[TACACS+] Add Config DB schema and HostCfg Enforcer plugin to support TACACS+ per-command authorization&accounting. (#9029)

[TACACS+] Add Config DB schema and HostCfg Enforcer plugin to support TACACS+ per-command authorization&accounting. (#9029)

#### Why I did it
    Support TACACS per-command authorization&accounting.

#### How I did it
    Change ConfigDB schema and HostCfg enforcer.
    Add UT to cover changed code.

#### How to verify it
    Build following project and pass all UTs:
    make target/python-wheels/sonic_host_services-1.0-py3-none-any.whl

#### Which release branch to backport (provide reason below if selected)
    N/A

#### Description for the changelog
    Add Config DB schema and HostCfg Enforcer plugin to support TACACS+ per-command authorization&accounting.

#### A picture of a cute animal (not mandatory but encouraged)

src/sonic-host-services-data/templates/tacplus_nss.conf.j2

@@ -7,6 +7,34 @@
 debug=on
 {% endif %}
 
+# local_accounting - If you want to local accounting, set it
+# Default: None
+# local_accounting
+{% if local_accounting %}
+local_accounting
+{% endif %}
+
+# tacacs_accounting - If you want to tacacs+ accounting, set it
+# Default: None
+# tacacs_accounting
+{% if tacacs_accounting %}
+tacacs_accounting
+{% endif %}
+
+# local_authorization - If you want to local authorization, set it
+# Default: None
+# local_authorization
+{% if local_authorization %}
+local_authorization
+{% endif %}
+
+# tacacs_authorization - If you want to tacacs+ authorization, set it
+# Default: None
+# tacacs_authorization
+{% if tacacs_authorization %}
+tacacs_authorization
+{% endif %}
+
 # src_ip - set source address of TACACS+ protocol packets
 # Default: None (auto source ip address)
 # src_ip=2.2.2.2

src/sonic-host-services/pytest.ini

@@ -1,2 +1,2 @@
 [pytest]
-addopts = --cov=scripts --cov-report html --cov-report term --cov-report xml --ignore=tests/hostcfgd/test_vectors.py --ignore=tests/hostcfgd/test_radius_vectors.py  --ignore=tests/caclmgrd/test_dhcp_vectors.py
+addopts = --cov=scripts --cov-report html --cov-report term --cov-report xml --ignore=tests/*/test*_vectors.py 

src/sonic-host-services/scripts/hostcfgd

@@ -429,9 +429,15 @@ class Iptables(object):
 
 class AaaCfg(object):
     def __init__(self):
-        self.auth_default = {
+        self.authentication_default = {
             'login': 'local',
         }
+        self.authorization_default = {
+            'login': 'local',
+        }
+        self.accounting_default = {
+            'login': 'disable',
+        }
         self.tacplus_global_default = {
             'auth_type': TACPLUS_SERVER_AUTH_TYPE_DEFAULT,
             'timeout': TACPLUS_SERVER_TIMEOUT_DEFAULT,
@@ -451,7 +457,9 @@ class AaaCfg(object):
         self.radius_global = {}
         self.radius_servers = {}
 
-        self.auth = {}
+        self.authentication = {}
+        self.authorization = {}
+        self.accounting = {}
         self.debug = False
         self.trace = False
 
@@ -475,11 +483,15 @@ class AaaCfg(object):
 
     def aaa_update(self, key, data, modify_conf=True):
         if key == 'authentication':
-            self.auth = data
+            self.authentication = data
             if 'failthrough' in data:
-                self.auth['failthrough'] = is_true(data['failthrough'])
+                self.authentication['failthrough'] = is_true(data['failthrough'])
             if 'debug' in data:
                 self.debug = is_true(data['debug'])
+        if key == 'authorization':
+            self.authorization = data
+        if key == 'accounting':
+            self.accounting = data
         if modify_conf:
             self.modify_conf_file()
 
@@ -628,8 +640,12 @@ class AaaCfg(object):
             os.system(cmd)
 
     def modify_conf_file(self):
-        auth = self.auth_default.copy()
+        authentication = self.authentication_default.copy()
-        auth.update(self.auth)
+        authentication.update(self.authentication)
+        authorization = self.authorization_default.copy()
+        authorization.update(self.authorization)
+        accounting = self.accounting_default.copy()
+        accounting.update(self.accounting)
         tacplus_global = self.tacplus_global_default.copy()
         tacplus_global.update(self.tacplus_global)
         if 'src_ip' in tacplus_global:
@@ -688,10 +704,10 @@ class AaaCfg(object):
         env = jinja2.Environment(loader=jinja2.FileSystemLoader('/'), trim_blocks=True)
         env.filters['sub'] = sub
         template = env.get_template(template_file)
-        if 'radius' in auth['login']:
+        if 'radius' in authentication['login']:
-            pam_conf = template.render(debug=self.debug, trace=self.trace, auth=auth, servers=radsrvs_conf)
+            pam_conf = template.render(debug=self.debug, trace=self.trace, auth=authentication, servers=radsrvs_conf)
         else:
-            pam_conf = template.render(auth=auth, src_ip=src_ip, servers=servers_conf)
+            pam_conf = template.render(auth=authentication, src_ip=src_ip, servers=servers_conf)
 
