[202012] [TACACS+] Add Config DB schema and HostCfg Enforcer plugin to support TACACS+ per-command authorization&accounting.(#9029) (#15718)

This pull request add Config DB schema and HostCfg Enforcer plugin to support TACACS+ per-command authorization&accounting.

##### Work item tracking
- Microsoft ADO **(number only)**: 24433713

#### Why I did it
    Support TACACS per-command authorization&accounting.

#### How I did it
    Change ConfigDB schema and HostCfg enforcer.
    Add UT to cover changed code.

#### How to verify it
    Build following project and pass all UTs:
    make target/python-wheels/sonic_host_services-1.0-py3-none-any.whl

#### Which release branch to backport (provide reason below if selected)
    N/A

#### Tested branch (Please provide the tested image version)
Extract tacacs support functions into library, this will share TACACS config file parse code with other project.
Also fix memory leak issue in parse config code.

- [ ]  SONiC.202012-15723.309781-38d8852cd

#### Description for the changelog
    Add Config DB schema and HostCfg Enforcer plugin to support TACACS+ per-command authorization&accounting.

src/sonic-host-services-data/templates/tacplus_nss.conf.j2

@@ -7,6 +7,34 @@
 debug=on
 {% endif %}
 
+# local_accounting - If you want to local accounting, set it
+# Default: None
+# local_accounting
+{% if local_accounting %}
+local_accounting
+{% endif %}
+
+# tacacs_accounting - If you want to tacacs+ accounting, set it
+# Default: None
+# tacacs_accounting
+{% if tacacs_accounting %}
+tacacs_accounting
+{% endif %}
+
+# local_authorization - If you want to local authorization, set it
+# Default: None
+# local_authorization
+{% if local_authorization %}
+local_authorization
+{% endif %}
+
+# tacacs_authorization - If you want to tacacs+ authorization, set it
+# Default: None
+# tacacs_authorization
+{% if tacacs_authorization %}
+tacacs_authorization
+{% endif %}
+
 # src_ip - set source address of TACACS+ protocol packets
 # Default: None (auto source ip address)
 # src_ip=2.2.2.2

src/sonic-host-services/pytest.ini

@@ -1,2 +1,2 @@
 [pytest]
-addopts = --cov=scripts --cov-report html --cov-report term --cov-report xml --ignore=tests/hostcfgd/test_vectors.py --ignore=tests/caclmgrd/test_dhcp_vectors.py
+addopts = --cov=scripts --cov-report html --cov-report term --cov-report xml --ignore=tests/hostcfgd/test*_vectors.py  --ignore=tests/caclmgrd/test_dhcp_vectors.py

src/sonic-host-services/scripts/hostcfgd

@@ -161,15 +161,23 @@ class Iptables(object):
 
 class AaaCfg(object):
     def __init__(self):
-        self.auth_default = {
+        self.authentication_default = {
             'login': 'local',
         }
+        self.authorization_default = {
+            'login': 'local',
+        }
+        self.accounting_default = {
+            'login': 'disable',
+        }
         self.tacplus_global_default = {
             'auth_type': TACPLUS_SERVER_AUTH_TYPE_DEFAULT,
             'timeout': TACPLUS_SERVER_TIMEOUT_DEFAULT,
             'passkey': TACPLUS_SERVER_PASSKEY_DEFAULT
         }
-        self.auth = {}
+        self.authentication = {}
+        self.authorization = {}
+        self.accounting = {}
         self.tacplus_global = {}
         self.tacplus_servers = {}
         self.debug = False
@@ -186,11 +194,15 @@ class AaaCfg(object):
 
     def aaa_update(self, key, data, modify_conf=True):
         if key == 'authentication':
-            self.auth = data
+            self.authentication = data
             if 'failthrough' in data:
-                self.auth['failthrough'] = is_true(data['failthrough'])
+                self.authentication['failthrough'] = is_true(data['failthrough'])
             if 'debug' in data:
                 self.debug = is_true(data['debug'])
+        if key == 'authorization':
+            self.authorization = data
+        if key == 'accounting':
+            self.accounting = data
         if modify_conf:
             self.modify_conf_file()
 
@@ -231,8 +243,12 @@ class AaaCfg(object):
         self.check_file_not_empty(filename)
 
     def modify_conf_file(self):
-        auth = self.auth_default.copy()
-        auth.update(self.auth)
+        authentication = self.authentication_default.copy()
+        authentication.update(self.authentication)
+        authorization = self.authorization_default.copy()
+        authorization.update(self.authorization)
+        accounting = self.accounting_default.copy()
+        accounting.update(self.accounting)
         tacplus_global = self.tacplus_global_default.copy()
         tacplus_global.update(self.tacplus_global)
         if 'src_ip' in tacplus_global:
@@ -253,7 +269,7 @@ class AaaCfg(object):
         env = jinja2.Environment(loader=jinja2.FileSystemLoader('/'), trim_blocks=True)
         env.filters['sub'] = sub
         template = env.get_template(template_file)
-        pam_conf = template.render(auth=auth, src_ip=src_ip, servers=servers_conf)
+        pam_conf = template.render(auth=authentication, src_ip=src_ip, servers=servers_conf)
         with open(PAM_AUTH_CONF, 'w') as f:
             f.write(pam_conf)
 
