xtacacsd RELEASE NOTES
These are the new changes made in each release of
xtacacsd v4.1.2 March 1998
- xtacacsd.c - now does not exit on recvfrom() error (was
returning a CONN_REFUSED when an ICMP unreachable was sent).
- taclast.c - now ignore's case for usernames
- Changed -DDCE to -DOSFDCE since DCE was being
defined by some other include file
- Fixed bug in tacping.pl (sockaddr)
- Added debug messages while working with host MASKS in perm.c
- xtacacsd.c - checking pw->pw_expire field in BSDI/FreeBSD
- perm.c calls authent_files() only if pwfile non-null
- perm.c convert secs to days in check_expiration()
xtacacsd v4.1.1 June 1997
- Fixed bug in uwtmp.c if was compiled without XTACUTMP,
setlogout() was setting logout flag on logins.
- Fixed defines for AIX (needed _AIX).
xtacacsd v4.1 January 1997
- Fixed the sys_errlist multiple define problem in Getpw.c &
- Tried to add heuristics in Getpw.c in case reached end of line in
SysV (try to shift some fields around assuming password file did
not have age, etc.)
- If SHADOW_PW, now also considers the shadow password file
- Stopped forcing the tp->pwlen to PASSWD_LENGTH (was causing
CHAP authentication to fail after Cisco increased the CHAP length
to 16 bytes in v11.1)
- Added support for HOST xxx MASK xxx (assuming HOST is an IP
- Bug in strtodate() which returned 0 in case the password file had
Jan 1, 1970 (which was then okayed by check_expiration()
- Better authtoken_stub() parsing of popen() return values in
- perm.c authent_system() Now checks if user not in shadow password
file (sps->passwd if sps was NULL was dumping core)
- Added SHELL definition in the Makefile since SGI 5.3 was doing
its own thing.
- tacupd.c bug where was using wtmpfd instead of fd. Replaced scanf
with gets + sscanf().
- cur_login_count() changed so it does not count the current login
(thus if a person invokes ppp and a tty_logout is not recieved,
atleast permission is not denied).
- Now creates ASCII wtmp files (with extension .ascii).
- taclast & tacupd modified to handle ASCII wtmp and print out
- xslipon() puts the GID in the STAT line if available.
- In uwtmp_entry(), if the line number is 65535 (e.g. in ISDN
lines) then it compares the username before overwriting the utmp
- Added xpasswd to the
distribution (for changing passwords in alternate password files).
- Added tacping.pl to the
distribution (from Univ of Minnesota)
- Now putting GID or LOGOUT reason in the comment field of WTMP
file for easier accounting.
- taclast fixed for bugs where it was giving inaccurate for first
time users on a particular tty. Added -d option in taclast
for debug output.
- More stringent password parsing in perm.c authent_system() to
avoid problems with OS specific shadow password
getspnam(). Unixware's getspent() was NOT returning a NULL for an
- Put the arguments of popen() within quotes so that the shell does
not misbehave when it sees ';' etc. in the arguments (perm.c)
- Added support for OSF DCE authentication
- Added the QUIETNOUSER keyword (equivalent to the -Q command line
- Converted to HTML documentation
xtacacsd v4.0 April 1996
- SYSV defines in tacupd.c
- Added PIDFILE (
- Fixed %l in tacwho output (on some systems).
- Check for string length in printf() format statement in
- Can now put line ranges in config file (email@example.com)
- Fixed parsing of shell and homedir in Getpw.c (firstname.lastname@example.org)
- perm.c does not overwrite EXPIRING reason with NONE.
- New -Q option- do not respond if user does not exist. Reply
negative if user exists and password failed.
- New ENABLE_LEVELS for setting enable levels for users in the
config file (used in cisco v10.3 and higher). -email@example.com
- Support for QI/CSO names database with timeout reads.
- xtacacsd: Graceful exit on getting SIGHUP
- taclast enhanced. Checks username and tags all possible
- tacupd enhanced. Support for dumping wtmp into ascii and
- New tacutmp.h file for adding comments in the utmp/wtmp
- Autodetect of BSDI in Makefile
- Added support for OSF1 SIA (DEC Enhanced Security)
- Getpw now uses and can generate DBM files for large
- Changed (enhanced structure of the wtmp/utmp with
comments). Logout entries now have ‘?’ as the first character
instead of a NULL.
- Now does not reply if there is any error in the authentication
- Clean rollover of wtmp files in tacupd.
xtacacsd v3.5 Nov 1995
- Fixed lseek() bug for utmp files on BSDI machines.
