facebook / tac_plus

A Tacacs+ Daemon tested on Linux (CentOS) to run AAA via TACACS+ Protocol via IPv4 and IPv6.
MIT License

Recently updated to more current commit on tac_plus, authentication breaking due to "-" in user field #50

Open nneul opened 4 hours ago

nneul commented 4 hours ago
Oct 23 14:01:52 tacauth-p2 tac_plus[61076]: login success: user=um-ad\swconf device=x.x.x.x ip=x.x.x.x port=tty2 client=x.x.x.x
Oct 23 14:01:52 tacauth-p2 tac_plus[61087]: invalid character '-' inside field [um-ad\swconf]

I have not bisected to see when this was introduced, and will just be working around it locally (this was a leftover from a domain rename, when users NEEDED to log in with the domain prefix), but I was surprised to see it no longer permitted.

nneul commented 4 hours ago

Looks to me that this commit has a mistaken assumption about usernames:

Author: RollerMatic <sahuja4@meta.com>
Date:   Thu Oct 5 11:25:23 2023 -0700

    add a validation function for author_data fields
nneul commented 4 hours ago

As written, this likely breaks any site using the UPN form or DOM\username forms for login. I realize this was from back in October last year, but it still should probably be revisited.

@RollerMatic
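A field validator of the kind this issue argues for, as an added example (not tac_plus's own code; `valid_user_field`, `MAX_USER_LEN` and the sample values are hypothetical): it accepts `-`, `DOM\user` and UPN forms while still rejecting the characters that matter in a username that is written to syslog and used in config lookups (control characters such as CR/LF, whitespace, empty or oversized values).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical validator, not the project's code. Directory-style
 * user names legitimately contain '-', '_', '.', '@' and '\'
 * (e.g. um-ad\swconf, user@realm); rejecting '-' outright breaks
 * those logins, as reported in #50. What a validator should stop
 * instead: control characters (CR/LF would let a client forge
 * extra syslog lines), whitespace and shell/config metacharacters. */
#define MAX_USER_LEN 253  /* assumed upper bound, not from tac_plus */

static int is_allowed_user_char(unsigned char c)
{
    if (isalnum(c))
        return 1;
    return strchr("-_.@\\", c) != NULL;
}

/* Returns 1 if the user field is acceptable, 0 otherwise. */
int valid_user_field(const char *s)
{
    size_t len, i;

    if (s == NULL)
        return 0;
    len = strlen(s);
    if (len == 0 || len > MAX_USER_LEN)
        return 0;
    for (i = 0; i < len; i++) {
        if (!is_allowed_user_char((unsigned char)s[i]))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed samples: the DOM\user form from the issue, a UPN
     * form, and values a log-safe validator must reject. */
    const char *samples[] = { "um-ad\\swconf", "swconf@um-ad.example",
                              "bad user", "x\r\ninjected", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("[%s] -> %s\n", samples[i],
               valid_user_field(samples[i]) ? "ok" : "rejected");
    return 0;
}
```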