         # Use rename(), which is atomic (on the same fs) to avoid empty file
         with open(PAM_AUTH_CONF + ".tmp", 'w') as f:
@@ -710,11 +726,11 @@ class AaaCfg(object):
             self.modify_single_file(ETC_PAMD_LOGIN, [ "'/^@include/s/common-auth-sonic$/common-auth/'" ])
 
         # Add tacplus/radius in nsswitch.conf if TACACS+/RADIUS enable
-        if 'tacacs+' in auth['login']:
+        if 'tacacs+' in authentication['login']:
             if os.path.isfile(NSS_CONF):
                 self.modify_single_file(NSS_CONF, [ "'/^passwd/s/ radius//'" ])
                 self.modify_single_file(NSS_CONF, [ "'/tacplus/b'", "'/^passwd/s/compat/tacplus &/'", "'/^passwd/s/files/tacplus &/'" ])
-        elif 'radius' in auth['login']:
+        elif 'radius' in authentication['login']:
             if os.path.isfile(NSS_CONF):
                 self.modify_single_file(NSS_CONF, [ "'/^passwd/s/tacplus //'" ])
                 self.modify_single_file(NSS_CONF, [ "'/radius/b'", "'/^passwd/s/compat/& radius/'", "'/^passwd/s/files/& radius/'" ])
@@ -723,10 +739,33 @@ class AaaCfg(object):
                 self.modify_single_file(NSS_CONF, [ "'/^passwd/s/tacplus //g'" ])
                 self.modify_single_file(NSS_CONF, [ "'/^passwd/s/ radius//'" ])
 
+        # Add tacplus authorization configration in nsswitch.conf
+        tacacs_authorization_conf = None
+        local_authorization_conf = None
+        if 'tacacs+' in authorization['login']:
+            tacacs_authorization_conf = "on"
+        if 'local' in authorization['login']:
+            local_authorization_conf = "on"
+
+        # Add tacplus accounting configration in nsswitch.conf
+        tacacs_accounting_conf = None
+        local_accounting_conf = None
+        if 'tacacs+' in accounting['login']:
+            tacacs_accounting_conf = "on"
+        if 'local' in accounting['login']:
+            local_accounting_conf = "on"
+
         # Set tacacs+ server in nss-tacplus conf
         template_file = os.path.abspath(NSS_TACPLUS_CONF_TEMPLATE)
         template = env.get_template(template_file)
-        nss_tacplus_conf = template.render(debug=self.debug, src_ip=src_ip, servers=servers_conf)
+        nss_tacplus_conf = template.render(
+                                        debug=self.debug,
+                                        src_ip=src_ip,
+                                        servers=servers_conf,
+                                        local_accounting=local_accounting_conf,
+                                        tacacs_accounting=tacacs_accounting_conf,
+                                        local_authorization=local_authorization_conf,
+                                        tacacs_authorization=tacacs_authorization_conf)
         with open(NSS_TACPLUS_CONF, 'w') as f:
             f.write(nss_tacplus_conf)
 
@@ -752,7 +791,7 @@ class AaaCfg(object):
                     f.write(pam_radius_auth_conf)
 
         # Start the statistics service. Only RADIUS implemented
-        if ('radius' in auth['login']) and ('statistics' in radius_global) and\
+        if ('radius' in authentication['login']) and ('statistics' in radius_global) and \
                 radius_global['statistics']:
             cmd = 'service aaastatsd start'
         else:

