TACACS+ protocol client library and PAM module in C. This PAM module supports authentication, authorization (account management) and accounting (session management) performed using the TACACS+ protocol designed by Cisco.
Previously, if a large TACACS+ Authorization-Reply packet was sent across the TCP connection it could arrive over multiple segments. If all segments hadn't arrived at the time of the second read (the first being the TACACS+ packet header), then a partial TACACS+ Authorization-Reply body would be processed, resulting in the syslog message:
tac_author_read: short reply body, read 7228 of 9408: Operation now in progress
And the PAM module would return an error status.
Now, the body is read from the socket in a loop until the number of bytes indicated in the packet header has been read into the body buffer.
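The read loop described above, as an added stand-alone example that is not the project's own code: a `read_full()` helper that keeps reading until the requested byte count arrives (handling EINTR, EAGAIN, EOF and a per-attempt timeout), a header parser that pulls the 4-byte big-endian body length out of the 12-byte TACACS+ header and bounds it before allocating, and a demo that reproduces the multi-segment arrival with a forked writer on a socketpair. The function names, the 64 KiB body cap and the 9408-byte constructed body are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <poll.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define TAC_PLUS_HDR_SIZE 12           /* version, type, seq_no, flags, session_id(4), length(4) */
#define TAC_PLUS_MAX_BODY (64 * 1024)  /* assumption: sane upper bound for a reply body */

/* Read exactly len bytes, looping over short reads. Returns the number of bytes
 * read (== len on success, fewer only if the peer closed early) or -1 on error
 * or if no data arrives within timeout_ms for a single attempt. */
static ssize_t read_full(int fd, unsigned char *buf, size_t len, int timeout_ms)
{
    size_t got = 0;
    while (got < len) {
        struct pollfd pfd = { .fd = fd, .events = POLLIN };
        int rc = poll(&pfd, 1, timeout_ms);
        if (rc < 0) { if (errno == EINTR) continue; return -1; }
        if (rc == 0) { errno = ETIMEDOUT; return -1; }
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0) { if (errno == EINTR || errno == EAGAIN) continue; return -1; }
        if (n == 0) break;              /* peer closed: caller sees a short count */
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Extract the body length from the header; -1 if it exceeds the cap. */
static long tac_body_length(const unsigned char hdr[TAC_PLUS_HDR_SIZE])
{
    uint32_t len;
    memcpy(&len, hdr + 8, sizeof len);
    len = ntohl(len);
    if (len > TAC_PLUS_MAX_BODY) return -1;
    return (long)len;
}

/* Read one packet: header first, then exactly the advertised body. A short body
 * is an error here rather than something handed on to the reply parser. */
static long tac_read_packet(int fd, unsigned char **body_out, int timeout_ms)
{
    unsigned char hdr[TAC_PLUS_HDR_SIZE];
    if (read_full(fd, hdr, sizeof hdr, timeout_ms) != (ssize_t)sizeof hdr) return -1;
    long len = tac_body_length(hdr);
    if (len < 0) return -1;
    unsigned char *body = malloc(len > 0 ? (size_t)len : 1);
    if (!body) return -1;
    if (read_full(fd, body, (size_t)len, timeout_ms) != (ssize_t)len) { free(body); return -1; }
    *body_out = body;
    return len;
}

/* Demo with constructed data: a child writes a 9408-byte body in 1000-byte
 * chunks with pauses, so the parent sees it arrive in several pieces.
 * Returns the body length read and verified, or -1. */
long demo_fragmented_reply(void)
{
    int sv[2];
    const uint32_t body_len = 9408;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(sv[0]);
        /* version 0xc0, type 2 (AUTHOR), seq 2, flags 0, session_id 1, length filled below */
        unsigned char hdr[TAC_PLUS_HDR_SIZE] = { 0xc0, 0x02, 0x02, 0x00, 0, 0, 0, 1, 0, 0, 0, 0 };
        uint32_t nl = htonl(body_len);
        memcpy(hdr + 8, &nl, sizeof nl);
        if (write(sv[1], hdr, sizeof hdr) < 0) _exit(1);
        unsigned char chunk[1000];
        memset(chunk, 'A', sizeof chunk);
        for (uint32_t sent = 0; sent < body_len; ) {
            size_t n = body_len - sent < sizeof chunk ? body_len - sent : sizeof chunk;
            if (write(sv[1], chunk, n) < 0) _exit(1);
            sent += (uint32_t)n;
            usleep(20000);
        }
        close(sv[1]);
        _exit(0);
    }
    close(sv[1]);
    unsigned char *body = NULL;
    long got = tac_read_packet(sv[0], &body, 2000);
    if (got == (long)body_len)
        for (long i = 0; i < got; i++) if (body[i] != 'A') { got = -1; break; }
    free(body);
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return got;
}
```

The cap in `tac_body_length()` is the check the loop needs alongside it: once the client trusts the header's length field to size its read, an unbounded value turns into an unbounded allocation, so reject anything larger than the protocol could legitimately carry before calling `malloc()`.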
I've created a docker-compose environment which can be found here to reproduce the bug.
Essentially what is required is to create a user in your /etc/tacacs+/tac_plus.conf that returns a large number of attributes in the Authorization-Reply packet, e.g.
# This type of user generates a large Authorization-Reply packet
user = bigpuser {
service = ppp protocol = ip {
arg0 = "A lot of words to beef up the size of the packet that contains this which i can only have 255 of these and 255 chars in each of them"
arg1 = "A lot of words to beef up the size of the packet that contains this which i can only have 255 of these and 255 chars in each of them"
...
arg238 = "A lot of words to beef up the size of the packet that contains this which i can only have 255 of these and 255 chars in each of them"
arg239 = "A lot of words to beef up the size of the packet that contains this which i can only have 255 of these and 255 chars in each of them"
}
global = cleartext "default"
}
Now, when logging in as this user with pamtester -v -I rhost=tac_plus test bigpuser authenticate acct_mgmt <<< default, I see this in the syslog:
The user is denied access, whereas what should happen is that the user is granted access.