Contributed by jose on from the centralized-authentication dept.
" I come from a pretty decent networking background, including a lot of Cisco work. Given that, and the usefulness I've found from OpenBSD at home (apache, bind, pf, etc...), I've been looking for ways to integrate at least one OpenBSD box in my latest job. What I've come up with is sort of a catch all for miscellaneous services I'd like on my network, including: I.T. web server, ntp server, tftp, and last but not least, a tacacs+ server. For those of you who are unfamiliar with tacacs+, it is a centralized authentication database for Cisco products - routers, switches, etc. I was already thinking I wanted an OpenBSD box somewhere on my network, before I even realized there was a tacacs+ port (~/ports/net/tacacs+). My network only has about 15 routers currently, each previously running its own local authentication database. I hate this, btw. Anytime you can have a centralized authentication scheme set up, I say go for it. "

Steve's sent us an entire document, keep reading!
" First, let me start by saying I began with a routine installation of OpenBSD 3.2, via ftp - I chose to install everything, including X, well, just because I felt like it. After this, I of course applied all of the latest patches, and recompiled the kernel. Onto the good stuff... I installed tacacs+ from the ports tree. You can also download tacacs+ from Cisco's ftp site, but installing is much easier from the ports tree.
    cd ~/ports/net/tacacs+
    make install

I know there are other ways to install ports, this is just the method I most often choose. This installs the tac_plus daemon under /usr/local/sbin/tac_plus. It is up to you where you want the configuration file to go.

    mkdir /usr/local/tac
    cd /usr/local/tac
    vi tac.conf

Choose whatever location/filename you're comfortable with. The guide is installed in /usr/local/share/doc/tacacs+/users_guide. This is a really good, and extensive guide, which covers both the router side configuration, as well as the tacacs+ configuration file. I chose to print it out, which came out to just over 40 pages. There is also a man page for tac_plus - 'man tac_plus'. Before you go on, note that you should have a working tacacs+ daemon running BEFORE you configure anything on the router. I kept the tacacs config file very simple, as right now, only one person needs access to the routers - me.
    #/usr/local/tac/tac.conf
    user = myname {
        global = cleartext password_here
    }
    user = $enab15$ {
        login = cleartext enable_passwd_here
    }

This was the extent of my config file. Like I said, mine is pretty simple, since it is just me who needs access to the router. There are many more options, with great examples in the users_guide. It also provides for more functionality than what is shown here. You can also give persons access to only certain commands. Anyone needing this kind of functionality, it's here. You can also authenticate off of the /etc/passwd file. Before you start/test the tacacs daemon, add this to your /etc/services file:

    tacacs 49/tcp

What follows is the configuration on the routers needed to support tacacs+ authorization.
    enable secret local_enable_password
    aaa new-model
    tacacs-server host XX.XX.XX.XX
    aaa authentication login default tacacs+
    ! the next line replaces the 'login default' method list above, keeping the
    ! enable password as the fallback method only if no tacacs+ server answers
    aaa authentication login default tacacs+ enable
    aaa authentication enable default tacacs+

To start the tacacs+ daemon, simply run:

    /usr/local/sbin/tac_plus -C /usr/local/tac/tac.conf

Again, there are plenty more options available if you need them. After doing this, I set up a tftp server on my OpenBSD box also, as most people know who have worked with Cisco products, they love to use tftp servers. Uncomment the following line in /etc/inetd.conf -
    #tftp dgram udp wait root /usr/libexec/tftpd tftpd -s -c /tftpboot

Then send a SIGHUP to inetd. I used the '-c' option because it allows files to be copied via tftp, if they aren't already created. Why this isn't the default, I don't know. Make sure the directory '/tftpboot' or whatever you choose has the proper permissions. For laziness' sake, I do a chmod 777 /tftpboot. I use my tftp server to keep stored copies of the router configs in case I need them, as well as IOSes for each router model on my network. Btw, here's the Cisco license on tacacs+:
Copyright (c) 1995-2000 by Cisco systems, Inc.

Permission to use, copy, modify, and distribute modified and unmodified copies of this software for any purpose and without fee is hereby granted, provided that (a) this copyright and permission notice appear on all copies of the software and supporting documentation, (b) the name of Cisco Systems, Inc. not be used in advertising or publicity pertaining to distribution of the program without specific prior permission, and (c) notice be given in supporting documentation that use, modification, copying and distribution is by permission of Cisco Systems, Inc.
Cisco Systems, Inc. makes no representations about the suitability of this software for any purpose. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

I know this article will probably raise more questions than it answered, but hopefully it gets some of you started in the right direction. For tac_plus questions, refer to the users_guide. For Cisco config questions, refer to the proper IOS help pages.
- Steve"
By Anonymous Coward () on
> products, they love to use tftp servers
No kidding. Not only do they love tftp, they also love telnet.
Cisco doesn't exactly have a legacy of security going for them and their products.
After far too much experience with Cisco products, I'd much rather use OpenBSD on something like a blade server. Security, performance, flexibility, easy administration, etc.
By miro () on
Does an OBSD blade server have better performance than a Cisco?
By Anonymous Coward () on
By Anonymous Coward () on
I'm sure the OBSD box is more flexible than a Cisco device, but we're talking performance here.
By Anonymous Coward () on
By RC () on
OpenBSD does have IPX support, as well as AppleTalk support, you just need to compile a new kernel with them uncommented. OpenBSD doesn't include the IPX RIP software, but FreeBSD does, so that would be a possibility as well.
So tell me again what OpenBSD is seriously lacking.
By Anonymous Coward () on
- 24 hour top-notch software and hardware support, even 24x7x2-hour hardware replacement if you can afford it
- Modular, hot-swap components, including network interfaces, power supplies and even processor modules
- Layer 3 switching (yes, in hardware)
- Extremely simple-to-configure failover systems for firewalls
- Integrated routing and bridging that works correctly
- DECNet and Vines. Yes, people still use them. I'm sure. Somewhere.
- Frame Relay
- DLSW/DLSW+
- iSCSI
- IPX/DECNet/Vines/etc packet filtering
Oh, and you can have two different LAN interfaces in the same subnet. Try that with an OpenBSD box sometime.
I'm all for OpenBSD, it's great, but fer cryin' out loud, choose the right tool for the job!
By RC () on
> Modular, hot-swap components, including network
> interfaces, power supplies and even processor modules
Yeah, I'm sure computers can't do hot-swapping.
> Layer 3 switching (yes, in hardware)
Like it or not, even the highest-end router does a good deal of switching in software. If it didn't, you wouldn't be able to set an IP address or routing/ACL rules, it would be hard-coded. The only way to determine the performance difference would be to test them both.
> Frame Relay
Well, from a quick google, it appears that FreeBSD supports Frame Relay
> - DLSW/DLSW+
> - iSCSI
> - IPX/DECNet/Vines/etc packet filtering
I see... Just because a Cisco router can do a good job with traffic that 99% of routers won't ever see, everyone should use Cisco routers for everything. Gee, here's a thought... On the rare occasion that someone needs to work with that traffic... THEN they could use a Cisco router.
> Oh, and you can have two different LAN
> interfaces in the same subnet. Try that with an
> OpenBSD box sometime.
I'd be willing to bet that I could do that.
> but fer cryin' out loud, choose the right tool for the job!
Sounds to me that you've mentally locked yourself into Cisco. Likely because you read something that told you they were better, and you haven't questioned it. No doubt it was Cisco's own material.
When you have a job where you need to drill billions of holes, and occasionally need to hammer a nail, do you buy the incredibly expensive drill that doubles as a hammer, and is harder to repair/upgrade, or do you just get the better, cheaper drill, and occasionally pick up a hammer when you need it?
It's not that I like OpenBSD too much, and it's not that I hate Cisco hardware... What I hate is having a crippled, bundled piece of software that I can't extend any way I choose to. Before Cisco embraced SSH, there was no way for you to get SSH onto a Cisco router. Meanwhile, if your operating system was some normal Unix system, you could put anything on there that you want. That is invaluable, ESPECIALLY from a security standpoint.
Say you don't like Cisco's ACL software, you don't have any choice. Say you don't like their SSH implementation, you don't have a choice. Now, on OpenBSD, you would have all the choice in the world.
By Lars Hansson () lars@unet.net.ph on mailto:lars@unet.net.ph
Exactly. The keywords are "can afford it". i'll bet you can get that kind of support from MS too if you cough up enough money.
This is usually not justifiable though.
> - Modular, hot-swap components, including network
> interfaces, power supplies and even processor
> modules
That must be the reason the Cisco techs here always bring our routers down when they do something. Ahum. Then again, maybe they're just clueless.
> - DECNet and Vines. Yes, people still use them.
> I'm sure. Somewhere.
Yeah, and some people still use Betamax.
>- Frame Relay
Sure, the few times you need.
>- DLSW/DLSW+
>- iSCSI
>- IPX/DECNet/Vines/etc packet filtering
Since 95% of the routers never see or have anything to do with this kind of traffic I don't think this is a very compelling reason for Cisco.
> I'm all for OpenBSD, it's great, but fer cryin'
> out loud, choose the right tool for the job!
Yeah, and that means to sometimes go with Cisco but many times something else. Ask Henning what he thinks about Cisco's performance.
By RC () on
As for pure network throughput, I'll go out on a limb and say that I believe the price/performance would certainly be better.
Network throughput depends a great deal on network card being used. It's quite possible that a blade server, with a very fast bus, and with hi-quality NICs COULD out-perform Cisco routers.
Despite the other comments I read here, a Cisco router is really no more hardware-based than a blade server with OpenBSD would be. Hardware can be made to do most of the processing, but the software still has to do the processing of the ACLs (pf rules), routing decisions, etc.
By Anonymous Coward () on
There are ASICs for ACLs, QoS etc.
Come to think of it, even routing decisions can be said to be done in hardware with CEF.
The CPU doesn't have much work to do in a Cisco box.
By Srebrenko Sehic () haver@insecure.dk on http://www.insecure.dk
By Anonymous Coward () on
By Anonymous Coward () on
Yes, Cisco does love tftp and telnet but newer versions of Cisco IOS support ssh/scp. If I recall correctly, there was a bug in their implementation of ssh though but it may have been fixed in later releases.
OpenBSD on a Dell 1655MC blade would be cool. Anyone else have experience with OBSD on any blades?
By Anonymous Coward () on
Looking through the specs at Dell's site and the supported hardware at openbsd.org, the PERC 4/im isn't supported, and the scsi 320 probably isn't (but I haven't found indication of what chipset is used). The gig-e may be supported by bge(4). So, you probably won't have any disk and the networking is unsure. Maybe you can diskless(8) boot these systems into OpenBSD.
By Anonymous Coward () on
> If I recall correctly, there was a bug in their implementation of ssh though but may have been fixed in later releases.
It's a royal pain. It might be fixed in newer IOS that happens to break some functionality other places... the end result is something like pasting 5 lines of config into a cisco via ssh connection tends to end the connection with an error. Makes updating access-lists more exciting!
By Anonymous Coward () on
By Anonymous Coward () on
But if someone chooses not to buy the CDs or anything else I wouldn't consider them evil, because anyone using OpenBSD supports more use of the OS. Maybe we can call them, neutral :)
By RC () on
So, fuck off.
By Anonymous Coward () on
By Anonymous Coward () on
I never bought it - why should I when it's free and may I burn in hell for eternity.
By RC () on
By chuckx () chuckx - at - cold-sun.com on http://www.cold-sun.com
To enable this functionality, add the following line to the TACACS+ configuration file:
key = "sufficientlylongandrandomkey"
Then add the following configuration line to each of the routers:
tacacs-server key sufficientlylongandrandomkey
If you don't enable this, the username and password will be sent in the clear. Unfortunately, the username and password is already being sent in the clear via the telnet session, but every layer of security helps.
--
chuckx
By chuckx () chuckx - at - cold-sun.com on http://www.cold-sun.com
a DES encrypted copy of the password in the configuration file instead of a cleartext copy. A small program to encrypt the password is included in the TACACS+ source tree. The program is compiled by the port, but is not installed into usr/local/bin by default. Just copy the generate_passwd binary from the source tree to usr/local/bin.

Once you have access to the program use its output to create lines like the following in the configuration file:

    login = des encryptedPassword
--
chuckx
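An added example, not code from the article or from either commenter: a small Python check that parses a tac.conf in the format used in the article and the comments above and reports passwords kept as 'cleartext' and a missing (or short) shared 'key'. The sample configuration is constructed from the snippets on this page; nested blocks such as 'service = exec { ... }' are skipped by the parser.

```python
# Constructed sample modelled on the article's and commenters' snippets;
# the key and passwords are placeholders, not real credentials.
SAMPLE_CONF = """
# /usr/local/tac/tac.conf
key = "sufficientlylongandrandomkey"
user = myname {
    global = cleartext password_here
}
user = $enab15$ {
    login = cleartext enable_passwd_here
}
"""

def parse_conf(text):
    """Return (shared key or None, {'user:name' / 'group:name': [(attr, value), ...]})."""
    key, blocks, current, depth = None, {}, None, 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith('{'):               # block opener, e.g. 'user = x {'
            kind, _, name = line[:-1].partition('=')
            if depth == 0 and kind.strip() in ('user', 'group'):
                current = f"{kind.strip()}:{name.strip()}"
                blocks[current] = []
            depth += 1                       # nested blocks only bump depth
        elif line == '}':                    # block closer
            depth -= 1
            current = None if depth == 0 else current
        elif '=' in line:
            attr, _, value = (s.strip() for s in line.partition('='))
            if depth == 0 and attr == 'key':
                key = value.strip('"')
            elif depth == 1 and current is not None:
                blocks[current].append((attr, value))
    return key, blocks

def findings(text):
    # Warnings: no or short shared key, and any password kept as cleartext.
    key, blocks = parse_conf(text)
    out = []
    if key is None:
        out.append("no shared key: bodies will cross the wire unobfuscated")
    elif len(key) < 16:
        out.append(f"shared key is only {len(key)} characters long")
    for name, attrs in blocks.items():
        for attr, value in attrs:
            if attr in ('login', 'global', 'enable') and value.startswith('cleartext '):
                out.append(f"{name}: '{attr}' password is stored in cleartext")
    return out
```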
By Skinny Puppy () on
    user = skin_pup {
        login = des *LK*
        member = privs
    }
    group = privs {
        enable 15
        service = exec {
            priv-lvl = 1
        }
    }
This allows the user to login and then use his own password when changing to enable.
I have searched the internet far and wide for this tac server with this option, but never have I found one. All I have is the binary, it is version F4.0.2alpha. The current version F4.0.4 does not have the same features.
By jcs () on
By Skinny Puppy () on
Ohh did I say thank you. Well maybe once more for good luck :)
By jcs@openbsd.org () on
By Steve Rue () on
By jose () on http://monkey.org/~jose/
By Zeeshan Ahmed () zeeshan@worldcall.net.pk on mailto:zeeshan@worldcall.net.pk
Regards
Zeeshan Ahmed
reply to: zeeshan@worldcall.net.pk