- Added tacupd program for manpulating the wtmp and utmp
xtacacsd v3.4 June 1995
- Fixed a large number of reported bugs in the code
- Support for secondary user groups.
- New utmp structure. Not using the /usr/include/utmp.h
file anymore. Yes, that means that your old utmp/wtmp files might
not be readable (if it is a non-BSD architecture).
CHANGE THE WTMP/UTMP FILE LOCATIONS TO SOMETHING TEMPORARY
SO THAT YOU DO NOT WRITE IN YOUR EXISTING USER RECORDS WITH THE
NEW utmp STRUCT.
- Byte ordering problems fixed for DEC alpha, BSDI machines.
- New taclast program for
parsing utmp & wtmp files.
taclast -w -f UTMPFILE
taclast -f WTMPFILE
- New old config keyword for old request types (in
addition to login, connect, slipon, etc.).
Only the permit action is permitted for the old request types.
- Was missing a p in getopt(). Hence was not executing the
system password routines even when specified. Affected YP/NIS
password processing. (Craig.Strickland@corp.wrgrace.com
- gethostbyaddr() returns static() and was not saving the value
before another call in xslipon, xconnect, xslipoff.
- Fixed processing of lineno code in check_perm().
- Fixed numlogins processing (earlier denied slip request if
the numlogins was set to 1 and user tried to invoke
- Now checks for a user's supplementary groups also (and not
just the primary group). (firstname.lastname@example.org
- Changed ‘define SYSV’ etc. to more generic defines.
- Invalid namelen and pwlen values in CHAP reponses.
- New keywords in the config file:
xtacacsd v3.3 December 15, 1994
- Added CHAP and ARAP support (email@example.com).
Note that this xtacacsd software is different from the Cisco
version in that it uses the password file syntax for storing the
secrets instead of a separate secrets file.
- Fixed bug in creation of utmp file.
- Now creates individual host wtmp.host files if specified
in command line options. Needed for the system's last to
process things properly.
- Fixed bug in xslipon- was working on the tacacs packet directly
instead of copying the username + password over.
- Wrote Getpw.c routines and added a PASSWORD DEFAULT flag
for searching names using the getpwnam() call.
If you are using NIS/YellowPages or Shadow passwords, specify this
option in the config file.
Searching using this system call will NOT be in case insensitive
manner (you can always list the file directly for searching using
the Getpw routines). Also, NIS style entries in alternate password
files will not work (since alternate password files are parsed
using the simple Getpw routines).
Essentially, I got sick of getpwent and setpwent not working on
xtacacsd v3.2 October 28, 1994
- Fixed a small bug in the Getpwnam() routine.
xtacacsd v3.1 October 1994
- Added support for permitting or denying SLIP access for
slip default requests also (modified xslipon procedure).
- Support for SLIP ACL in/out lists (merged changes from Cisco's
new release). Have NOT incorporated the CHAP and the ARAP
authentication types yet (short on time :-)
GROUP 10 HOST all slip acl 10-15 (10 in, 15 out)
- Support for Solaris shadow password files (define SHADOW_PW
- More command line options moved into the config file. Also
support for specifying LINE numbers as part of the config lines (in
addition to the HOST keyword). (from
USER unrzh5 HOST 22.214.171.124 LINE 4,5,6 all acl 100
- Patch to the SDI (Security Dynamics) sdcheck.c program that
filters duplicate tries from the terminal
- New tacstats.pl perl script for parsing the STAT lines in
the syslog (firstname.lastname@example.org)
xtacacsd v3.0 Aug 29, 1994
- Supports Enigma Logic, Security Dynamics SDI
cards (and any other password authentication program).
- Ported to Solaris 2.x
- IF USING gcc on Solaris 2.x, MAKE SURE THAT YOU HAVE RUN fix
includes THAT COMES WITH gcc (else it cannot handle variable
length argument lists and might have syslog() discrepancies from
- Case insensitive username matches (better than converting all
- External program verification after password checks for finer
control over the user’s host, line, etc.
- Colon formatted logging at the syslog NOTICE level.
STAT:Service:Username:UID:GID @ From-host:line
- Bug fixes in utmp and wtmp creations (strlen replaced by
xtacacsd v2.0 May 1994
- Support for config file.
- Customizable responses based on username, group-id and geco
- Inactvity timer when running under inetd (server hangs around
after servicing requests for faster responses).
- Updates and maintains a ‘utmp’ file also.
- Can execute any Unix program in response to a query (for
initiating dialback, etc.).
Copyright © 1994-1997