First time when we give wrong credentials and second time give correct credentials TACACS sever error.
This happens when we do two logins back to back first wrong and then correct...
Can someone check whether issue is from CISCO tacacs server side or client side.
When we checked debug logs from server side got the below..

Tue Feb 6 13:59:19 2024 [10495]: Reading config
Tue Feb 6 13:59:19 2024 [10495]: Version F4.0.4.26 Initialized 1
Tue Feb 6 13:59:19 2024 [10495]: tac_plus server F4.0.4.26 starting
Tue Feb 6 13:59:19 2024 [10495]: uid=0 euid=0 gid=0 egid=0 s=4
Tue Feb 6 14:01:02 2024 [10526]: Reading config
Tue Feb 6 14:01:02 2024 [10526]: Version F4.0.4.26 Initialized 1
Tue Feb 6 14:01:02 2024 [10526]: tac_plus server F4.0.4.26 starting
Tue Feb 6 14:01:02 2024 [10526]: uid=0 euid=0 gid=0 egid=0 s=4
Tue Feb 6 14:03:00 2024 [10526]: connect from 192.168.0.233 [192.168.0.233]
Tue Feb 6 14:03:00 2024 [10526]: cfg_get_hvalue: name=192.168.0.233 attr=key
Tue Feb 6 14:03:00 2024 [10526]: cfg_get_hvalue: no host named 192.168.0.233
Tue Feb 6 14:03:00 2024 [10526]: cfg_get_phvalue: returns NULL
Tue Feb 6 14:03:00 2024 [10526]: cfg_get_value: name=gcom isuser=1 attr=pap rec=1
Tue Feb 6 14:03:00 2024 [10526]: cfg_get_pvalue: returns des QpXJh0JnBY8yc
Tue Feb 6 14:03:00 2024 [10526]: cfg_get_value: name=gcom isuser=1 attr=acl rec=1
Tue Feb 6 14:03:00 2024 [10526]: cfg_get_value: recurse group = admins
Tue Feb 6 14:03:00 2024 [10526]: cfg_get_pvalue: returns tidcbp_tmap
Tue Feb 6 14:03:00 2024 [10526]: pap-login query for 'gcom' ssh from 192.168.0.233 rejected ### >> First time wrong credentials
Tue Feb 6 14:03:00 2024 [10526]: login failure: gcom 192.168.0.233 (192.168.0.233) ssh
Tue Feb 6 14:03:00 2024 [10526]: cfg_get_hvalue: name=192.168.0.233 attr=key
Tue Feb 6 14:03:00 2024 [10526]: cfg_get_hvalue: no host named 192.168.0.233
Tue Feb 6 14:03:00 2024 [10526]: cfg_get_phvalue: returns NULL
Tue Feb 6 14:03:09 2024 [10526]: connect from 192.168.0.233 [192.168.0.233]
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_hvalue: name=192.168.0.233 attr=key
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_hvalue: no host named 192.168.0.233
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_phvalue: returns NULL
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_value: name=gcom isuser=1 attr=pap rec=1
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_pvalue: returns des QpXJh0JnBY8yc
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_value: name=gcom isuser=1 attr=expires rec=1
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_value: recurse group = admins
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_pvalue: returns NULL
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_value: name=gcom isuser=1 attr=acl rec=1
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_value: recurse group = admins
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_pvalue: returns tidcbp_tmap
Tue Feb 6 14:03:09 2024 [10526]: pap-login query for 'gcom' ssh from 192.168.0.233 accepted >> second time correct credentials.
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_hvalue: name=192.168.0.233 attr=key
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_hvalue: no host named 192.168.0.233
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_phvalue: returns NULL
Tue Feb 6 14:03:09 2024 [10526]: connect from 192.168.0.233 [192.168.0.233]
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_hvalue: name=192.168.0.233 attr=key
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_hvalue: no host named 192.168.0.233
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_phvalue: returns NULL
Tue Feb 6 14:03:09 2024 [10526]: Error 192.168.0.233: author minimum payload length: 143, got: 58
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_hvalue: name=192.168.0.233 attr=key
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_hvalue: no host named 192.168.0.233
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_phvalue: returns NULL
Tue Feb 6 14:03:09 2024 [10526]: connect from 192.168.0.233 [192.168.0.233]
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_hvalue: name=192.168.0.233 attr=key
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_hvalue: no host named 192.168.0.233
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_phvalue: returns NULL
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_hvalue: name=192.168.0.233 attr=key
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_hvalue: no host named 192.168.0.233
Tue Feb 6 14:03:09 2024 [10526]: cfg_get_phvalue: returns NULL
Tue Feb 6 14:03:13 2024 [10526]: connect from 192.168.0.233 [192.168.0.233]
Tue Feb 6 14:03:13 2024 [10526]: cfg_get_hvalue: name=192.168.0.233 attr=key
Tue Feb 6 14:03:13 2024 [10526]: cfg_get_hvalue: no host named 192.168.0.233
Tue Feb 6 14:03:13 2024 [10526]: cfg_get_phvalue: returns NULL
Tue Feb 6 14:03:13 2024 [10526]: cfg_get_hvalue: name=192.168.0.233 attr=key
Tue Feb 6 14:03:13 2024 [10526]: cfg_get_hvalue: no host named 192.168.0.233
Tue Feb 6 14:03:13 2024 [10526]: cfg_get_phvalue: returns NULL

