[TACACS+]: Add support for TACACS+ Authentication (#1019)

* [TACACS+]: Add support for TACACS+ Authentication

* pam_tacplus - A TACACS+ protocol client library and PAM module to
  supports core TACACS+ functions for AAA.
* nss_tacplus - A NSS plugin for TACACS+ to extend function getpwnam,
  make the TACACS+ authenticated user which is not found in local
  could login successfully.

* Add make rules for pam_tacplus and install script
* Add a patch for pam_tacplus to disable pam-auth-update pam-tacplus
  by default
* Add a patch for pam_tacplus to inlucde and build nss_tacplus

  Signed-off-by: chenchen.qcc@alibaba-inc.com

* [TACACS+]: Add nss-tacplus as a separate src repo

* Separate nss-tacplus from pam-tacplus, modify tacacs.mk and
  makefile, add a patch to adapt to the new user map profile.
* Use the latest stable version for pam-tacplus, add a dependent
  package in sonic-slave, add two patches to fix build errors.
* Add scripts to disable tacplus by default.
* Remove hostcfgd service file

  Signed-off-by: Chenchen Qi <chenchen.qcc@alibaba-inc.com>

* [TACACS+]: Fix nss-tacplus filter some valid TACACS+ username

* The NAME_REGEX for username check in plugin nss-tacplus is
  the ANSI version "^[0-9a-zA-Z_-\ ]*$", but the regular expression
  in /etc/adduser.conf is not defined as ANSI version. To avoid
  nss-tacplus filter some valid TACACS+ username, remove username
  check.

  Signed-off-by: Chenchen Qi <chenchen.qcc@alibaba-inc.com>
Liuqu 2017-12-07 19:36:17 +08:00 committed by lguohan
parent 4213b2dcc7
commit 8383b1f256
9 changed files with 1612 additions and 1 deletions


@ -89,6 +89,14 @@ sudo cp -f $IMAGE_CONFIGS/bash/bash.bashrc $FILESYSTEM_ROOT/etc/
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/sonic-device-data_*.deb || \
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
# Install pam-tacplus and nss-tacplus
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/libtac2_*.deb
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/libpam-tacplus_*.deb
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/libnss-tacplus_*.deb
# Disable tacplus by default
sudo LANG=C chroot $FILESYSTEM_ROOT pam-auth-update --remove tacplus
sudo sed -i -e '/^passwd/s/ tacplus//' $FILESYSTEM_ROOT/etc/nsswitch.conf
# Copy crontabs
sudo cp -f $IMAGE_CONFIGS/cron.d/* $FILESYSTEM_ROOT/etc/cron.d/

29
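--- a/rules/tacacs.mk
+++ b/rules/tacacs.mk
@@ -0,0 +1,29 @@
+# libpam-tacplus packages
+PAM_TACPLUS_VERSION = 1.4.1-1
+export PAM_TACPLUS_VERSION
+LIBPAM_TACPLUS = libpam-tacplus_$(PAM_TACPLUS_VERSION)_amd64.deb
+$(LIBPAM_TACPLUS)_RDEPENDS += $(LIBTAC2)
+$(LIBPAM_TACPLUS)_SRC_PATH = $(SRC_PATH)/tacacs/pam
+SONIC_MAKE_DEBS += $(LIBPAM_TACPLUS)
+LIBTAC_DEV = libtac-dev_$(PAM_TACPLUS_VERSION)_amd64.deb
+$(LIBTAC_DEV)_DEPENDS += $(LIBTAC2)
+$(eval $(call add_derived_package,$(LIBTAC2),$(LIBTAC_DEV)))
+LIBTAC2 = libtac2_$(PAM_TACPLUS_VERSION)_amd64.deb
+$(eval $(call add_extra_package,$(LIBPAM_TACPLUS),$(LIBTAC2)))
+# libnss-tacplus packages
+NSS_TACPLUS_VERSION = 1.0.4-1
+export NSS_TACPLUS_VERSION
+LIBNSS_TACPLUS = libnss-tacplus_$(NSS_TACPLUS_VERSION)_amd64.deb
+$(LIBNSS_TACPLUS)_DEPENDS += $(LIBTAC_DEV)
+$(LIBNSS_TACPLUS)_RDEPENDS += $(LIBTAC2)
+$(LIBNSS_TACPLUS)_SRC_PATH = $(SRC_PATH)/tacacs/nss
+SONIC_MAKE_DEBS += $(LIBNSS_TACPLUS)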
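Review bot: `$(eval $(call add_derived_package,$(LIBTAC2),$(LIBTAC_DEV)))` sits on the line before `LIBTAC2 = libtac2_$(PAM_TACPLUS_VERSION)_amd64.deb`, and `$(eval $(call ...))` expands its arguments at the moment make reads the file, so unless LIBTAC2 is already defined by an earlier makefile the call receives an empty first argument and the libtac-dev derived-package bookkeeping is attached to an empty name instead of to libtac2. The `+=` lines that reference `$(LIBTAC2)` above it are unaffected, because they create recursive variables that expand lazily at use time. Moving the `LIBTAC2 = ...` line (together with its `add_extra_package` eval) above the `LIBTAC_DEV` block makes the evaluation order explicit and removes the dependence on include order. A short comment such as `# LIBTAC2 must be defined before it is passed to add_derived_package below` would keep a later reordering from reintroducing the problem.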


@ -391,7 +391,9 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
$(LINUX_KERNEL) \
$(IGB_DRIVER) \
$(SONIC_DEVICE_DATA) \
$(SONIC_UTILS)) \
$(SONIC_UTILS) \
$(LIBPAM_TACPLUS) \
$(LIBNSS_TACPLUS)) \
$$(addprefix $(TARGET_PATH)/,$$($$*_DOCKERS)) \
$$(addprefix $(PYTHON_WHEELS_PATH)/,$(SONIC_CONFIG_ENGINE))
$(HEADER)


@ -204,6 +204,8 @@ RUN apt-get update && apt-get install -y \
# For gtest
libgtest-dev \
cmake \
# For pam_tacplus build
autoconf-archive \
# For python-based swsscommon
swig3.0 \
# For iproute2


22
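--- a/src/tacacs/nss/Makefile
+++ b/src/tacacs/nss/Makefile
@@ -0,0 +1,22 @@
+.ONESHELL:
+SHELL = /bin/bash
+.SHELLFLAGS += -e
+MAIN_TARGET = libnss-tacplus_$(NSS_TACPLUS_VERSION)_amd64.deb
+$(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
+# Obtain libnss-tacplus
+rm -rf ./libnss-tacplus
+git clone https://github.com/daveolson53/libnss-tacplus.git
+pushd ./libnss-tacplus
+git checkout -f 19008ab
+# Apply patch
+git apply ../0001-Modify-user-map-profile.patch
+dpkg-buildpackage -rfakeroot -b -us -uc
+popd
+mv $(DERIVED_TARGETS) $* $(DEST)/
+$(addprefix $(DEST)/, $(DERIVED_TARGETS)): $(DEST)/% : $(DEST)/$(MAIN_TARGET)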
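Review bot: `git checkout -f 19008ab` pins the fetched source by an abbreviated commit id, which stays unambiguous only as long as no other object in that repository shares the prefix, and the pam Makefile in this same commit (`git checkout -f v1.4.1`) pins a tag, which upstream can move or re-point. Both recipes clone from the network at build time with no other integrity check on what they compile, so pinning each checkout to the full 40-character commit id, e.g. `git checkout -f <full-40-hex-commit-id>` with a comment recording the tag or date it corresponds to, gives the build a content-addressed, immutable reference. Separately, `mv $(DERIVED_TARGETS) $* $(DEST)/` and the final rule both reference DERIVED_TARGETS, which this Makefile never defines (the pam Makefile does); unless it is supplied by the environment it expands to empty, and trimming the move to `mv $* $(DEST)/` and dropping the trailing derived-targets rule would make it clear that this package produces a single .deb.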


@ -0,0 +1,45 @@
From f293353127c504490f8d892afe39766ec94137bf Mon Sep 17 00:00:00 2001
From: Liuqu <chenchen.qcc@alibaba-inc.com>
Date: Sun, 8 Oct 2017 07:32:11 -0700
Subject: [PATCH 1/2] Don't init declarations in a for loop
* It comes from the commit "3299028... Don't init declarations in
a for loop", and modified source format to resolve conflict in
v1.4.1
---
libtac/lib/author_r.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libtac/lib/author_r.c b/libtac/lib/author_r.c
index a028144..f3b544e 100644
--- a/libtac/lib/author_r.c
+++ b/libtac/lib/author_r.c
@@ -47,6 +47,7 @@ int tac_author_read(int fd, struct areply *re) {
char *msg = NULL;
int timeleft;
re->msg = NULL;
+ unsigned int r = 0;
bzero(re, sizeof(struct areply));
if (tac_readtimeout_enable &&
@@ -132,7 +133,7 @@ int tac_author_read(int fd, struct areply *re) {
pktp = (u_char *) tb + TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE;
/* cycle through the arguments supplied in the packet */
- for (unsigned int r = 0; r < tb->arg_cnt && r < TAC_PLUS_MAX_ARGCOUNT; r++) {
+ for (r = 0; r < tb->arg_cnt && r < TAC_PLUS_MAX_ARGCOUNT; r++) {
if (len_from_body > packet_read || ((void *)pktp - (void *) tb) > packet_read) {
TACSYSLOG((LOG_ERR,\
"%s: arguments supplied in packet seem to exceed its size",\
@@ -205,7 +206,7 @@ int tac_author_read(int fd, struct areply *re) {
TACSYSLOG((LOG_DEBUG, "Args cnt %d", tb->arg_cnt));
/* argp points to current argument string
pktp points to current argument length */
- for (unsigned int r = 0; r < tb->arg_cnt && r < TAC_PLUS_MAX_ARGCOUNT;
+ for (r = 0; r < tb->arg_cnt && r < TAC_PLUS_MAX_ARGCOUNT;
r++) {
unsigned char buff[256];
unsigned char *sep;
--
2.7.4


@ -0,0 +1,19 @@
From 85bae6b84d93c4b243d29ee08ff7030376bf80cb Mon Sep 17 00:00:00 2001
From: Liuqu <chenchen.qcc@alibaba-inc.com>
Date: Sun, 8 Oct 2017 19:39:23 -0700
Subject: [PATCH 2/2] Fix libtac2-bin install directory error
---
debian/libtac2-bin.install | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/libtac2-bin.install b/debian/libtac2-bin.install
index 236670a..1df36c6 100644
--- a/debian/libtac2-bin.install
+++ b/debian/libtac2-bin.install
@@ -1 +1 @@
-usr/sbin
+usr/bin/*
--
2.7.4

25
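--- a/src/tacacs/pam/Makefile
+++ b/src/tacacs/pam/Makefile
@@ -0,0 +1,25 @@
+.ONESHELL:
+SHELL = /bin/bash
+.SHELLFLAGS += -e
+MAIN_TARGET = libpam-tacplus_$(PAM_TACPLUS_VERSION)_amd64.deb
+DERIVED_TARGETS = libtac2_$(PAM_TACPLUS_VERSION)_amd64.deb \
+libtac-dev_$(PAM_TACPLUS_VERSION)_amd64.deb
+$(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
+# Obtain pam_tacplus
+rm -rf ./pam_tacplus
+git clone https://github.com/jeroennijhof/pam_tacplus.git
+pushd ./pam_tacplus
+git checkout -f v1.4.1
+# Apply patch
+git apply ../0001-Don-t-init-declarations-in-a-for-loop.patch
+git apply ../0002-Fix-libtac2-bin-install-directory-error.patch
+dpkg-buildpackage -rfakeroot -b -us -uc
+popd
+mv $(DERIVED_TARGETS) $* $(DEST)/
+$(addprefix $(DEST)/, $(DERIVED_TARGETS)): $(DEST)/% : $(DEST)/$(MAIN_TARGET)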