Change password dialog Issue


Thanh Pham

Feb 3, 2026, 12:12:05 AM (11 days ago) Feb 3
to Event-Driven Servers

Hi, I have an issue with tac_plus-ng using chpass and mavis_tacplus_shadow.pl.

I can change the password for the first time, but I cannot change it again after that. Am I missing any configuration, or is this expected behavior? 

Thanks for your help and have a good day!


This is my config:

# Supervisor section: runs in the foreground, accepts TACACS+ connections on
# TCP/49 and hands them to a pool of worker instances.
id = spawnd {
        background = no
#       single process = yes
        listen { port = 49 }
        # Worker pool bounds; each instance serves client sessions.
        spawn {
                instances min = 1
                instances max = 32
        }
}

# TACACS+ daemon section: authentication is delegated to an external MAVIS
# backend that keeps crypt() password hashes in SHADOWFILE.
id = tac_plus-ng {
        mavis module = external {
                # NOTE(review): /tmp is shared and world-writable; a private path
                # readable only by the daemon user is preferable for a password
                # file — confirm how this is deployed outside the lab.
                setenv SHADOWFILE = /tmp/shadow
                # setenv MKPASSWD = /usr/bin/mkpasswd
                # setenv MKPASSWDMETHOD = sha-512
                exec = /opt/tacplus-ng/app/lib/mavis/mavis_tacplus_shadow.pl
        }
        # Logins go through MAVIS; "chpass" enables the password change dialog.
        login backend = mavis chpass
        # One log file per day for authorization, authentication and accounting.
        log authzlog {
                destination = /var/log/tac_plus/authz/%Y/%m/%d.log
                separator = ","
        }
        log authclog {
                destination = /var/log/tac_plus/authc/%Y/%m/%d.log
                separator = ","
        }
        log acctlog  {
                destination = /var/log/tac_plus/acct/%Y/%m/%d.log
                separator = ","
        }
        accounting log = acctlog
        authentication log = authclog
        authorization log = authzlog
        # Minimum-length rule for new passwords: the regex only requires six
        # leading characters, nothing about character classes.
        acl password-compliance {
                if (password =~ /^....../)
                permit
                deny
        }
        # NOTE: the ACL above is defined but not enforced while the next line
        # stays commented out.
#       password acl = password-compliance
#         acl test_acl {
#                 if (nac == 10.98.13.0/24) {
#                         deny
#                 }
# #               permit
#         }
        device juniper_devices {
                device junos1 {
                        address = 10.99.95.1/32
                }
                device junos30 {
                        address = 10.99.95.30/32
                }
                single-connection = no
#               password max-attempts = 1
                # Shared secret for these devices (the debug trace prints it as
                # "key used: demo"); use a strong per-site value outside the lab.
                key = demo
                welcome banner = "WELCOME TO JUNIPER DEVICE\n"
                motd banner = "YOU ARE IN MY EYES\n"
                # Sent on AUTHEN/FAIL, e.g. when the password change is rejected.
                reject banner = "YOU ARE BLOCKED\n"
                failed authentication banner = "FAIL AUTHENTICATION\n"
                # password max-attempts = 1
        }
        device cisco_devices {
                address = 10.99.95.11/32
                key = demo
                # Enable (priv 15) secret; "clear" suggests it is stored in
                # plaintext here — check whether a hashed form is supported.
                enable 15 = clear admin
                welcome banner = "WELCOME TO CISCO DEVICE\n"
                motd banner = "YOU ARE IN MY EYES\n"
                reject banner = "YOU ARE BLOCKED\n"
                failed authentication banner = "FAIL AUTHENTICATION\n"
        }
        # Authorization profile for admins: shell sessions start at priv-lvl 15
        # and every subsequent command is permitted (no command filtering).
        profile admin {
                script {
                        if (service == junos-exec) {
                                # set user-permissions = "interface network view"
                                # presumably maps the session to the local Junos
                                # template user "tac_admin" — verify on the device
                                set local-user-name = "tac_admin"
#                               set deny-commands = "^(show|configure)"
                                permit
                        }
                        if (service == shell) {
                                # empty cmd = session start (exec authorization)
                                if (cmd == "") {
                                        set priv-lvl = 15
                                        permit
                                }
                                # any other command
                                permit
                        }
                        deny
                }
        }
        # Same policy as "admin" without the junos-exec branch.
        profile cisco-admin {
                script {
                        if (service == shell) {
                                if (cmd == "") {
                                        set priv-lvl = 15
                                        permit
                                }
                                permit
                        }
                        deny
                }
        }
        # Static user; the login password is looked up via MAVIS (the shadow
        # file), not stored in this config.
        user thanhpt {
                password login = mavis
                profile = admin
        }
}

My action log:

root@Granary:/opt/tacplus-ng# ssh tha...@10.99.95.30
(tha...@10.99.95.30) WELCOME TO JUNIPER DEVICE
Password:
(tha...@10.99.95.30) Entering password change dialog

Old password:
(tha...@10.99.95.30) New password:
(tha...@10.99.95.30) Retype new password:
YOU ARE IN MY EYES
Password change was successful.

--- JUNOS 14.1R1.10 built 2014-06-07 09:37:07 UTC
thanhpt@authen> exit  

Connection to 10.99.95.30 closed.
root@Granary:/opt/tacplus-ng# ssh tha...@10.99.95.30
(tha...@10.99.95.30) WELCOME TO JUNIPER DEVICE
Password:
(tha...@10.99.95.30) Entering password change dialog

Old password:
(tha...@10.99.95.30) New password:
(tha...@10.99.95.30) Retype new password:
YOU ARE BLOCKED


tac_plus-ng log:

3276: 03:30:51.519 5/7c2ef730: 10.99.95.30 ---<start packet>---                                                                          
3276: 03:30:51.519 5/7c2ef730: 10.99.95.30 key used: demo                                                                                
3276: 03:30:51.519 5/7c2ef730: 10.99.95.30 version: 192, type: 1, seq no: 6, flags: unencrypted                                          
3276: 03:30:51.519 5/7c2ef730: 10.99.95.30 session id: 7c2ef730, data length: 20                                                        
3276: 03:30:51.519 5/7c2ef730: 10.99.95.30 packet body (len: 20):                                                                        
3276: 03:30:51.519 5/7c2ef730: 10.99.95.30 0000 03 01 00 0e 00 00 4e 65  77 20 70 61 73 73 77 6f  ......Ne w passwo                      
3276: 03:30:51.519 5/7c2ef730: 10.99.95.30 0010 72 64 3a 20                                       rd:                                    
3276: 03:30:51.519 5/7c2ef730: 10.99.95.30 AUTHEN, status=3 (AUTHEN/GETDATA) flags=0x1                                                  
3276: 03:30:51.519 5/7c2ef730: 10.99.95.30 msg_len=14, data_len=0                                                                        
3276: 03:30:51.519 5/7c2ef730: 10.99.95.30 msg (len: 14): New password:                                                                  
3276: 03:30:51.519 5/7c2ef730: 10.99.95.30 data (len: 0):                                                                                
3276: 03:30:51.519 5/7c2ef730: 10.99.95.30 ---<end packet>---                                                                            
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 ---<start packet>---                                                                          
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 key used: demo                                                                                
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 version: 192, type: 1, seq no: 7, flags: unencrypted                                          
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 session id: 7c2ef730, data length: 10                                                        
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 packet body [partially masked] (len: 5):                                                      
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 0000 00 05 00 00 00 2a 2a 2a  2a 2a                    .....*** **                            
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 AUTHEN/CONT user_msg_len=5, user_data_len=0                                                  
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 ---<end packet>---                                                                            
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 authen: hdr->seq_no: 7                                                                        
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 Writing AUTHEN/GETDATA size=39                                                                
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 ---<start packet>---                                                                          
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 key used: demo                                                                                
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 version: 192, type: 1, seq no: 8, flags: unencrypted                                          
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 session id: 7c2ef730, data length: 27                                                        
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 packet body (len: 27):                                                                        
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 0000 03 01 00 15 00 00 52 65  74 79 70 65 20 6e 65 77  ......Re type new                      
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 0010 20 70 61 73 73 77 6f 72  64 3a 20                  passwor d:                            
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 AUTHEN, status=3 (AUTHEN/GETDATA) flags=0x1                                                  
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 msg_len=21, data_len=0                                                                        
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 msg (len: 21): Retype new password:                                                          
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 data (len: 0):                                                                                
3276: 03:30:56.133 5/7c2ef730: 10.99.95.30 ---<end packet>---
3276: 03:30:57.687 5/7c2ef730: 10.99.95.30 ---<start packet>---
3276: 03:30:57.687 5/7c2ef730: 10.99.95.30 key used: demo
3276: 03:30:57.687 5/7c2ef730: 10.99.95.30 version: 192, type: 1, seq no: 9, flags: unencrypted
3276: 03:30:57.687 5/7c2ef730: 10.99.95.30 session id: 7c2ef730, data length: 10
3276: 03:30:57.687 5/7c2ef730: 10.99.95.30 packet body [partially masked] (len: 5):
3276: 03:30:57.687 5/7c2ef730: 10.99.95.30 0000 00 05 00 00 00 2a 2a 2a  2a 2a                    .....*** **
3276: 03:30:57.687 5/7c2ef730: 10.99.95.30 AUTHEN/CONT user_msg_len=5, user_data_len=0
3276: 03:30:57.687 5/7c2ef730: 10.99.95.30 ---<end packet>---
3276: 03:30:57.687 5/7c2ef730: 10.99.95.30 authen: hdr->seq_no: 9
3276: 03:30:57.687 5/7c2ef730: 10.99.95.30 looking for user thanhpt realm default
3276: 03:30:57.687 5/7c2ef730: 10.99.95.30 user lookup succeded
3276: 03:30:57.687 5/7c2ef730: 10.99.95.30 password change for 'thanhpt' from 10.98.13.98 failed
3276: 03:30:58.689 5/7c2ef730: 10.99.95.30 Writing AUTHEN/FAIL size=34
3276: 03:30:58.689 5/7c2ef730: 10.99.95.30 ---<start packet>---
3276: 03:30:58.689 5/7c2ef730: 10.99.95.30 key used: demo
3276: 03:30:58.689 5/7c2ef730: 10.99.95.30 version: 192, type: 1, seq no: 10, flags: unencrypted
3276: 03:30:58.689 5/7c2ef730: 10.99.95.30 session id: 7c2ef730, data length: 22
3276: 03:30:58.689 5/7c2ef730: 10.99.95.30 packet body (len: 22):
3276: 03:30:58.689 5/7c2ef730: 10.99.95.30 0000 02 00 00 10 00 00 59 4f  55 20 41 52 45 20 42 4c  ......YO U ARE BL
3276: 03:30:58.689 5/7c2ef730: 10.99.95.30 0010 4f 43 4b 45 44 0a                                 OCKED.
3276: 03:30:58.689 5/7c2ef730: 10.99.95.30 AUTHEN, status=2 (AUTHEN/FAIL) flags=0x0
3276: 03:30:58.689 5/7c2ef730: 10.99.95.30 msg_len=16, data_len=0
3276: 03:30:58.689 5/7c2ef730: 10.99.95.30 msg (len: 16): YOU ARE BLOCKED\n
3276: 03:30:58.689 5/7c2ef730: 10.99.95.30 data (len: 0):
3276: 03:30:58.689 5/7c2ef730: 10.99.95.30 ---<end packet>---
3276: 03:30:58.698 6/00000000: 10.99.95.30 connection request from 10.99.95.30 (realm: default)
3276: 03:30:58.698 6/b368102d: 10.99.95.30 New tacacs session

Marc Huber

Feb 3, 2026, 11:18:26 AM (11 days ago) Feb 3
to event-driv...@googlegroups.com

Hi,

guessing here ... mavis_tacplus_shadow.pl defaulted to DES encryption if neither mkpasswd nor Crypt::Passwd::XS was installed. 8ccebd7be885fd3219b0f87ac5cf83972284f17b (please git pull) fixes that, but I've no idea whether that cures the issue you're seeing. If it doesn't: please show the relevant /tmp/shadow entry before and after changing the password.

Cheers,

Marc


Thanh Pham

Feb 4, 2026, 4:59:34 AM (10 days ago) Feb 4
to Event-Driven Servers
Hi Marc,

I've pulled the commit and rebuilt the app, but it doesn't seem to fix the issue, and the encryption seems fine. One thing I noticed when testing: the password change works right after I restart the process, but it fails afterward.
Could this be related to caching?  

Before the successful password change:
root@Granary:/opt/tacplus-ng/event-driven-servers# cat /tmp/shadow
thanhpt:$1$/XH8WcIZ$shtMwKtkQeQW5CYK6VnQB/:20488:0:99999:7:::

After the successful password change:
root@Granary:/opt/tacplus-ng/event-driven-servers# cat /tmp/shadow
thanhpt:$1$dGvo/SKE$NPEKobWXHExz2oEbZw5eC/:20488:0:99999:7:::

Thanks, and have a good day,
Thanh

Vào lúc 23:18:26 UTC+7 ngày Thứ Ba, 3 tháng 2, 2026, Marc Huber đã viết:

Marc Huber

Feb 4, 2026, 11:38:11 AM (10 days ago) Feb 4
to event-driv...@googlegroups.com

Hi,

yes, you're right, it's a caching issue. The daemon shouldn't cache that password for static users at all.

I've just pushed a fix:

commit e7ff30e5dbb0e0e6995e5aaa91bec105b9854d62
Author: Marc Huber <Marc....@web.de>
Date:   Wed Feb 4 17:34:11 2026 +0100

    tac_plus-ng/mavis.c: don't remember MAVIS password for static users

diff --git a/tac_plus-ng/mavis.c b/tac_plus-ng/mavis.c
index 1c6ea79..f844d42 100644
--- a/tac_plus-ng/mavis.c
+++ b/tac_plus-ng/mavis.c
@@ -403,7 +403,7 @@ static void mavis_lookup_final(tac_session *session, av_ctx *avc)

        if (!strcmp(session->mavis_data->mavistype, AV_V_TACTYPE_AUTH) || !strcmp(session->mavis_data->mavistype, AV_V_TACTYPE_CHPW)) {
            session->mavisauth_res = S_permit;
-           if ((TRISTATE_YES != u->chalresp) && session->password && !u->passwd_oneshot) {
+           if (u->dynamic && (TRISTATE_YES != u->chalresp) && session->password && !u->passwd_oneshot) {
                char *pass = session->password_new ? session->password_new : session->password;
                char *crypt, salt[13];
                salt[0] = '$';
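Review bot: The new `u->dynamic` guard stops a fresh hash from being written for static users, but it does not clear a hash that was cached for the same user before this change or by another path; if one is already stored, it would presumably keep shadowing the MAVIS result until the daemon restarts, so a one-line invalidation of the cached field on the CHPW branch may be worth adding — I can't see where that field lives, as mavis_lookup_final continues outside the hunk. The guard also deserves a comment, since four conjuncts give no hint why static users are excluded; something like `/* static users: the password lives in the MAVIS backend; a cached copy would go stale after chpass */` above the `if`. Note the salt buffer is sized 13, which fits a `$1$` MD5-crypt salt plus NUL; if the cache ever moves to a longer scheme the size needs to follow.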

Untested, but likely works.

Thanks,

Marc

Thanh Pham

Feb 4, 2026, 10:34:37 PM (9 days ago) Feb 4
to Event-Driven Servers
Hi Marc,

I tried it again and it's working now ✌️. Thanks for your help!

Cheers, Thanh

Vào lúc 23:38:11 UTC+7 ngày Thứ Tư, 4 tháng 2, 2026, Marc Huber đã viết: