Date:      Thu, 22 Aug 1996 09:03:57 +0200 (MET DST)
From:      Andrzej Bialecki <abial@korin.warman.org.pl>
To:        Alexander Snarskii <snar@lucky.net>
Cc:        freebsd-hackers@FreeBSD.ORG
Subject:   Login.c (was: Radius Support for FreeBSD)
Message-ID:  <Pine.BSF.3.91.960822080534.21674A-100000@korin.warman.org.pl>
In-Reply-To: <199608211121.OAA26069@burka.carrier.kiev.ua>

Dear hackers!

	Maybe some of you would look over the code for tacacs+, please. I
think it presents a good approach to writing code that authenticates users
via several methods - it's really easy to add totally new and different
method there. This would require some rewrite of ftp/login/skey, but it
would make the whole subject much more flexible (at least IMHO).

On Wed, 21 Aug 1996, Alexander Snarskii wrote:
> Andrzej, forgive me for a silly question, but maybe you know about
> login.c which can use tacacs+ for authorisation ? 

I looked over the code in login.c, and it allows the following three ways
of authentication (in FreeBSD 2.1):
* /etc/passwd
* S/Key (based on contents of /etc/skey.access)
* Kerberos (files in /etc/kerberosIV)

So, if you want to authenticate using tacacs, you have to either rewrite 
the login.c to ask only the tacacs server (but this sounds silly..), OR 
create something like skey.access (tacacs.access ?), and provide some 
hooks.


It could be something like

/* This would fall back to other means of authentication, if tacacs fails.
   Perhaps this should be an option - that is, for these users (group,
   terminal etc.) use tacacs _only_ and give up if it fails  */

	if(tacacs_user(username,tty,hostname,/* ..bunch of others..*/)) {
		/* First, this function would check local file, let's say
		 * /etc/tacacs.access, if this user should be authenticated
		 * by tacacs. If so, it tries to get appropriate prompt for
		 * password from tacacs server -according to its config-
		 * for plaintext, S/Key, DES, or something. Then you proceed
		 * with getpass("Gimme your password, dude: ") or so. And
		 * then you send it to tacacs to authenticate.
		 * NOTE: these prompts and responses will
		 * be checked against tacacs srv database, not local
		 * ones */
	} else {
		/* Normal code from login.c goes here, which maybe includes
		 * authentication via DES, MD5, Kerberos, S/Key .... based on
		 * checking against local databases  */
	}

Frankly, I didn't do this and I haven't seen this done. But if I had some
time, I would do a complete rewrite of login to resemble the tacacs
server, and add one common cfg file, let's say /etc/login.conf. Then it
would be very easy to add new methods of authentication - just write a new
wrapper function and insert one keyword to the config file. This sounds
like serious project, but if you have source for tacacs+ server and
login.c, it shouldn't be a big problem - it just takes time. 

Andy

+-------------------------------------------------------------------------+
Andrzej Bialecki <abial@warman.org.pl>    _)    _)   _)_)   _)_)_) _)  _)
---------------------------------------   _)_)  _) _)    _) _)_)   _)_)
Research and Academic Network in Poland   _)  _)_) _)_)_)_)     _) _) _)
Bartycka 18, 00-716 Warsaw, Poland        _)    _) _)    _) _)_)_) _)  _)
+-------------------------------------------------------------------------+
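The hook sketched above (an access file deciding who goes to tacacs, with fallback to the normal login.c path) and the later idea of one config keyword per wrapper function, written out as an added example. This is not code from the mail, from login.c or from the tacacs+ server; it assumes a made-up /etc/tacacs.access layout (user, tty and host as fnmatch patterns, a method keyword, an optional "only" flag), a constructed local password table in place of /etc/passwd, and a simulated TACACS+ backend in place of a real network exchange. The point it adds to the sketch is the policy around "if tacacs fails": a rejection from the server is final, only an unreachable server may fall through to local checks, and "only" rules fail closed.

```c
#include <stdio.h>
#include <string.h>
#include <fnmatch.h>

enum auth_result { AUTH_OK, AUTH_REJECT, AUTH_UNAVAILABLE };
typedef enum auth_result (*auth_fn)(const char *user, const char *pass);

/* Compare two secrets without leaking where they first differ. */
static int consteq(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Constructed stand-in for the /etc/passwd path of login.c; a real
 * build would crypt(3) the candidate and compare against pw_passwd. */
static enum auth_result auth_local(const char *user, const char *pass)
{
    static const struct { const char *user, *pass; } tab[] = {
        { "alice", "local-secret" }, { "bob", "bob-pw" },
    };
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (strcmp(tab[i].user, user) == 0)
            return consteq(tab[i].pass, pass) ? AUTH_OK : AUTH_REJECT;
    return AUTH_REJECT;
}

int tacacs_server_up = 1;   /* set to 0 to simulate an unreachable server */

/* Constructed stand-in for a TACACS+ round trip: the server's database,
 * not the local one, decides, and "unreachable" is distinct from "no". */
static enum auth_result auth_tacacs(const char *user, const char *pass)
{
    if (!tacacs_server_up)
        return AUTH_UNAVAILABLE;
    if (strcmp(user, "alice") == 0 && consteq("tacacs-secret", pass))
        return AUTH_OK;
    return AUTH_REJECT;
}

/* Method table: adding a method is one row here plus one keyword in the
 * access file, which is the "wrapper function + keyword" idea. */
static const struct { const char *keyword; auth_fn fn; } methods[] = {
    { "local",  auth_local  },
    { "tacacs", auth_tacacs },
};

static auth_fn lookup_method(const char *keyword)
{
    for (size_t i = 0; i < sizeof methods / sizeof methods[0]; i++)
        if (strcmp(methods[i].keyword, keyword) == 0)
            return methods[i].fn;
    return NULL;
}

/* Constructed /etc/tacacs.access in the spirit of skey.access: user, tty
 * and host are fnmatch(3) patterns, first match wins, "only" forbids
 * falling back to local methods when the server cannot be reached. */
static const char access_file[] =
    "# user   tty     host           method  flag\n"
    "alice    *       *              tacacs  fallback\n"
    "*        ttyp*   *.lucky.net    tacacs  only\n";

struct rule { char method[16]; int only; };

static int find_rule(const char *user, const char *tty, const char *host,
                     struct rule *out)
{
    const char *p = access_file;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[128], u[32], t[32], h[64], m[16], f[16];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + strlen(p);
        if (line[0] == '#')
            continue;
        int n = sscanf(line, "%31s %31s %63s %15s %15s", u, t, h, m, f);
        if (n < 4)
            continue;
        if (fnmatch(u, user, 0) == 0 && fnmatch(t, tty, 0) == 0 &&
            fnmatch(h, host, 0) == 0) {
            strcpy(out->method, m);
            out->only = (n == 5 && strcmp(f, "only") == 0);
            return 1;
        }
    }
    return 0;
}

/* The tacacs_user() hook with its fallback policy made explicit. */
enum auth_result authenticate(const char *user, const char *tty,
                              const char *host, const char *pass)
{
    struct rule r;
    if (find_rule(user, tty, host, &r)) {
        auth_fn fn = lookup_method(r.method);
        if (fn == NULL)
            return AUTH_REJECT;          /* unknown keyword: fail closed */
        enum auth_result res = fn(user, pass);
        if (res != AUTH_UNAVAILABLE)
            return res;                  /* a definite answer is final */
        if (r.only)
            return AUTH_REJECT;          /* server down, no fallback allowed */
    }
    return auth_local(user, pass);       /* the normal login.c path */
}

int main(void)
{
    printf("alice, tacacs password: %d\n",
           authenticate("alice", "ttyv0", "localhost", "tacacs-secret"));
    tacacs_server_up = 0;
    printf("bob from lucky.net, server down: %d\n",
           authenticate("bob", "ttyp3", "burka.lucky.net", "bob-pw"));
    return 0;
}
```

Note that a rejected password never falls through to auth_local here: otherwise a user whose local entry still holds an old password could bypass the server's decision simply by typing the old one, which is the trap a naive "fall back if tacacs fails" check walks into.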

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.960822080534.21674A-100000>