[TACACS+]: Add configDB enforcer for TACACS+ #1214
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* hostcfgd - configDB enforcer for TACACS+, listen configDB to modify the pam configuration for Authentication in host * Add a service script for hostcfgd Signed-off-by: Chenchen Qi <chenchen.qcc@alibaba-inc.com>
lguohan
reviewed
Dec 7, 2017
files/image_config/hostcfgd/hostcfgd
Outdated
| contents += line | ||
| line = f.readline() | ||
| contents += dbg + servers | ||
| with open(NSS_TACPLUS_CONF, 'w') as f: |
There was a problem hiding this comment.
once you change the conf file, how to make the conf effective? do you need to reload anything?
There was a problem hiding this comment.
If tacplus is enabled for passwd in nsswitch.conf, the conf is loaded by nss-tacplus plugin when the function getpwnam() is called each time. Don't need to reload it.
lguohan
reviewed
Dec 7, 2017
files/image_config/hostcfgd/hostcfgd
Outdated
| os.system("sed -i -e '/^@include/s/common-auth-sonic$/common-auth/' /etc/pam.d/login") | ||
|
|
||
| # Set tacacs+ server in nss-tacplus conf | ||
| def modify_nss_conf(self): |
There was a problem hiding this comment.
it is very difficult to know what the actual conf file generated, it is better to design a template and use jinja2 library in python to generate the conf file. You can refer to the code in sonic-cfggen.
There was a problem hiding this comment.
I have changed it with jinja2 template.
lguohan
reviewed
Dec 7, 2017
files/image_config/hostcfgd/hostcfgd
Outdated
| with open(PAM_AUTH_FILE, "w") as f: | ||
| f.write(AUTH_FILE_HEADER + auth_file_body + AUTH_FILE_FOOTER) | ||
|
|
||
| # Modify common-auth include file in /etc/pam.d/type and sshd |
There was a problem hiding this comment.
/etc/pam.d/type -> /etc/pam.d/login
lguohan
reviewed
Dec 7, 2017
files/image_config/hostcfgd/hostcfgd
Outdated
| self.aaacfg.load(aaa, tacacs_global, tacacs_server) | ||
|
|
||
| def aaa_handler(self, key, data): | ||
| syslog.syslog(syslog.LOG_INFO, 'value for {} changed to {}'.format(key, data)) |
There was a problem hiding this comment.
this is debug level -> LOG_DEBUG
lguohan
reviewed
Dec 7, 2017
files/image_config/hostcfgd/hostcfgd
Outdated
| self.aaacfg.aaa_update(key, data) | ||
|
|
||
| def tacacs_server_handler(self, key, data): | ||
| syslog.syslog(syslog.LOG_INFO, 'value for {} changed to {}'.format(key, data)) |
lguohan
reviewed
Dec 7, 2017
files/image_config/hostcfgd/hostcfgd
Outdated
| # Make sure root will always authentication on local, not TACACS+ | ||
| pam_modules = self.tacplus_servers + [AAA_LOCAL] | ||
| auth_file_body += "auth\t[success=%d new_authtok_reqd=done default=ignore]\t" % (len(pam_modules)-1) | ||
| auth_file_body += "pam_succeed_if.so user = root debug\n" |
There was a problem hiding this comment.
root is not allowed to login by default, there is also no debug account, only admin is enabled.
There was a problem hiding this comment.
This configuration is used to ensure that an administrator user always login via local if TACACS+ authentication hangs or other error occur. But it's not correct to use root. The 'debug' means output debug log, not means debug account.
I have removed this logic because it looks like an impossible scenario.
