tac_plus do_chpass vendors compatibility

[OlexanderH]

Hi,

In the tac_plus package, I noticed that when changing the password, when prompted for "New password: " in the TAC_PLUS_AUTHEN_STATUS_GETPASS mode, Juniper provides the very first password entered by the user, it does not ask the user for "New password: " and "Retype new password: " at all.

When I change the mode to TAC_PLUS_AUTHEN_STATUS_GETDATA, the dialog runs normally.

tac_plus/authen.c

static void do_chpass(tac_session * session)
...
  if (!session->password_new) {
    send_authen_reply(session, TAC_PLUS_AUTHEN_STATUS_GETPASS, "New password: ", 0, NULL, 0, TAC_PLUS_REPLY_FLAG_NOECHO);
    return;
  }
...
  if (!session->authen_data->msg) {
    send_authen_reply(session, TAC_PLUS_AUTHEN_STATUS_GETPASS, "Retype new password: ", 0, NULL, 0, TAC_PLUS_REPLY_FLAG_NOECHO);
    return;
  }

found that in the tac_plus-ng package this situation is fixed by checking session->chpass ? TAC_PLUS_AUTHEN_STATUS_GETPASS : TAC_PLUS_AUTHEN_STATUS_GETDATA
tac_plus-ng/authen.c

static void do_chpass(tac_session *session)
...
  if (!session->password_new) {
    send_authen_reply(session, session->chpass ? TAC_PLUS_AUTHEN_STATUS_GETPASS : TAC_PLUS_AUTHEN_STATUS_GETDATA,
                      eval_log_format(session, session->ctx, NULL, li_password_new, io_now.tv_sec, NULL), 0, NULL, 0, TAC_PLUS_REPLY_FLAG_NOECHO);
    str_set(&session->user_msg, NULL, 0);
    return;
  }
...
  if (!session->authen_data->msg) {
    send_authen_reply(session, session->chpass ? TAC_PLUS_AUTHEN_STATUS_GETPASS : TAC_PLUS_AUTHEN_STATUS_GETDATA,
                      eval_log_format(session, session->ctx, NULL, li_password_again, io_now.tv_sec, NULL), 0, NULL, 0, TAC_PLUS_REPLY_FLAG_NOECHO);
    return;
  }

so in tac_plus I fixed it this way and it worked

static void do_chpass(tac_session * session)
...
  if (!session->password_new) {
    send_authen_reply(session, session->ctx->aaa_realm->chpass ? TAC_PLUS_AUTHEN_STATUS_GETPASS : TAC_PLUS_AUTHEN_STATUS_GETDATA, "New password: ", 0, NULL, 0, TAC_PLUS_REPLY_FLAG_NOECHO);
    return;
  }
...
  if (!session->authen_data->msg) {
    send_authen_reply(session, session->ctx->aaa_realm->chpass ? TAC_PLUS_AUTHEN_STATUS_GETPASS : TAC_PLUS_AUTHEN_STATUS_GETDATA, "Retype new password: ", 0, NULL, 0, TAC_PLUS_REPLY_FLAG_NOECHO);
    return;
  }

but I couldn't understand what session->ctx->aaa_realm->chpass should contain, logically it should be "true" when do_chpass, but then TAC_PLUS_AUTHEN_STATUS_GETPASS would executed, maybe it's better to leave only TAC_PLUS_AUTHEN_STATUS_GETDATA in do_chpass for compatibility reason?

Tested on Cisco, Huawei routers - works in both versions (GETDATA and GETPASS), Juniper only with GETDATA.

[MarcJHuber]

Hi Olexander,

I usually don't backport from tac_plus-ng to tac_plus, however this one looks trivial. Adding a "chpass" member to the session struct and changing the two send_authen_reply calls to what -ng does seems sufficient. session->ctx->aaa_realm->chpass isn't suitable for this check, that one just allows/denies chpass on a per-realm basis. The dedicated session->chpass from -ng sets GETPASS/GETDATA based on context (ASCII login vs. CHPASS).

I'll push a patch.

Thanks,

Marc