forked from kravietz/pam_tacplus
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ChangeLog
254 lines (220 loc) · 10.2 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
1.7.0
* **`libtac`**
** Refactored the complex and overengineered TACACS+ session id generation, replacing it with
[getrandom](https://man7.org/linux/man-pages/man2/getrandom.2.html) on all systems, with
[gnulib](https://www.gnu.org/software/gnulib/) provided implementation for systems that do not have it.
** Removed legacy MD5 code and replaced it with [gnulib](https://www.gnu.org/software/gnulib/) implementation for
easier maintenance and compatibility.
** Legacy data structures such as attribute lists were replaced with [gnulib](https://www.gnu.org/software/gnulib/)
structures.
** CHAP implementation used a fixed challenge in contradiction with the RFC 1994 requirement. This was replaced
with a pseudo-random challenge generated using `getrandom`.
** [ABI version](https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html#Updating-version-info)
set to `5:0:0`. From now on, this is the only way to version the library. The legacy static variables `tac_ver_`
were removed as confusing.
* **`pam_tacplus`**
** Calling process PID is now used as the `task_id` attribute in TACACS+ accounting session. This replaces
an overengineered cryptographically random tasks identifiers.
1.6.2
* SigStore signed releases
1.6.1
* Fixed security issue (CVE-2020-27743) which could result in packet encryption operate uninitialized in case of RAND_bytes() failure
1.6.0
* Allow selection of source addresses
* Support for DSCP marking packets
* Make most network requests timeout aware
* Fix Debian build scripts
* OpenSSL licensing clarifications
* Use more neutral terminology
1.4.1
* Numerous minor cleanups and fixes
* Tacc now supports --login flag to indicate intended TACPLUS+ login type
(pap, chap etc)
1.3.9
* Close file descriptor leak
* Add client_connect_source_address
1.3.8
* A lot of cleanups and improvements by Walter de Jong <[email protected]>
* Fixed build instruction in spec file and INSTALL
* Active_server can not be a pointer, data lost after authentication.
* Added port option per server, thanks to Luc Ducazu <[email protected]>
* Fixed missing FIONREAD for solaris
* Rearranged header file include for libtac.h, fixes AIX compile problems
* Renamed rem_addr, rem_addr_len to r_addr and r_addr_len
1.3.7
* Tac_encryption fully handled by libtac no need to enable it manually
* Fixed connection handling in _pam_account,
thanks to James Allwright <[email protected]>
* Handle attributes which contains no value,
thanks to James Allwright <[email protected]>
* Global variables tac_login and tac_secret not static anymore,
pointed out by James Allwright <[email protected]>
* version.c: libtac version 1.8.1
* pam_tacplus.c: moved debug message after active_server validation, avoiding
null pointer exception
* attrib.c: explicity setting *attr to NULL after free(),
thanks to Anthony Low <[email protected]>
1.3.6
* Added libpam-runtime support for debian
* Added use_first_pass and try_first_pass option, thanks to Luc Ducazu <[email protected]>
* Changed e-mail adres to [email protected]
* Improved accounting, added cmd attribute for command logging
* Added tac_acct_flag2str()
* Renamed tac_account_read, tac_account_send to tac_acct_read and tac_acct_send
* pam_tacplus.spec.in: fixed static library path and pam_tacplus.so location
* Debian packaging improvements
1.3.5
* This version will be dedicated to Darren Besler, thank you for your major
contribution!
* libtac version is now 1.7.1
* magic.c: magic_inited is only used for linux
* Finally got rid of all goto illness!
* Changed tabsize to 4
* Fixed missing xalloc.h in authen_s.c
* Get PAM_RHOST from PAM stack and use it as rem_addr
* Added _pam_get_rhost() and _pam_get_user()
* The following is done by Darren Besler:
- add ability to set more elements of tacacs+ packet from parameters or globals
- cleanup messaging to be consistent with function and presentation format
- cleanup how strings are handled and returned
- acct and author read require areply.msg to be freed by caller now
- cast return values
- added port # to formatted IP address
- add timeout on read capability
- cleanup method messages are returned to caller, including adding a 0 byte
0 byte added for safety reasons
- caller must free areply.msg now.
- add rem_addr as an argument
- include rem_addr in packet
- include ability to set priv_lvl in packet
- add ability to set authen_service from global variable aot fixed value
Bugs fixed by Darren Besler:
- cleanup various memory leaks, lost memory, and dangling pointers
- attrib.c: wasn't preserving '*' separator in attrib.c
- author_r.c:
- free attributes for replace status. Was always adding.
- uncasted char* for length was producing negative length to bcopy for arg len > 127
- possible null dereference when no separator
- cont_s.c
- was creating a new session id, should be using session id from authen start.
- magic.c
- magic was returning 0 on first call. Wasn't being initialized properly.
Other changes by Darren Besler:
* libtac/include/cdefs.h
- add #ifndef guards
* libtac/include/libtac.h
- rename #ifndef guard to match filename
- add extern "C" for C++
- alter define for TACDEBUG
- add define for TACSYSLOG
- alter macro for TACDEBUG to be able to be used at runtime via tac_debug_enable
- add declarations from tacplus.h not related to protocol
- add defines for return status codes for library functions
- add declarations for new additional global variables
tac_priv_lvl
tac_authen_method
tac_authen_service
tac_debug_enable
tac_readtimeout_enable
- revise declarations for functions to that have altered parameters lists, or return value
* libtac/include/tacplus.h
- move library specific declarations to libtac.h, leaving declarations
here to be used for protocol specific details
- add additional declarations for more complete coverage of tacacs+ protocol (v1.78)
1.3.4
* removed encrypt option just check if there is a secret (key).
* removed first_hit option because you can get the same behaviour by using only one server.
* added multiple secret support,
you can now specify different secrets (keys) for different servers.
* connect.c: improved connection error handling by using getpeername() to check if connection
is still valid. This was needed since we are using non-blocking sockets.
* properly handle multiple servers when authenticating, patch from Gregg Nemas, thanks!
1.3.3
* pam_tacplus.h: changed bitflags to hex, thanks Jason!
* Added gitignore for build stuff
* connect.c: removed ifdef for sys/socket.h, it will be included anyway for other platforms,
thanks to Obata Akio for pointing that out.
* connect.c: improved connection error handling, patch from Martin Volf, thanks!
1.3.2
* Added autotool configuration files, thanks to Benoit Donneaux <[email protected]>.
* Added pam_tacplus.spec file, thanks to Benoit Donneaux <[email protected]>.
* Added license information to all files and the license itself.
* All AV pairs are now available to the PAM environment. So you can use pam_exec.so or whatever
to do something with these. Only available for PAM account.
* Rewritten attribute loop in function pam_sm_acct_mgmt() for debug and future use
of AV pairs.
* Fixed attribute buffer in author_r.c, this bug cause program stuck when you get
AV pairs from the server, reported by Oz Shitrit.
1.3.1
* Added custom password prompt option
* Removed password logging when in debug mode
1.3.0
* Released version 1.3.0 based on 1.2.13.
This release finally includes support for TACACS+ chap and login authentication. The
default is still pap for backward compatibility.
1.2.13
* Changed spaces into tabs for pam_tacplus.c so make it more readable
* Did some minor cleanup
* Added login option so you can choose which TACACS+ authentication you want to
use. You can use pap, chap or login (ascii) at the moment. The default login option is pap.
* Added cont_s.c needed for TACACS+ login authentication.
1.2.12
* Missing network byte order convertion to host byte order in function's
tac_account_read, tac_authen_pap_read and tac_author_read, reported and
patch by Sven van den Steene, thanks!
* Fixed potential memory leak, when tac_account_read and tac_authen_pap_read are
successful msg isn't freed, reported by Sven van den Steene
1.2.11
* Added NO_STATIC_MODULES to CFLAGS for linking with openpam on netbsd, tested by
Fredrik Pettai <[email protected]>
* Removed libdl for compiling causing failure on netbsd, reported by
Fredrik Pettai <[email protected]>
* hdr_check.c: forgot to include stdlib, reported by
Fredrik Pettai <[email protected]>
* Changed defines to add support for netbsd, fixed by
Jeroen Nijhof <[email protected]>
* magic.c: read() can have a return value, fixed by
Jeroen Nijhof <[email protected]>
* support.c: _pam_log() va_list converted to string with vsnprintf() to support
syslog(), we have human readable error's in syslog again, fixed by
Jeroen Nijhof <[email protected]>
1.2.10
The following changes where made by Jeroen Nijhof <[email protected]>
* Changed default compile flags to be more compatible
* Fixed serveral bugs including casts and cleanup's, the code can now compile
without any warnings
* Changed some Makefile definitions to be more compatible with other versions of make
* Support added for solaris and aix, tested on aix 5.3, solaris 9 and 10. Including
standalone version of cdefs.h
1.2.9
* Fixed bug with passing username and password, reported by
Mark Volpe <[email protected]>
* Fixed bug in passing the remote address, reported by
Jason Lambert <[email protected]> and
Yury Trembach <[email protected]>
* Fixed bug in reception of authorization packet, reported by
1.2.8
* Another bugfix in tty handling - some daemons don't use any terminal, in
which case we send "unknown" terminal name to the TACACS+ server
1.2.7
* Fixed bug in tty determination
1.2.6
* Better protection against disconnection signals
1.2.5
* Fixed bug in task_id initialisation
1.2.4
* Fixed small bug in accounting
1.2.3
* upgraded to new libtac version, now pam_tacplus returns the attributes
received from server (currently only 'addr' attribute in PAM_RHOST)
* minor fixes
1.2.2
* more fixes
1.2.1
* pam_sm_acct_mgmt() added
* pam_sm_open_session() added
* pam_sm_close_session() added
* minor fixes
1.0.1
* first working version with pam_sm_authenticate()