[hostcfgd] -- Fix the default for failthrough as false.
This implies that by default, if TACACS is configured properly and it reported auth_err, then don't try fail through to traditional unix authentication through /etc/passwd. If this failthrough is intended, make it explicit through "sudo config aaa authentication failthrough enable".

Removed an unused variable "aaa.fallback".

Tested manually. Note the presence of 'auth_err=die' in all cases except when failthrough is explicitly enabled.

admin@str-s6000-acs-13:~$ sudo config aaa authentication failthrough default; date
Wed Apr 3 23:05:18 UTC 2019
admin@str-s6000-acs-13:~$ ls -lrt /etc/pam.d/common-auth-sonic ; grep 123 /etc/pam.d/common-auth-sonic
-rw-r--r-- 1 root root 1316 Apr 3 23:05 /etc/pam.d/common-auth-sonic
auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass
auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass

admin@str-s6000-acs-13:~$ sudo config aaa authentication failthrough enable; date ; h4 "AAA|authentication"
Wed Apr 3 23:06:37 UTC 2019
admin@str-s6000-acs-13:~$ ls -lrt /etc/pam.d/common-auth-sonic ; grep 123 /etc/pam.d/common-auth-sonic
-rw-r--r-- 1 root root 1294 Apr 3 23:06 /etc/pam.d/common-auth-sonic
auth [success=done new_authtok_reqd=done default=ignore] pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass
auth [success=done new_authtok_reqd=done default=ignore] pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass

admin@str-s6000-acs-13:~$ sudo config aaa authentication failthrough disable; date ; h4 "AAA|authentication"
Wed Apr 3 23:07:09 UTC 2019
admin@str-s6000-acs-13:~$ ls -lrt /etc/pam.d/common-auth-sonic ; grep 123 /etc/pam.d/common-auth-sonic
-rw-r--r-- 1 root root 1321 Apr 3 23:07 /etc/pam.d/common-auth-sonic
auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass
auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass
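The commit message relies on the reader knowing how PAM resolves the bracketed control field: when pam_tacplus returns auth_err, the action listed for auth_err applies, otherwise the default= action, and without a default= entry pam.d(5) treats the value as bad. The following audit script is an added example, not code from this commit or from hostcfgd: it parses a rendered common-auth-sonic stack, resolves the action PAM takes on a TACACS+ auth_err, and reports whether the password would still be offered to the modules that follow (local /etc/passwd authentication). The two sample stacks reproduce the pam_tacplus lines quoted in the test transcript above; the trailing pam_unix line and the helper names are assumptions for the example.

```python
"""Audit a PAM auth stack for TACACS+ fail-through to local accounts."""
import re

# Parses: <type> <control> <module> [args], where <control> is either a
# single keyword (required, sufficient, ...) or a bracketed value=action list.
_LINE_RE = re.compile(r"^\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# pam.d(5) equivalents of the keyword controls.
_KEYWORDS = {
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional": {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Constructed samples modelled on the transcript in the commit message.
# server/secret values are the test values from that transcript; the pam_unix
# line is an assumption about what follows the TACACS entries.
NO_FAILTHROUGH = """\
auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass
auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
"""

FAILTHROUGH = """\
auth [success=done new_authtok_reqd=done default=ignore] pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass
auth [success=done new_authtok_reqd=done default=ignore] pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
"""


def parse_control(control):
    """Turn '[success=done default=ignore auth_err=die]' into a dict.
    Keyword controls are expanded to their bracketed equivalents."""
    if not control.startswith("["):
        if control not in _KEYWORDS:
            raise ValueError("unknown PAM control keyword: %s" % control)
        return dict(_KEYWORDS[control])
    pairs = control.strip("[]").split()
    return dict(p.split("=", 1) for p in pairs)


def action_for(control, retval):
    """Resolve what PAM does when a module returns `retval`.
    Unlisted values fall to default=; with no default= PAM treats them as bad."""
    return control.get(retval, control.get("default", "bad"))


def falls_through(action):
    """The stack continues with no failure recorded only for 'ignore' or a
    jump (N); 'die' ends the stack, 'bad' records the failure."""
    return action == "ignore" or action.isdigit()


def tacacs_failthrough(pam_text):
    """Return [(server, action, falls_through)] for every pam_tacplus auth line."""
    results = []
    for line in pam_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        mtype, control, module, args = m.groups()
        if mtype != "auth" or module != "pam_tacplus.so":
            continue
        server = next((a.split("=", 1)[1] for a in args.split()
                       if a.startswith("server=")), None)
        action = action_for(parse_control(control), "auth_err")
        results.append((server, action, falls_through(action)))
    return results


def stack_falls_through(pam_text):
    """True if any TACACS+ line lets an auth_err continue down the stack."""
    return any(ft for _, _, ft in tacacs_failthrough(pam_text))


if __name__ == "__main__":
    for label, text in (("default/disable", NO_FAILTHROUGH), ("enable", FAILTHROUGH)):
        print("failthrough %s:" % label)
        for server, action, ft in tacacs_failthrough(text):
            print("  %-18s auth_err -> %-6s falls through to local: %s" % (server, action, ft))
```

Run the file directly to see both renderings resolved, or point `tacacs_failthrough` at the contents of the real /etc/pam.d/common-auth-sonic to confirm that `auth_err=die` is present whenever failthrough has not been explicitly enabled.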
This commit is contained in:
parent
e65d9c5c88
commit
6d7ecc426c
@ -44,8 +44,6 @@ class AaaCfg(object):
def __init__(self):
self.auth_default = {
'login': 'local',
'failthrough': True,
'fallback': True
}
self.tacplus_global_default = {
'auth_type': TACPLUS_SERVER_AUTH_TYPE_DEFAULT,
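Review bot: the hunk header (-44,8 +44,6) shows two lines leaving auth_default and none arriving, so after this change the dict carries only 'login' and the False default for failthrough lives wherever the missing key is read (the PAM template or the consumer of auth_default) rather than in the defaults table itself. Keeping an explicit `'failthrough': False` next to `'login': 'local'` would document the fail-closed default in one place and keep a later refactor of the consumer from silently reverting it. Dropping 'fallback' is fine if nothing reads it; worth grepping the templates for aaa.fallback before merge. Unrelated to this hunk but visible in the test transcript: the rendered /etc/pam.d/common-auth-sonic carries the shared secret and is listed as -rw-r--r--, so the file mode deserves a follow-up.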