* Generate common-auth-sonic and tacplus_nss.conf by jinja2 template Signed-off-by: Chenchen Qi <chenchen.qcc@alibaba-inc.com>
lguohan
approved these changes
Dec 12, 2017
tiantianlv
pushed a commit
to SONIC-DEV/sonic-buildimage
that referenced
this pull request
Apr 24, 2020
Multi-Db changes for NAT feature. (sonic-net#1202) [cfgmgr] clear loopback and vrf in kernel if not warmstart (sonic-net#1141) upon cold reboot, skip remove mgmt vrf table from the kernel (sonic-net#1214)
tiantianlv
pushed a commit
to SONIC-DEV/sonic-buildimage
that referenced
this pull request
Apr 24, 2020
Multi-Db changes for NAT feature. (sonic-net#1202) [cfgmgr] clear loopback and vrf in kernel if not warmstart (sonic-net#1141) upon cold reboot, skip remove mgmt vrf table from the kernel (sonic-net#1214)
3 tasks
jleveque
added a commit
that referenced
this pull request
Nov 13, 2020
#5849) Submodule updates include the following commits. Also adding sonic-swsscommon build dependencies where necessary. * src/sonic-py-swsssdk 1ea30d2...9d9f0c6 (1): > [SonicV2Connector] make decode_responses=True as default, so python2 application need no code change when migrated to python3(#93) * src/sonic-snmpagent 6e4a796...57e54d9 (3): > Interact with Redis by str instead of bytes, migrate to SonicV2Connector with `decode_responses=True` (#171) > Add a test case for LLDP_LOC_CHASSIS.lldp_loc_man_addr has only one IPv6 address (#167) > [LLDP]: Update init_db to load global database config (#166) * src/sonic-utilities acfa824...b693cf6 (11): > Remove SKU create pytest output directory before execution of the script (#1226) > [show][techsupport][multi-ASIC] Add support to collect tech support on multi ASIC platform (#1193) > [show] Fix `show ip bgp sum` (#1194) > [sonic_sku_create] Move tests from sonic-utilities-tests/ folder to tests/ folder (#1222) > Replace swsssdk.SonicV2Connector with swsscommon.SonicV2Connector (SWIG wrapper of C++ implementation) in production code (#1217) > Copy missing values from INIT_CFG to config_db as part of db_migration task (#1209) > [connect][clear] Support --devicename option for connect/clear line commands (#1214) > [consutil][show] Remove root need from show line command (#1218) > [Mellanox] SKU creator Tool (#1163) > SONiC installer - fix string formatting during image type check (#1197) > [show/fgnhg.py] Fix whitespace issues (#1211)
raphaelt-nvidia
pushed a commit
to raphaelt-nvidia/sonic-buildimage
that referenced
this pull request
Jan 14, 2021
…et#1214) * upon cold reboot, skip remove mgmt vrf table from the kernel Co-authored-by: Bing Sun <Bing_Sun@dell.com>
santhosh-kt
pushed a commit
to santhosh-kt/sonic-buildimage
that referenced
this pull request
Feb 25, 2021
sonic-net#5849) Submodule updates include the following commits. Also adding sonic-swsscommon build dependencies where necessary. * src/sonic-py-swsssdk 1ea30d2...9d9f0c6 (1): > [SonicV2Connector] make decode_responses=True as default, so python2 application need no code change when migrated to python3(sonic-net#93) * src/sonic-snmpagent 6e4a796...57e54d9 (3): > Interact with Redis by str instead of bytes, migrate to SonicV2Connector with `decode_responses=True` (sonic-net#171) > Add a test case for LLDP_LOC_CHASSIS.lldp_loc_man_addr has only one IPv6 address (sonic-net#167) > [LLDP]: Update init_db to load global database config (sonic-net#166) * src/sonic-utilities acfa824...b693cf6 (11): > Remove SKU create pytest output directory before execution of the script (sonic-net#1226) > [show][techsupport][multi-ASIC] Add support to collect tech support on multi ASIC platform (sonic-net#1193) > [show] Fix `show ip bgp sum` (sonic-net#1194) > [sonic_sku_create] Move tests from sonic-utilities-tests/ folder to tests/ folder (sonic-net#1222) > Replace swsssdk.SonicV2Connector with swsscommon.SonicV2Connector (SWIG wrapper of C++ implementation) in production code (sonic-net#1217) > Copy missing values from INIT_CFG to config_db as part of db_migration task (sonic-net#1209) > [connect][clear] Support --devicename option for connect/clear line commands (sonic-net#1214) > [consutil][show] Remove root need from show line command (sonic-net#1218) > [Mellanox] SKU creator Tool (sonic-net#1163) > SONiC installer - fix string formatting during image type check (sonic-net#1197) > [show/fgnhg.py] Fix whitespace issues (sonic-net#1211)
stepanblyschak
pushed a commit
to stepanblyschak/sonic-buildimage
that referenced
this pull request
May 10, 2021
…ommands (sonic-net#1214) admin@sonic:~$ sudo connect line --devicename switch1 Successful connection to line 1 Press ^A ^X to disconnect admin@sonic:~$ sudo sonic-clear line --devicename switch1 admin@sonic:~$ sudo show line -b Line Baud PID Start Time Device ------ ------ ----- ------------ -------- 1 9600 - - switch1
theasianpianist
pushed a commit
to theasianpianist/sonic-buildimage
that referenced
this pull request
Feb 5, 2022
…et#1214) * upon cold reboot, skip remove mgmt vrf table from the kernel Co-authored-by: Bing Sun <Bing_Sun@dell.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
- What I did
- How I did it
- How to verify it
- Description for the changelog
Add configDB enforcer for TACACS+
- A picture of a cute animal (not mandatory but encouraged)
