xtacacsd RELEASE NOTES
(Change Log)

These are the new changes made in each release of xtacacsd.

xtacacsd v4.1.2 March 1998

  1. xtacacsd.c - now does not exit on recvfrom() error (was returning a CONN_REFUSED when an ICMP unreachable was sent).
  2. taclast.c - now ignores case for usernames
  3. Changed -DDCE to -DOSFDCE since DCE was being defined by some other include file
  4. Fixed bug in tacping.pl (sockaddr)
  5. Added debug messages while working with host MASKS in perm.c
  6. xtacacsd.c - checking pw->pw_expire field in BSDI/FreeBSD
  7. perm.c calls authent_files() only if pwfile[0] non-null
  8. perm.c convert secs to days in check_expiration()

xtacacsd v4.1.1 June 1997

  1. Fixed bug in uwtmp.c: if compiled without XTACUTMP, setlogout() was setting the logout flag on logins.
  2. Fixed defines for AIX (needed _AIX).

xtacacsd v4.1 January 1997

  1. Fixed the sys_errlist[] multiple define problem in Getpw.c & common.h
  2. Tried to add heuristics in Getpw.c in case reached end of line in SysV (try to shift some fields around assuming password file did not have age, etc.)
  3. If SHADOW_PW, now also considers the shadow password file age.
  4. Stopped forcing the tp->pwlen to PASSWD_LENGTH (was causing CHAP authentication to fail after Cisco increased the CHAP length to 16 bytes in v11.1)
  5. Added support for HOST xxx MASK xxx (assuming HOST is an IP address).
  6. Bug in strtodate() which returned 0 in case the password file had Jan 1, 1970 (which was then okayed by check_expiration())
  7. Better authtoken_stub() parsing of popen() return values in perm.c
  8. perm.c authent_system() now checks if the user is not in the shadow password file (accessing sps->passwd when sps was NULL was dumping core)
  9. Added SHELL definition in the Makefile since SGI 5.3 was doing its own thing.
  10. tacupd.c bug where it was using wtmpfd instead of fd. Replaced scanf with gets + sscanf().
  11. cur_login_count() changed so it does not count the current login (thus if a person invokes ppp and a tty_logout is not received, at least permission is not denied).
  12. Now creates ASCII wtmp files (with extension .ascii).
  13. taclast & tacupd modified to handle ASCII wtmp and print out incorrect times.
  14. xslipon() puts the GID in the STAT line if available.
  15. In uwtmp_entry(), if the line number is 65535 (e.g. in ISDN lines) then it compares the username before overwriting the utmp entry.
  16. Added xpasswd to the distribution (for changing passwords in alternate password files).
  17. Added tacping.pl to the distribution (from Univ of Minnesota)
  18. Now putting GID or LOGOUT reason in the comment field of WTMP file for easier accounting.
  19. taclast fixed for bugs where it was giving inaccurate for first time users on a particular tty. Added -d option in taclast for debug output.
  20. More stringent password parsing in perm.c authent_system() to avoid problems with OS specific shadow password getspnam(). Unixware's getspent() was NOT returning a NULL for an unknown user.
  21. Put the arguments of popen() within quotes so that the shell does not misbehave when it sees ';' etc. in the arguments (perm.c)
  22. Added support for OSF DCE authentication (pbhenson@csupomona.edu)
  23. Added the QUIETNOUSER keyword (equivalent to the -Q command line option)
  24. Converted to HTML documentation

xtacacsd v4.0 April 1996

  1. SYSV defines in tacupd.c
  2. Added PIDFILE (meyer@uoregon.edu)
  3. Fixed %l in tacwho output (on some systems).
  4. Check for string length in printf() format statement in uwtmp_entry().
  5. Can now put line ranges in config file (kissg@sztaki.hu)
  6. Fixed parsing of shell and homedir in Getpw.c (kissg@sztaki.hu)
  7. perm.c does not overwrite EXPIRING reason with NONE.
  8. New -Q option: do not respond if user does not exist. Reply negative if user exists and password failed.
  9. New ENABLE_LEVELS for setting enable levels for users in the config file (used in cisco v10.3 and higher). -kissg@sztaki.hu
  10. Support for QI/CSO names database with timeout reads.
  11. xtacacsd: Graceful exit on getting SIGHUP
  12. taclast enhanced. Checks username and tags all possible INACCURATE entries
  13. tacupd enhanced. Support for dumping wtmp into ascii and back.
  14. New tacutmp.h file for adding comments in the utmp/wtmp files.
  15. Autodetect of BSDI in Makefile
  16. Added support for OSF1 SIA (DEC Enhanced Security)
  17. Getpw now uses and can generate DBM files for large databases.
  18. Changed (enhanced) structure of the wtmp/utmp with comments. Logout entries now have ‘?’ as the first character instead of a NULL.
  19. Now does not reply if there is any error in the authentication routines
  20. Clean rollover of wtmp files in tacupd.

xtacacsd v3.5 Nov 1995

  1. Fixed lseek() bug for utmp files on BSDI machines.
  2. Added tacupd program for manipulating the wtmp and utmp files.