Please find the below topology..

The user wants to login with tacacs server, First two times user enters wrong credentials for that the server rejects the request and this expected.

Next user enters with correct credentials and could see that during authorization the connection got closed.

We could see this issue when we enter first wrong credentials and then correct credentials. I have attached the debug logs collected from tacacs server.
240212_083536_tacplus_debug_240213.pdf

Hello,

Thanks for this code.

Please can you advise after running rpmbuild -ba tacacs.spec what will next step to start tac_plus service and make changes to tac_plus.conf?

I'm trying to install on Amazon Machine image vm on AWS.

sorry in advance for my dumb question, as i'm new to linux.

appreciate your support.

It is not possible to build this on CentOS8. glibc removed nsl headers. Until tac_plus is rewritten to use libnsl2 it will not be supported on CentOS8.

Commands I ran:

yum install dnf wget git rpm-build redhat-rpm-config gcc bison flex m4 pam-devel python2 python36
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/tcp_wrappers-libs-7.6-77.el7.x86_64.rpm
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/tcp_wrappers-devel-7.6-77.el7.x86_64.rpm
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/tcp_wrappers-7.6-77.el7.x86_64.rpm
dnf install tcp_wrappers-libs-7.6-77.el7.x86_64.rpm -y
dnf install tcp_wrappers-7.6-77.el7.x86_64.rpm -y
dnf install tcp_wrappers-devel-7.6-77.el7.x86_64.rpm -y
git clone https://github.com/facebookarchive/tac_plus.git
cd tac_plus
mkdir -p ~/rpmbuild/SOURCES
tar cvzf ~/rpmbuild/SOURCES/tacacs-F4.0.4.28.tar.gz tacacs-F4.0.4.28
echo '%_topdir %(echo $HOME)/rpmbuild' > ~/.rpmmacros
dnf group install "Development Tools"

I manually linked python to system path:

ln -s /usr/bin/python2.7 /usr/bin/python
alias python=/bin/python2.7

I removed the check for python from the build requirements line in tacacs.spec file.

I attempted to build by running:
rpmbuild -ba tacacs.spec

This returns the error:
configure:3999: error: C compiler cannot create executables  

In our config.log file we see the error:

configure:3950: gcc   -I/usr/local/include  -L/usr/local/lib -L/lib conftest.c -lnsl -lcrypt  >&5
/bin/ld: cannot find -lnsl
collect2: error: ld returned 1 exit status

We see an open bug in RedHat for this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1534920 

The issue: glibc removed nsl headers and libnsl.so for building in favor of libnsl2-devel package

Im trying to set up tac_plus+ to use two factor authentication. My setup is as follows:

• CentOS 7.3
• FreeIPA (ldap/kerberos system)
• tacacs+-FB4.0.4.19.1

In ldap I have two users. One configured for two factor and one not.

