From e67cc45553763774fdc63e5f098e7f139b4b63a6 Mon Sep 17 00:00:00 2001
From: Matt
Date: Mon, 13 May 2019 11:50:44 -0400
Subject: [PATCH 1/2] add pam support to config.c
---
 tacacs-F4.0.4.28/config.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/tacacs-F4.0.4.28/config.c b/tacacs-F4.0.4.28/config.c
index b67daec..c728d7c 100644
--- a/tacacs-F4.0.4.28/config.c
+++ b/tacacs-F4.0.4.28/config.c
@@ -63,9 +63,16 @@
 := host = {
 key =
 prompt =
- enable = aceclnt|cleartext|des|
+ enable = cleartext|des|
 file |
+#ifdef ACECLNT
+ aceclnt|
+#endif
+#ifdef HAVE_PAM
+ PAM |
+#endif
 nopassword|skey
+
 }
 := user = {
@@ -1296,6 +1303,11 @@ parse_user(void)
 user->enable = tac_strdup(sym_buf);
 break;
 #endif
+#ifdef HAVE_PAM
+ case S_pam:
+ user->enable = tac_strdup(sym_buf);
+ break;
+#endif
 default:
 parse_error("expecting 'file', 'cleartext', 'nopassword', "
@@ -1304,6 +1316,9 @@ parse_user(void)
 #endif
 #ifdef ACECLNT
 "'aceclnt', "
+#endif
+#ifdef HAVE_PAM
+ "'PAM', "
 #endif
 "or 'des' keyword after 'enable =' on line %d",
 sym_line);
From 50070b76c55efe668a066af239754fa461bd94d6 Mon Sep 17 00:00:00 2001
From: Matt
Date: Mon, 13 May 2019 11:51:30 -0400
Subject: [PATCH 2/2] add pam support to pwlib.c
---
 tacacs-F4.0.4.28/pwlib.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/tacacs-F4.0.4.28/pwlib.c b/tacacs-F4.0.4.28/pwlib.c
index 288197d..e711c48 100644
--- a/tacacs-F4.0.4.28/pwlib.c
+++ b/tacacs-F4.0.4.28/pwlib.c
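Review bot: The `case S_pam:` branch added to parse_user relies on an undocumented coupling with pwlib.c: it stores whatever text is in `sym_buf` as `user->enable`, and the second patch in this series selects the PAM path only on an exact `strcmp(cfg_passwd, "PAM")`. A comment on the assignment such as `/* stored verbatim; verify_pwd() matches the literal "PAM" */` would record that dependency. If the keyword lookup is case-insensitive (not visible here), a differently cased keyword would be stored and never match, so either confirm that or store the literal, `user->enable = tac_strdup("PAM");`. parse_user starts and ends outside the hunk.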
@@ -238,6 +238,18 @@ verify_pwd(char *username, char *passwd, struct authen_data *data,
 {
 char *p;
+#if HAVE_PAM
+ if (strcmp(cfg_passwd, "PAM") == 0) {
+ /* try to verify the password via PAM */
+ if (!pam_verify(username, passwd, data)) {
+ data->status = TAC_PLUS_AUTHEN_STATUS_FAIL;
+ return(0);
+ } else
+ data->status = TAC_PLUS_AUTHEN_STATUS_PASS;
+ return(data->status == TAC_PLUS_AUTHEN_STATUS_PASS);
+ }
+#endif
+
 /* Deal with the cfg_passwd depending on its type */
 p = tac_find_substring("cleartext ", cfg_passwd);
 if (p) {
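Review bot: The new branch in verify_pwd is guarded by `#if HAVE_PAM`, while the config.c patch in this series uses `#ifdef HAVE_PAM`. If HAVE_PAM were defined as 0, the parser would accept `enable = PAM` but this branch would be compiled out, and the literal string would fall through to the cleartext/des handling below; use one form in both files. The unbraced `else` followed by `return(data->status == TAC_PLUS_AUTHEN_STATUS_PASS);` always returns 1 on that path and reads as if the return belonged to the else; `data->status = TAC_PLUS_AUTHEN_STATUS_PASS; return(1);` after the failure check says the same thing. The branch also returns before the rest of verify_pwd, which continues outside the hunk, so confirm that any checks further down (expiry, if this function performs them) are not meant to apply to PAM users. The prototype of `pam_verify` is not visible here, so confirm it accepts the three arguments passed.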