xtacacsd v3.4 June 1995

  1. Fixed a large number of reported bugs in the code
  2. Support for secondary user groups.
  3. New utmp structure. Not using the /usr/include/utmp.h file anymore. Yes, that means that your old utmp/wtmp files might not be readable (if it is a non-BSD architecture). CHANGE THE WTMP/UTMP FILE LOCATIONS TO SOMETHING TEMPORARY SO THAT YOU DO NOT WRITE IN YOUR EXISTING USER RECORDS WITH THE NEW utmp STRUCT.
  4. Byte ordering problems fixed for DEC alpha, BSDI machines.
  5. New taclast program for parsing utmp & wtmp files.
    taclast -w -f UTMPFILE
    taclast -f WTMPFILE
  6. New old config keyword for old request types (in addition to login, connect, slipon, etc.). Only the permit action is permitted for the old request types. (Robert.Kiessling@rrze.uni-erlangen.de)
  7. Was missing a p in getopt(). Hence was not executing the system password routines even when specified. Affected YP/NIS password processing. (Craig.Strickland@corp.wrgrace.com)
  8. gethostbyaddr() returns static data and the value was not being saved before another call in xslipon, xconnect, xslipoff. (guenther@gac.edu)
  9. Fixed processing of lineno code in check_perm(). (john@gulfa.kuwait.net)
  10. Fixed numlogins processing (earlier denied slip request if the numlogins was set to 1 and user tried to invoke slip). (bk@galaxy.net).
  11. Now checks for a user's supplementary groups also (and not just the primary group). (steph@candide.uchicago.edu)
  12. Changed ‘define SYSV’ etc. to more generic defines.
  13. Invalid namelen and pwlen values in CHAP responses.
  14. New keywords in the config file:
    LOGGING
    QUIET
    DEBUGLEVEL x

xtacacsd v3.3 December 15, 1994

  1. Added CHAP and ARAP support (brisco@rutgers.edu). Note that this xtacacsd software is different from the Cisco version in that it uses the password file syntax for storing the secrets instead of a separate secrets file.
  2. Fixed bug in creation of utmp file.
  3. Now creates individual host wtmp.host files if specified in command line options. Needed for the system's last to process things properly.
  4. Fixed bug in xslipon: was working on the tacacs packet directly instead of copying the username + password over.
  5. Wrote Getpw.c routines and added a PASSWORD DEFAULT flag for searching names using the getpwnam() call. If you are using NIS/YellowPages or Shadow passwords, specify this option in the config file. Searching using this system call will NOT be in case insensitive manner (you can always list the file directly for searching using the Getpw routines). Also, NIS style entries in alternate password files will not work (since alternate password files are parsed using the simple Getpw routines).
    Essentially, I got sick of getpwent and setpwent not working on most machines.

xtacacsd v3.2 October 28, 1994

  1. Fixed a small bug in the Getpwnam() routine.

xtacacsd v3.1 October 1994

  1. Added support for permitting or denying SLIP access for slip default requests also (modified xslipon procedure).
  2. Support for SLIP ACL in/out lists (merged changes from Cisco's new release). Have NOT incorporated the CHAP and the ARAP authentication types yet (short on time :-)
    GROUP 10 HOST all slip acl 10-15 (10 in, 15 out)
  3. Support for Solaris shadow password files (define SHADOW_PW while compiling). -rozycki@oeto.pk.edu.pl
  4. More command line options moved into the config file. Also support for specifying LINE numbers as part of the config lines (in addition to the HOST keyword). (from Robert.Kiessling@rrze.uni-erlangen.de)
    USER unrzh5 HOST 131.188.254.50 LINE 4,5,6 all acl 100
  5. Patch to the SDI (Security Dynamics) sdcheck.c program that filters duplicate tries from the terminal server (jposner@saratoga.dcrt.nih.gov)
  6. New tacstats.pl perl script for parsing the STAT lines in the syslog (jposner@saratoga.dcrt.nih.gov)

xtacacsd v3.0 Aug 29, 1994

  1. Supports Enigma Logic, Security Dynamics SDI cards (and any other password authentication program).
  2. Ported to Solaris 2.x
  3. IF USING gcc on Solaris 2.x, MAKE SURE THAT YOU HAVE RUN fixincludes THAT COMES WITH gcc (else it cannot handle variable length argument lists and might have syslog() discrepancies from report()).
  4. Case insensitive username matches (better than converting all to lowercase).
  5. External program verification after password checks for finer control over the user’s host, line, etc.
  6. Colon formatted logging at the syslog NOTICE level.
    STAT:Service:Username:UID:GID @ From-host:line Line:TransID:action-specific:service-specific
  7. Bug fixes in utmp and wtmp creations (strlen replaced by sizeof)

xtacacsd v2.0 May 1994

  1. Support for config file.
  2. Customizable responses based on username, group-id and gecos string.
  3. Inactivity timer when running under inetd (server hangs around after servicing requests for faster responses).
  4. Updates and maintains a ‘utmp’ file also.
  5. Can execute any Unix program in response to a query (for initiating dialback, etc.).

Copyright © 1994-1997 Vikas Aggarwal