[TACACS+]: Add support for TACACS+ Authentication (#1019)
* [TACACS+]: Add support for TACACS+ Authentication * pam_tacplus - A TACACS+ protocol client library and PAM module that supports the core TACACS+ functions for AAA. * nss_tacplus - An NSS plugin for TACACS+ that extends getpwnam, so that a TACACS+-authenticated user who is not found locally can log in successfully. * Add make rules for pam_tacplus and an install script * Add a patch for pam_tacplus to disable pam-auth-update pam-tacplus by default * Add a patch for pam_tacplus to include and build nss_tacplus Signed-off-by: chenchen.qcc@alibaba-inc.com * [TACACS+]: Add nss-tacplus as a separate src repo * Separate nss-tacplus from pam-tacplus, modify tacacs.mk and makefile, add a patch to adapt to the new user map profile. * Use the latest stable version for pam-tacplus, add a dependent package in sonic-slave, add two patches to fix build errors. * Add scripts to disable tacplus by default. * Remove hostcfgd service file Signed-off-by: Chenchen Qi <chenchen.qcc@alibaba-inc.com> * [TACACS+]: Fix nss-tacplus filtering out some valid TACACS+ usernames * The NAME_REGEX for the username check in the nss-tacplus plugin is the ANSI version "^[0-9a-zA-Z_-\ ]*$", but the regular expression in /etc/adduser.conf is not defined as the ANSI version. To avoid nss-tacplus filtering out some valid TACACS+ usernames, remove the username check. Signed-off-by: Chenchen Qi <chenchen.qcc@alibaba-inc.com>
This commit is contained in:
parent
4213b2dcc7
commit
8383b1f256
@ -89,6 +89,14 @@ sudo cp -f $IMAGE_CONFIGS/bash/bash.bashrc $FILESYSTEM_ROOT/etc/
|
||||
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/sonic-device-data_*.deb || \
|
||||
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
|
||||
|
||||
# Install pam-tacplus and nss-tacplus
|
||||
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/libtac2_*.deb
|
||||
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/libpam-tacplus_*.deb
|
||||
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/libnss-tacplus_*.deb
|
||||
# Disable tacplus by default
|
||||
sudo LANG=C chroot $FILESYSTEM_ROOT pam-auth-update --remove tacplus
|
||||
sudo sed -i -e '/^passwd/s/ tacplus//' $FILESYSTEM_ROOT/etc/nsswitch.conf
|
||||
|
||||
# Copy crontabs
|
||||
sudo cp -f $IMAGE_CONFIGS/cron.d/* $FILESYSTEM_ROOT/etc/cron.d/
|
||||
|
||||
|
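--- /dev/null
+++ b/rules/tacacs.mk
@@ -0,0 +1,29 @@
+# libpam-tacplus packages
+
+PAM_TACPLUS_VERSION = 1.4.1-1
+
+export PAM_TACPLUS_VERSION
+
+LIBPAM_TACPLUS = libpam-tacplus_$(PAM_TACPLUS_VERSION)_amd64.deb
+$(LIBPAM_TACPLUS)_RDEPENDS += $(LIBTAC2)
+$(LIBPAM_TACPLUS)_SRC_PATH = $(SRC_PATH)/tacacs/pam
+SONIC_MAKE_DEBS += $(LIBPAM_TACPLUS)
+
+LIBTAC_DEV = libtac-dev_$(PAM_TACPLUS_VERSION)_amd64.deb
+$(LIBTAC_DEV)_DEPENDS += $(LIBTAC2)
+$(eval $(call add_derived_package,$(LIBTAC2),$(LIBTAC_DEV)))
+
+LIBTAC2 = libtac2_$(PAM_TACPLUS_VERSION)_amd64.deb
+$(eval $(call add_extra_package,$(LIBPAM_TACPLUS),$(LIBTAC2)))
+
+
+# libnss-tacplus packages
+NSS_TACPLUS_VERSION = 1.0.4-1
+
+export NSS_TACPLUS_VERSION
+
+LIBNSS_TACPLUS = libnss-tacplus_$(NSS_TACPLUS_VERSION)_amd64.deb
+$(LIBNSS_TACPLUS)_DEPENDS += $(LIBTAC_DEV)
+$(LIBNSS_TACPLUS)_RDEPENDS += $(LIBTAC2)
+$(LIBNSS_TACPLUS)_SRC_PATH = $(SRC_PATH)/tacacs/nss
+SONIC_MAKE_DEBS += $(LIBNSS_TACPLUS)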
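Review bot: `$(eval $(call add_derived_package,$(LIBTAC2),$(LIBTAC_DEV)))` is evaluated before `LIBTAC2 = libtac2_$(PAM_TACPLUS_VERSION)_amd64.deb` is assigned two lines below it, and `$(call)` expands its arguments at parse time, so unless add_derived_package (defined outside this file) defers its first argument, the derived package is registered with an empty main package. Moving the `LIBTAC2 = …` line together with its `add_extra_package` eval above the `LIBTAC_DEV` block removes the forward reference; the `+=` lines that mention `$(LIBTAC2)` are unaffected, because `+=` on an unset variable stays recursively expanded. The libnss-tacplus block only reaches `$(LIBTAC_DEV)` through `+=`, so its order is fine as written. A comment above `PAM_TACPLUS_VERSION` such as `# Must match the Version in debian/changelog of the revision checked out in src/tacacs/pam/Makefile (v1.4.1); dpkg-buildpackage names the .deb from it` would document why this value and the checkout in the src Makefile have to move together.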
4
slave.mk
4
slave.mk
@ -391,7 +391,9 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
|
||||
$(LINUX_KERNEL) \
|
||||
$(IGB_DRIVER) \
|
||||
$(SONIC_DEVICE_DATA) \
|
||||
$(SONIC_UTILS)) \
|
||||
$(SONIC_UTILS) \
|
||||
$(LIBPAM_TACPLUS) \
|
||||
$(LIBNSS_TACPLUS)) \
|
||||
$$(addprefix $(TARGET_PATH)/,$$($$*_DOCKERS)) \
|
||||
$$(addprefix $(PYTHON_WHEELS_PATH)/,$(SONIC_CONFIG_ENGINE))
|
||||
$(HEADER)
|
||||
|
@ -204,6 +204,8 @@ RUN apt-get update && apt-get install -y \
|
||||
# For gtest
|
||||
libgtest-dev \
|
||||
cmake \
|
||||
# For pam_tacplus build
|
||||
autoconf-archive \
|
||||
# For python-based swsscommon
|
||||
swig3.0 \
|
||||
# For iproute2
|
||||
|
1459
src/tacacs/nss/0001-Modify-user-map-profile.patch
Normal file
1459
src/tacacs/nss/0001-Modify-user-map-profile.patch
Normal file
File diff suppressed because it is too large
22
src/tacacs/nss/Makefile
Normal file
22
src/tacacs/nss/Makefile
Normal file
@ -0,0 +1,22 @@
|
||||
.ONESHELL:
|
||||
SHELL = /bin/bash
|
||||
.SHELLFLAGS += -e
|
||||
|
||||
MAIN_TARGET = libnss-tacplus_$(NSS_TACPLUS_VERSION)_amd64.deb
|
||||
|
||||
$(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
|
||||
# Obtain libnss-tacplus
|
||||
rm -rf ./libnss-tacplus
|
||||
git clone https://github.com/daveolson53/libnss-tacplus.git
|
||||
pushd ./libnss-tacplus
|
||||
git checkout -f 19008ab
|
||||
|
||||
# Apply patch
|
||||
git apply ../0001-Modify-user-map-profile.patch
|
||||
|
||||
dpkg-buildpackage -rfakeroot -b -us -uc
|
||||
popd
|
||||
|
||||
mv $(DERIVED_TARGETS) $* $(DEST)/
|
||||
|
||||
$(addprefix $(DEST)/, $(DERIVED_TARGETS)): $(DEST)/% : $(DEST)/$(MAIN_TARGET)
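Review bot: `git checkout -f 19008ab` pins the source fetched by the preceding `git clone` to a 7-character abbreviated commit id, and the pam Makefile (whose section ends with the same static pattern rule) uses `git checkout -f v1.4.1`, a tag; an abbreviation can become ambiguous as the upstream repository grows and a tag can be re-pointed, so neither guarantees that a later build reproduces the revision that was reviewed and patched here. Using the full 40-character commit id in both places, e.g. `git checkout -f <FULL_COMMIT_SHA>` (placeholder — take the id from the upstream repository), makes the fetched content immutable. Separately, `DERIVED_TARGETS` is never assigned in this Makefile, so `mv $(DERIVED_TARGETS) $* $(DEST)/` and the trailing static pattern rule expand with it empty; presumably these were carried over from the pam Makefile, where it is defined, and the two references can be dropped here.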
|
@ -0,0 +1,45 @@
|
||||
From f293353127c504490f8d892afe39766ec94137bf Mon Sep 17 00:00:00 2001
|
||||
From: Liuqu <chenchen.qcc@alibaba-inc.com>
|
||||
Date: Sun, 8 Oct 2017 07:32:11 -0700
|
||||
Subject: [PATCH 1/2] Don't init declarations in a for loop
|
||||
|
||||
* It comes from the commit "3299028... Don't init declarations in
|
||||
a for loop", and modified source format to resolve conflict in
|
||||
v1.4.1
|
||||
---
|
||||
libtac/lib/author_r.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libtac/lib/author_r.c b/libtac/lib/author_r.c
|
||||
index a028144..f3b544e 100644
|
||||
--- a/libtac/lib/author_r.c
|
||||
+++ b/libtac/lib/author_r.c
|
||||
@@ -47,6 +47,7 @@ int tac_author_read(int fd, struct areply *re) {
|
||||
char *msg = NULL;
|
||||
int timeleft;
|
||||
re->msg = NULL;
|
||||
+ unsigned int r = 0;
|
||||
|
||||
bzero(re, sizeof(struct areply));
|
||||
if (tac_readtimeout_enable &&
|
||||
@@ -132,7 +133,7 @@ int tac_author_read(int fd, struct areply *re) {
|
||||
pktp = (u_char *) tb + TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE;
|
||||
|
||||
/* cycle through the arguments supplied in the packet */
|
||||
- for (unsigned int r = 0; r < tb->arg_cnt && r < TAC_PLUS_MAX_ARGCOUNT; r++) {
|
||||
+ for (r = 0; r < tb->arg_cnt && r < TAC_PLUS_MAX_ARGCOUNT; r++) {
|
||||
if (len_from_body > packet_read || ((void *)pktp - (void *) tb) > packet_read) {
|
||||
TACSYSLOG((LOG_ERR,\
|
||||
"%s: arguments supplied in packet seem to exceed its size",\
|
||||
@@ -205,7 +206,7 @@ int tac_author_read(int fd, struct areply *re) {
|
||||
TACSYSLOG((LOG_DEBUG, "Args cnt %d", tb->arg_cnt));
|
||||
/* argp points to current argument string
|
||||
pktp points to current argument length */
|
||||
- for (unsigned int r = 0; r < tb->arg_cnt && r < TAC_PLUS_MAX_ARGCOUNT;
|
||||
+ for (r = 0; r < tb->arg_cnt && r < TAC_PLUS_MAX_ARGCOUNT;
|
||||
r++) {
|
||||
unsigned char buff[256];
|
||||
unsigned char *sep;
|
||||
--
|
||||
2.7.4
|
||||
|
@ -0,0 +1,19 @@
|
||||
From 85bae6b84d93c4b243d29ee08ff7030376bf80cb Mon Sep 17 00:00:00 2001
|
||||
From: Liuqu <chenchen.qcc@alibaba-inc.com>
|
||||
Date: Sun, 8 Oct 2017 19:39:23 -0700
|
||||
Subject: [PATCH 2/2] Fix libtac2-bin install directory error
|
||||
|
||||
---
|
||||
debian/libtac2-bin.install | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/debian/libtac2-bin.install b/debian/libtac2-bin.install
|
||||
index 236670a..1df36c6 100644
|
||||
--- a/debian/libtac2-bin.install
|
||||
+++ b/debian/libtac2-bin.install
|
||||
@@ -1 +1 @@
|
||||
-usr/sbin
|
||||
+usr/bin/*
|
||||
--
|
||||
2.7.4
|
||||
|
25
src/tacacs/pam/Makefile
Normal file
25
src/tacacs/pam/Makefile
Normal file
@ -0,0 +1,25 @@
|
||||
.ONESHELL:
|
||||
SHELL = /bin/bash
|
||||
.SHELLFLAGS += -e
|
||||
|
||||
MAIN_TARGET = libpam-tacplus_$(PAM_TACPLUS_VERSION)_amd64.deb
|
||||
DERIVED_TARGETS = libtac2_$(PAM_TACPLUS_VERSION)_amd64.deb \
|
||||
libtac-dev_$(PAM_TACPLUS_VERSION)_amd64.deb
|
||||
|
||||
$(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
|
||||
# Obtain pam_tacplus
|
||||
rm -rf ./pam_tacplus
|
||||
git clone https://github.com/jeroennijhof/pam_tacplus.git
|
||||
pushd ./pam_tacplus
|
||||
git checkout -f v1.4.1
|
||||
|
||||
# Apply patch
|
||||
git apply ../0001-Don-t-init-declarations-in-a-for-loop.patch
|
||||
git apply ../0002-Fix-libtac2-bin-install-directory-error.patch
|
||||
|
||||
dpkg-buildpackage -rfakeroot -b -us -uc
|
||||
popd
|
||||
|
||||
mv $(DERIVED_TARGETS) $* $(DEST)/
|
||||
|
||||
$(addprefix $(DEST)/, $(DERIVED_TARGETS)): $(DEST)/% : $(DEST)/$(MAIN_TARGET)
|