src/sonic-host-services/tests/hostcfgd/hostcfgd_tacacs_test.py

@@ -0,0 +1,118 @@
+import importlib.machinery
+import importlib.util
+import filecmp
+import shutil
+import os
+import sys
+import subprocess
+from swsscommon import swsscommon
+
+from parameterized import parameterized
+from unittest import TestCase, mock
+from tests.hostcfgd.test_tacacs_vectors import HOSTCFGD_TEST_TACACS_VECTOR
+from tests.common.mock_configdb import MockConfigDb, MockSubscriberStateTable
+from tests.common.mock_configdb import MockSelect, MockDBConnector
+
+test_path = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+modules_path = os.path.dirname(test_path)
+scripts_path = os.path.join(modules_path, "scripts")
+src_path = os.path.dirname(modules_path)
+templates_path = os.path.join(src_path, "sonic-host-services-data/templates")
+output_path = os.path.join(test_path, "hostcfgd/output")
+sample_output_path = os.path.join(test_path, "hostcfgd/sample_output")
+sys.path.insert(0, modules_path)
+
+# Load the file under test
+hostcfgd_path = os.path.join(scripts_path, 'hostcfgd')
+loader = importlib.machinery.SourceFileLoader('hostcfgd', hostcfgd_path)
+spec = importlib.util.spec_from_loader(loader.name, loader)
+hostcfgd = importlib.util.module_from_spec(spec)
+loader.exec_module(hostcfgd)
+sys.modules['hostcfgd'] = hostcfgd
+
+# Mock swsscommon classes
+hostcfgd.ConfigDBConnector = MockConfigDb
+hostcfgd.SubscriberStateTable = MockSubscriberStateTable
+hostcfgd.Select = MockSelect
+hostcfgd.DBConnector = MockDBConnector
+
+class TestHostcfgdTACACS(TestCase):
+    """
+        Test hostcfd daemon - TACACS
+    """
+    def run_diff(self, file1, file2):
+        return subprocess.check_output('diff -uR {} {} || true'.format(file1, file2), shell=True)
+
+    """
+        Check different config 
+    """
+    def check_config(self, test_name, test_data, config_name):
+        t_path = templates_path
+        op_path = output_path + "/" + test_name + "_" + config_name
+        sop_path = sample_output_path + "/" +  test_name + "_" + config_name
+
+        hostcfgd.PAM_AUTH_CONF_TEMPLATE = t_path + "/common-auth-sonic.j2"
+        hostcfgd.NSS_TACPLUS_CONF_TEMPLATE = t_path + "/tacplus_nss.conf.j2"
+        hostcfgd.NSS_RADIUS_CONF_TEMPLATE = t_path + "/radius_nss.conf.j2"
+        hostcfgd.PAM_RADIUS_AUTH_CONF_TEMPLATE = t_path + "/pam_radius_auth.conf.j2"
+        hostcfgd.PAM_AUTH_CONF = op_path + "/common-auth-sonic"
+        hostcfgd.NSS_TACPLUS_CONF = op_path + "/tacplus_nss.conf"
+        hostcfgd.NSS_RADIUS_CONF = op_path + "/radius_nss.conf"
+        hostcfgd.NSS_CONF = op_path + "/nsswitch.conf"
+        hostcfgd.ETC_PAMD_SSHD = op_path + "/sshd"
+        hostcfgd.ETC_PAMD_LOGIN = op_path + "/login"
+        hostcfgd.RADIUS_PAM_AUTH_CONF_DIR = op_path + "/"
+
+        shutil.rmtree( op_path, ignore_errors=True)
+        os.mkdir( op_path)
+
+        shutil.copyfile( sop_path + "/sshd.old", op_path + "/sshd")
+        shutil.copyfile( sop_path + "/login.old", op_path + "/login")
+
+        MockConfigDb.set_config_db(test_data[config_name])
+        host_config_daemon = hostcfgd.HostConfigDaemon()
+
+        aaa = host_config_daemon.config_db.get_table('AAA')
+
+        try:
+            tacacs_global = host_config_daemon.config_db.get_table('TACPLUS')
+        except:
+            tacacs_global = []
+        try:
+            tacacs_server = \
+                host_config_daemon.config_db.get_table('TACPLUS_SERVER')
+        except:
+            tacacs_server = []
+
+        host_config_daemon.aaacfg.load(aaa,tacacs_global,tacacs_server,[],[])
+        dcmp = filecmp.dircmp(sop_path, op_path)
+        diff_output = ""
+        for name in dcmp.diff_files:
+            diff_output += \
+                "Diff: file: {} expected: {} output: {}\n".format(\
+                    name, dcmp.left, dcmp.right)
+            diff_output += self.run_diff( dcmp.left + "/" + name,\
+                dcmp.right + "/" + name)
+        self.assertTrue(len(diff_output) == 0, diff_output)
+
+
+    @parameterized.expand(HOSTCFGD_TEST_TACACS_VECTOR)
+    def test_hostcfgd_tacacs(self, test_name, test_data):
+        """
+            Test TACACS hostcfd daemon initialization
+
+            Args:
+                test_name(str): test name
+                test_data(dict): test data which contains initial Config Db tables, and expected results
+
+            Returns:
+                None
+        """
+        # test local config
+        self.check_config(test_name, test_data, "config_db_local")
+        # test remote config
+        self.check_config(test_name, test_data, "config_db_tacacs")
+        # test local + tacacs config
+        self.check_config(test_name, test_data, "config_db_local_and_tacacs")
+        # test disable accounting
+        self.check_config(test_name, test_data, "config_db_disable_accounting")

src/sonic-host-services/tests/hostcfgd/sample_output/LOCAL/tacplus_nss.conf

@@ -5,6 +5,23 @@
 # debug=on
 debug=on
 
+# local_accounting - If you want to local accounting, set it
+# Default: None
+# local_accounting
+
+# tacacs_accounting - If you want to tacacs+ accounting, set it
+# Default: None
+# tacacs_accounting
+
+# local_authorization - If you want to local authorization, set it
+# Default: None
+# local_authorization
+local_authorization
+
+# tacacs_authorization - If you want to tacacs+ authorization, set it
+# Default: None
+# tacacs_authorization
+
 # src_ip - set source address of TACACS+ protocol packets
 # Default: None (auto source ip address)
 # src_ip=2.2.2.2

src/sonic-host-services/tests/hostcfgd/sample_output/RADIUS/tacplus_nss.conf

@@ -5,6 +5,23 @@
 # debug=on
 debug=on
 
+# local_accounting - If you want to local accounting, set it
+# Default: None
+# local_accounting
+
+# tacacs_accounting - If you want to tacacs+ accounting, set it
+# Default: None
+# tacacs_accounting
+
+# local_authorization - If you want to local authorization, set it
+# Default: None
+# local_authorization
+local_authorization
+
+# tacacs_authorization - If you want to tacacs+ authorization, set it
+# Default: None
+# tacacs_authorization
+
 # src_ip - set source address of TACACS+ protocol packets
 # Default: None (auto source ip address)
 # src_ip=2.2.2.2

