TACACS+ server recommendations?

Bernhard Schmidt berni at birkenwald.de
Sun Sep 24 20:16:08 UTC 2023


In gmane.org.operators.nanog, Mike Lewinski via NANOG wrote:

>> https://www.shrubbery.net/tac_plus/ 
>
> That tac_plus has python 2 dependencies and so has been removed from
> Debian packages. That's not surprising given the last update was 2015
> and Python 2 was EOL in 2020:
> https://www.python.org/doc/sunset-python-2/

I have recently looked at this from the Debian side of things because I
was also hit by the (not unexpected due to the python2 usage) removal
from bookworm.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024129

---
There are a multitude of issues with the current codebase and so far I'm
not sure whether all of them can be solved.

- latest Debian package had 4.0.4.27a from 2013
- latest official release is 4.0.4.28 from January 2015
- there is a 4.0.4.29a from March 2015 in the alpha/ directory of the
  upstream FTP server

There is at least one known fork of 4.0.4.28 from Facebook at
https://github.com/facebook/tac_plus . The project started well but
looks dead. There are however a few interesting open pull requests that
appear to fix errors on RHEL9, that should be sufficiently close to us.

The thing that led to the removal from Debian was python2. Glancing at
the code I could not figure out the reason for the build-time
dependency. There is a python script installed in the tacacs+ binary
package (do_auth.py). Not everyone uses that. We don't, so I cannot
fully test it. But at first glance it appears to be able to be run on
python3 by just dropping the future imports. And there is an official
python3 port by its original author at https://www.tacacs.org/

So I think using the Facebook fork with a few imported pull-requests and
maybe switching to the newer do_auth.py (in a separate binary package
while we are at it) could do the trick.
---

> Currently I favor this one which is still being actively developed:
>
> https://www.pro-bono-publico.de/projects/tac_plus.html

That one really looks good. Harder to package with the repository
containing several unrelated things like spawnd, ftpd and tcprelay, but
still possible.

Bernhard

