f2e7430300d7
+RMD160 (tacacs+-F4.0.4.20.tar.gz) = 6fc4f05c1ec963b4a9c6c2881fde12a0258eb359
+Size (tacacs+-F4.0.4.20.tar.gz) = 477649 bytes
+SHA1 (patch-ag) = f0cad7741f8127668d9c2929dcb74e0ed96d0db2
+SHA1 (patch-ah) = 2b09d7e67b865e26b37322ebfd7a76c44a8bce30
+SHA1 (patch-aj) = 618c6ff411502bd32af40e9f48c6e2f7ec55e996
+SHA1 (patch-ak) = df059f82a38fb394b726ee46fa87aa0ea04681c3
+SHA1 (patch-al) = 85e964f23aa228f3d1debf0f407d5d8857ff2bcf
+SHA1 (patch-am) = 880e3821a335e2605beb03dc145b3cd9a020fb2f
diff --git a/net/tacacs-shrubbery/options.mk b/net/tacacs-shrubbery/options.mk
new file mode 100644
index 00000000000..bca7df86716
--- /dev/null
+++ b/net/tacacs-shrubbery/options.mk
@@ -0,0 +1,43 @@
+# $NetBSD: options.mk,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
+
+PKG_OPTIONS_VAR= PKG_OPTIONS.tacacs-shrubbery
+PKG_SUPPORTED_OPTIONS= tacacs-shrubbery-acls-support tacacs-shrubbery-drop-root-privileges tcpwrappers skey
+PKG_SUGGESTED_OPTIONS= tacacs-shrubbery-acls-support tcpwrappers skey
+
+.include "../../mk/bsd.options.mk"
+
+.if !empty(PKG_OPTIONS:Mtacacs-shrubbery-acls-support)
+CONFIGURE_ARGS+= --enable-acls
+.else
+CONFIGURE_ARGS+= --disable-acls
+.endif
+
+.if !empty(PKG_OPTIONS:Mtacacs-shrubbery-drop-root-privileges)
+# tac_plus code requires numeric UID, GID
+DEFAULT_TACACS_USER!= ${ID} -u nobody
+DEFAULT_TACACS_GROUP!= ${ID} -g nobody
+TACACS_USER?= ${DEFAULT_TACACS_USER}
+TACACS_GROUP?= ${DEFAULT_TACACS_GROUP}
+PKG_USERS= ${TACACS_USER}:${TACACS_GROUP}
+PKG_GROUPS= ${TACACS_GROUP}
+CONFIGURE_ARGS+= --with-userid=${TACACS_USER:Q}
+CONFIGURE_ARGS+= --with-groupid=${TACACS_GROUP:Q}
+.endif
+
+.if !empty(PKG_OPTIONS:Mtcpwrappers)
+CONFIGURE_ARGS+= --with-libwrap=${BUILDLINK_PREFIX.tcp_wrappers}
+. include "../../security/tcp_wrappers/buildlink3.mk"
+.else
+CONFIGURE_ARGS+= --without-libwrap
+.endif
+
+.if !empty(PKG_OPTIONS:Mskey)
+CONFIGURE_ARGS+= --with-skey=${BUILDLINK_PREFIX.skey}
+. include "../../security/skey/buildlink3.mk"
+. if (defined(IS_BUILTIN.skey) && ${IS_BUILTIN.skey} == no ) || ${OPSYS} == "OpenBSD"
+# pkgsrc's version uses three arguments only, as does OpenBSD's
+CPPFLAGS+= -DOLDSKEY
+. endif
+.else
+CONFIGURE_ARGS+= --without-skey
+.endif
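Review bot: `tacacs-shrubbery-drop-root-privileges` is supported but left out of `PKG_SUGGESTED_OPTIONS`, so a default build presumably yields a network-facing AAA daemon that keeps root for its whole lifetime; consider adding it to the suggested set. When the option is enabled, the defaults come from `${ID} -u nobody` and `${ID} -g nobody`, which share an identity with any other service running as nobody, so a dedicated account would isolate the daemon better. `PKG_USERS` and `PKG_GROUPS` then receive those numeric ids, whereas pkgsrc normally expects account names there, so it is worth confirming nothing unintended gets created. The acct, log and pid paths set in the Makefile via `--with-acctfile`, `--with-logfile` and `--with-pidfile` also need to be writable by the unprivileged user, which nothing in this file arranges.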
diff --git a/net/tacacs-shrubbery/patches/patch-ag b/net/tacacs-shrubbery/patches/patch-ag
new file mode 100644
index 00000000000..4582c4ba501
--- /dev/null
+++ b/net/tacacs-shrubbery/patches/patch-ag
@@ -0,0 +1,19 @@
+$NetBSD: patch-ag,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
+
+Older implementations of skeychallenge() only have three arguments.
+
+--- skey_fn.c.orig 2009-03-17 19:40:29.000000000 +0100
++++ skey_fn.c 2009-04-19 12:33:05.000000000 +0200
+@@ -164,7 +164,11 @@
+ return(1);
+ }
+
+- if (skeychallenge(&p->skey, name, skeyprompt, 80) == 0) {
++ if (skeychallenge(&p->skey, name, skeyprompt
++#ifndef OLDSKEY
++ , 80
++#endif
++ ) == 0) {
+ char buf[256];
+ sprintf(buf, "%s\nS/Key challenge: ", skeyprompt);
+ data->server_msg = tac_strdup(buf);
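Review bot: With `OLDSKEY` defined the `80` length bound is no longer passed, so `skeychallenge()` writes into `skeyprompt` with no size supplied by the caller. The declaration of `skeyprompt` is outside the hunk, so confirm it is at least as large as the three-argument implementations assume. The `sprintf(buf, ...)` into `char buf[256]` on the following context line is likewise unbounded. Since the package already sets `USE_FEATURES+= snprintf`, this patch could also carry `snprintf(buf, sizeof buf, "%s\nS/Key challenge: ", skeyprompt);`.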
diff --git a/net/tacacs-shrubbery/patches/patch-ah b/net/tacacs-shrubbery/patches/patch-ah
new file mode 100644
index 00000000000..0d85e593140
--- /dev/null
+++ b/net/tacacs-shrubbery/patches/patch-ah
@@ -0,0 +1,15 @@
+$NetBSD: patch-ah,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
+
+Handle IRIX the same way as Solaris
+
+--- do_acct.c.orig 2011-11-30 17:58:18.000000000 +0100
++++ do_acct.c 2011-11-30 17:58:28.000000000 +0100
+@@ -223,7 +223,7 @@
+ else
+ memcpy(entry.ut_name, name, sizeof(entry.ut_name));
+
+-#ifndef SOLARIS
++#if !defined(SOLARIS) && !defined(__sgi)
+ if (strlen(host) < sizeof entry.ut_host)
+ strcpy(entry.ut_host, host);
+ else
diff --git a/net/tacacs-shrubbery/patches/patch-aj b/net/tacacs-shrubbery/patches/patch-aj
new file mode 100644
index 00000000000..61df64e5c50
--- /dev/null
+++ b/net/tacacs-shrubbery/patches/patch-aj
@@ -0,0 +1,15 @@
+$NetBSD: patch-aj,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
+
+Fix a typo in the comments :-)
+
+--- aclocal.m4.orig 2011-11-30 18:00:22.000000000 +0100
++++ aclocal.m4 2011-11-30 18:00:28.000000000 +0100
+@@ -8101,7 +8101,7 @@
+
+ # There are a few dirty hacks below to avoid letting `AC_PROG_CC' be
+ # written in clear, in which case automake, when reading aclocal.m4,
+-# will think it sees a *use*, and therefore will trigger all it's
++# will think it sees a *use*, and therefore will trigger all its
+ # C support machinery. Also note that it means that autoscan, seeing
+ # CC etc. in the Makefile, will ask for an AC_PROG_CC use...
+
diff --git a/net/tacacs-shrubbery/patches/patch-ak b/net/tacacs-shrubbery/patches/patch-ak
new file mode 100644
index 00000000000..db7d0044039
--- /dev/null
+++ b/net/tacacs-shrubbery/patches/patch-ak
@@ -0,0 +1,37 @@
+$NetBSD: patch-ak,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
+
+Don't mess with CPPFLAGS and LDFLAGS as pkgsrc handle them
+
+--- configure.orig 2011-11-30 18:01:46.000000000 +0100
++++ configure 2011-11-30 18:01:54.000000000 +0100
+@@ -3262,8 +3262,8 @@
+ # XXX: not sure if /usr/local is necessary.
+ # XXX: linux libwrap needs -lnsl. configure should check for
+ # existence of libnsl instead of hard-coding
+- CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
+- LDFLAGS="$LDFLAGS -L/usr/local/lib -L/lib"; export LDFLAGS
++ # CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
++ # LDFLAGS="$LDFLAGS -L/usr/local/lib -L/lib"; export LDFLAGS
+ LIBS="-lnsl -lcrypt $LIBS"; export LIBS
+ $as_echo "#define LINUX 1" >>confdefs.h
+
+@@ -3271,15 +3271,15 @@
+ # XXX: does linux need glibc: -DGLIBC
+ ;;
+ *mips* )
+- CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
+- LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS
++ # CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
++ # LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS
+ LIBS="-lcrypt $LIBS"; export LIBS
+ $as_echo "#define MIPS 1" >>confdefs.h
+
+ ;;
+ * )
+- CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
+- LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS
++ # CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
++ # LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS
+ ;;
+ esac
+
diff --git a/net/tacacs-shrubbery/patches/patch-al b/net/tacacs-shrubbery/patches/patch-al
new file mode 100644
index 00000000000..01b00455ba8
--- /dev/null
+++ b/net/tacacs-shrubbery/patches/patch-al
@@ -0,0 +1,26 @@
+$NetBSD: patch-al,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
+
+Also compile on systems that do not have PAM
+
+--- config.c.orig 2009-04-19 12:39:42.000000000 +0200
++++ config.c 2009-04-19 12:41:16.000000000 +0200
+@@ -65,7 +65,9 @@
+ skey |
+ cleartext <password> |
+ des <password> |
++#ifdef HAVE_PAM
+ PAM |
++#endif
+ nopassword
+
+ <user_attr> := name = <string> |
+@@ -79,6 +81,9 @@
+ #endif
+ pap = cleartext <string> |
+ pap = des <string> |
++#ifdef HAVE_PAM
++ pap = PAM |
++#endif
+ opap = cleartext <string> |
+ global = cleartext <string> |
+ msg = <string>
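Review bot: The description says this lets config.c compile without PAM, but both hunks appear to sit inside the grammar comment of config.c (the surrounding lines are BNF such as `des <password> |`), where `#ifdef HAVE_PAM` is plain comment text and cannot affect compilation. If that reading is right, the description should say what the patch does, for example `Document that PAM entries are only accepted when built with HAVE_PAM`. The second hunk also advertises `pap = PAM |`, yet no parser change for it is visible in this commit, so confirm that config.c actually accepts that form before documenting it.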
diff --git a/net/tacacs-shrubbery/patches/patch-am b/net/tacacs-shrubbery/patches/patch-am
new file mode 100644
index 00000000000..78e4cd34866
--- /dev/null
+++ b/net/tacacs-shrubbery/patches/patch-am
@@ -0,0 +1,61 @@
+$NetBSD: patch-am,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
+
+Properly handle PAM support header file on MacOS prior to 10.6;
+added patch for PAM support for pap.
+(http://www.shrubbery.net/pipermail/tac_plus/2008-October/000282.html)
+
+--- pwlib.c.orig 2011-11-30 18:02:45.000000000 +0100
++++ pwlib.c 2011-11-30 18:02:54.000000000 +0100
+@@ -31,7 +31,7 @@
+ #endif
+
+ #if HAVE_PAM
+-# ifdef __APPLE__ /* MacOS X */
++# ifdef PAM-PAM /* MacOS X prior to 10.6 */
+ # include <pam/pam_appl.h>
+ # else
+ # include <security/pam_appl.h>
+@@ -50,6 +50,9 @@
+ #endif
+ static int passwd_file_verify(char *, char *, struct authen_data *, char *);
+
++// Global password variable for pap PAM support
++static char *predef_passwd;
++
+ /* Adjust data->status depending on whether a user has expired or not */
+ void
+ set_expiration_status(char *exp_date, struct authen_data *data)
+@@ -490,10 +493,13 @@
+ report(LOG_DEBUG, "%s %s: PAM_PROMPT_ECHO_OFF", session.peer,
+ session.port);
+
+- send_authen_reply(TAC_PLUS_AUTHEN_STATUS_GETPASS,
+- (char *)pmpp[i]->msg,
+- pmpp[i]->msg ? strlen(pmpp[i]->msg) : 0,
+- NULL, 0, TAC_PLUS_AUTHEN_FLAG_NOECHO);
++ if (strcmp(predef_passwd, "") != 0) {
++ prpp[i]->resp = predef_passwd;
++ } else {
++ send_authen_reply(TAC_PLUS_AUTHEN_STATUS_GETPASS,
++ (char *)pmpp[i]->msg,
++ pmpp[i]->msg ? strlen(pmpp[i]->msg) : 0,
++ NULL, 0, TAC_PLUS_AUTHEN_FLAG_NOECHO);
+ reply = get_authen_continue();
+ if (!reply) {
+ /* Typically due to a premature connection close */
+@@ -513,6 +519,7 @@
+ prpp[i]->resp[acp->user_msg_len] = '\0';
+
+ free(reply);
++ }
+ break;
+ case PAM_PROMPT_ECHO_ON:
+ if (debug & DEBUG_PASSWD_FLAG)
+@@ -588,6 +595,7 @@
+ int pam_flag;
+ struct pam_conv conv = { pam_tacacs, NULL };
+ pam_handle_t *pamh = NULL;
++ predef_passwd = passwd;
+
+ if (debug & DEBUG_PASSWD_FLAG)
+ report(LOG_DEBUG, "pam_verify %s %s", user, passwd);
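Review bot: `prpp[i]->resp = predef_passwd;` hands the PAM consumer a pointer to the caller's `passwd` buffer, but conversation responses are released with free() by whoever receives them, so this can free memory the conversation function does not own, or free it twice. The `strcmp(predef_passwd, "")` test also dereferences NULL if `pam_verify` is ever called without a password. Changing the branch to `if (predef_passwd != NULL && predef_passwd[0] != '\0') { prpp[i]->resp = tac_strdup(predef_passwd);` addresses both. `predef_passwd` should also be reset to NULL before `pam_verify` returns so the file-scope pointer does not outlive the buffer; the end of `pam_verify` is outside the hunk. Separately, the context line `report(LOG_DEBUG, "pam_verify %s %s", user, passwd);` writes the cleartext password to the debug log and would be better without the second `%s`.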