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_disable_accounting/common-auth-sonic

@@ -0,0 +1,21 @@
+#THIS IS AN AUTO-GENERATED FILE
+#
+# /etc/pam.d/common-auth- authentication settings common to all services
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# here are the per-package modules (the "Primary" block)
+
+auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass
+
+#
+# here's the fallback if no module succeeds
+auth    requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth    required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_disable_accounting/login

@@ -0,0 +1,116 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth-sonic
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restraint on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon successful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+
+# Prints the status of the user's mailbox upon successful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Create a new session keyring.
+session    optional   pam_keyinit.so force revoke
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_disable_accounting/login.old

@@ -0,0 +1,116 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restraint on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon successful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+
+# Prints the status of the user's mailbox upon successful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Create a new session keyring.
+session    optional   pam_keyinit.so force revoke
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_disable_accounting/radius_nss.conf

@@ -0,0 +1,55 @@
+#THIS IS AN AUTO-GENERATED FILE
+# Generated from: /usr/share/sonic/templates/radius_nss.conf.j2
+# RADIUS NSS Configuration File
+#
+# Debug: on|off|trace
+# Default: off
+#
+# debug=on
+
+#
+# User Privilege:
+# Default:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
+
+# Eg:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=7;pw_info=netops;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=1;pw_info=operator;gid=100;group=docker;shell=/usr/bin/sonic-launch-shell
+#
+
+# many_to_one:
+#   y: Map RADIUS users to one local user per privilege.
+#   n: Create local user account on first successful authentication.
+# Default: n
+#
+
+# Eg:
+# many_to_one=y
+#
+
+# unconfirmed_disallow:
+#   y: Do not allow unconfirmed users (users created before authentication)
+#   n: Allow unconfirmed users.
+# Default: n
+
+# Eg:
+# unconfirmed_disallow=y
+#
+
+# unconfirmed_ageout:
+#   <seconds>: Wait time before purging unconfirmed users
+# Default: 600
+#
+
+# Eg:
+# unconfirmed_ageout=900
+#
+
+# unconfirmed_regexp:
+#   <regexp>: The RE to match the command line of processes for which the
+#             creation of unconfirmed users are to be allowed.
+# Default: (.*: <user> \[priv\])|(.*: \[accepted\])
+#   where: <user> is the unconfirmed user.
+#

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_disable_accounting/sshd

@@ -0,0 +1,55 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth-sonic
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_disable_accounting/sshd.old

@@ -0,0 +1,55 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_disable_accounting/tacplus_nss.conf

@@ -0,0 +1,41 @@
+# Configuration for libnss-tacplus
+
+# debug - If you want to open debug log, set it on
+# Default: off
+# debug=on
+
+# local_accounting - If you want to local accounting, set it
+# Default: None
+# local_accounting
+
+# tacacs_accounting - If you want to tacacs+ accounting, set it
+# Default: None
+# tacacs_accounting
+
+# local_authorization - If you want to local authorization, set it
+# Default: None
+# local_authorization
+local_authorization
+
+# tacacs_authorization - If you want to tacacs+ authorization, set it
+# Default: None
+# tacacs_authorization
+
+# src_ip - set source address of TACACS+ protocol packets
+# Default: None (auto source ip address)
+# src_ip=2.2.2.2
+
+# server - set ip address, tcp port, secret string and timeout for TACACS+ servers
+# Default: None (no TACACS+ server)
+# server=1.1.1.1:49,secret=test,timeout=3
+server=192.168.1.1:50,secret=dellsonic,timeout=10,vrf=default
+server=192.168.1.2:51,secret=dellsonic1,timeout=15,vrf=mgmt
+
+# user_priv - set the map between TACACS+ user privilege and local user's passwd
+# Default:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/bin/bash
+# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/bin/bash
+
+# many_to_one - create one local user for many TACACS+ users which has the same privilege
+# Default: many_to_one=n
+# many_to_one=y

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local/common-auth-sonic

@@ -0,0 +1,21 @@
+#THIS IS AN AUTO-GENERATED FILE
+#
+# /etc/pam.d/common-auth- authentication settings common to all services
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# here are the per-package modules (the "Primary" block)
+
+auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass
+
+#
+# here's the fallback if no module succeeds
+auth    requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth    required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local/login

@@ -0,0 +1,116 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth-sonic
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restraint on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon successful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+
+# Prints the status of the user's mailbox upon successful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Create a new session keyring.
+session    optional   pam_keyinit.so force revoke
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local/login.old

@@ -0,0 +1,116 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restraint on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon successful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+
+# Prints the status of the user's mailbox upon successful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Create a new session keyring.
+session    optional   pam_keyinit.so force revoke
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local/radius_nss.conf

