From 441378074f135b0ebe09bd4ddf68a5fe8259766e Mon Sep 17 00:00:00 2001
From: pettai
Date: Wed, 30 Nov 2011 23:47:29 +0000
Subject: Tacacs+ (or tac_plus) is a freely distributable daemon from Cisco Systems. It is used in conjunction with Cisco routers for authorization, authentication, and accounting services. Tac_plus is configured via a single configuration file. This particular version is derived from the original Cisco sources and is maintained by Shrubbery Networks, Inc.
---
net/tacacs-shrubbery/DESCR | 6 ++++
net/tacacs-shrubbery/Makefile | 57 ++++++++++++++++++++++++++++++++
net/tacacs-shrubbery/PLIST | 9 ++++++
net/tacacs-shrubbery/distinfo | 11 +++++++
net/tacacs-shrubbery/options.mk | 43 ++++++++++++++++++++++++
net/tacacs-shrubbery/patches/patch-ag | 19 +++++++++++
net/tacacs-shrubbery/patches/patch-ah | 15 +++++++++
net/tacacs-shrubbery/patches/patch-aj | 15 +++++++++
net/tacacs-shrubbery/patches/patch-ak | 37 +++++++++++++++++++++
net/tacacs-shrubbery/patches/patch-al | 26 +++++++++++++++
net/tacacs-shrubbery/patches/patch-am | 61 +++++++++++++++++++++++++++++++++++
11 files changed, 299 insertions(+)
create mode 100644 net/tacacs-shrubbery/DESCR
create mode 100644 net/tacacs-shrubbery/Makefile
create mode 100644 net/tacacs-shrubbery/PLIST
create mode 100644 net/tacacs-shrubbery/distinfo
create mode 100644 net/tacacs-shrubbery/options.mk
create mode 100644 net/tacacs-shrubbery/patches/patch-ag
create mode 100644 net/tacacs-shrubbery/patches/patch-ah
create mode 100644 net/tacacs-shrubbery/patches/patch-aj
create mode 100644 net/tacacs-shrubbery/patches/patch-ak
create mode 100644 net/tacacs-shrubbery/patches/patch-al
create mode 100644 net/tacacs-shrubbery/patches/patch-am
(limited to 'net/tacacs-shrubbery')
diff --git a/net/tacacs-shrubbery/DESCR b/net/tacacs-shrubbery/DESCR
new file mode 100644
index 00000000000..66a074074d1
--- /dev/null
+++ b/net/tacacs-shrubbery/DESCR
@@ -0,0 +1,6 @@
+ Tacacs+ (or tac_plus) is a freely distributable daemon from Cisco Systems.
+It is used in conjunction with Cisco routers for authorization, authentication,
+and accounting services. Tac_plus is configured via a single configuration
+file.
+This particular version is derived from the original Cisco sources and is
+maintained by Shrubbery Networks, Inc.
diff --git a/net/tacacs-shrubbery/Makefile b/net/tacacs-shrubbery/Makefile
new file mode 100644
index 00000000000..4a4f4e67980
--- /dev/null
+++ b/net/tacacs-shrubbery/Makefile
@@ -0,0 +1,57 @@
+# $NetBSD: Makefile,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
+#
+
+DISTNAME= tacacs+-F4.0.4.20
+PKGNAME= ${DISTNAME:S,-F,-,}
+CATEGORIES= net security
+MASTER_SITES= ftp://ftp.shrubbery.net/pub/tac_plus/
+
+MAINTAINER= schwarz@NetBSD.org
+HOMEPAGE= http://www.shrubbery.net/tac_plus/
+COMMENT= Cisco AAA protocol (tacacs+) daemon (Shrubbery Networks version)
+LICENSE= cisco-license
+
+CONFLICTS+= tacacs-[0-9]*
+
+PKG_DESTDIR_SUPPORT= user-destdir
+
+USE_TOOLS+= id # used in options.mk
+MAKE_JOBS_SAFE= no
+
+.include "../../mk/bsd.prefs.mk"
+.include "options.mk"
+
+GNU_CONFIGURE= yes
+USE_TOOLS+= bison perl
+USE_LIBTOOL= yes
+USE_LANGUAGES= c c++
+USE_FEATURES+= snprintf
+
+CONFIGURE_ARGS+= --with-acctfile=${VARBASE:Q}/log/tac_plus.acct
+CONFIGURE_ARGS+= --with-logfile=${VARBASE:Q}/log/tac_plus.log
+CONFIGURE_ARGS+= --with-pidfile=${VARBASE:Q}/run/tac_plus.pid
+CONFIGURE_ENV+= PERLV_PATH=${PERL5:Q}
+BUILD_DEFS+= VARBASE
+
+.if !empty(LOWER_OPSYS:Mirix5*)
+CPPFLAGS+= -Duint16_t=u_int16_t -Duint32_t=u_int32_t
+.endif
+
+.if exists(/usr/include/pam/pam_appl.h) # MacOS X prior to 10.6
+CPPFLAGS+= -DPAM-PAM
+.endif
+
+INSTALLATION_DIRS= lib sbin ${PKGMANDIR}/man3 ${PKGMANDIR}/man5 \
+ ${PKGMANDIR}/man8 share/doc/tacacs
+
+do-install:
+ ${LIBTOOL} --mode=install ${INSTALL_PROGRAM} ${WRKSRC}/tac_plus ${DESTDIR}${PREFIX}/sbin
+ ${LIBTOOL} --mode=install ${INSTALL_LIB} ${WRKSRC}/libtacacs.la ${DESTDIR}${PREFIX}/lib
+ ${INSTALL_PROGRAM} ${WRKSRC}/tac_pwd ${DESTDIR}${PREFIX}/sbin
+ ${INSTALL_SCRIPT} ${WRKSRC}/tac_convert ${DESTDIR}${PREFIX}/sbin
+ ${INSTALL_MAN} ${WRKSRC}/tac_plus.conf.5 ${DESTDIR}${PREFIX}/${PKGMANDIR}/man5
+ ${INSTALL_MAN} ${WRKSRC}/tac_plus.8 ${WRKSRC}/tac_pwd.8 \
+ ${DESTDIR}${PREFIX}/${PKGMANDIR}/man8
+ ${INSTALL_DATA} ${WRKSRC}/users_guide ${DESTDIR}${PREFIX}/share/doc/tacacs
+
+.include "../../mk/bsd.pkg.mk"
diff --git a/net/tacacs-shrubbery/PLIST b/net/tacacs-shrubbery/PLIST
new file mode 100644
index 00000000000..99e85240a96
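Review bot: `-DPAM-PAM` in the Makefile's "MacOS X prior to 10.6" block is not a valid macro name, because `PAM-PAM` is not a C identifier. Compilers are likely to warn about it and may end up defining a macro called `PAM` instead, so the matching `# ifdef PAM-PAM` test in patches/patch-am would only have the intended effect by accident. An identifier-safe spelling such as `CPPFLAGS+= -DPAM_PAM_HEADERS` (the name is only a suggestion), with the same name used in the `#ifdef`, avoids that. Separately, the distfile is fetched from an `ftp://` MASTER_SITES URL, so its integrity rests entirely on the SHA1 and RMD160 entries in distinfo.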
--- /dev/null
+++ b/net/tacacs-shrubbery/PLIST
@@ -0,0 +1,9 @@
+@comment $NetBSD: PLIST,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
+lib/libtacacs.la
+man/man5/tac_plus.conf.5
+man/man8/tac_plus.8
+man/man8/tac_pwd.8
+sbin/tac_convert
+sbin/tac_plus
+sbin/tac_pwd
+share/doc/tacacs/users_guide
diff --git a/net/tacacs-shrubbery/distinfo b/net/tacacs-shrubbery/distinfo
new file mode 100644
index 00000000000..3a9f23c4eb1
--- /dev/null
+++ b/net/tacacs-shrubbery/distinfo
@@ -0,0 +1,11 @@
+$NetBSD: distinfo,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
+
+SHA1 (tacacs+-F4.0.4.20.tar.gz) = 233d3762357c8e59ec217102af53f2e7430300d7
+RMD160 (tacacs+-F4.0.4.20.tar.gz) = 6fc4f05c1ec963b4a9c6c2881fde12a0258eb359
+Size (tacacs+-F4.0.4.20.tar.gz) = 477649 bytes
+SHA1 (patch-ag) = f0cad7741f8127668d9c2929dcb74e0ed96d0db2
+SHA1 (patch-ah) = 2b09d7e67b865e26b37322ebfd7a76c44a8bce30
+SHA1 (patch-aj) = 618c6ff411502bd32af40e9f48c6e2f7ec55e996
+SHA1 (patch-ak) = df059f82a38fb394b726ee46fa87aa0ea04681c3
+SHA1 (patch-al) = 85e964f23aa228f3d1debf0f407d5d8857ff2bcf
+SHA1 (patch-am) = 880e3821a335e2605beb03dc145b3cd9a020fb2f
diff --git a/net/tacacs-shrubbery/options.mk b/net/tacacs-shrubbery/options.mk
new file mode 100644
index 00000000000..bca7df86716
--- /dev/null
+++ b/net/tacacs-shrubbery/options.mk
@@ -0,0 +1,43 @@
+# $NetBSD: options.mk,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
+
+PKG_OPTIONS_VAR= PKG_OPTIONS.tacacs-shrubbery
+PKG_SUPPORTED_OPTIONS= tacacs-shrubbery-acls-support tacacs-shrubbery-drop-root-privileges tcpwrappers skey
+PKG_SUGGESTED_OPTIONS= tacacs-shrubbery-acls-support tcpwrappers skey
+
+.include "../../mk/bsd.options.mk"
+
+.if !empty(PKG_OPTIONS:Mtacacs-shrubbery-acls-support)
+CONFIGURE_ARGS+= --enable-acls
+.else
+CONFIGURE_ARGS+= --disable-acls
+.endif
+
+.if !empty(PKG_OPTIONS:Mtacacs-shrubbery-drop-root-privileges)
+# tac_plus code requires numeric UID, GID
+DEFAULT_TACACS_USER!= ${ID} -u nobody
+DEFAULT_TACACS_GROUP!= ${ID} -g nobody
+TACACS_USER?= ${DEFAULT_TACACS_USER}
+TACACS_GROUP?= ${DEFAULT_TACACS_GROUP}
+PKG_USERS= ${TACACS_USER}:${TACACS_GROUP}
+PKG_GROUPS= ${TACACS_GROUP}
+CONFIGURE_ARGS+= --with-userid=${TACACS_USER:Q}
+CONFIGURE_ARGS+= --with-groupid=${TACACS_GROUP:Q}
+.endif
+
+.if !empty(PKG_OPTIONS:Mtcpwrappers)
+CONFIGURE_ARGS+= --with-libwrap=${BUILDLINK_PREFIX.tcp_wrappers}
+. include "../../security/tcp_wrappers/buildlink3.mk"
+.else
+CONFIGURE_ARGS+= --without-libwrap
+.endif
+
+.if !empty(PKG_OPTIONS:Mskey)
+CONFIGURE_ARGS+= --with-skey=${BUILDLINK_PREFIX.skey}
+. include "../../security/skey/buildlink3.mk"
+. if (defined(IS_BUILTIN.skey) && ${IS_BUILTIN.skey} == no ) || ${OPSYS} == "OpenBSD"
+# pkgsrc's version uses three arguments only, as does OpenBSD's
+CPPFLAGS+= -DOLDSKEY
+. endif
+.else
+CONFIGURE_ARGS+= --without-skey
+.endif
diff --git a/net/tacacs-shrubbery/patches/patch-ag b/net/tacacs-shrubbery/patches/patch-ag
new file mode 100644
index 00000000000..4582c4ba501
--- /dev/null
+++ b/net/tacacs-shrubbery/patches/patch-ag
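Review bot: `tacacs-shrubbery-drop-root-privileges` is listed in PKG_SUPPORTED_OPTIONS in options.mk but not in PKG_SUGGESTED_OPTIONS, so a default build passes neither `--with-userid` nor `--with-groupid` and the AAA daemon presumably keeps root privileges after startup. Consider adding the option to the suggested set. When it is enabled, the defaults come from `${ID} -u nobody` and `${ID} -g nobody`, which shares an identity with any other service running as nobody; a dedicated account would isolate tac_plus's keys and log files better. The numeric ids are also assigned to PKG_USERS and PKG_GROUPS, which, if those variables expect account names (worth confirming), would register a user and group named after the numbers.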
@@ -0,0 +1,19 @@
+$NetBSD: patch-ag,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
+
+Older implementations of skeychallenge() only have three arguments.
+
+--- skey_fn.c.orig 2009-03-17 19:40:29.000000000 +0100
++++ skey_fn.c 2009-04-19 12:33:05.000000000 +0200
+@@ -164,7 +164,11 @@
+ return(1);
+ }
+
+- if (skeychallenge(&p->skey, name, skeyprompt, 80) == 0) {
++ if (skeychallenge(&p->skey, name, skeyprompt
++#ifndef OLDSKEY
++ , 80
++#endif
++ ) == 0) {
+ char buf[256];
+ sprintf(buf, "%s\nS/Key challenge: ", skeyprompt);
+ data->server_msg = tac_strdup(buf);
diff --git a/net/tacacs-shrubbery/patches/patch-ah b/net/tacacs-shrubbery/patches/patch-ah
new file mode 100644
index 00000000000..0d85e593140
--- /dev/null
+++ b/net/tacacs-shrubbery/patches/patch-ah
@@ -0,0 +1,15 @@
+$NetBSD: patch-ah,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
+
+Handle IRIX the same way as Solaris
+
+--- do_acct.c.orig 2011-11-30 17:58:18.000000000 +0100
++++ do_acct.c 2011-11-30 17:58:28.000000000 +0100
+@@ -223,7 +223,7 @@
+ else
+ memcpy(entry.ut_name, name, sizeof(entry.ut_name));
+
+-#ifndef SOLARIS
++#if !defined(SOLARIS) && !defined(__sgi)
+ if (strlen(host) < sizeof entry.ut_host)
+ strcpy(entry.ut_host, host);
+ else
diff --git a/net/tacacs-shrubbery/patches/patch-aj b/net/tacacs-shrubbery/patches/patch-aj
new file mode 100644
index 00000000000..61df64e5c50
--- /dev/null
+++ b/net/tacacs-shrubbery/patches/patch-aj
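Review bot: In patch-ag's skey_fn.c hunk, building with OLDSKEY drops the `80` length argument, so the three-argument skeychallenge() call carries no bound on what the library writes into `skeyprompt`. The declaration of `skeyprompt` is outside the hunk and should be checked against the buffer size the older library assumes, with a comment at the call such as `/* OLDSKEY: library assumes skeyprompt holds at least N bytes */` (N to be taken from the library's header). The context line that follows formats the prompt with an unbounded sprintf() into `buf[256]`; `snprintf(buf, sizeof buf, "%s\nS/Key challenge: ", skeyprompt);` would keep that copy bounded, and the package Makefile already sets `USE_FEATURES+= snprintf`. The enclosing function starts and ends outside the hunk.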
@@ -0,0 +1,15 @@
+$NetBSD: patch-aj,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
+
+Fix a typo in the comments :-)
+
+--- aclocal.m4.orig 2011-11-30 18:00:22.000000000 +0100
++++ aclocal.m4 2011-11-30 18:00:28.000000000 +0100
+@@ -8101,7 +8101,7 @@
+
+ # There are a few dirty hacks below to avoid letting `AC_PROG_CC' be
+ # written in clear, in which case automake, when reading aclocal.m4,
+-# will think it sees a *use*, and therefore will trigger all it's
++# will think it sees a *use*, and therefore will trigger all its
+ # C support machinery. Also note that it means that autoscan, seeing
+ # CC etc. in the Makefile, will ask for an AC_PROG_CC use...
+
diff --git a/net/tacacs-shrubbery/patches/patch-ak b/net/tacacs-shrubbery/patches/patch-ak
new file mode 100644
index 00000000000..db7d0044039
--- /dev/null
+++ b/net/tacacs-shrubbery/patches/patch-ak
@@ -0,0 +1,37 @@
+$NetBSD: patch-ak,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
+
+Don't mess with CPPFLAGS and LDFLAGS as pkgsrc handle them
+
+--- configure.orig 2011-11-30 18:01:46.000000000 +0100
++++ configure 2011-11-30 18:01:54.000000000 +0100
+@@ -3262,8 +3262,8 @@
+ # XXX: not sure if /usr/local is necessary.
+ # XXX: linux libwrap needs -lnsl. configure should check for
+ # existence of libnsl instead of hard-coding
+- CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
+- LDFLAGS="$LDFLAGS -L/usr/local/lib -L/lib"; export LDFLAGS
++ # CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
++ # LDFLAGS="$LDFLAGS -L/usr/local/lib -L/lib"; export LDFLAGS
+ LIBS="-lnsl -lcrypt $LIBS"; export LIBS
+ $as_echo "#define LINUX 1" >>confdefs.h
+
+@@ -3271,15 +3271,15 @@
+ # XXX: does linux need glibc: -DGLIBC
+ ;;
+ *mips* )
+- CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
+- LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS
++ # CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
++ # LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS
+ LIBS="-lcrypt $LIBS"; export LIBS
+ $as_echo "#define MIPS 1" >>confdefs.h
+
+ ;;
+ * )
+- CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
+- LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS
++ # CPPFLAGS="$CFLAGS -I/usr/local/include"; export CPPFLAGS
++ # LDFLAGS="$LDFLAGS -L/usr/local/lib"; export LDFLAGS
+ ;;
+ esac
+
diff --git a/net/tacacs-shrubbery/patches/patch-al b/net/tacacs-shrubbery/patches/patch-al
new file mode 100644
index 00000000000..01b00455ba8
--- /dev/null
+++ b/net/tacacs-shrubbery/patches/patch-al
@@ -0,0 +1,26 @@
+$NetBSD: patch-al,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
+
+Also compile on systems that do not have PAM
+
+--- config.c.orig 2009-04-19 12:39:42.000000000 +0200
++++ config.c 2009-04-19 12:41:16.000000000 +0200
+@@ -65,7 +65,9 @@
+ skey |
+ cleartext |
+ des |
++#ifdef HAVE_PAM
+ PAM |
++#endif
+ nopassword
+
+ := name = |
+@@ -79,6 +81,9 @@
+ #endif
+ pap = cleartext |
+ pap = des |
++#ifdef HAVE_PAM
++ pap = PAM |
++#endif
+ opap = cleartext |
+ global = cleartext |
+ msg =
diff --git a/net/tacacs-shrubbery/patches/patch-am b/net/tacacs-shrubbery/patches/patch-am
new file mode 100644
index 00000000000..78e4cd34866
--- /dev/null
+++ b/net/tacacs-shrubbery/patches/patch-am
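Review bot: Both hunks of patch-al appear to land in the grammar description in config.c (the context lines are `skey |` and `pap = cleartext |`), which looks like a comment block rather than compiled code. If so, the added `#ifdef HAVE_PAM` / `#endif` lines are documentation only and do not change what gets compiled, so the patch header "Also compile on systems that do not have PAM" overstates the change. Suggest rewording the header to something like `Document that PAM and pap = PAM are only accepted when built with HAVE_PAM`, or pointing to the code that actually guards the PAM keyword. The surrounding block begins and ends outside the hunks.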
@@ -0,0 +1,61 @@
+$NetBSD: patch-am,v 1.1.1.1 2011/11/30 23:47:29 pettai Exp $
+
+Properly handle PAM support header file on MacOS prior to 10.6;
+added patch for PAM support for pap.
+(http://www.shrubbery.net/pipermail/tac_plus/2008-October/000282.html)
+
+--- pwlib.c.orig 2011-11-30 18:02:45.000000000 +0100
++++ pwlib.c 2011-11-30 18:02:54.000000000 +0100
+@@ -31,7 +31,7 @@
+ #endif
+
+ #if HAVE_PAM
+-# ifdef __APPLE__ /* MacOS X */
++# ifdef PAM-PAM /* MacOS X prior to 10.6 */
+ # include
+ # else
+ # include
+@@ -50,6 +50,9 @@
+ #endif
+ static int passwd_file_verify(char *, char *, struct authen_data *, char *);
+
++// Global password variable for pap PAM support
++static char *predef_passwd;
++
+ /* Adjust data->status depending on whether a user has expired or not */
+ void
+ set_expiration_status(char *exp_date, struct authen_data *data)
+@@ -490,10 +493,13 @@
+ report(LOG_DEBUG, "%s %s: PAM_PROMPT_ECHO_OFF", session.peer,
+ session.port);
+
+- send_authen_reply(TAC_PLUS_AUTHEN_STATUS_GETPASS,
+- (char *)pmpp[i]->msg,
+- pmpp[i]->msg ? strlen(pmpp[i]->msg) : 0,
+- NULL, 0, TAC_PLUS_AUTHEN_FLAG_NOECHO);
++ if (strcmp(predef_passwd, "") != 0) {
++ prpp[i]->resp = predef_passwd;
++ } else {
++ send_authen_reply(TAC_PLUS_AUTHEN_STATUS_GETPASS,
++ (char *)pmpp[i]->msg,
++ pmpp[i]->msg ? strlen(pmpp[i]->msg) : 0,
++ NULL, 0, TAC_PLUS_AUTHEN_FLAG_NOECHO);
+ reply = get_authen_continue();
+ if (!reply) {
+ /* Typically due to a premature connection close */
+@@ -513,6 +519,7 @@
+ prpp[i]->resp[acp->user_msg_len] = '\0';
+
+ free(reply);
++ }
+ break;
+ case PAM_PROMPT_ECHO_ON:
+ if (debug & DEBUG_PASSWD_FLAG)
+@@ -588,6 +595,7 @@
+ int pam_flag;
+ struct pam_conv conv = { pam_tacacs, NULL };
+ pam_handle_t *pamh = NULL;
++ predef_passwd = passwd;
+
+ if (debug & DEBUG_PASSWD_FLAG)
+ report(LOG_DEBUG, "pam_verify %s %s", user, passwd);
--
cgit v1.2.3
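Review bot: In the PAM_PROMPT_ECHO_OFF branch of patch-am, `prpp[i]->resp = predef_passwd;` hands the PAM stack a pointer to the caller's `passwd` buffer, whereas the other path fills `resp` with a buffer the conversation function owns; PAM conversation replies are normally released by the PAM side, so this risks an invalid or double free inside the authentication daemon. Passing a copy is safer, e.g. `prpp[i]->resp = tac_strdup(predef_passwd);` (assuming tac_strdup returns memory that free() can release). `strcmp(predef_passwd, "")` also dereferences NULL if pam_verify() is ever called with a NULL `passwd`, so the test should read `if (predef_passwd != NULL && predef_passwd[0] != '\0')`, and the file-scope pointer should be reset to NULL once the PAM calls in pam_verify() return so that a stale password is not picked up by a later conversation. The context line `report(LOG_DEBUG, "pam_verify %s %s", user, passwd);` writes the cleartext password to the debug log; logging only `user` would avoid that. The functions touched here start and end outside the hunks.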