@@ -266,17 +282,40 @@ class AaaCfg(object):
             self.modify_single_file('/etc/pam.d/login', [ "'/^@include/s/common-auth-sonic$/common-auth/'" ])
 
         # Add tacplus in nsswitch.conf if TACACS+ enable
-        if 'tacacs+' in auth['login']:
+        if 'tacacs+' in authentication['login']:
             if os.path.isfile(NSS_CONF):
                 self.modify_single_file(NSS_CONF, [ "'/tacplus/b'", "'/^passwd/s/compat/tacplus &/'", "'/^passwd/s/files/tacplus &/'" ])
         else:
             if os.path.isfile(NSS_CONF):
                 self.modify_single_file(NSS_CONF, [ "'/^passwd/s/tacplus //g'" ])
 
+        # Add tacplus authorization configration in nsswitch.conf
+        tacacs_authorization_conf = None
+        local_authorization_conf = None
+        if 'tacacs+' in authorization['login']:
+            tacacs_authorization_conf = "on"
+        if 'local' in authorization['login']:
+            local_authorization_conf = "on"
+
+        # Add tacplus accounting configration in nsswitch.conf
+        tacacs_accounting_conf = None
+        local_accounting_conf = None
+        if 'tacacs+' in accounting['login']:
+            tacacs_accounting_conf = "on"
+        if 'local' in accounting['login']:
+            local_accounting_conf = "on"
+
         # Set tacacs+ server in nss-tacplus conf
         template_file = os.path.abspath(NSS_TACPLUS_CONF_TEMPLATE)
         template = env.get_template(template_file)
-        nss_tacplus_conf = template.render(debug=self.debug, src_ip=src_ip, servers=servers_conf)
+        nss_tacplus_conf = template.render(
+                                        debug=self.debug,
+                                        src_ip=src_ip,
+                                        servers=servers_conf,
+                                        local_accounting=local_accounting_conf,
+                                        tacacs_accounting=tacacs_accounting_conf,
+                                        local_authorization=local_authorization_conf,
+                                        tacacs_authorization=tacacs_authorization_conf)
         with open(NSS_TACPLUS_CONF, 'w') as f:
             f.write(nss_tacplus_conf)
 

src/sonic-host-services/tests/hostcfgd/hostcfgd_tacacs_test.py

@@ -0,0 +1,110 @@
+import importlib.machinery
+import importlib.util
+import filecmp
+import shutil
+import os
+import sys
+import subprocess
+from swsscommon import swsscommon
+
+from parameterized import parameterized
+from unittest import TestCase, mock
+from tests.hostcfgd.test_tacacs_vectors import HOSTCFGD_TEST_TACACS_VECTOR
+from tests.common.mock_configdb import MockConfigDb, MockSubscriberStateTable
+from tests.common.mock_configdb import MockSelect, MockDBConnector
+
+test_path = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+modules_path = os.path.dirname(test_path)
+scripts_path = os.path.join(modules_path, "scripts")
+src_path = os.path.dirname(modules_path)
+templates_path = os.path.join(src_path, "sonic-host-services-data/templates")
+output_path = os.path.join(test_path, "hostcfgd/output")
+sample_output_path = os.path.join(test_path, "hostcfgd/sample_output")
+sys.path.insert(0, modules_path)
+
+# Load the file under test
+hostcfgd_path = os.path.join(scripts_path, 'hostcfgd')
+loader = importlib.machinery.SourceFileLoader('hostcfgd', hostcfgd_path)
+spec = importlib.util.spec_from_loader(loader.name, loader)
+hostcfgd = importlib.util.module_from_spec(spec)
+loader.exec_module(hostcfgd)
+sys.modules['hostcfgd'] = hostcfgd
+
+# Mock swsscommon classes
+hostcfgd.ConfigDBConnector = MockConfigDb
+hostcfgd.SubscriberStateTable = MockSubscriberStateTable
+hostcfgd.Select = MockSelect
+hostcfgd.DBConnector = MockDBConnector
+
+class TestHostcfgdTACACS(TestCase):
+    """
+        Test hostcfd daemon - TACACS
+    """
+    def run_diff(self, file1, file2):
+        return subprocess.check_output('diff -uR {} {} || true'.format(file1, file2), shell=True)
+
+    """
+        Check different config 
+    """
+    def check_config(self, test_name, test_data, config_name):
+        t_path = templates_path
+        op_path = output_path + "/" + test_name + "_" + config_name
+        sop_path = sample_output_path + "/" +  test_name + "_" + config_name
+
+        hostcfgd.PAM_AUTH_CONF_TEMPLATE = t_path + "/common-auth-sonic.j2"
+        hostcfgd.NSS_TACPLUS_CONF_TEMPLATE = t_path + "/tacplus_nss.conf.j2"
+        hostcfgd.PAM_AUTH_CONF = op_path + "/common-auth-sonic"
+        hostcfgd.NSS_TACPLUS_CONF = op_path + "/tacplus_nss.conf"
+        hostcfgd.NSS_CONF = op_path + "/nsswitch.conf"
+
+        shutil.rmtree( op_path, ignore_errors=True)
+        os.mkdir( op_path)
+
+        MockConfigDb.set_config_db(test_data[config_name])
+        host_config_daemon = hostcfgd.HostConfigDaemon()
+
+        aaa = host_config_daemon.config_db.get_table('AAA')
+
+        try:
+            tacacs_global = host_config_daemon.config_db.get_table('TACPLUS')
+        except:
+            tacacs_global = []
+        try:
+            tacacs_server = \
+                host_config_daemon.config_db.get_table('TACPLUS_SERVER')
+        except:
+            tacacs_server = []
+
+        host_config_daemon.aaacfg.load(aaa,tacacs_global,tacacs_server)
+        dcmp = filecmp.dircmp(sop_path, op_path)
+        diff_output = ""
+        for name in dcmp.diff_files:
+            diff_output += \
+                "Diff: file: {} expected: {} output: {}\n".format(\
+                    name, dcmp.left, dcmp.right)
+            diff_output += self.run_diff( dcmp.left + "/" + name,\
+                dcmp.right + "/" + name)
+        self.assertTrue(len(diff_output) == 0, diff_output)
+
+
+    @parameterized.expand(HOSTCFGD_TEST_TACACS_VECTOR)
+    def test_hostcfgd_tacacs(self, test_name, test_data):
+        """
+            Test TACACS hostcfd daemon initialization
+
+            Args:
+                test_name(str): test name
+                test_data(dict): test data which contains initial Config Db tables, and expected results
+
+            Returns:
+                None
+        """
+        os.mkdir(output_path)
+        # test local config
+        self.check_config(test_name, test_data, "config_db_local")
+        # test remote config
+        self.check_config(test_name, test_data, "config_db_tacacs")
+        # test local + tacacs config
+        self.check_config(test_name, test_data, "config_db_local_and_tacacs")
+        # test disable accounting
+        self.check_config(test_name, test_data, "config_db_disable_accounting")

src/sonic-host-services/tests/hostcfgd/sample_output/LOCAL/tacplus_nss.conf

@@ -0,0 +1,40 @@
+# Configuration for libnss-tacplus
+
+# debug - If you want to open debug log, set it on
+# Default: off
+# debug=on
+debug=on
+
+# local_accounting - If you want to local accounting, set it
+# Default: None
+# local_accounting
+
+# tacacs_accounting - If you want to tacacs+ accounting, set it
+# Default: None
+# tacacs_accounting
+
+# local_authorization - If you want to local authorization, set it
+# Default: None
+# local_authorization
+local_authorization
+
+# tacacs_authorization - If you want to tacacs+ authorization, set it
+# Default: None
+# tacacs_authorization
+
+# src_ip - set source address of TACACS+ protocol packets
+# Default: None (auto source ip address)
+# src_ip=2.2.2.2
+
+# server - set ip address, tcp port, secret string and timeout for TACACS+ servers
+# Default: None (no TACACS+ server)
+# server=1.1.1.1:49,secret=test,timeout=3
+
+# user_priv - set the map between TACACS+ user privilege and local user's passwd
+# Default:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/bin/bash
+# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/bin/bash
+
+# many_to_one - create one local user for many TACACS+ users which has the same privilege
+# Default: many_to_one=n
+# many_to_one=y

src/sonic-host-services/tests/hostcfgd/sample_output/RADIUS/tacplus_nss.conf

@@ -0,0 +1,40 @@
+# Configuration for libnss-tacplus
+
+# debug - If you want to open debug log, set it on
+# Default: off
+# debug=on
+debug=on
+
+# local_accounting - If you want to local accounting, set it
+# Default: None
+# local_accounting
+
+# tacacs_accounting - If you want to tacacs+ accounting, set it
+# Default: None
+# tacacs_accounting
+
+# local_authorization - If you want to local authorization, set it
+# Default: None
+# local_authorization
+local_authorization
+
+# tacacs_authorization - If you want to tacacs+ authorization, set it
+# Default: None
+# tacacs_authorization
+
+# src_ip - set source address of TACACS+ protocol packets
+# Default: None (auto source ip address)
+# src_ip=2.2.2.2
+
+# server - set ip address, tcp port, secret string and timeout for TACACS+ servers
+# Default: None (no TACACS+ server)
+# server=1.1.1.1:49,secret=test,timeout=3
+
+# user_priv - set the map between TACACS+ user privilege and local user's passwd
+# Default:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/bin/bash
+# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/bin/bash
+
+# many_to_one - create one local user for many TACACS+ users which has the same privilege
+# Default: many_to_one=n
+# many_to_one=y

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_disable_accounting/common-auth-sonic

@@ -0,0 +1,21 @@
+#THIS IS AN AUTO-GENERATED FILE
+#
+# /etc/pam.d/common-auth- authentication settings common to all services
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# here are the per-package modules (the "Primary" block)
+
+auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass
+
+#
+# here's the fallback if no module succeeds
+auth    requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth    required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_disable_accounting/login

@@ -0,0 +1,116 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth-sonic
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restraint on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon successful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+
+# Prints the status of the user's mailbox upon successful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Create a new session keyring.
+session    optional   pam_keyinit.so force revoke
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_disable_accounting/login.old

@@ -0,0 +1,116 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restraint on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon successful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+
+# Prints the status of the user's mailbox upon successful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Create a new session keyring.
+session    optional   pam_keyinit.so force revoke
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_disable_accounting/radius_nss.conf

@@ -0,0 +1,55 @@
+#THIS IS AN AUTO-GENERATED FILE
+# Generated from: /usr/share/sonic/templates/radius_nss.conf.j2
+# RADIUS NSS Configuration File
+#
+# Debug: on|off|trace
+# Default: off
+#
+# debug=on
+
+#
+# User Privilege:
+# Default:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
+
+# Eg:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=7;pw_info=netops;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=1;pw_info=operator;gid=100;group=docker;shell=/usr/bin/sonic-launch-shell
+#
+
+# many_to_one:
+#   y: Map RADIUS users to one local user per privilege.
+#   n: Create local user account on first successful authentication.
+# Default: n
+#
+
+# Eg:
+# many_to_one=y
+#
+
+# unconfirmed_disallow:
+#   y: Do not allow unconfirmed users (users created before authentication)
+#   n: Allow unconfirmed users.
+# Default: n
+
+# Eg:
+# unconfirmed_disallow=y
+#
+
+# unconfirmed_ageout:
+#   <seconds>: Wait time before purging unconfirmed users
+# Default: 600
+#
+
+# Eg:
+# unconfirmed_ageout=900
+#
+
+# unconfirmed_regexp:
+#   <regexp>: The RE to match the command line of processes for which the
+#             creation of unconfirmed users are to be allowed.
+# Default: (.*: <user> \[priv\])|(.*: \[accepted\])
+#   where: <user> is the unconfirmed user.
+#

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_disable_accounting/sshd

@@ -0,0 +1,55 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth-sonic
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_disable_accounting/sshd.old

@@ -0,0 +1,55 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_disable_accounting/tacplus_nss.conf

@@ -0,0 +1,41 @@
+# Configuration for libnss-tacplus
+
+# debug - If you want to open debug log, set it on
+# Default: off
+# debug=on
+
+# local_accounting - If you want to local accounting, set it
+# Default: None
+# local_accounting
+
+# tacacs_accounting - If you want to tacacs+ accounting, set it
+# Default: None
+# tacacs_accounting
+
+# local_authorization - If you want to local authorization, set it
+# Default: None
+# local_authorization
+local_authorization
+
+# tacacs_authorization - If you want to tacacs+ authorization, set it
+# Default: None
+# tacacs_authorization
+
+# src_ip - set source address of TACACS+ protocol packets
+# Default: None (auto source ip address)
+# src_ip=2.2.2.2
+
+# server - set ip address, tcp port, secret string and timeout for TACACS+ servers
+# Default: None (no TACACS+ server)
+# server=1.1.1.1:49,secret=test,timeout=3
+server=192.168.1.1:50,secret=dellsonic,timeout=10,vrf=default
+server=192.168.1.2:51,secret=dellsonic1,timeout=15,vrf=mgmt
+
+# user_priv - set the map between TACACS+ user privilege and local user's passwd
+# Default:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/bin/bash
+# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/bin/bash
+
+# many_to_one - create one local user for many TACACS+ users which has the same privilege
+# Default: many_to_one=n
+# many_to_one=y

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local/common-auth-sonic

@@ -0,0 +1,21 @@
+#THIS IS AN AUTO-GENERATED FILE
+#
+# /etc/pam.d/common-auth- authentication settings common to all services
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# here are the per-package modules (the "Primary" block)
+
+auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass
+
+#
+# here's the fallback if no module succeeds
+auth    requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth    required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local/login

@@ -0,0 +1,116 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth-sonic
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restraint on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon successful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+
+# Prints the status of the user's mailbox upon successful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Create a new session keyring.
+session    optional   pam_keyinit.so force revoke
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local/login.old

@@ -0,0 +1,116 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restraint on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon successful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+
+# Prints the status of the user's mailbox upon successful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Create a new session keyring.
+session    optional   pam_keyinit.so force revoke
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local/radius_nss.conf

@@ -0,0 +1,55 @@
+#THIS IS AN AUTO-GENERATED FILE
+# Generated from: /usr/share/sonic/templates/radius_nss.conf.j2
+# RADIUS NSS Configuration File
+#
+# Debug: on|off|trace
+# Default: off
+#
+# debug=on
+
+#
+# User Privilege:
+# Default:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
+
+# Eg:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=7;pw_info=netops;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=1;pw_info=operator;gid=100;group=docker;shell=/usr/bin/sonic-launch-shell
+#
+
+# many_to_one:
+#   y: Map RADIUS users to one local user per privilege.
+#   n: Create local user account on first successful authentication.
+# Default: n
+#
+
+# Eg:
+# many_to_one=y
+#
+
+# unconfirmed_disallow:
+#   y: Do not allow unconfirmed users (users created before authentication)
+#   n: Allow unconfirmed users.
+# Default: n
+
+# Eg:
+# unconfirmed_disallow=y
+#
+
+# unconfirmed_ageout:
+#   <seconds>: Wait time before purging unconfirmed users
+# Default: 600
+#
+
+# Eg:
+# unconfirmed_ageout=900
+#
+
+# unconfirmed_regexp:
+#   <regexp>: The RE to match the command line of processes for which the
+#             creation of unconfirmed users are to be allowed.
+# Default: (.*: <user> \[priv\])|(.*: \[accepted\])
+#   where: <user> is the unconfirmed user.
+#

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local/sshd

@@ -0,0 +1,55 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth-sonic
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local/sshd.old

@@ -0,0 +1,55 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local/tacplus_nss.conf

@@ -0,0 +1,42 @@
+# Configuration for libnss-tacplus
+
+# debug - If you want to open debug log, set it on
+# Default: off
+# debug=on
+
+# local_accounting - If you want to local accounting, set it
+# Default: None
+# local_accounting
+local_accounting
+
+# tacacs_accounting - If you want to tacacs+ accounting, set it
+# Default: None
+# tacacs_accounting
+
+# local_authorization - If you want to local authorization, set it
+# Default: None
+# local_authorization
+local_authorization
+
+# tacacs_authorization - If you want to tacacs+ authorization, set it
+# Default: None
+# tacacs_authorization
+
+# src_ip - set source address of TACACS+ protocol packets
+# Default: None (auto source ip address)
+# src_ip=2.2.2.2
+
+# server - set ip address, tcp port, secret string and timeout for TACACS+ servers
+# Default: None (no TACACS+ server)
+# server=1.1.1.1:49,secret=test,timeout=3
+server=192.168.1.1:50,secret=dellsonic,timeout=10,vrf=default
+server=192.168.1.2:51,secret=dellsonic1,timeout=15,vrf=mgmt
+
+# user_priv - set the map between TACACS+ user privilege and local user's passwd
+# Default:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/bin/bash
+# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/bin/bash
+
+# many_to_one - create one local user for many TACACS+ users which has the same privilege
+# Default: many_to_one=n
+# many_to_one=y

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local_and_tacacs/common-auth-sonic

@@ -0,0 +1,21 @@
+#THIS IS AN AUTO-GENERATED FILE
+#
+# /etc/pam.d/common-auth- authentication settings common to all services
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# here are the per-package modules (the "Primary" block)
+
+auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass
+
+#
+# here's the fallback if no module succeeds
+auth    requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth    required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local_and_tacacs/login

@@ -0,0 +1,116 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth-sonic
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restraint on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon successful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+
+# Prints the status of the user's mailbox upon successful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Create a new session keyring.
+session    optional   pam_keyinit.so force revoke
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local_and_tacacs/login.old

@@ -0,0 +1,116 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restraint on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon successful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+
+# Prints the status of the user's mailbox upon successful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Create a new session keyring.
+session    optional   pam_keyinit.so force revoke
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local_and_tacacs/radius_nss.conf

@@ -0,0 +1,55 @@
+#THIS IS AN AUTO-GENERATED FILE
+# Generated from: /usr/share/sonic/templates/radius_nss.conf.j2
+# RADIUS NSS Configuration File
+#
+# Debug: on|off|trace
+# Default: off
+#
+# debug=on
+
+#
+# User Privilege:
+# Default:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
+
+# Eg:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=7;pw_info=netops;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=1;pw_info=operator;gid=100;group=docker;shell=/usr/bin/sonic-launch-shell
+#
+
+# many_to_one:
+#   y: Map RADIUS users to one local user per privilege.
+#   n: Create local user account on first successful authentication.
+# Default: n
+#
+
+# Eg:
+# many_to_one=y
+#
+
+# unconfirmed_disallow:
+#   y: Do not allow unconfirmed users (users created before authentication)
+#   n: Allow unconfirmed users.
+# Default: n
+
+# Eg:
+# unconfirmed_disallow=y
+#
+
+# unconfirmed_ageout:
+#   <seconds>: Wait time before purging unconfirmed users
+# Default: 600
+#
+
+# Eg:
+# unconfirmed_ageout=900
+#
+
+# unconfirmed_regexp:
+#   <regexp>: The RE to match the command line of processes for which the
+#             creation of unconfirmed users are to be allowed.
+# Default: (.*: <user> \[priv\])|(.*: \[accepted\])
+#   where: <user> is the unconfirmed user.
+#

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local_and_tacacs/sshd

@@ -0,0 +1,55 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth-sonic
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local_and_tacacs/sshd.old

@@ -0,0 +1,55 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local_and_tacacs/tacplus_nss.conf

@@ -0,0 +1,44 @@
+# Configuration for libnss-tacplus
+
+# debug - If you want to open debug log, set it on
+# Default: off
+# debug=on
+
+# local_accounting - If you want to local accounting, set it
+# Default: None
+# local_accounting
+local_accounting
+
+# tacacs_accounting - If you want to tacacs+ accounting, set it
+# Default: None
+# tacacs_accounting
+tacacs_accounting
+
+# local_authorization - If you want to local authorization, set it
+# Default: None
+# local_authorization
+local_authorization
+
+# tacacs_authorization - If you want to tacacs+ authorization, set it
+# Default: None
+# tacacs_authorization
+tacacs_authorization
+
+# src_ip - set source address of TACACS+ protocol packets
+# Default: None (auto source ip address)
+# src_ip=2.2.2.2
+
+# server - set ip address, tcp port, secret string and timeout for TACACS+ servers
+# Default: None (no TACACS+ server)
+# server=1.1.1.1:49,secret=test,timeout=3
+server=192.168.1.1:50,secret=dellsonic,timeout=10,vrf=default
+server=192.168.1.2:51,secret=dellsonic1,timeout=15,vrf=mgmt
+
+# user_priv - set the map between TACACS+ user privilege and local user's passwd
+# Default:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/bin/bash
+# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/bin/bash
+
+# many_to_one - create one local user for many TACACS+ users which has the same privilege
+# Default: many_to_one=n
+# many_to_one=y