@@ -0,0 +1,55 @@
+#THIS IS AN AUTO-GENERATED FILE
+# Generated from: /usr/share/sonic/templates/radius_nss.conf.j2
+# RADIUS NSS Configuration File
+#
+# Debug: on|off|trace
+# Default: off
+#
+# debug=on
+
+#
+# User Privilege:
+# Default:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
+
+# Eg:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=7;pw_info=netops;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=1;pw_info=operator;gid=100;group=docker;shell=/usr/bin/sonic-launch-shell
+#
+
+# many_to_one:
+#   y: Map RADIUS users to one local user per privilege.
+#   n: Create local user account on first successful authentication.
+# Default: n
+#
+
+# Eg:
+# many_to_one=y
+#
+
+# unconfirmed_disallow:
+#   y: Do not allow unconfirmed users (users created before authentication)
+#   n: Allow unconfirmed users.
+# Default: n
+
+# Eg:
+# unconfirmed_disallow=y
+#
+
+# unconfirmed_ageout:
+#   <seconds>: Wait time before purging unconfirmed users
+# Default: 600
+#
+
+# Eg:
+# unconfirmed_ageout=900
+#
+
+# unconfirmed_regexp:
+#   <regexp>: The RE to match the command line of processes for which the
+#             creation of unconfirmed users are to be allowed.
+# Default: (.*: <user> \[priv\])|(.*: \[accepted\])
+#   where: <user> is the unconfirmed user.
+#

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local/sshd

@@ -0,0 +1,55 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth-sonic
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local/sshd.old

@@ -0,0 +1,55 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local/tacplus_nss.conf

@@ -0,0 +1,42 @@
+# Configuration for libnss-tacplus
+
+# debug - If you want to open debug log, set it on
+# Default: off
+# debug=on
+
+# local_accounting - If you want to local accounting, set it
+# Default: None
+# local_accounting
+local_accounting
+
+# tacacs_accounting - If you want to tacacs+ accounting, set it
+# Default: None
+# tacacs_accounting
+
+# local_authorization - If you want to local authorization, set it
+# Default: None
+# local_authorization
+local_authorization
+
+# tacacs_authorization - If you want to tacacs+ authorization, set it
+# Default: None
+# tacacs_authorization
+
+# src_ip - set source address of TACACS+ protocol packets
+# Default: None (auto source ip address)
+# src_ip=2.2.2.2
+
+# server - set ip address, tcp port, secret string and timeout for TACACS+ servers
+# Default: None (no TACACS+ server)
+# server=1.1.1.1:49,secret=test,timeout=3
+server=192.168.1.1:50,secret=dellsonic,timeout=10,vrf=default
+server=192.168.1.2:51,secret=dellsonic1,timeout=15,vrf=mgmt
+
+# user_priv - set the map between TACACS+ user privilege and local user's passwd
+# Default:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/bin/bash
+# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/bin/bash
+
+# many_to_one - create one local user for many TACACS+ users which has the same privilege
+# Default: many_to_one=n
+# many_to_one=y

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local_and_tacacs/common-auth-sonic

@@ -0,0 +1,21 @@
+#THIS IS AN AUTO-GENERATED FILE
+#
+# /etc/pam.d/common-auth- authentication settings common to all services
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# here are the per-package modules (the "Primary" block)
+
+auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass
+
+#
+# here's the fallback if no module succeeds
+auth    requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth    required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local_and_tacacs/login

@@ -0,0 +1,116 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth-sonic
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restraint on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon successful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+
+# Prints the status of the user's mailbox upon successful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Create a new session keyring.
+session    optional   pam_keyinit.so force revoke
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local_and_tacacs/login.old

@@ -0,0 +1,116 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restraint on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon successful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+
+# Prints the status of the user's mailbox upon successful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Create a new session keyring.
+session    optional   pam_keyinit.so force revoke
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local_and_tacacs/radius_nss.conf

@@ -0,0 +1,55 @@
+#THIS IS AN AUTO-GENERATED FILE
+# Generated from: /usr/share/sonic/templates/radius_nss.conf.j2
+# RADIUS NSS Configuration File
+#
+# Debug: on|off|trace
+# Default: off
+#
+# debug=on
+
+#
+# User Privilege:
+# Default:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
+
+# Eg:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=7;pw_info=netops;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=1;pw_info=operator;gid=100;group=docker;shell=/usr/bin/sonic-launch-shell
+#
+
+# many_to_one:
+#   y: Map RADIUS users to one local user per privilege.
+#   n: Create local user account on first successful authentication.
+# Default: n
+#
+
+# Eg:
+# many_to_one=y
+#
+
+# unconfirmed_disallow:
+#   y: Do not allow unconfirmed users (users created before authentication)
+#   n: Allow unconfirmed users.
+# Default: n
+
+# Eg:
+# unconfirmed_disallow=y
+#
+
+# unconfirmed_ageout:
+#   <seconds>: Wait time before purging unconfirmed users
+# Default: 600
+#
+
+# Eg:
+# unconfirmed_ageout=900
+#
+
+# unconfirmed_regexp:
+#   <regexp>: The RE to match the command line of processes for which the
+#             creation of unconfirmed users are to be allowed.
+# Default: (.*: <user> \[priv\])|(.*: \[accepted\])
+#   where: <user> is the unconfirmed user.
+#

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local_and_tacacs/sshd

@@ -0,0 +1,55 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth-sonic
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local_and_tacacs/sshd.old

@@ -0,0 +1,55 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_local_and_tacacs/tacplus_nss.conf

