Repository files:
- README
- tacacs+-F4.0.4.15.patch
- tacacs+-F4.0.4.19.patch

README
Recently we have had the need for tac_plus to temporarily disable user accounts based on the number of authentication failures the user has had in a defined window of time. Attached is a patch against F4.0.4.15 with the previously submitted acct+syslog patch (if this is a problem please inform me and I will patch against the base F4.0.4.15 tree).

The following global configuration parameter has been added:

    auth-fail-lock $int1 $int2 $int3

Where $int1 is the number of authentication failures,
      $int2 is the window (in seconds) in which to watch for auth fails, and
      $int3 is the number of seconds to disable the user.

An example would be:

    # Watch for 10 authentication failures within 60 seconds, if triggered
    # disable user for 120 seconds.
    auth-fail-lock 10 60 120

The tac_plus daemon will log when a trigger is hit, and when the account has been re-enabled:

    Jun 23 14:51:36 192.168.0.1 tac_plus[27731]: User mark has been disabled for 120 seconds
    Jun 23 14:53:46 192.168.0.1 tac_plus[28244]: Re-enabling account: mark

Unfortunately, since tac_plus is a forked architecture, I had to achieve persistence of data via IPC. I understand that some may be wary of this mechanism, so they can turn the feature off at compile time by passing the --disable-afl flag to configure.
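To show how the three auth-fail-lock values interact (failures counted only inside the sliding window, lock released once the disable period has passed), here is an added example in C; it is not the patch's own code, the struct and function names are assumptions, and the patch's IPC-based persistence across forked children is not modelled (a single in-memory record is used instead).

```c
#include <stdbool.h>
#include <string.h>
#include <time.h>

/* Constructed example, not the tac_plus patch's own data structures. */
#define AFL_MAX_FAILS 64

typedef struct {
    char   user[32];
    time_t fails[AFL_MAX_FAILS];  /* timestamps of recent auth failures */
    int    nfails;
    time_t locked_until;          /* 0 = not locked */
} afl_user_t;

/* auth-fail-lock $int1 $int2 $int3 */
typedef struct { int max_fails; int window; int lock_secs; } afl_cfg_t;

/* Forget failures that fell out of the $int2-second window. */
static void afl_expire(afl_user_t *u, time_t now, int window) {
    int keep = 0;
    for (int i = 0; i < u->nfails; i++)
        if (now - u->fails[i] < window) u->fails[keep++] = u->fails[i];
    u->nfails = keep;
}

/* True while the account is disabled; clears the lock once $int3 seconds
 * have elapsed (this is where the "Re-enabling account" log line belongs). */
bool afl_is_locked(afl_user_t *u, time_t now) {
    if (u->locked_until == 0) return false;
    if (now >= u->locked_until) { u->locked_until = 0; u->nfails = 0; return false; }
    return true;
}

/* Record one failed authentication; returns true if this failure reached
 * $int1 failures within the window and therefore triggered the lock. */
bool afl_record_failure(afl_user_t *u, const afl_cfg_t *cfg, time_t now) {
    afl_expire(u, now, cfg->window);
    if (u->nfails < AFL_MAX_FAILS) u->fails[u->nfails++] = now;
    if (u->nfails >= cfg->max_fails) {
        u->locked_until = now + cfg->lock_secs;
        return true;
    }
    return false;
}
```

With the README's "auth-fail-lock 10 60 120" the tenth failure inside 60 seconds locks the user, and the lock clears 120 seconds later; failures older than the window no longer count toward the threshold.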