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_tacacs/common-auth-sonic

@@ -0,0 +1,21 @@
+#THIS IS AN AUTO-GENERATED FILE
+#
+# /etc/pam.d/common-auth- authentication settings common to all services
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# here are the per-package modules (the "Primary" block)
+
+auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass
+
+#
+# here's the fallback if no module succeeds
+auth    requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth    required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_tacacs/login

@@ -0,0 +1,116 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth-sonic
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restraint on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon successful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+
+# Prints the status of the user's mailbox upon successful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Create a new session keyring.
+session    optional   pam_keyinit.so force revoke
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_tacacs/login.old

@@ -0,0 +1,116 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restraint on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon successful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+
+# Prints the status of the user's mailbox upon successful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Create a new session keyring.
+session    optional   pam_keyinit.so force revoke
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_tacacs/radius_nss.conf

@@ -0,0 +1,55 @@
+#THIS IS AN AUTO-GENERATED FILE
+# Generated from: /usr/share/sonic/templates/radius_nss.conf.j2
+# RADIUS NSS Configuration File
+#
+# Debug: on|off|trace
+# Default: off
+#
+# debug=on
+
+#
+# User Privilege:
+# Default:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
+
+# Eg:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=7;pw_info=netops;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=1;pw_info=operator;gid=100;group=docker;shell=/usr/bin/sonic-launch-shell
+#
+
+# many_to_one:
+#   y: Map RADIUS users to one local user per privilege.
+#   n: Create local user account on first successful authentication.
+# Default: n
+#
+
+# Eg:
+# many_to_one=y
+#
+
+# unconfirmed_disallow:
+#   y: Do not allow unconfirmed users (users created before authentication)
+#   n: Allow unconfirmed users.
+# Default: n
+
+# Eg:
+# unconfirmed_disallow=y
+#
+
+# unconfirmed_ageout:
+#   <seconds>: Wait time before purging unconfirmed users
+# Default: 600
+#
+
+# Eg:
+# unconfirmed_ageout=900
+#
+
+# unconfirmed_regexp:
+#   <regexp>: The RE to match the command line of processes for which the
+#             creation of unconfirmed users are to be allowed.
+# Default: (.*: <user> \[priv\])|(.*: \[accepted\])
+#   where: <user> is the unconfirmed user.
+#

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_tacacs/sshd

@@ -0,0 +1,55 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth-sonic
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_tacacs/sshd.old

@@ -0,0 +1,55 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_tacacs/tacplus_nss.conf

@@ -0,0 +1,42 @@
+# Configuration for libnss-tacplus
+
+# debug - If you want to open debug log, set it on
+# Default: off
+# debug=on
+
+# local_accounting - If you want to local accounting, set it
+# Default: None
+# local_accounting
+
+# tacacs_accounting - If you want to tacacs+ accounting, set it
+# Default: None
+# tacacs_accounting
+tacacs_accounting
+
+# local_authorization - If you want to local authorization, set it
+# Default: None
+# local_authorization
+
+# tacacs_authorization - If you want to tacacs+ authorization, set it
+# Default: None
+# tacacs_authorization
+tacacs_authorization
+
+# src_ip - set source address of TACACS+ protocol packets
+# Default: None (auto source ip address)
+# src_ip=2.2.2.2
+
+# server - set ip address, tcp port, secret string and timeout for TACACS+ servers
+# Default: None (no TACACS+ server)
+# server=1.1.1.1:49,secret=test,timeout=3
+server=192.168.1.1:50,secret=dellsonic,timeout=10,vrf=default
+server=192.168.1.2:51,secret=dellsonic1,timeout=15,vrf=mgmt
+
+# user_priv - set the map between TACACS+ user privilege and local user's passwd
+# Default:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/bin/bash
+# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/bin/bash
+
+# many_to_one - create one local user for many TACACS+ users which has the same privilege
+# Default: many_to_one=n
+# many_to_one=y