@@ -0,0 +1,44 @@
+# Configuration for libnss-tacplus
+
+# debug - If you want to open debug log, set it on
+# Default: off
+# debug=on
+
+# local_accounting - If you want to local accounting, set it
+# Default: None
+# local_accounting
+local_accounting
+
+# tacacs_accounting - If you want to tacacs+ accounting, set it
+# Default: None
+# tacacs_accounting
+tacacs_accounting
+
+# local_authorization - If you want to local authorization, set it
+# Default: None
+# local_authorization
+local_authorization
+
+# tacacs_authorization - If you want to tacacs+ authorization, set it
+# Default: None
+# tacacs_authorization
+tacacs_authorization
+
+# src_ip - set source address of TACACS+ protocol packets
+# Default: None (auto source ip address)
+# src_ip=2.2.2.2
+
+# server - set ip address, tcp port, secret string and timeout for TACACS+ servers
+# Default: None (no TACACS+ server)
+# server=1.1.1.1:49,secret=test,timeout=3
+server=192.168.1.1:50,secret=dellsonic,timeout=10,vrf=default
+server=192.168.1.2:51,secret=dellsonic1,timeout=15,vrf=mgmt
+
+# user_priv - set the map between TACACS+ user privilege and local user's passwd
+# Default:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/bin/bash
+# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/bin/bash
+
+# many_to_one - create one local user for many TACACS+ users which has the same privilege
+# Default: many_to_one=n
+# many_to_one=y

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_tacacs/common-auth-sonic

@@ -0,0 +1,21 @@
+#THIS IS AN AUTO-GENERATED FILE
+#
+# /etc/pam.d/common-auth- authentication settings common to all services
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# here are the per-package modules (the "Primary" block)
+
+auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass
+
+#
+# here's the fallback if no module succeeds
+auth    requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth    required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_tacacs/login

@@ -0,0 +1,116 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth-sonic
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restraint on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon successful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+
+# Prints the status of the user's mailbox upon successful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Create a new session keyring.
+session    optional   pam_keyinit.so force revoke
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_tacacs/login.old

@@ -0,0 +1,116 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restraint on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon successful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+
+# Prints the status of the user's mailbox upon successful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Create a new session keyring.
+session    optional   pam_keyinit.so force revoke
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_tacacs/radius_nss.conf

@@ -0,0 +1,55 @@
+#THIS IS AN AUTO-GENERATED FILE
+# Generated from: /usr/share/sonic/templates/radius_nss.conf.j2
+# RADIUS NSS Configuration File
+#
+# Debug: on|off|trace
+# Default: off
+#
+# debug=on
+
+#
+# User Privilege:
+# Default:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
+
+# Eg:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=7;pw_info=netops;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
+# user_priv=1;pw_info=operator;gid=100;group=docker;shell=/usr/bin/sonic-launch-shell
+#
+
+# many_to_one:
+#   y: Map RADIUS users to one local user per privilege.
+#   n: Create local user account on first successful authentication.
+# Default: n
+#
+
+# Eg:
+# many_to_one=y
+#
+
+# unconfirmed_disallow:
+#   y: Do not allow unconfirmed users (users created before authentication)
+#   n: Allow unconfirmed users.
+# Default: n
+
+# Eg:
+# unconfirmed_disallow=y
+#
+
+# unconfirmed_ageout:
+#   <seconds>: Wait time before purging unconfirmed users
+# Default: 600
+#
+
+# Eg:
+# unconfirmed_ageout=900
+#
+
+# unconfirmed_regexp:
+#   <regexp>: The RE to match the command line of processes for which the
+#             creation of unconfirmed users are to be allowed.
+# Default: (.*: <user> \[priv\])|(.*: \[accepted\])
+#   where: <user> is the unconfirmed user.
+#

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_tacacs/sshd

@@ -0,0 +1,55 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth-sonic
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_tacacs/sshd.old

@@ -0,0 +1,55 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password

src/sonic-host-services/tests/hostcfgd/sample_output/TACACS_config_db_tacacs/tacplus_nss.conf

@@ -0,0 +1,42 @@
+# Configuration for libnss-tacplus
+
+# debug - If you want to open debug log, set it on
+# Default: off
+# debug=on
+
+# local_accounting - If you want to local accounting, set it
+# Default: None
+# local_accounting
+
+# tacacs_accounting - If you want to tacacs+ accounting, set it
+# Default: None
+# tacacs_accounting
+tacacs_accounting
+
+# local_authorization - If you want to local authorization, set it
+# Default: None
+# local_authorization
+
+# tacacs_authorization - If you want to tacacs+ authorization, set it
+# Default: None
+# tacacs_authorization
+tacacs_authorization
+
+# src_ip - set source address of TACACS+ protocol packets
+# Default: None (auto source ip address)
+# src_ip=2.2.2.2
+
+# server - set ip address, tcp port, secret string and timeout for TACACS+ servers
+# Default: None (no TACACS+ server)
+# server=1.1.1.1:49,secret=test,timeout=3
+server=192.168.1.1:50,secret=dellsonic,timeout=10,vrf=default
+server=192.168.1.2:51,secret=dellsonic1,timeout=15,vrf=mgmt
+
+# user_priv - set the map between TACACS+ user privilege and local user's passwd
+# Default:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/bin/bash
+# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/bin/bash
+
+# many_to_one - create one local user for many TACACS+ users which has the same privilege
+# Default: many_to_one=n
+# many_to_one=y