[root@ipa ~]# id rikkatest
uid=1130400006(rikkatest) gid=1130400006(rikkatest) groups=1130400004(cisco-enable),1130400006(rikkatest)
[root@ipa ~]# id netvik
uid=1130400009(netvik) gid=1130400009(netvik) groups=1130400004(cisco-enable),1130400008(service_accounts),1130400009(netvik)

[root@ipa ~]# ssh rikkatest@localhost
First Factor:
Second Factor:
Last login: Tue Jul 25 16:44:20 2017 from localhost
-sh-4.2$

[root@ipa netvik]# ssh netvik@localhost
Password:
Last login: Tue Jul 25 17:18:43 2017
-sh-4.2$

[root@ipa ~]# cat /etc/pam.d/tac_plus
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so

[root@ipa ~]# cat /etc/tac_plus.conf
accounting file = /var/log/tacacs.log

key = testing123

host = 94.142.159.65 { key = testing123 }
host = pat.ok.is { key = testing123 }

group = enable {
login = PAM
}

user = netvik {
member = enable
}

user = rikkatest {
member = enable
}

(Yes, that's a lousy key, but only here for testing)

Running daemon as such:
[root@ipa ~]# tac_plus -C /etc/tac_plus.conf -L -p 49 -d1016 -g

Then I have a Cisco router configured to authenticate against this tac_plus server and it "works".
First the plain user with no two factor auth:

[ra@hamburger ~]$ telnet 10.199.6.87
Trying 10.199.6.87...
Connected to 10.199.6.87.
Escape character is '^]'.

User Access Verification

Username: netvik
Password:

Router>

so far so good. Daemon stdout has:

Reading config
Version F4.0.4.19-fb Initialized 1
tac_plus server F4.0.4.19-fb starting
socket FD 4 AF 2
socket FD 5 AF 10
uid=0 euid=0 gid=0 egid=0 s=26448032
session request from pat.ok.is sock=6
connect from pat.ok.is [94.142.159.65]
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/START size=38
validation request from pat.ok.is
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 1, flags 0x1
session_id 3891870596 (0xe7f93b84), Data length 26 (0x1a)
End header
Packet body hex dump:
0x1 0x1 0x1 0x1 0x0 0x6 0xc 0x0 0x74 0x74 0x79 0x35 0x37 0x38 0x31 0x30 0x2e
0x31 0x39 0x39 0x2e 0x36 0x2e 0x31 0x31 0x30
type=AUTHEN/START, priv_lvl = 1
action=login
authen_type=ascii
service=login
user_len=0 port_len=6 (0x6), rem_addr_len=12 (0xc)
data_len=0
User:
port:
tty578
rem_addr:
10.199.6.110
data:
End packet
Authen Start request
choose_authen returns 1
cfg_get_hvalue: name=94.142.159.65 attr=prompt
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=pat.ok.is attr=prompt
cfg_get_phvalue: returns NULL
Writing AUTHEN/GETUSER size=55
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 2, flags 0x1
session_id 3891870596 (0xe7f93b84), Data length 43 (0x2b)
End header
Packet body hex dump:
0x4 0x0 0x25 0x0 0x0 0x0 0xa 0x55 0x73 0x65 0x72 0x20 0x41 0x63 0x63 0x65 0x73
0x73 0x20 0x56 0x65 0x72 0x69 0x66 0x69 0x63 0x61 0x74 0x69 0x6f 0x6e 0xa 0xa