src/sonic-host-services/tests/hostcfgd/test_tacacs_vectors.py

@@ -0,0 +1,260 @@
+from unittest.mock import call
+
+"""
+    hostcfgd test tacacs vector
+"""
+HOSTCFGD_TEST_TACACS_VECTOR = [
+    [
+        "TACACS",
+        {
+            "config_db_local": {
+                "DEVICE_METADATA": {
+                    "localhost": {
+                        "hostname": "radius",
+                    }
+                },
+                "FEATURE": {
+                    "dhcp_relay": {
+                        "auto_restart": "enabled",
+                        "has_global_scope": "True",
+                        "has_per_asic_scope": "False",
+                        "has_timer": "False",
+                        "high_mem_alert": "disabled",
+                        "set_owner": "kube",
+                        "state": "enabled"
+                    },
+                },
+                "KDUMP": {
+                    "config": {
+                        "enabled": "false",
+                        "num_dumps": "3",
+                        "memory": "0M-2G:256M,2G-4G:320M,4G-8G:384M,8G-:448M"
+                        }
+                },
+                "AAA": {
+                    "authentication": {
+                        "login": "local"
+                    },
+                    "authorization": {
+                        "login": "local" 
+                    },
+                    "accounting": {
+                        "login": "local" 
+                    }
+                },
+                "TACPLUS": {
+                    "global": {
+                            "auth_type": "chap",
+                            "timeout": 5,
+                            "passkey": "dellsonic",
+                            "src_intf": "Ethernet0"
+                    }
+                },
+                "TACPLUS_SERVER": {
+                    "192.168.1.1" : {
+                            "priority": 5,
+                            "tcp_port": 50,
+                            "timeout": 10,
+                            "auth_type": "chap",
+                            "passkey": "dellsonic",
+                            "vrf": "default"
+                    },
+                    "192.168.1.2" : {
+                            "priority": 2,
+                            "tcp_port": 51,
+                            "timeout": 15,
+                            "auth_type": "pap",
+                            "passkey": "dellsonic1",
+                            "vrf": "mgmt"
+                    }
+                },
+            },
+            "config_db_tacacs": {
+                "DEVICE_METADATA": {
+                    "localhost": {
+                        "hostname": "radius",
+                    }
+                },
+                "FEATURE": {
+                    "dhcp_relay": {
+                        "auto_restart": "enabled",
+                        "has_global_scope": "True",
+                        "has_per_asic_scope": "False",
+                        "has_timer": "False",
+                        "high_mem_alert": "disabled",
+                        "set_owner": "kube",
+                        "state": "enabled"
+                    },
+                },
+                "KDUMP": {
+                    "config": {
+                        "enabled": "false",
+                        "num_dumps": "3",
+                        "memory": "0M-2G:256M,2G-4G:320M,4G-8G:384M,8G-:448M"
+                        }
+                },
+                "AAA": {
+                    "authentication": {
+                        "login": "local"
+                    },
+                    "authorization": {
+                        "login": "tacacs+" 
+                    },
+                    "accounting": {
+                        "login": "tacacs+" 
+                    }
+                },
+                "TACPLUS": {
+                    "global": {
+                            "auth_type": "chap",
+                            "timeout": 5,
+                            "passkey": "dellsonic",
+                            "src_intf": "Ethernet0"
+                    }
+                },
+                "TACPLUS_SERVER": {
+                    "192.168.1.1" : {
+                            "priority": 5,
+                            "tcp_port": 50,
+                            "timeout": 10,
+                            "auth_type": "chap",
+                            "passkey": "dellsonic",
+                            "vrf": "default"
+                    },
+                    "192.168.1.2" : {
+                            "priority": 2,
+                            "tcp_port": 51,
+                            "timeout": 15,
+                            "auth_type": "pap",
+                            "passkey": "dellsonic1",
+                            "vrf": "mgmt"
+                    }
+                },
+            },
+            "config_db_local_and_tacacs": {
+                "DEVICE_METADATA": {
+                    "localhost": {
+                        "hostname": "radius",
+                    }
+                },
+                "FEATURE": {
+                    "dhcp_relay": {
+                        "auto_restart": "enabled",
+                        "has_global_scope": "True",
+                        "has_per_asic_scope": "False",
+                        "has_timer": "False",
+                        "high_mem_alert": "disabled",
+                        "set_owner": "kube",
+                        "state": "enabled"
+                    },
+                },
+                "KDUMP": {
+                    "config": {
+                        "enabled": "false",
+                        "num_dumps": "3",
+                        "memory": "0M-2G:256M,2G-4G:320M,4G-8G:384M,8G-:448M"
+                        }
+                },
+                "AAA": {
+                    "authentication": {
+                        "login": "local"
+                    },
+                    "authorization": {
+                        "login": "tacacs+ local" 
+                    },
+                    "accounting": {
+                        "login": "tacacs+ local" 
+                    }
+                },
+                "TACPLUS": {
+                    "global": {
+                            "auth_type": "chap",
+                            "timeout": 5,
+                            "passkey": "dellsonic",
+                            "src_intf": "Ethernet0"
+                    }
+                },
+                "TACPLUS_SERVER": {
+                    "192.168.1.1" : {
+                            "priority": 5,
+                            "tcp_port": 50,
+                            "timeout": 10,
+                            "auth_type": "chap",
+                            "passkey": "dellsonic",
+                            "vrf": "default"
+                    },
+                    "192.168.1.2" : {
+                            "priority": 2,
+                            "tcp_port": 51,
+                            "timeout": 15,
+                            "auth_type": "pap",
+                            "passkey": "dellsonic1",
+                            "vrf": "mgmt"
+                    }
+                },
+            },
+            "config_db_disable_accounting": {
+                "DEVICE_METADATA": {
+                    "localhost": {
+                        "hostname": "radius",
+                    }
+                },
+                "FEATURE": {
+                    "dhcp_relay": {
+                        "auto_restart": "enabled",
+                        "has_global_scope": "True",
+                        "has_per_asic_scope": "False",
+                        "has_timer": "False",
+                        "high_mem_alert": "disabled",
+                        "set_owner": "kube",
+                        "state": "enabled"
+                    },
+                },
+                "KDUMP": {
+                    "config": {
+                        "enabled": "false",
+                        "num_dumps": "3",
+                        "memory": "0M-2G:256M,2G-4G:320M,4G-8G:384M,8G-:448M"
+                        }
+                },
+                "AAA": {
+                    "authentication": {
+                        "login": "local"
+                    },
+                    "authorization": {
+                        "login": "local" 
+                    },
+                    "accounting": {
+                        "login": "disable" 
+                    }
+                },
+                "TACPLUS": {
+                    "global": {
+                            "auth_type": "chap",
+                            "timeout": 5,
+                            "passkey": "dellsonic",
+                            "src_intf": "Ethernet0"
+                    }
+                },
+                "TACPLUS_SERVER": {
+                    "192.168.1.1" : {
+                            "priority": 5,
+                            "tcp_port": 50,
+                            "timeout": 10,
+                            "auth_type": "chap",
+                            "passkey": "dellsonic",
+                            "vrf": "default"
+                    },
+                    "192.168.1.2" : {
+                            "priority": 2,
+                            "tcp_port": 51,
+                            "timeout": 15,
+                            "auth_type": "pap",
+                            "passkey": "dellsonic1",
+                            "vrf": "mgmt"
+                    }
+                },
+            }
+        }
+    ]
+]