src/sonic-host-services/tests/hostcfgd/test_tacacs_vectors.py

@@ -0,0 +1,260 @@
+from unittest.mock import call
+
+"""
+    hostcfgd test tacacs vector
+"""
+HOSTCFGD_TEST_TACACS_VECTOR = [
+    [
+        "TACACS",
+        {
+            "config_db_local": {
+                "DEVICE_METADATA": {
+                    "localhost": {
+                        "hostname": "radius",
+                    }
+                },
+                "FEATURE": {
+                    "dhcp_relay": {
+                        "auto_restart": "enabled",
+                        "has_global_scope": "True",
+                        "has_per_asic_scope": "False",
+                        "has_timer": "False",
+                        "high_mem_alert": "disabled",
+                        "set_owner": "kube",
+                        "state": "enabled"
+                    },
+                },
+                "KDUMP": {
+                    "config": {
+                        "enabled": "false",
+                        "num_dumps": "3",
+                        "memory": "0M-2G:256M,2G-4G:320M,4G-8G:384M,8G-:448M"
+                        }
+                },
+                "AAA": {
+                    "authentication": {
+                        "login": "local"
+                    },
+                    "authorization": {
+                        "login": "local" 
+                    },
+                    "accounting": {
+                        "login": "local" 
+                    }
+                },
+                "TACPLUS": {
+                    "global": {
+                            "auth_type": "chap",
+                            "timeout": 5,
+                            "passkey": "dellsonic",
+                            "src_intf": "Ethernet0"
+                    }
+                },
+                "TACPLUS_SERVER": {
+                    "192.168.1.1" : {
+                            "priority": 5,
+                            "tcp_port": 50,
+                            "timeout": 10,
+                            "auth_type": "chap",
+                            "passkey": "dellsonic",
+                            "vrf": "default"
+                    },
+                    "192.168.1.2" : {
+                            "priority": 2,
+                            "tcp_port": 51,
+                            "timeout": 15,
+                            "auth_type": "pap",
+                            "passkey": "dellsonic1",
+                            "vrf": "mgmt"
+                    }
+                },
+            },
+            "config_db_tacacs": {
+                "DEVICE_METADATA": {
+                    "localhost": {
+                        "hostname": "radius",
+                    }
+                },
+                "FEATURE": {
+                    "dhcp_relay": {
+                        "auto_restart": "enabled",
+                        "has_global_scope": "True",
+                        "has_per_asic_scope": "False",
+                        "has_timer": "False",
+                        "high_mem_alert": "disabled",
+                        "set_owner": "kube",
+                        "state": "enabled"
+                    },
+                },
+                "KDUMP": {
+                    "config": {
+                        "enabled": "false",
+                        "num_dumps": "3",
+                        "memory": "0M-2G:256M,2G-4G:320M,4G-8G:384M,8G-:448M"
+                        }
+                },
+                "AAA": {
+                    "authentication": {
+                        "login": "local"
+                    },
+                    "authorization": {
+                        "login": "tacacs+" 
+                    },
+                    "accounting": {
+                        "login": "tacacs+" 
+                    }
+                },
+                "TACPLUS": {
+                    "global": {
+                            "auth_type": "chap",
+                            "timeout": 5,
+                            "passkey": "dellsonic",
+                            "src_intf": "Ethernet0"
+                    }
+                },
+                "TACPLUS_SERVER": {
+                    "192.168.1.1" : {
+                            "priority": 5,
+                            "tcp_port": 50,
+                            "timeout": 10,
+                            "auth_type": "chap",
+                            "passkey": "dellsonic",
+                            "vrf": "default"
+                    },
+                    "192.168.1.2" : {
+                            "priority": 2,
+                            "tcp_port": 51,
+                            "timeout": 15,
+                            "auth_type": "pap",
+                            "passkey": "dellsonic1",
+                            "vrf": "mgmt"
+                    }
+                },
+            },
+            "config_db_local_and_tacacs": {
+                "DEVICE_METADATA": {
+                    "localhost": {
+                        "hostname": "radius",
+                    }
+                },
+                "FEATURE": {
+                    "dhcp_relay": {
+                        "auto_restart": "enabled",
+                        "has_global_scope": "True",
+                        "has_per_asic_scope": "False",
+                        "has_timer": "False",
+                        "high_mem_alert": "disabled",
+                        "set_owner": "kube",
+                        "state": "enabled"
+                    },
+                },
+                "KDUMP": {
+                    "config": {
+                        "enabled": "false",
+                        "num_dumps": "3",
+                        "memory": "0M-2G:256M,2G-4G:320M,4G-8G:384M,8G-:448M"
+                        }
+                },
+                "AAA": {
+                    "authentication": {
+                        "login": "local"
+                    },
+                    "authorization": {
+                        "login": "tacacs+ local" 
+                    },
+                    "accounting": {
+                        "login": "tacacs+ local" 
+                    }
+                },
+                "TACPLUS": {
+                    "global": {
+                            "auth_type": "chap",
+                            "timeout": 5,
+                            "passkey": "dellsonic",
+                            "src_intf": "Ethernet0"
+                    }
+                },
+                "TACPLUS_SERVER": {
+                    "192.168.1.1" : {
+                            "priority": 5,
+                            "tcp_port": 50,
+                            "timeout": 10,
+                            "auth_type": "chap",
+                            "passkey": "dellsonic",
+                            "vrf": "default"
+                    },
+                    "192.168.1.2" : {
+                            "priority": 2,
+                            "tcp_port": 51,
+                            "timeout": 15,
+                            "auth_type": "pap",
+                            "passkey": "dellsonic1",
+                            "vrf": "mgmt"
+                    }
+                },
+            },
+            "config_db_disable_accounting": {
+                "DEVICE_METADATA": {
+                    "localhost": {
+                        "hostname": "radius",
+                    }
+                },
+                "FEATURE": {
+                    "dhcp_relay": {
+                        "auto_restart": "enabled",
+                        "has_global_scope": "True",
+                        "has_per_asic_scope": "False",
+                        "has_timer": "False",
+                        "high_mem_alert": "disabled",
+                        "set_owner": "kube",
+                        "state": "enabled"
+                    },
+                },
+                "KDUMP": {
+                    "config": {
+                        "enabled": "false",
+                        "num_dumps": "3",
+                        "memory": "0M-2G:256M,2G-4G:320M,4G-8G:384M,8G-:448M"
+                        }
+                },
+                "AAA": {
+                    "authentication": {
+                        "login": "local"
+                    },
+                    "authorization": {
+                        "login": "local" 
+                    },
+                    "accounting": {
+                        "login": "disable" 
+                    }
+                },
+                "TACPLUS": {
+                    "global": {
+                            "auth_type": "chap",
+                            "timeout": 5,
+                            "passkey": "dellsonic",
+                            "src_intf": "Ethernet0"
+                    }
+                },
+                "TACPLUS_SERVER": {
+                    "192.168.1.1" : {
+                            "priority": 5,
+                            "tcp_port": 50,
+                            "timeout": 10,
+                            "auth_type": "chap",
+                            "passkey": "dellsonic",
+                            "vrf": "default"
+                    },
+                    "192.168.1.2" : {
+                            "priority": 2,
+                            "tcp_port": 51,
+                            "timeout": 15,
+                            "auth_type": "pap",
+                            "passkey": "dellsonic1",
+                            "vrf": "mgmt"
+                    }
+                },
+            }
+        }
+    ]
+]