0x55 0x73 0x65 0x72 0x6e 0x61 0x6d 0x65 0x3a 0x20
type=AUTHEN status=4 (AUTHEN/GETUSER) flags=0x0
msg_len=37, data_len=0
msg:
0xa User Access Verification 0xa
data:
End packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/CONT size=23
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 3, flags 0x1
session_id 3891870596 (0xe7f93b84), Data length 11 (0xb)
End header
Packet body hex dump:
0x6 0x0 0x0 0x0 0x0 0x6e 0x65 0x74 0x76 0x69 0x6b
type=AUTHEN/CONT
user_msg_len 6 (0x6), user_data_len 0 (0x0)
flags=0x0
User msg:
netvik
User data:
End packet
cfg_get_value: name=netvik isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
choose_authen chose default_fn
Calling authentication function
cfg_get_value: name=netvik isuser=1 attr=nopassword rec=1
cfg_get_value: recurse group = enable
cfg_get_intvalue: returns 0
cfg_get_value: name=netvik isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
cfg_get_value: name=netvik isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
pam_verify netvik
pam_tacacs received 1 pam_messages
pat.ok.is tty578: PAM_PROMPT_ECHO_OFF
Writing AUTHEN/GETPASS size=28
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 4, flags 0x1
session_id 3891870596 (0xe7f93b84), Data length 16 (0x10)
End header
Packet body hex dump:
0x5 0x1 0xa 0x0 0x0 0x0 0x50 0x61 0x73 0x73 0x77 0x6f 0x72 0x64 0x3a 0x20
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=10, data_len=0
msg:
Password:
data:
End packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/CONT size=33
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 5, flags 0x1
session_id 3891870596 (0xe7f93b84), Data length 21 (0x15)
End header
Packet body hex dump:
0x10 0x0 0x0 0x0 0x0 0x36 0x28 0x5b 0x35 0x31 0x76 0x22 0x4c 0x42 0x52 0x66
0x43 0x71 0x6d 0x7b 0x38
type=AUTHEN/CONT
user_msg_len 16 (0x10), user_data_len 0 (0x0)
flags=0x0
User msg:
6([51v"LBRfCqm{8
User data:
End packet
pam_acct_mgmt returns PAM_SUCCESS
pam_verify returns 1
cfg_get_value: name=netvik isuser=1 attr=expires rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns NULL
Password has not expired
cfg_get_value: name=netvik isuser=1 attr=acl rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns NULL
login query for 'netvik' tty578 from pat.ok.is accepted
login success: user=netvik device=pat.ok.is port=94.142.159.65 client=tty578
Writing AUTHEN/SUCCEED size=18
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 6, flags 0x1
session_id 3891870596 (0xe7f93b84), Data length 6 (0x6)
End header
Packet body hex dump:
0x1 0x0 0x0 0x0 0x0 0x0
type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
msg_len=0, data_len=0
msg:
data:
End packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
pat.ok.is: disconnect