src/sonic-yang-models/tests/yang_model_tests/tests/aaa.json

@@ -0,0 +1,19 @@
+{
+    "AAA_TEST": {
+        "desc": "Configure an authentication type in AAA table."
+    },
+    "AAA_TEST_WRONG_TYPE": {
+        "desc": "Configure a wrong type in AAA table.",
+        "eStrKey": "InvalidValue"
+    },
+    "AAA_TEST_WRONG_FAILTHROUGH": {
+        "desc": "Configure a wrong failthrough in AAA table.",
+        "eStrKey": "InvalidValue"
+    },
+    "AAA_AUTHORIZATION_TEST": {
+        "desc": "Configure an authorization type in AAA table."
+    },
+    "AAA_ACCOUNTING_TEST": {
+        "desc": "Configure an accounting type in AAA table."
+    }
+}

src/sonic-yang-models/tests/yang_model_tests/tests_config/aaa.json

@@ -0,0 +1,57 @@
+{
+    "AAA_TEST": {
+        "sonic-system-aaa:sonic-system-aaa": {
+            "sonic-system-aaa:AAA": {
+                "AAA_LIST": [{
+                        "type": "authentication",
+                        "login": "tacacs+,local",
+                        "failthrough": "true",
+                        "debug": "true"
+                }]
+            }
+        }
+    },
+
+    "AAA_TEST_WRONG_TYPE": {
+        "sonic-system-aaa:sonic-system-aaa": {
+            "sonic-system-aaa:AAA": {
+                "AAA_LIST": [{
+                        "type": "unknowntype"
+                }]
+            }
+        }
+    },
+
+    "AAA_TEST_WRONG_FAILTHROUGH": {
+        "sonic-system-aaa:sonic-system-aaa": {
+            "sonic-system-aaa:AAA": {
+                "AAA_LIST": [{
+                        "type": "authentication",
+                        "failthrough": "enable"
+                }]
+            }
+        }
+    },
+
+    "AAA_AUTHORIZATION_TEST": {
+        "sonic-system-aaa:sonic-system-aaa": {
+            "sonic-system-aaa:AAA": {
+                "AAA_LIST": [{
+                        "type": "authorization",
+                        "login": "tacacs+"
+                }]
+            }
+        }
+    },
+
+    "AAA_ACCOUNTING_TEST": {
+        "sonic-system-aaa:sonic-system-aaa": {
+            "sonic-system-aaa:AAA": {
+                "AAA_LIST": [{
+                        "type": "accounting",
+                        "login": "tacacs+"
+                }]
+            }
+        }
+    }
+}

src/sonic-yang-models/yang-models/sonic-system-aaa.yang

@@ -0,0 +1,50 @@
+module sonic-system-aaa {
+    namespace "http://github.com/Azure/sonic-system-aaa";
+    prefix ssys;
+    yang-version 1.1;
+
+    revision 2021-10-12 {
+        description "Add AAA authorization/accounting support.";
+    }
+
+    revision 2021-04-15 {
+        description "Initial revision.";
+    }
+
+    container sonic-system-aaa {
+        container AAA {
+            list AAA_LIST {
+                key "type";
+
+                leaf type {
+                    type enumeration {
+                        enum authentication;
+                        enum authorization;
+                        enum accounting;
+                    }
+                    description "AAA type authentication/authorization/accounting";
+                }
+
+                leaf login {
+                    type string;
+                    description "AAA authentication/authorization/accounting methods - local/tacacs+/disable";
+                    default "local";
+                }
+
+                leaf failthrough {
+                    type boolean;
+                    description "When set to true, authentication is attempted on next configured server/local in the list upon failure.";
+                    default false;
+                }
+                
+                leaf debug {
+                    type boolean;
+                    description "Enable/disable AAA debugging";
+                    default false;
+                }
+
+            }
+        }
+    }
+}
+