
Comments (5)

MarcJHuber commented on August 16, 2024

Hi,

perfect, thank you very much for finding, reporting and testing this issue!

Cheers,

Marc

from event-driven-servers.

MarcJHuber commented on August 16, 2024

Hi,

I tried to reproduce your test results, based on your configuration, but failed:

This one worked just fine:

# tactrace.pl --conf ./mboehm.cfg --user healthcheck "service=shell" "cmd=healthcheck" "cmd-arg=1234"
127.0.0.1 ---<start packet>---
127.0.0.1 session id: 00000001, data length: 75
127.0.0.1 AUTHOR, priv_lvl=0
127.0.0.1 authen_type=ascii (1)
127.0.0.1 authen_method=tacacs+ (6)
127.0.0.1 service=login (1)
127.0.0.1 user_len=11 port_len=4 rem_addr_len=9 arg_cnt=3
127.0.0.1 user (len: 11): healthcheck
127.0.0.1 0000 68 65 61 6c 74 68 63 68  65 63 6b                 healthch eck
127.0.0.1 port (len: 4): vty0
127.0.0.1 0000 76 74 79 30                                       vty0
127.0.0.1 rem_addr (len: 9): 127.0.0.1
127.0.0.1 0000 31 32 37 2e 30 2e 30 2e  31                       127.0.0. 1
127.0.0.1 arg[0] (len: 13): service=shell
127.0.0.1 0000 73 65 72 76 69 63 65 3d  73 68 65 6c 6c           service= shell
127.0.0.1 arg[1] (len: 15): cmd=healthcheck
127.0.0.1 0000 63 6d 64 3d 68 65 61 6c  74 68 63 68 65 63 6b     cmd=heal thcheck
127.0.0.1 arg[2] (len: 12): cmd-arg=1234
127.0.0.1 0000 63 6d 64 2d 61 72 67 3d  31 32 33 34              cmd-arg= 1234
127.0.0.1 ---<end packet>---
127.0.0.1 Start authorization request
127.0.0.1 user 'healthcheck' found
127.0.0.1 evaluating ACL healthcheck
127.0.0.1  line 32: [member] member 'healthcheck' => true
127.0.0.1  line 33: [profile] 'healthcheck'
127.0.0.1  line 34: [permit]
127.0.0.1 ACL healthcheck: match
127.0.0.1 [email protected]: ACL healthcheck: permit (profile: healthcheck)
127.0.0.1  line 19: [service] = 'shell' => true
127.0.0.1  line 20: [set] 'priv-lvl=15'
127.0.0.1 pcre2: '^healthcheck.*' <=> 'healthcheck 1234' = 1
127.0.0.1  line 21: [cmd] <pcre-regex> '^healthcheck.*' => true
127.0.0.1  line 22: [permit]
127.0.0.1 Writing AUTHOR/PASS_ADD size=18
127.0.0.1 ---<start packet>---
127.0.0.1 session id: 00000001, data length: 6
127.0.0.1 AUTHOR/REPLY, status=1 (AUTHOR/PASS_ADD)
127.0.0.1 msg_len=0, data_len=0, arg_cnt=0
127.0.0.1 msg (len: 0):
127.0.0.1 data (len: 0):
127.0.0.1 ---<end packet>---


In comparison, a non-working result:

# tactrace.pl --conf ./mboehm.cfg --user healthcheck "service=shell" "cmd=XhealthcheckXXXXXXXXXX" "cmd-arg=1234"
127.0.0.1 ---<start packet>---
127.0.0.1 session id: 00000001, data length: 86
127.0.0.1 AUTHOR, priv_lvl=0
127.0.0.1 authen_type=ascii (1)
127.0.0.1 authen_method=tacacs+ (6)
127.0.0.1 service=login (1)
127.0.0.1 user_len=11 port_len=4 rem_addr_len=9 arg_cnt=3
127.0.0.1 user (len: 11): healthcheck
127.0.0.1 0000 68 65 61 6c 74 68 63 68  65 63 6b                 healthch eck
127.0.0.1 port (len: 4): vty0
127.0.0.1 0000 76 74 79 30                                       vty0
127.0.0.1 rem_addr (len: 9): 127.0.0.1
127.0.0.1 0000 31 32 37 2e 30 2e 30 2e  31                       127.0.0. 1
127.0.0.1 arg[0] (len: 13): service=shell
127.0.0.1 0000 73 65 72 76 69 63 65 3d  73 68 65 6c 6c           service= shell
127.0.0.1 arg[1] (len: 26): cmd=XhealthcheckXXXXXXXXXX
127.0.0.1 0000 63 6d 64 3d 58 68 65 61  6c 74 68 63 68 65 63 6b  cmd=Xhea lthcheck
127.0.0.1 0010 58 58 58 58 58 58 58 58  58 58                    XXXXXXXX XX
127.0.0.1 arg[2] (len: 12): cmd-arg=1234
127.0.0.1 0000 63 6d 64 2d 61 72 67 3d  31 32 33 34              cmd-arg= 1234
127.0.0.1 ---<end packet>---
127.0.0.1 Start authorization request
127.0.0.1 user 'healthcheck' found
127.0.0.1 evaluating ACL healthcheck
127.0.0.1  line 32: [member] member 'healthcheck' => true
127.0.0.1  line 33: [profile] 'healthcheck'
127.0.0.1  line 34: [permit]
127.0.0.1 ACL healthcheck: match
127.0.0.1 [email protected]: ACL healthcheck: permit (profile: healthcheck)
127.0.0.1  line 19: [service] = 'shell' => true
127.0.0.1  line 20: [set] 'priv-lvl=15'
127.0.0.1 pcre2: '^healthcheck.*' <=> 'XhealthcheckXXXXXXXXXX 1234' = 0
127.0.0.1  line 21: [cmd] <pcre-regex> '^healthcheck.*' => false
127.0.0.1 [email protected]: svcname=shell protocol= not found
127.0.0.1 Writing AUTHOR/FAIL size=18
127.0.0.1 ---<start packet>---
127.0.0.1 session id: 00000001, data length: 6
127.0.0.1 AUTHOR/REPLY, status=16 (AUTHOR/FAIL)
127.0.0.1 msg_len=0, data_len=0, arg_cnt=0
127.0.0.1 msg (len: 0):
127.0.0.1 data (len: 0):
127.0.0.1 ---<end packet>---

Could you please make clean, reinstall and test again? Perhaps even with tactrace.pl?

Thanks,

Marc


mboehm21 commented on August 16, 2024

Hi Marc,

I rebuilt the Ubuntu 22.04 image from scratch, same behavior. I also could not get tactrace.pl to run:

root@tac_plus:/event-driven-servers/tac_plus-ng/perl# /usr/local/bin/tactrace.pl -c /usr/local/etc/mavis/tac_plus-ng.cfg 
/usr/bin/perl: symbol lookup error: /usr/local/lib/x86_64-linux-gnu/perl/5.34.0/auto/Scm/Scm.so: undefined symbol: scm_send_msg

I turned on all the debugging in tac_plus-ng.cfg:

tac_plus  | Tue Oct  4 19:18:05 CEST 2022 - Sending test authorization request...
tac_plus  | 13: 19:18:05.210 5/00000000: - connection request from 127.0.0.1 (realm: default)
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 New session
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 ---<start packet>---
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 key used: changeme
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 version: 192, type: 2, seq no: 1, flags: unencrypted
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 session id: 16c75987, data length: 73
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 packet body (len: 73): \006\000\001\001\v\v\r\002\r\017healthcheckpython_tty0python_deviceservice=shellcmd=healthcheck
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 0000 06 00 01 01 0b 0b 0d 02  0d 0f 68 65 61 6c 74 68  ........ ..health
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 0010 63 68 65 63 6b 70 79 74  68 6f 6e 5f 74 74 79 30  checkpyt hon_tty0
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 0020 70 79 74 68 6f 6e 5f 64  65 76 69 63 65 73 65 72  python_d eviceser
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 0030 76 69 63 65 3d 73 68 65  6c 6c 63 6d 64 3d 68 65  vice=she llcmd=he
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 0040 61 6c 74 68 63 68 65 63  6b                       althchec k
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 AUTHOR, priv_lvl=0
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 authen_type=ascii (1)
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 authen_method=tacacs+ (6)
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 service=login (1)
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 user_len=11 port_len=11 rem_addr_len=13 arg_cnt=2
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 user (len: 11): healthcheck
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 0000 68 65 61 6c 74 68 63 68  65 63 6b                 healthch eck
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 port (len: 11): python_tty0
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 0000 70 79 74 68 6f 6e 5f 74  74 79 30                 python_t ty0
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 rem_addr (len: 13): python_device
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 0000 70 79 74 68 6f 6e 5f 64  65 76 69 63 65           python_d evice
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 arg[0] (len: 13): service=shell
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 0000 73 65 72 76 69 63 65 3d  73 68 65 6c 6c           service= shell
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 arg[1] (len: 15): cmd=healthcheck
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 0000 63 6d 64 3d 68 65 61 6c  74 68 63 68 65 63 6b     cmd=heal thcheck
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 ---<end packet>---
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 Start authorization request
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 user 'healthcheck' found
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 evaluating ACL healthcheck
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1  line 58: [member] member 'healthcheck' => true
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1  line 59: [profile] 'healthcheck'
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1  line 60: [permit]
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 ACL healthcheck: match
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 healthcheck@python_device: ACL healthcheck: permit (profile: healthcheck)
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1  line 45: [service] = 'shell' => true
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1  line 46: [set] 'priv-lvl=15'
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 pcre: '^healthcheck.*' <=> 'healthcheck' = 0
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1  line 47: [cmd] <pcre-regex> '^healthcheck.*' => false
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 [email protected]: svcname=shell protocol= not found
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 Writing AUTHOR/FAIL size=18
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 ---<start packet>---
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 key used: changeme
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 version: 192, type: 2, seq no: 2, flags: unencrypted
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 session id: 16c75987, data length: 6
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 packet body (len: 6): \020\000\000\000\000\000
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 0000 10 00 00 00 00 00                                 ......
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 AUTHOR/REPLY, status=16 (AUTHOR/FAIL) 
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 msg_len=0, data_len=0, arg_cnt=0
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 msg (len: 0): 
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 data (len: 0): 
tac_plus  | 13: 19:18:05.210 5/8759c716: 127.0.0.1 ---<end packet>---
tac_plus  | 2022-10-04 19:18:05 +0200	127.0.0.1	healthcheck	python_tty0	python_device	healthcheck	deny	shell	healthcheck
tac_plus  | status: FAIL

from event-driven-servers.
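
Added example (not part of the thread or of the tac_plus-ng code base): a Python decoder for the authorization REQUEST body dumped in the debug log above, laid out as in RFC 8907, which also rebuilds the command string the `pcre` log lines show being matched. `parse_author_request`, `command_string` and `cmd_permitted` are hypothetical names, the body is rebuilt from the hexdump, and Python's `re` stands in for PCRE as an assumption.

```python
import re
from dataclasses import dataclass

# Body rebuilt from the hexdump in the log above (data length: 73).
BODY = (bytes([0x06, 0x00, 0x01, 0x01, 0x0b, 0x0b, 0x0d, 0x02, 0x0d, 0x0f])
        + b"healthcheck" + b"python_tty0" + b"python_device"
        + b"service=shell" + b"cmd=healthcheck")

@dataclass
class AuthorRequest:
    authen_method: int
    priv_lvl: int
    authen_type: int
    service: int
    user: str
    port: str
    rem_addr: str
    args: list

def parse_author_request(body: bytes) -> AuthorRequest:
    """Decode a TACACS+ authorization REQUEST body (layout per RFC 8907)."""
    if len(body) < 8:
        raise ValueError("body shorter than the fixed 8-byte header")
    method, priv, atype, service, ulen, plen, rlen, argc = body[:8]
    arg_lens = list(body[8:8 + argc])
    # Every length is sender-controlled: they must add up to the body size exactly.
    expected = 8 + argc + ulen + plen + rlen + sum(arg_lens)
    if len(arg_lens) != argc or expected != len(body):
        raise ValueError(f"length fields give {expected} bytes, body has {len(body)}")
    fields, pos = [], 8 + argc
    for n in [ulen, plen, rlen, *arg_lens]:
        fields.append(body[pos:pos + n].decode("utf-8", "replace"))
        pos += n
    return AuthorRequest(method, priv, atype, service, *fields[:3], fields[3:])

def command_string(req: AuthorRequest) -> str:
    """Join cmd and cmd-arg values with spaces, as the 'pcre' log lines show."""
    parts = [a.split("=", 1)[1] for a in req.args
             if a.startswith(("cmd=", "cmd-arg="))]
    return " ".join(parts)

def cmd_permitted(req: AuthorRequest, pattern: str) -> bool:
    """Expected outcome of the profile's cmd rule; Python re stands in for PCRE."""
    return re.search(pattern, command_string(req)) is not None

if __name__ == "__main__":
    req = parse_author_request(BODY)
    print(req)
    print(repr(command_string(req)), cmd_permitted(req, r"^healthcheck.*"))
```

For this request the rule `^healthcheck.*` is expected to match, which is the opposite of the `= 0` / `=> false` result in the log above.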

MarcJHuber commented on August 16, 2024

Hi,

I think I've messed up the PCRE vs. PCRE2 code.

Please git pull and try again.

Thanks,

Marc

diff --git a/tac_plus-ng/config.c b/tac_plus-ng/config.c
index a41ea71..c7de4e0 100644
--- a/tac_plus-ng/config.c
+++ b/tac_plus-ng/config.c
@@ -3432,8 +3432,8 @@ static int tac_script_cond_eval(tac_session * session, struct tac_script_cond *m
pcre2_match_data *match_data = pcre2_match_data_create_from_pattern((pcre2_code *) m->u.s.rhs, NULL);
res = pcre2_match((pcre2_code *) m->u.s.rhs, (PCRE2_SPTR) v, PCRE2_ZERO_TERMINATED, 0, 0, match_data, NULL);
pcre2_match_data_free(match_data);

  •           res = -1 < res;
    

#endif

  •           res = -1 < res;
          } else
              res = !regexec((regex_t *) m->u.s.rhs, v, 0, NULL, 0);
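
Review bot: the `res = -1 < res;` normalisation (shown on both sides of `#endif`) folds every negative return from the matcher into "no match", so a resource or UTF error is indistinguishable from a pattern that simply did not match and the condition evaluates to false without any trace. Suggest logging `res` when it is negative and not the no-match code, and writing the conversion as `res = (res >= 0);` for readability. In the same hunk, the result of `pcre2_match_data_create_from_pattern(...)` is passed to `pcre2_match` without a NULL check; an allocation failure should be handled before the call.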
    


mboehm21 commented on August 16, 2024

Hey Marc,

thanks a lot for your quick help, now the healthcheck with the minimal configuration is working again:

tac_plus  | Tue Oct  4 19:38:25 CEST 2022 - Running healthcheck...
tac_plus  | Tue Oct  4 19:38:25 CEST 2022 - Checking configuration...
tac_plus  | Tue Oct  4 19:38:25 CEST 2022 - Sending test authentication request...
tac_plus  | 2022-10-04 19:38:25 +0200	127.0.0.1	healthcheck	python_tty0	python_device	shell login succeeded
tac_plus  | status: PASS
tac_plus  | Tue Oct  4 19:38:25 CEST 2022 - Sending test authorization request...
tac_plus  | 2022-10-04 19:38:25 +0200	127.0.0.1	healthcheck	python_tty0	python_device	healthcheck	permit	shell	healthcheck
tac_plus  | status: PASS
tac_plus  | Tue Oct  4 19:38:25 CEST 2022 - Sending test accounting request...
tac_plus  | 2022-10-04 19:38:25 +0200	127.0.0.1	healthcheck	python_tty0	python_device	start		
tac_plus  | status: SUCCESS
tac_plus  | Tue Oct  4 19:38:25 CEST 2022 - Fetching metrics...
tac_plus  | procs=2
tac_plus  | conns=0
tac_plus  | Tue Oct  4 19:38:25 CEST 2022 - Finishing healthcheck...
