Index: head/net/tac_plus4/Makefile
===================================================================
--- head/net/tac_plus4/Makefile (revision 402249)
+++ head/net/tac_plus4/Makefile (revision 402250)
@@ -1,55 +1,55 @@ # Created by: Igor Vinokurov # $FreeBSD$ PORTNAME= tac_plus -PORTVERSION= F4.0.4.27a +PORTVERSION= F4.0.4.28 CATEGORIES= net security -MASTER_SITES= ftp://ftp.shrubbery.net/pub/tac_plus/ -DISTNAME= tacacs+-F4.0.4.27a +MASTER_SITES= ftp://ftp.shrubbery.net/pub/${PORTNAME}/ +DISTNAME= tacacs-${PORTVERSION} MAINTAINER= marcus@FreeBSD.org -COMMENT= The Cisco remote authentication/authorization/accounting server +COMMENT= Cisco remote authentication/authorization/accounting server GNU_CONFIGURE= yes USES= bison perl5 libtool USE_PERL5= build USE_RC_SUBR= tac_plus USE_LDCONFIG= yes CONFIGURE_ARGS= --with-groupid=$$(/usr/bin/id -g tacacs 2>/dev/null || echo '559') \ --with-userid=$$(/usr/bin/id -u tacacs 2>/dev/null || echo '559') USERS= tacacs GROUPS= tacacs CONFLICTS= ru-tac+ia-[0-9]* tac_plus-libradius-[0-9]* MAKE_JOBS_UNSAFE= yes OPTIONS_DEFINE= DOCS # check expiration dates against 'expire' field of master.passwd file .if defined(TAC_EXPIRE_MASTER_PASSWD) EXTRA_PATCHES+= ${PATCHDIR}/extra-patch-bb .endif .if exists(/usr/include/skey.h) && !defined(WITHOUT_SKEY) CONFIGURE_ARGS+= --with-skey .else CONFIGURE_ARGS+= --without-skey .endif .if exists(/usr/include/opie.h) && !defined(WITHOUT_OPIE) CPPFLAGS+= -DOPIE LIBS+= -lopie -lmd .endif post-patch: @${REINPLACE_CMD} -e 's|skey_get_algorithm|skeychallenge|g' \ ${WRKSRC}/configure post-install: ${INSTALL_DATA} ${FILESDIR}/tac_plus.conf.example ${STAGEDIR}${PREFIX}/etc @${MKDIR} ${STAGEDIR}${PREFIX}/share/doc/tac_plus ${INSTALL_DATA} ${WRKSRC}/users_guide ${STAGEDIR}${PREFIX}/share/doc/tac_plus ${INSTALL_SCRIPT} ${WRKSRC}/tac_convert ${STAGEDIR}${PREFIX}/share/doc/tac_plus .include Index: head/net/tac_plus4/distinfo =================================================================== --- head/net/tac_plus4/distinfo (revision 402249) +++ head/net/tac_plus4/distinfo (revision 402250) 
@@ -1,2 +1,2 @@
-SHA256 (tacacs+-F4.0.4.27a.tar.gz) = 512e1c30389b102d4af25d7e9bc3bdcd9d39d70e5e7d8a98c8f785733df8d9a1
-SIZE (tacacs+-F4.0.4.27a.tar.gz) = 504395
+SHA256 (tacacs-F4.0.4.28.tar.gz) = 147f2dc98d26d2f93f0aba76c988ced196ffe1c001dc2e91f788a1a2c747219e
+SIZE (tacacs-F4.0.4.28.tar.gz) = 530049
Index: head/net/tac_plus4/files/patch-Makefile.in
===================================================================
--- head/net/tac_plus4/files/patch-Makefile.in (revision 402249)
+++ head/net/tac_plus4/files/patch-Makefile.in (revision 402250)
@@ -1,38 +1,38 @@ ---- Makefile.in.orig 2012-04-17 02:56:54.000000000 +0400 -+++ Makefile.in 2013-04-13 13:43:18.000000000 +0400 -@@ -98,7 +98,7 @@ +--- Makefile.in.orig 2012-04-16 22:56:21 UTC ++++ Makefile.in +@@ -162,7 +162,7 @@ am__tac_plus_SOURCES_DIST = acct.c authe config.c default_fn.c default_v0_fn.c do_acct.c do_author.c \ dump.c enable.c encrypt.c expire.c hash.c maxsessint.c parse.c \ programs.c pw.c pwlib.c report.c sendauth.c sendpass.c \ - tac_plus.c utils.c skey_fn.c aceclnt_fn.c + tac_plus.c utils.c skey_fn.c aceclnt_fn.c opie_fn.c @TACSKEY_TRUE@am__objects_1 = skey_fn.$(OBJEXT) @TACACECLNT_TRUE@am__objects_2 = aceclnt_fn.$(OBJEXT) am_tac_plus_OBJECTS = acct.$(OBJEXT) authen.$(OBJEXT) author.$(OBJEXT) \ -@@ -109,7 +109,7 @@ +@@ -173,7 +173,7 @@ am_tac_plus_OBJECTS = acct.$(OBJEXT) aut parse.$(OBJEXT) programs.$(OBJEXT) pw.$(OBJEXT) \ pwlib.$(OBJEXT) report.$(OBJEXT) sendauth.$(OBJEXT) \ sendpass.$(OBJEXT) tac_plus.$(OBJEXT) utils.$(OBJEXT) \ - $(am__objects_1) $(am__objects_2) + opie_fn.$(OBJEXT) $(am__objects_1) $(am__objects_2) tac_plus_OBJECTS = $(am_tac_plus_OBJECTS) am__DEPENDENCIES_1 = tac_plus_DEPENDENCIES = $(am__DEPENDENCIES_1) -@@ -592,6 +592,7 @@ +@@ -770,6 +770,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sendauth.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sendpass.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/skey_fn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/opie_fn.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tac_plus.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tac_pwd.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/utils.Po@am__quote@ -@@ -1049,8 +1050,7 @@ +@@ -1256,8 +1257,7 @@ info: info-am info-am: -install-data-am: install-includeHEADERS install-man \ - install-pkgdataDATA install-pkgdataSCRIPTS +install-data-am: install-includeHEADERS install-man install-dvi: install-dvi-am Index: 
head/net/tac_plus4/files/patch-choose_authen.c =================================================================== --- head/net/tac_plus4/files/patch-choose_authen.c (revision 402249) +++ head/net/tac_plus4/files/patch-choose_authen.c (revision 402250) @@ -1,34 +1,34 @@ ---- choose_authen.c.orig 2012-04-17 01:42:55.000000000 +0400 -+++ choose_authen.c 2013-04-13 13:55:20.000000000 +0400 -@@ -130,12 +130,29 @@ +--- choose_authen.c.orig 2012-04-16 21:42:55 UTC ++++ choose_authen.c +@@ -130,12 +130,29 @@ choose_login(struct authen_data *data, s #else /* SKEY */ report(LOG_ERR, "%s %s: user %s s/key support has not been compiled in", - name ? name : "", - session.peer, session.port); + session.peer, session.port, + name ? name : ""); return(CHOOSE_FAILED); #endif /* SKEY */ } + if (cfg_passwd && STREQ(cfg_passwd, "opie")) { + if (debug & DEBUG_PASSWD_FLAG) + report(LOG_DEBUG, "%s %s: user %s requires opie", + session.peer, session.port, name); +#ifdef OPIE + type->authen_func = opie_fn; + strcpy(type->authen_name, "opie_fn"); + return (CHOOSE_OK); +#else /* OPIE */ + report(LOG_ERR, + "%s %s: user %s opie support has not been compiled in", + session.peer, session.port, + name ? name : ""); + return(CHOOSE_FAILED); +#endif /* OPIE */ + } + /* Does this user require aceclnt */ cfg_passwd = cfg_get_login_secret(name, TAC_PLUS_RECURSE); if (cfg_passwd && STREQ(cfg_passwd, "aceclnt")) { Index: head/net/tac_plus4/files/patch-opie_fn.c =================================================================== --- head/net/tac_plus4/files/patch-opie_fn.c (revision 402249) +++ head/net/tac_plus4/files/patch-opie_fn.c (revision 402250) @@ -1,242 +1,242 @@ ---- opie_fn.c.orig Sun Dec 8 15:26:20 2002 -+++ opie_fn.c Sun Dec 8 15:27:01 2002 +--- opie_fn.c.orig 2002-12-08 11:26:20 UTC ++++ opie_fn.c 
@@ -0,0 +1,239 @@ +/* + Copyright (c) 1995-2000 by Cisco systems, Inc. + + Permission to use, copy, modify, and distribute modified and + unmodified copies of this software for any purpose and without fee is + hereby granted, provided that (a) this copyright and permission notice + appear on all copies of the software and supporting documentation, (b) + the name of Cisco Systems, Inc. not be used in advertising or + publicity pertaining to distribution of the program without specific + prior permission, and (c) notice be given in supporting documentation + that use, modification, copying and distribution is by permission of + Cisco Systems, Inc. + + Cisco Systems, Inc. makes no representations about the suitability + of this software for any purpose. THIS SOFTWARE IS PROVIDED ``AS + IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, + WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND + FITNESS FOR A PARTICULAR PURPOSE. +*/ + +#ifdef OPIE +#include "tac_plus.h" +#include "expire.h" + +/* internal state variables */ +#define STATE_AUTHEN_START 0 /* no requests issued */ +#define STATE_AUTHEN_GETUSER 1 /* username has been requested */ +#define STATE_AUTHEN_GETPASS 2 /* password has been requested */ + +#include + +struct private_data { + struct opie opiedata; + char password[MAX_PASSWD_LEN + 1]; + int state; +}; + +/* Use s/key to verify a supplied password using state set up earlier +when the username was supplied */ + +static int +opie_verify(passwd, data) +char *passwd; +struct authen_data *data; +{ + struct private_data *p = data->method_data; + struct opie *opiep = &p->opiedata; + + data->status = TAC_PLUS_AUTHEN_STATUS_FAIL; + + if (opieverify(opiep, passwd) == 0) { + /* S/Key authentication succeeded */ + data->status = TAC_PLUS_AUTHEN_STATUS_PASS; + if (opiep->opie_n < 5) { + data->server_msg = tac_strdup("Password will expire soon"); + return (1); + } + } + return (0); +} + +/* + * Skey tacacs login authentication function. 
Wants a username + * and a password, and tries to verify them via opie. + * + * Choose_authen will ensure that we already have a username before this + * gets called. + * + * We will query for a password and keep it in the method_data. + * + * Any strings returned via pointers in authen_data must come from the + * heap. They will get freed by the caller. + * + * Return 0 if data->status is valid, otherwise 1 + */ + +int +opie_fn(data) +struct authen_data *data; +{ + char *name, *passwd; + struct private_data *p; + char *prompt; + int pwlen; + + p = (struct private_data *) data->method_data; + + /* An abort has been received. Clean up and return */ + if (data->flags & TAC_PLUS_CONTINUE_FLAG_ABORT) { + if (data->method_data) + free(data->method_data); + data->method_data = NULL; + return (1); + } + /* Initialise method_data if first time through */ + if (!p) { + p = (struct private_data *) tac_malloc(sizeof(struct private_data)); + bzero(p, sizeof(struct private_data)); + data->method_data = p; + p->state = STATE_AUTHEN_START; + } + + /* Unless we're enabling, we need a username */ + if (data->service != TAC_PLUS_AUTHEN_SVC_ENABLE && + !(char) data->NAS_id->username[0]) { + switch (p->state) { + + case STATE_AUTHEN_GETUSER: + /* we have previously asked for a username but none came back. + * This is a gross error */ + data->status = TAC_PLUS_AUTHEN_STATUS_ERROR; + report(LOG_ERR, "%s: No username supplied after GETUSER", + session.peer); + return (0); + + case STATE_AUTHEN_START: + /* No username. Try requesting one */ + data->status = TAC_PLUS_AUTHEN_STATUS_GETUSER; + if (data->service == TAC_PLUS_AUTHEN_SVC_LOGIN) { + prompt = "\nUser Access Verification\n\nUsername: "; + } else { + prompt = "Username: "; + } + data->server_msg = tac_strdup(prompt); + p->state = STATE_AUTHEN_GETUSER; + return (0); + + default: + /* something awful has happened. 
Give up and die */ + report(LOG_ERR, "%s: opie_fn bad state %d", + session.peer, p->state); + return (1); + } + } + + /* we now have a username if we needed one */ + name = data->NAS_id->username; + + /* Do we have a password? */ + passwd = p->password; + + if (!passwd[0]) { + char opieprompt[80]; + + /* no password yet. Either we need to ask for one and expect to get + * called again, or we asked but nothing came back, which is fatal */ + + switch (p->state) { + case STATE_AUTHEN_GETPASS: + /* We already asked for a password. This should be the reply */ + if (data->client_msg) { + pwlen = MIN(strlen(data->client_msg), MAX_PASSWD_LEN); + } else { + pwlen = 0; + } + strncpy(passwd, data->client_msg, pwlen); + passwd[pwlen] = '\0'; + break; + + default: + /* Request a password */ + passwd = cfg_get_login_secret(name, TAC_PLUS_RECURSE); + if (!passwd && !STREQ(passwd, "opie")) { + report(LOG_ERR, "Cannot find opie password declaration for %s", + name); + data->status = TAC_PLUS_AUTHEN_STATUS_ERROR; + return(1); + } + + if (opiechallenge(&p->opiedata, name, opieprompt) == 0) { + char buf[256]; + sprintf(buf, "%s\nPassword: ", opieprompt); + data->server_msg = tac_strdup(buf); + + /* We try to make it in accordance of standard FreeBSD + * behaviour in order to avoid surprises for user */ + data->flags = TAC_PLUS_AUTHEN_FLAG_NOECHO; + + data->status = TAC_PLUS_AUTHEN_STATUS_GETPASS; + p->state = STATE_AUTHEN_GETPASS; + return (0); + } + + data->status = TAC_PLUS_AUTHEN_STATUS_ERROR; + report(LOG_ERR, "Cannot generate opie prompt for %s", name); + return(1); + } + } + + /* We have a username and password. Try validating */ + + /* Assume the worst */ + data->status = TAC_PLUS_AUTHEN_STATUS_FAIL; + + switch (data->service) { + case TAC_PLUS_AUTHEN_SVC_LOGIN: + opie_verify(passwd, data); + if (debug) + report(LOG_INFO, "login query for '%s' %s from %s %s", + name && name[0] ? name : "unknown", + data->NAS_id->NAS_port && data->NAS_id->NAS_port[0] ? 
+ data->NAS_id->NAS_port : "unknown", + session.peer, + (data->status == TAC_PLUS_AUTHEN_STATUS_PASS) ? + "accepted" : "rejected"); + break; + + default: + data->status = TAC_PLUS_AUTHEN_STATUS_ERROR; + report(LOG_ERR, "%s: Bogus service value %d from packet", + session.peer, data->service); + break; + } + + if (data->method_data) + free(data->method_data); + data->method_data = NULL; + + switch (data->status) { + case TAC_PLUS_AUTHEN_STATUS_ERROR: + case TAC_PLUS_AUTHEN_STATUS_FAIL: + case TAC_PLUS_AUTHEN_STATUS_PASS: + return (0); + default: + report(LOG_ERR, "%s: opie_fn couldn't set recognizable status %d", + session.peer, data->status); + data->status = TAC_PLUS_AUTHEN_STATUS_ERROR; + return (1); + } +} +#else /* OPIE */ + +/* The following code is not needed or used. It exists solely to + prevent compilers from "helpfully" complaining that this source + file is empty, which upsets novices building the software */ + +static int dummy = 0; + +#endif /* OPIE */ Index: head/net/tac_plus4/files/patch-parse.h =================================================================== --- head/net/tac_plus4/files/patch-parse.h (revision 402249) +++ head/net/tac_plus4/files/patch-parse.h (revision 402250) @@ -1,10 +1,10 @@ ---- parse.h.orig 2012-04-10 22:34:40.000000000 +0400 -+++ parse.h 2013-04-13 14:02:27.000000000 +0400 +--- parse.h.orig 2012-04-10 18:34:40 UTC ++++ parse.h @@ -74,6 +74,7 @@ #ifdef MSCHAP #define S_mschap 42 #endif /* MSCHAP */ +#define S_opie 43 #define S_enable 43 #ifdef ACLS # define S_acl 44 Index: head/net/tac_plus4/files/patch-skey_fn.c =================================================================== --- head/net/tac_plus4/files/patch-skey_fn.c (revision 402249) +++ head/net/tac_plus4/files/patch-skey_fn.c (revision 402250) 
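Review bot: In the default branch of opie_fn's password switch (patch-opie_fn.c), the guard `if (!passwd && !STREQ(passwd, "opie"))` uses `&&` where `||` is needed. Assuming STREQ wraps strcmp, a NULL return from cfg_get_login_secret is handed straight to it, and a non-NULL secret that is not "opie" skips the error return entirely. This commit only refreshes the patch header, so the line is carried over unchanged; I would change it to `if (!passwd || !STREQ(passwd, "opie"))`. A few lines further down, `sprintf(buf, "%s\nPassword: ", opieprompt);` would be safer as `snprintf(buf, sizeof(buf), "%s\nPassword: ", opieprompt);`, which is the form the skey_fn.c context on this page already uses.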
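Review bot: In patch-parse.h the added `#define S_opie 43` takes the same value as the `#define S_enable 43` on the next line, so the two tokens cannot be told apart wherever token numbers are compared or used as `case` labels. No use of S_opie is visible on this page (choose_authen.c matches the string "opie" instead), so the collision may be latent. I would either drop the define or give it a value no other S_ token uses, with a comment such as `/* must not collide with any other S_* value */`. The rest of the token table is outside the hunk, so a free value has to be checked against the full parse.h.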
@@ -1,11 +1,11 @@ ---- skey_fn.c.orig 2012-06-06 22:34:55.000000000 +0400 -+++ skey_fn.c 2013-04-13 14:08:31.000000000 +0400 -@@ -164,7 +164,7 @@ +--- skey_fn.c.orig 2012-06-06 18:34:55 UTC ++++ skey_fn.c +@@ -164,7 +164,7 @@ skey_fn(struct authen_data *data) return(1); } - if (skeychallenge(&p->skey, name, skeyprompt, 80) == 0) { + if (skeychallenge(&p->skey, name, skeyprompt) == 0) { char buf[256]; snprintf(buf, sizeof(buf), "%s\nS/Key challenge: ", skeyprompt); data->server_msg = tac_strdup(buf); Index: head/net/tac_plus4/files/patch-tac_plus.h =================================================================== --- head/net/tac_plus4/files/patch-tac_plus.h (revision 402249) +++ head/net/tac_plus4/files/patch-tac_plus.h (revision 402250) @@ -1,10 +1,10 @@ ---- tac_plus.h.orig 2013-04-13 13:45:20.000000000 +0400 -+++ tac_plus.h 2013-04-13 13:50:14.000000000 +0400 -@@ -452,6 +452,7 @@ +--- tac_plus.h.orig 2012-04-10 19:38:45 UTC ++++ tac_plus.h +@@ -452,6 +452,7 @@ int enable_fn(struct authen_data *data); int sendauth_fn(struct authen_data *data); int sendpass_fn(struct authen_data *data); int skey_fn(struct authen_data *data); +int opie_fn(struct authen_data *data); /* tac_plus.c */ void open_logfile(void); Index: head/net/tac_plus4/files/patch-users_guide.in =================================================================== --- head/net/tac_plus4/files/patch-users_guide.in (revision 402249) +++ head/net/tac_plus4/files/patch-users_guide.in (revision 402250) 
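Review bot: The patched call `skeychallenge(&p->skey, name, skeyprompt)` in patch-skey_fn.c no longer passes the 80-byte limit that the unpatched line supplied, so nothing at this call site bounds what the library writes into skeyprompt. The declaration of skeyprompt and the start of skey_fn are outside the hunk. It is worth confirming that the buffer is at least as large as the longest challenge the three-argument skeychallenge can produce, and recording that above the call, e.g. `/* three-argument skeychallenge() takes no length; skeyprompt must hold the full challenge */`.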
@@ -1,32 +1,32 @@ ---- users_guide.in.orig 2011-05-28 02:11:57.000000000 +0400 -+++ users_guide.in 2013-04-13 14:16:37.000000000 +0400 -@@ -164,7 +164,10 @@ +--- users_guide.in.orig 2011-05-27 22:11:57 UTC ++++ users_guide.in +@@ -164,7 +164,10 @@ for S/KEY in the Makefile. I got my S/K crimelab.com but now it appears the only source is ftp.bellcore.com. I suggest you try a web search for s/key source code. -Note: S/KEY is a trademark of Bell Communications Research (Bellcore). +To use OPIE, you must have built tac_plus with the -DWITH_OPIE flag. + +Note: S/KEY and OPIE are a trademark of Bell Communications Research +(Bellcore). Should you need them, there are routines for accessing password files (getpwnam,setpwent,endpwent,setpwfile) in pw.c. -@@ -414,7 +417,16 @@ +@@ -414,7 +417,16 @@ be authenticated via s/key, as follows: login = skey } -4). Authentication using PAM (Pluggable Authentication Modules) +4). Authentication using opie. + +If you have successfully built tac_plus with opie support, you can specify +a user be authenticated via opie, as follows: + + user = marcus { + login = opie + } + +5). Authentication using PAM (Pluggable Authentication Modules) Assuming that your OS supports it, tac_plus can be configured to use PAM for authentication, which may make it possible to use LDAP, SecureID, etc Index: head/net/tac_plus4/files/tac_plus.in =================================================================== --- head/net/tac_plus4/files/tac_plus.in (revision 402249) +++ head/net/tac_plus4/files/tac_plus.in (revision 402250) 
@@ -1,97 +1,97 @@ #!/bin/sh # # $FreeBSD$ # # PROVIDE: tac_plus # REQUIRE: DAEMON # # Add the following line to /etc/rc.conf to enable the TACACS+ daemon: # # tac_plus_enable (bool): Set to "NO" by default # Set it to "YES" to enable tac_plus # tac_plus_flags (str): Set to "" by default # Extra flags to be passed to start command # tac_plus_profiles (str): Set to "" by default # Allows you to run multiple tac_plus daemons with # different settings # tac_plus_configfile (str): Set to "%%PREFIX%%/etc/tac_plus.conf" by default # Allows you to specify a different config file for # the tac_plus daemon . /etc/rc.subr name=tac_plus rcvar=tac_plus_enable -command="%%PREFIX%%/bin/tac_plus" +command="%%PREFIX%%/sbin/tac_plus" pidfile="/var/run/${name}.pid" tac_plus_enable=${tac_plus_enable:-"NO"} tac_plus_flags=${tac_plus_flags:-} tac_plus_profiles=${tac_plus_profiles:-} tac_plus_configfile=${tac_plus_configfile:-"%%PREFIX%%/etc/tac_plus.conf"} load_rc_config ${name} if [ -n "$2" ]; then profile="$2" if [ "x${tac_plus_profiles}" != "x" ]; then eval tac_plus_configfile="\${tac_plus_${profile}_configfile:-}" if [ "x${tac_plus_configfile}" = "x" ]; then echo "You must define a configuration file (tac_plus_${profile}_configfile)" exit 1 fi required_files="${tac_plus_configfile}" eval tac_plus_enable="\${tac_plus_${profile}_enable:-${tac_plus_enable}}" eval tac_plus_flags="\${tac_plus_${profile}_flags:-${tac_plus_flags}}" eval tac_plus_port="\${tac_plus_${profile}_port:-}" eval tac_plus_ip="\${tac_plus_${profile}_ip:-}" else echo "$0: extra argument ignored" fi else if [ "x${tac_plus_profiles}" != "x" -a "x$1" != "x" ]; then for profile in ${tac_plus_profiles}; do eval _enable="\${tac_plus_${profile}_enable}" case "x${_enable:-${tac_plus_enable}}" in x|x[Nn][Oo]|x[Nn][Oo][Nn][Ee]) continue ;; x[Yy][Ee][Ss]) ;; *) if test -z "$_enable"; then _var=tac_plus_enable else _var=tac_plus_"${profile}"_enable fi echo "Bad value "\ "'${_enable:-${tac_plus_enable}}' "\ "for ${_var}. 
"\ "Profile ${profile} skipped." continue esac echo "====> tac_plus profile: ${profile}" %%PREFIX%%/etc/rc.d/tac_plus $1 ${profile} retcode="$?" if [ "0${retcode}" -ne 0 ]; then failed="${profile} (${retcode}) ${failed:-}" else success="${profile} ${success:-}" fi done exit 0 fi fi tac_plus_flags="-C ${tac_plus_configfile} ${tac_plus_flags}" if [ "x${tac_plus_ip}" != "x" ]; then pidfile="${pidfile}.${tac_plus_ip}" tac_plus_flags="${tac_plus_flags} -B ${tac_plus_ip}" fi if [ "x${tac_plus_port}" != "x" ]; then pidfile="${pidfile}.${tac_plus_port}" tac_plus_flags="${tac_plus_flags} -p ${tac_plus_port}" fi run_rc_command "$1" Index: head/net/tac_plus4/pkg-descr =================================================================== --- head/net/tac_plus4/pkg-descr (revision 402249) +++ head/net/tac_plus4/pkg-descr (revision 402250) 
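Review bot: In tac_plus.in, `profile="$2"` is interpolated into several `eval` lines (`eval tac_plus_configfile="\${tac_plus_${profile}_configfile:-}"` and the three that follow) with no check on its contents, so a profile argument containing shell metacharacters is interpreted by the shell running this rc script, typically as root. I would reject anything that is not a plain identifier before the first eval, e.g. `case "${profile}" in ""|*[!A-Za-z0-9_]*) echo "$0: invalid profile name"; exit 1 ;; esac`. Separately, the profile loop collects `failed` but always ends with `exit 0`, so a profile that fails to start is not reflected in the exit status that service monitoring would see.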
@@ -1,12 +1,16 @@ -TACACS+ program that allow authorization and authentication via net on -remote access servers. Authenticate users, authorize commands and log +A TACACS+ server that allows authorization and authentication via net +on remote access servers: Authenticate users, authorize commands and log accounting information. -This new version 4 has improved features and bugfixes over the older 2.x -version, which is still available, since this source is still marked ALPHA. +Version 4 has improved features and bugfixes over the older 2.x versions. Improved features among others and bugfixes: Microsoft CHAP support. To enable MSCHAP you need to optain a key from Microsoft, see the FAQ section in the users guide. Therefore this isn't enabled by default. +Cisco, the original developers, have stopped tac_plus development around +F4.0.4. There are different versions based on Cisco tac_plus, this is the +version from Shrubbery Networks. + +WWW: http://www.shrubbery.net/tac_plus WWW: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800946a3.shtml Index: head/net/tac_plus4/pkg-plist =================================================================== --- head/net/tac_plus4/pkg-plist (revision 402249) +++ head/net/tac_plus4/pkg-plist (revision 402250) @@ -1,13 +1,13 @@ -bin/tac_plus bin/tac_pwd -etc/tac_plus.conf.example +%%ETCDIR%%.conf.example include/tacacs.h lib/libtacacs.a lib/libtacacs.so lib/libtacacs.so.1 lib/libtacacs.so.1.0.0 man/man5/tac_plus.conf.5.gz man/man8/tac_plus.8.gz man/man8/tac_pwd.8.gz +sbin/tac_plus %%PORTDOCS%%%%DOCSDIR%%/tac_convert %%PORTDOCS%%%%DOCSDIR%%/users_guide