Then I try the two factor user:

[ra@hamburger ~]$ telnet 10.199.6.87
Trying 10.199.6.87...
Connected to 10.199.6.87.
Escape character is '^]'.

User Access Verification

Username: rikkatest
First Factor:

Second Factor:

Router>

This seems to have worked. However the daemons stdout has:

Reading config
Version F4.0.4.19-fb Initialized 1
tac_plus server F4.0.4.19-fb starting
socket FD 4 AF 2
socket FD 5 AF 10
uid=0 euid=0 gid=0 egid=0 s=23187616
session request from pat.ok.is sock=6
connect from pat.ok.is [94.142.159.65]
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/START size=38
validation request from pat.ok.is
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 1, flags 0x1
session_id 3576905187 (0xd5333de3), Data length 26 (0x1a)
End header
Packet body hex dump:
0x1 0x1 0x1 0x1 0x0 0x6 0xc 0x0 0x74 0x74 0x79 0x35 0x37 0x38 0x31 0x30 0x2e
0x31 0x39 0x39 0x2e 0x36 0x2e 0x31 0x31 0x30
type=AUTHEN/START, priv_lvl = 1
action=login
authen_type=ascii
service=login
user_len=0 port_len=6 (0x6), rem_addr_len=12 (0xc)
data_len=0
User:
port:
tty578
rem_addr:
10.199.6.110
data:
End packet
Authen Start request
choose_authen returns 1
cfg_get_hvalue: name=94.142.159.65 attr=prompt
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=pat.ok.is attr=prompt
cfg_get_phvalue: returns NULL
Writing AUTHEN/GETUSER size=55
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 2, flags 0x1
session_id 3576905187 (0xd5333de3), Data length 43 (0x2b)
End header
Packet body hex dump:
0x4 0x0 0x25 0x0 0x0 0x0 0xa 0x55 0x73 0x65 0x72 0x20 0x41 0x63 0x63 0x65 0x73
0x73 0x20 0x56 0x65 0x72 0x69 0x66 0x69 0x63 0x61 0x74 0x69 0x6f 0x6e 0xa 0xa
0x55 0x73 0x65 0x72 0x6e 0x61 0x6d 0x65 0x3a 0x20
type=AUTHEN status=4 (AUTHEN/GETUSER) flags=0x0
msg_len=37, data_len=0
msg:
0xa User Access Verification 0xa
data:
End packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/CONT size=26
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 3, flags 0x1
session_id 3576905187 (0xd5333de3), Data length 14 (0xe)
End header
Packet body hex dump:
0x9 0x0 0x0 0x0 0x0 0x72 0x69 0x6b 0x6b 0x61 0x74 0x65 0x73 0x74
type=AUTHEN/CONT
user_msg_len 9 (0x9), user_data_len 0 (0x0)
flags=0x0
User msg:
rikkatest
User data:
End packet
cfg_get_value: name=rikkatest isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
choose_authen chose default_fn
Calling authentication function
cfg_get_value: name=rikkatest isuser=1 attr=nopassword rec=1
cfg_get_value: recurse group = enable
cfg_get_intvalue: returns 0
cfg_get_value: name=rikkatest isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
cfg_get_value: name=rikkatest isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
pam_verify rikkatest
pam_tacacs received 2 pam_messages
pat.ok.is tty578: PAM_PROMPT_ECHO_OFF
Writing AUTHEN/GETPASS size=32
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 4, flags 0x1
session_id 3576905187 (0xd5333de3), Data length 20 (0x14)
End header
Packet body hex dump:
0x5 0x1 0xe 0x0 0x0 0x0 0x46 0x69 0x72 0x73 0x74 0x20 0x46 0x61 0x63 0x74 0x6f
0x72 0x3a 0x20
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=14, data_len=0
msg:
First Factor:
data:
End packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/CONT size=29
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 5, flags 0x1
session_id 3576905187 (0xd5333de3), Data length 17 (0x11)
End header
Packet body hex dump:
0xc 0x0 0x0 0x0 0x0 0x72 0x69 0x6b 0x6b 0x61 0x74 0x65 0x73 0x74 0x31 0x32 0x33
type=AUTHEN/CONT
user_msg_len 12 (0xc), user_data_len 0 (0x0)
flags=0x0
User msg:
rikkatest123
User data:
End packet
pat.ok.is tty578: PAM_PROMPT_ECHO_OFF
Writing AUTHEN/GETPASS size=33
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 6, flags 0x1
session_id 3576905187 (0xd5333de3), Data length 21 (0x15)
End header
Packet body hex dump:
0x5 0x1 0xf 0x0 0x0 0x0 0x53 0x65 0x63 0x6f 0x6e 0x64 0x20 0x46 0x61 0x63 0x74
0x6f 0x72 0x3a 0x20
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=15, data_len=0
msg:
Second Factor:
data:
End packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/CONT size=23
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 7, flags 0x1
session_id 3576905187 (0xd5333de3), Data length 11 (0xb)
End header
Packet body hex dump:
0x6 0x0 0x0 0x0 0x0 0x31 0x38 0x38 0x38 0x33 0x36
type=AUTHEN/CONT
user_msg_len 6 (0x6), user_data_len 0 (0x0)
flags=0x0
User msg:
188836
User data:
End packet
Segmentation fault (core dumped)

Looking into the core:

[root@ipa ~]# gdb /usr/bin/tac_plus core.31038
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-94.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /usr/bin/tac_plus...Reading symbols from /usr/lib/debug/usr/bin/tac_plus.debug...done.
done.
[New LWP 31038]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `tac_plus -C /etc/tac_plus.conf -L -p 49 -d1016 -g'.
Program terminated with signal 11, Segmentation fault.
#0 0x00000000004122b5 in pam_tacacs (nmsg=2, pmpp=0x7ffe5c4bba70, prpp=0x7ffe5c4bba60, appdata_ptr=0x0) at pwlib.c:568
568 prpp[i]->resp = (char *) tac_malloc(acp->user_msg_len + 1);
(gdb) where
#0 0x00000000004122b5 in pam_tacacs (nmsg=2, pmpp=0x7ffe5c4bba70, prpp=0x7ffe5c4bba60, appdata_ptr=0x0) at pwlib.c:568
#1 0x00007f4816f23b88 in prompt_2fa (pamh=pamh@entry=0x161d510, pi=pi@entry=0x7ffe5c4bbb50, prompt_fa1=0x7f4816f279fe "First Factor: ",
prompt_fa2=prompt_fa2@entry=0x7f4816f27a0d "Second Factor: ") at src/sss_client/pam_sss.c:1323
#2 0x00007f4816f25426 in get_authtok_for_authentication (flags=, pi=0x7ffe5c4bbb50, pamh=0x161d510) at src/sss_client/pam_sss.c:1584
#3 pam_sss (task=, pamh=0x161d510, pam_flags=, argc=, argv=) at src/sss_client/pam_sss.c:1826
#4 0x00007f481903bf1a in _pam_dispatch_aux (use_cached_chain=, resumed=, h=, flags=0, pamh=0x161d510) at pam_dispatch.c:110
#5 _pam_dispatch (pamh=pamh@entry=0x161d510, flags=0, choice=choice@entry=1) at pam_dispatch.c:426
#6 0x00007f481903b7e0 in pam_authenticate (pamh=0x161d510, flags=) at pam_auth.c:34
#7 0x0000000000412774 in pam_verify (user=0x161d0f0 "rikkatest", passwd=0x161d400 "", data=0x7ffe5c4bbf80) at pwlib.c:672
#8 0x00000000004114da in verify (name=0x161d0f0 "rikkatest", passwd=0x161d400 "", data=0x7ffe5c4bbf80, recurse=1) at pwlib.c:158
#9 0x0000000000409130 in tac_login (data=0x7ffe5c4bbf80, p=0x161d400) at default_fn.c:315
#10 0x0000000000408c5b in default_fn (data=0x7ffe5c4bbf80) at default_fn.c:170
#11 0x000000000040371a in authenticate (datap=0x7ffe5c4bbf80, typep=0x7ffe5c4bbef0) at authen.c:319
#12 0x00000000004031ed in do_start (pak=0x161d0c0 "\300\001\001\001\325\063", <incomplete sequence \343>) at authen.c:139
#13 0x0000000000402f53 in authen (pak=0x161d0c0 "\300\001\001\001\325\063", <incomplete sequence \343>) at authen.c:53
#14 0x00000000004168eb in start_session () at tac_plus.c:853
#15 0x0000000000416760 in main (argc=8, argv=0x7ffe5c4bc678) at tac_plus.c:764

apparently pwlib's, line 568:
prpp[i]->resp = (char *) tac_malloc(acp->user_msg_len + 1);
Is not making the system happy. Some checking:

(gdb) print prpp
$1 = (struct pam_response **) 0x7ffe5c4bba60
(gdb) print i
$2 = 1
(gdb) print nmsg
$3 = 2
(gdb) print prpp[0]
$4 = (struct pam_response *) 0x161da10
(gdb) print prpp[1]
$5 = (struct pam_response *) 0x5
(gdb) print prpp[0]->resp
$6 = 0x162e320 "rikkatest123"
(gdb) print prpp[1]->resp
Cannot access memory at address 0x5
(gdb) print appdata_ptr
$7 = (void *) 0x0

(yes, thats a lousy password and it's just for testing)

Im not into PAM on this level but to me it looks like pam library is calling pam_tacacs() in the daemon with either nmsg off by one or something missing from prpp

Any ideas what is going on? Have I stumbled across a bug or am I doing something drastically wrong?
And should the login succeed when the daemon crashes like that?

• Facebook is not a Debian shop, so HEAD has no been tested with it at all.

If there are any Debian people out there who can test and confirm it works or ship a PR that would be much appreciated.

How can I add to the services section of the file via the GUI. for example how to add the section in bold.

group = Network_Engineers {
valid until = 3000-04-01
service = shell {
default cmd = permit
set priv-lvl = 15
}
service = exec {
set priv-lvl = 15
}
service = junos-exec {
set local-user-name = super-users
}
service = ssh {
set local-user-name = TACP-0
}
}

Thanks!!

Ive tried a bunch of rpms / tars on rhel 7 .. Everything compiles just fine..
I have issues with accounting payload and thus get no command accounting logs..

Error 10.3.254.15: acct minimum payload: 191, got: 127

I know my tac config is good as i have an older version running on Rhel 6 , and when i have my
switch point to it all is well..

Also , I ran a capture and i can see the accounting info in the pcap being sent to the tac_plus server.

Id be thankful for any help / direction on this.

This fork seems to be off a rather old release of Heasley's tac_plus. Is there a more recent one running around? I have about 20 commits for various bugs, performance improvements, and packaging fixes...