src/sonic-yang-models/tests/files/sample_config_db.json

@@ -935,6 +935,12 @@
         "AAA": {
             "authentication": {
                 "login": "local" 
+            },
+            "authorization": {
+                "login": "local" 
+            },
+            "accounting": {
+                "login": "local" 
             }
         },
         "TACPLUS": {

src/sonic-yang-models/tests/yang_model_tests/tests/aaa.json

@@ -9,5 +9,11 @@
     "AAA_TEST_WRONG_FAILTHROUGH": {
         "desc": "Configure a wrong failthrough in AAA table.",
         "eStrKey": "InvalidValue"
+    },
+    "AAA_AUTHORIZATION_TEST": {
+        "desc": "Configure an authorization type in AAA table."
+    },
+    "AAA_ACCOUNTING_TEST": {
+        "desc": "Configure an accounting type in AAA table."
     }
 }

src/sonic-yang-models/tests/yang_model_tests/tests_config/aaa.json

@@ -16,7 +16,7 @@
         "sonic-system-aaa:sonic-system-aaa": {
             "sonic-system-aaa:AAA": {
                 "AAA_LIST": [{
-                        "type": "authorization"
+                        "type": "unknowntype"
                 }]
             }
         }
@@ -31,5 +31,27 @@
                 }]
             }
         }
+    },
+
+    "AAA_AUTHORIZATION_TEST": {
+        "sonic-system-aaa:sonic-system-aaa": {
+            "sonic-system-aaa:AAA": {
+                "AAA_LIST": [{
+                        "type": "authorization",
+                        "login": "tacacs+"
+                }]
+            }
+        }
+    },
+
+    "AAA_ACCOUNTING_TEST": {
+        "sonic-system-aaa:sonic-system-aaa": {
+            "sonic-system-aaa:AAA": {
+                "AAA_LIST": [{
+                        "type": "accounting",
+                        "login": "tacacs+"
+                }]
+            }
+        }
     }
 }

src/sonic-yang-models/yang-models/sonic-system-aaa.yang

@@ -3,6 +3,10 @@ module sonic-system-aaa {
     prefix ssys;
     yang-version 1.1;
 
+    revision 2021-10-12 {
+        description "Add AAA authorization/accounting support.";
+    }
+
     revision 2021-04-15 {
         description "Initial revision.";
     }
@@ -15,13 +19,15 @@ module sonic-system-aaa {
                 leaf type {
                     type enumeration {
                         enum authentication;
+                        enum authorization;
+                        enum accounting;
                     }
-                    description "AAA type authentication";
+                    description "AAA type authentication/authorization/accounting";
                 }
 
                 leaf login {
                     type string;
-                    description "AAA authentication methods - local/tacacs+";
+                    description "AAA authentication/authorization/accounting methods - local/tacacs+/disable";
                     default "local";
                 }