[TACACS+] Add Config DB schema and HostCfg Enforcer plugin to support TACACS+ per-command authorization&accounting. (#9029)
[TACACS+] Add Config DB schema and HostCfg Enforcer plugin to support TACACS+ per-command authorization&accounting. (#9029) #### Why I did it Support TACACS per-command authorization&accounting. #### How I did it Change ConfigDB schema and HostCfg enforcer. Add UT to cover changed code. #### How to verify it Build following project and pass all UTs: make target/python-wheels/sonic_host_services-1.0-py3-none-any.whl #### Which release branch to backport (provide reason below if selected) N/A #### Description for the changelog Add Config DB schema and HostCfg Enforcer plugin to support TACACS+ per-command authorization&accounting. #### A picture of a cute animal (not mandatory but encouraged)
parent
2d7840ce9a
commit
a61ffcd92c
@ -7,6 +7,34 @@
debug=on
debug=on
{% endif %}
{% endif %}
# local_accounting - If you want to local accounting, set it
# Default: None
# local_accounting
{% if local_accounting %}
local_accounting
{% endif %}
# tacacs_accounting - If you want to tacacs+ accounting, set it
# Default: None
# tacacs_accounting
{% if tacacs_accounting %}
tacacs_accounting
{% endif %}
# local_authorization - If you want to local authorization, set it
# Default: None
# local_authorization
{% if local_authorization %}
local_authorization
{% endif %}
# tacacs_authorization - If you want to tacacs+ authorization, set it
# Default: None
# tacacs_authorization
{% if tacacs_authorization %}
tacacs_authorization
{% endif %}
# src_ip - set source address of TACACS+ protocol packets
# src_ip - set source address of TACACS+ protocol packets
# Default: None (auto source ip address)
# Default: None (auto source ip address)
# src_ip=2.2.2.2
# src_ip=2.2.2.2
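Review bot: The four new option comments (`# local_accounting - If you want to local accounting, set it` and its three siblings) read awkwardly and do not say that the option is a bare keyword rather than a key=value pair, which is what the `{% if local_accounting %}` blocks actually emit. Suggest `# local_accounting - add this keyword to enable local accounting (no value)` and the same form for the other three. The rest of the template is outside the hunk.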
@ -1,2 +1,2 @@
[pytest]
[pytest]
addopts = --cov=scripts --cov-report html --cov-report term --cov-report xml --ignore=tests/hostcfgd/test_vectors.py --ignore=tests/hostcfgd/test_radius_vectors.py --ignore=tests/caclmgrd/test_dhcp_vectors.py
addopts = --cov=scripts --cov-report html --cov-report term --cov-report xml --ignore=tests/*/test*_vectors.py
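Review bot: The new `--ignore=tests/*/test*_vectors.py` will, as far as I know, match nothing: pytest's `--ignore` compares literal paths and only `--ignore-glob` expands wildcards, so the vector modules would lose the exclusion the old explicit paths gave them and be collected. Suggest `--ignore-glob=tests/*/test*_vectors.py`. This is inferred from pytest's option semantics rather than from anything visible here, so a quick collection run would confirm it.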
@ -429,9 +429,15 @@ class Iptables(object):
class AaaCfg(object):
class AaaCfg(object):
def __init__(self):
def __init__(self):
self.auth_default = {
self.authentication_default = {
'login': 'local',
'login': 'local',
}
}
self.authorization_default = {
'login': 'local',
}
self.accounting_default = {
'login': 'disable',
}
self.tacplus_global_default = {
self.tacplus_global_default = {
'auth_type': TACPLUS_SERVER_AUTH_TYPE_DEFAULT,
'auth_type': TACPLUS_SERVER_AUTH_TYPE_DEFAULT,
'timeout': TACPLUS_SERVER_TIMEOUT_DEFAULT,
'timeout': TACPLUS_SERVER_TIMEOUT_DEFAULT,
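Review bot: The new `authorization_default` and `accounting_default` dictionaries are undocumented, and their defaults differ ('local' versus 'disable') with no comment saying why. The accepted `login` values are only discoverable from the substring tests further down in `modify_conf_file`; a comment such as `# 'login' names the methods to use ('local', 'tacacs+'); accounting stays off ('disable') unless configured` above `self.authorization_default` would make the contract visible where the defaults live. `__init__` continues past the end of the hunk.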
@ -451,7 +457,9 @@ class AaaCfg(object):
self.radius_global = {}
self.radius_global = {}
self.radius_servers = {}
self.radius_servers = {}
self.auth = {}
self.authentication = {}
self.authorization = {}
self.accounting = {}
self.debug = False
self.debug = False
self.trace = False
self.trace = False
@ -475,11 +483,15 @@ class AaaCfg(object):
def aaa_update(self, key, data, modify_conf=True):
def aaa_update(self, key, data, modify_conf=True):
if key == 'authentication':
if key == 'authentication':
self.auth = data
self.authentication = data
if 'failthrough' in data:
if 'failthrough' in data:
self.auth['failthrough'] = is_true(data['failthrough'])
self.authentication['failthrough'] = is_true(data['failthrough'])
if 'debug' in data:
if 'debug' in data:
self.debug = is_true(data['debug'])
self.debug = is_true(data['debug'])
if key == 'authorization':
self.authorization = data
if key == 'accounting':
self.accounting = data
if modify_conf:
if modify_conf:
self.modify_conf_file()
self.modify_conf_file()
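Review bot: The new `authorization` and `accounting` branches are independent `if` statements placed after the `authentication` branch although `key` can only match one of them; writing them as `elif key == 'authorization':` and `elif key == 'accounting':` makes the dispatch explicit. They also store `data` unchecked, so a `login` value that is neither 'local' nor 'tacacs+' is accepted here and only shows up later as a generated config with neither method set; a log line at this point would make such a misconfiguration visible. `aaa_update` ends inside the hunk.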
@ -628,8 +640,12 @@ class AaaCfg(object):
os.system(cmd)
os.system(cmd)
def modify_conf_file(self):
def modify_conf_file(self):
auth = self.auth_default.copy()
authentication = self.authentication_default.copy()
auth.update(self.auth)
authentication.update(self.authentication)
authorization = self.authorization_default.copy()
authorization.update(self.authorization)
accounting = self.accounting_default.copy()
accounting.update(self.accounting)
tacplus_global = self.tacplus_global_default.copy()
tacplus_global = self.tacplus_global_default.copy()
tacplus_global.update(self.tacplus_global)
tacplus_global.update(self.tacplus_global)
if 'src_ip' in tacplus_global:
if 'src_ip' in tacplus_global:
@ -688,10 +704,10 @@ class AaaCfg(object):
env = jinja2.Environment(loader=jinja2.FileSystemLoader('/'), trim_blocks=True)
env = jinja2.Environment(loader=jinja2.FileSystemLoader('/'), trim_blocks=True)
env.filters['sub'] = sub
env.filters['sub'] = sub
template = env.get_template(template_file)
template = env.get_template(template_file)
if 'radius' in auth['login']:
if 'radius' in authentication['login']:
pam_conf = template.render(debug=self.debug, trace=self.trace, auth=auth, servers=radsrvs_conf)
pam_conf = template.render(debug=self.debug, trace=self.trace, auth=authentication, servers=radsrvs_conf)
else:
else:
pam_conf = template.render(auth=auth, src_ip=src_ip, servers=servers_conf)
pam_conf = template.render(auth=authentication, src_ip=src_ip, servers=servers_conf)
# Use rename(), which is atomic (on the same fs) to avoid empty file
# Use rename(), which is atomic (on the same fs) to avoid empty file
with open(PAM_AUTH_CONF + ".tmp", 'w') as f:
with open(PAM_AUTH_CONF + ".tmp", 'w') as f:
@ -710,11 +726,11 @@ class AaaCfg(object):
self.modify_single_file(ETC_PAMD_LOGIN, [ "'/^@include/s/common-auth-sonic$/common-auth/'" ])
self.modify_single_file(ETC_PAMD_LOGIN, [ "'/^@include/s/common-auth-sonic$/common-auth/'" ])
# Add tacplus/radius in nsswitch.conf if TACACS+/RADIUS enable
# Add tacplus/radius in nsswitch.conf if TACACS+/RADIUS enable
if 'tacacs+' in auth['login']:
if 'tacacs+' in authentication['login']:
if os.path.isfile(NSS_CONF):
if os.path.isfile(NSS_CONF):
self.modify_single_file(NSS_CONF, [ "'/^passwd/s/ radius//'" ])
self.modify_single_file(NSS_CONF, [ "'/^passwd/s/ radius//'" ])
self.modify_single_file(NSS_CONF, [ "'/tacplus/b'", "'/^passwd/s/compat/tacplus &/'", "'/^passwd/s/files/tacplus &/'" ])
self.modify_single_file(NSS_CONF, [ "'/tacplus/b'", "'/^passwd/s/compat/tacplus &/'", "'/^passwd/s/files/tacplus &/'" ])
elif 'radius' in auth['login']:
elif 'radius' in authentication['login']:
if os.path.isfile(NSS_CONF):
if os.path.isfile(NSS_CONF):
self.modify_single_file(NSS_CONF, [ "'/^passwd/s/tacplus //'" ])
self.modify_single_file(NSS_CONF, [ "'/^passwd/s/tacplus //'" ])
self.modify_single_file(NSS_CONF, [ "'/radius/b'", "'/^passwd/s/compat/& radius/'", "'/^passwd/s/files/& radius/'" ])
self.modify_single_file(NSS_CONF, [ "'/radius/b'", "'/^passwd/s/compat/& radius/'", "'/^passwd/s/files/& radius/'" ])
@ -723,10 +739,33 @@ class AaaCfg(object):
self.modify_single_file(NSS_CONF, [ "'/^passwd/s/tacplus //g'" ])
self.modify_single_file(NSS_CONF, [ "'/^passwd/s/tacplus //g'" ])
self.modify_single_file(NSS_CONF, [ "'/^passwd/s/ radius//'" ])
self.modify_single_file(NSS_CONF, [ "'/^passwd/s/ radius//'" ])
# Add tacplus authorization configration in nsswitch.conf
tacacs_authorization_conf = None
local_authorization_conf = None
if 'tacacs+' in authorization['login']:
tacacs_authorization_conf = "on"
if 'local' in authorization['login']:
local_authorization_conf = "on"
# Add tacplus accounting configration in nsswitch.conf
tacacs_accounting_conf = None
local_accounting_conf = None
if 'tacacs+' in accounting['login']:
tacacs_accounting_conf = "on"
if 'local' in accounting['login']:
local_accounting_conf = "on"
# Set tacacs+ server in nss-tacplus conf
# Set tacacs+ server in nss-tacplus conf
template_file = os.path.abspath(NSS_TACPLUS_CONF_TEMPLATE)
template_file = os.path.abspath(NSS_TACPLUS_CONF_TEMPLATE)
template = env.get_template(template_file)
template = env.get_template(template_file)
nss_tacplus_conf = template.render(debug=self.debug, src_ip=src_ip, servers=servers_conf)
nss_tacplus_conf = template.render(
debug=self.debug,
src_ip=src_ip,
servers=servers_conf,
local_accounting=local_accounting_conf,
tacacs_accounting=tacacs_accounting_conf,
local_authorization=local_authorization_conf,
tacacs_authorization=tacacs_authorization_conf)
with open(NSS_TACPLUS_CONF, 'w') as f:
with open(NSS_TACPLUS_CONF, 'w') as f:
f.write(nss_tacplus_conf)
f.write(nss_tacplus_conf)
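Review bot: The four flag derivations (`tacacs_authorization_conf` through `local_accounting_conf`) repeat the same two-line pattern, and a `login` value that contains neither 'local' nor 'tacacs+' silently yields `None` for both flags, so the rendered nss-tacplus config carries no authorization or accounting keyword at all; whether the plugin then treats that as off or as permissive is not visible here. Suggest folding the pattern into a small helper and emitting a warning when a value maps to nothing, using whatever logging the daemon already has. The values passed to `template.render` keep their meaning. `modify_conf_file` starts before the hunk.
```python
def _aaa_method_flags(self, methods):
    """Return (tacacs_flag, local_flag) for one AAA 'login' value; each is "on" or None."""
    tacacs_flag = "on" if 'tacacs+' in methods else None
    local_flag = "on" if 'local' in methods else None
    # 'disable' or an unrecognised value maps to neither flag; worth a warning here
    return tacacs_flag, local_flag

# … unchanged: nsswitch.conf handling …
tacacs_authorization_conf, local_authorization_conf = self._aaa_method_flags(authorization['login'])
tacacs_accounting_conf, local_accounting_conf = self._aaa_method_flags(accounting['login'])
# … unchanged: template render and NSS_TACPLUS_CONF write …
```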
@ -752,7 +791,7 @@ class AaaCfg(object):
f.write(pam_radius_auth_conf)
f.write(pam_radius_auth_conf)
# Start the statistics service. Only RADIUS implemented
# Start the statistics service. Only RADIUS implemented
if ('radius' in auth['login']) and ('statistics' in radius_global) and\
if ('radius' in authentication['login']) and ('statistics' in radius_global) and \
radius_global['statistics']:
radius_global['statistics']:
cmd = 'service aaastatsd start'
cmd = 'service aaastatsd start'
else:
else:
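--- /dev/null
+++ b/src/sonic-host-services/tests/hostcfgd/hostcfgd_tacacs_test.py
@@ -0,0 +1,118 @@
+import importlib.machinery
+import importlib.util
+import filecmp
+import shutil
+import os
+import sys
+import subprocess
+from swsscommon import swsscommon
+
+from parameterized import parameterized
+from unittest import TestCase, mock
+from tests.hostcfgd.test_tacacs_vectors import HOSTCFGD_TEST_TACACS_VECTOR
+from tests.common.mock_configdb import MockConfigDb, MockSubscriberStateTable
+from tests.common.mock_configdb import MockSelect, MockDBConnector
+
+test_path = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+modules_path = os.path.dirname(test_path)
+scripts_path = os.path.join(modules_path, "scripts")
+src_path = os.path.dirname(modules_path)
+templates_path = os.path.join(src_path, "sonic-host-services-data/templates")
+output_path = os.path.join(test_path, "hostcfgd/output")
+sample_output_path = os.path.join(test_path, "hostcfgd/sample_output")
+sys.path.insert(0, modules_path)
+
+# Load the file under test
+hostcfgd_path = os.path.join(scripts_path, 'hostcfgd')
+loader = importlib.machinery.SourceFileLoader('hostcfgd', hostcfgd_path)
+spec = importlib.util.spec_from_loader(loader.name, loader)
+hostcfgd = importlib.util.module_from_spec(spec)
+loader.exec_module(hostcfgd)
+sys.modules['hostcfgd'] = hostcfgd
+
+# Mock swsscommon classes
+hostcfgd.ConfigDBConnector = MockConfigDb
+hostcfgd.SubscriberStateTable = MockSubscriberStateTable
+hostcfgd.Select = MockSelect
+hostcfgd.DBConnector = MockDBConnector
+
+class TestHostcfgdTACACS(TestCase):
+"""
+Test hostcfd daemon - TACACS
+"""
+def run_diff(self, file1, file2):
+return subprocess.check_output('diff -uR {} {} || true'.format(file1, file2), shell=True)
+
+"""
+Check different config
+"""
+def check_config(self, test_name, test_data, config_name):
+t_path = templates_path
+op_path = output_path + "/" + test_name + "_" + config_name
+sop_path = sample_output_path + "/" + test_name + "_" + config_name
+
+hostcfgd.PAM_AUTH_CONF_TEMPLATE = t_path + "/common-auth-sonic.j2"
+hostcfgd.NSS_TACPLUS_CONF_TEMPLATE = t_path + "/tacplus_nss.conf.j2"
+hostcfgd.NSS_RADIUS_CONF_TEMPLATE = t_path + "/radius_nss.conf.j2"
+hostcfgd.PAM_RADIUS_AUTH_CONF_TEMPLATE = t_path + "/pam_radius_auth.conf.j2"
+hostcfgd.PAM_AUTH_CONF = op_path + "/common-auth-sonic"
+hostcfgd.NSS_TACPLUS_CONF = op_path + "/tacplus_nss.conf"
+hostcfgd.NSS_RADIUS_CONF = op_path + "/radius_nss.conf"
+hostcfgd.NSS_CONF = op_path + "/nsswitch.conf"
+hostcfgd.ETC_PAMD_SSHD = op_path + "/sshd"
+hostcfgd.ETC_PAMD_LOGIN = op_path + "/login"
+hostcfgd.RADIUS_PAM_AUTH_CONF_DIR = op_path + "/"
+
+shutil.rmtree( op_path, ignore_errors=True)
+os.mkdir( op_path)
+
+shutil.copyfile( sop_path + "/sshd.old", op_path + "/sshd")
+shutil.copyfile( sop_path + "/login.old", op_path + "/login")
+
+MockConfigDb.set_config_db(test_data[config_name])
+host_config_daemon = hostcfgd.HostConfigDaemon()
+
+aaa = host_config_daemon.config_db.get_table('AAA')
+
+try:
+tacacs_global = host_config_daemon.config_db.get_table('TACPLUS')
+except:
+tacacs_global = []
+try:
+tacacs_server = \
+host_config_daemon.config_db.get_table('TACPLUS_SERVER')
+except:
+tacacs_server = []
+
+host_config_daemon.aaacfg.load(aaa,tacacs_global,tacacs_server,[],[])
+dcmp = filecmp.dircmp(sop_path, op_path)
+diff_output = ""
+for name in dcmp.diff_files:
+diff_output += \
+"Diff: file: {} expected: {} output: {}\n".format(\
+name, dcmp.left, dcmp.right)
+diff_output += self.run_diff( dcmp.left + "/" + name,\
+dcmp.right + "/" + name)
+self.assertTrue(len(diff_output) == 0, diff_output)
+
+
+@parameterized.expand(HOSTCFGD_TEST_TACACS_VECTOR)
+def test_hostcfgd_tacacs(self, test_name, test_data):
+"""
+Test TACACS hostcfd daemon initialization
+
+Args:
+test_name(str): test name
+test_data(dict): test data which contains initial Config Db tables, and expected results
+
+Returns:
+None
+"""
+# test local config
+self.check_config(test_name, test_data, "config_db_local")
+# test remote config
+self.check_config(test_name, test_data, "config_db_tacacs")
+# test local + tacacs config
+self.check_config(test_name, test_data, "config_db_local_and_tacacs")
+# test disable accounting
+self.check_config(test_name, test_data, "config_db_disable_accounting")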
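Review bot: `run_diff` builds a shell command string from the two paths and runs it with `shell=True`, and the two bare `except:` clauses in `check_config` swallow every exception, including a bug in the mock itself, turning it into an empty table. For the first, `return subprocess.run(['diff', '-uR', file1, file2], stdout=subprocess.PIPE).stdout` yields the same bytes without a shell (the default `check=False` does what the `|| true` did). For the second, catch only what `get_table` raises when a table is absent; which exception that is on `MockConfigDb` is not visible here, so check the mock before narrowing.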
@ -5,6 +5,23 @@
# debug=on
# debug=on
debug=on
debug=on
# local_accounting - If you want to local accounting, set it
# Default: None
# local_accounting
# tacacs_accounting - If you want to tacacs+ accounting, set it
# Default: None
# tacacs_accounting
# local_authorization - If you want to local authorization, set it
# Default: None
# local_authorization
local_authorization
# tacacs_authorization - If you want to tacacs+ authorization, set it
# Default: None
# tacacs_authorization
# src_ip - set source address of TACACS+ protocol packets
# src_ip - set source address of TACACS+ protocol packets
# Default: None (auto source ip address)
# Default: None (auto source ip address)
# src_ip=2.2.2.2
# src_ip=2.2.2.2
@ -5,6 +5,23 @@
# debug=on
# debug=on
debug=on
debug=on
# local_accounting - If you want to local accounting, set it
# Default: None
# local_accounting
# tacacs_accounting - If you want to tacacs+ accounting, set it
# Default: None
# tacacs_accounting
# local_authorization - If you want to local authorization, set it
# Default: None
# local_authorization
local_authorization
# tacacs_authorization - If you want to tacacs+ authorization, set it
# Default: None
# tacacs_authorization
# src_ip - set source address of TACACS+ protocol packets
# src_ip - set source address of TACACS+ protocol packets
# Default: None (auto source ip address)
# Default: None (auto source ip address)
# src_ip=2.2.2.2
# src_ip=2.2.2.2
@ -0,0 +1,21 @@
#THIS IS AN AUTO-GENERATED FILE
#
# /etc/pam.d/common-auth- authentication settings common to all services
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
#
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
@ -0,0 +1,116 @@
#
# The PAM configuration file for the Shadow `login' service
#
# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth optional pam_faildelay.so delay=3000000
# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth required pam_issue.so issue=/etc/issue
# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
#
# With the default control of this module:
# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
# root will not be prompted for a password on insecure lines.
# if an invalid username is entered, a password is prompted (but login
# will eventually be rejected)
#
# You can change it to a "requisite" module if you think root may mis-type
# her login and should not be prompted for a password in that case. But
# this will leave the system as vulnerable to user enumeration attacks.
#
# You can change it to a "required" module if you think it permits to
# guess valid user names of your system (invalid user names are considered
# as possibly being root on insecure lines), but root passwords may be
# communicated over insecure lines.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Sets the loginuid process attribute
session required pam_loginuid.so
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Standard Un*x authentication.
@include common-auth-sonic
# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth optional pam_group.so
# Uncomment and edit /etc/security/time.conf if you need to set
# time restraint on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account required pam_access.so
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session optional pam_lastlog.so
# Prints the message of the day upon successful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session optional pam_mail.so standard
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x account and session
@include common-account
@include common-session
@include common-password
@ -0,0 +1,116 @@
#
# The PAM configuration file for the Shadow `login' service
#
# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth optional pam_faildelay.so delay=3000000
# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth required pam_issue.so issue=/etc/issue
# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
#
# With the default control of this module:
# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
# root will not be prompted for a password on insecure lines.
# if an invalid username is entered, a password is prompted (but login
# will eventually be rejected)
#
# You can change it to a "requisite" module if you think root may mis-type
# her login and should not be prompted for a password in that case. But
# this will leave the system as vulnerable to user enumeration attacks.
#
# You can change it to a "required" module if you think it permits to
# guess valid user names of your system (invalid user names are considered
# as possibly being root on insecure lines), but root passwords may be
# communicated over insecure lines.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Sets the loginuid process attribute
session required pam_loginuid.so
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Standard Un*x authentication.
@include common-auth
# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth optional pam_group.so
# Uncomment and edit /etc/security/time.conf if you need to set
# time restraint on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account required pam_access.so
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session optional pam_lastlog.so
# Prints the message of the day upon successful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session optional pam_mail.so standard
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x account and session
@include common-account
@include common-session
@include common-password
@ -0,0 +1,55 @@
#THIS IS AN AUTO-GENERATED FILE
|
||||||
|
# Generated from: /usr/share/sonic/templates/radius_nss.conf.j2
|
||||||
|
# RADIUS NSS Configuration File
|
||||||
|
#
|
||||||
|
# Debug: on|off|trace
|
||||||
|
# Default: off
|
||||||
|
#
|
||||||
|
# debug=on
|
||||||
|
|
||||||
|
#
|
||||||
|
# User Privilege:
|
||||||
|
# Default:
|
||||||
|
# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
|
||||||
|
# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
|
||||||
|
|
||||||
|
# Eg:
|
||||||
|
# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
|
||||||
|
# user_priv=7;pw_info=netops;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
|
||||||
|
# user_priv=1;pw_info=operator;gid=100;group=docker;shell=/usr/bin/sonic-launch-shell
|
||||||
|
#
|
||||||
|
|
||||||
|
# many_to_one:
|
||||||
|
# y: Map RADIUS users to one local user per privilege.
|
||||||
|
# n: Create local user account on first successful authentication.
|
||||||
|
# Default: n
|
||||||
|
#
|
||||||
|
|
||||||
|
# Eg:
|
||||||
|
# many_to_one=y
|
||||||
|
#
|
||||||
|
|
||||||
|
# unconfirmed_disallow:
|
||||||
|
# y: Do not allow unconfirmed users (users created before authentication)
|
||||||
|
# n: Allow unconfirmed users.
|
||||||
|
# Default: n
|
||||||
|
|
||||||
|
# Eg:
|
||||||
|
# unconfirmed_disallow=y
|
||||||
|
#
|
||||||
|
|
||||||
|
# unconfirmed_ageout:
|
||||||
|
# <seconds>: Wait time before purging unconfirmed users
|
||||||
|
# Default: 600
|
||||||
|
#
|
||||||
|
|
||||||
|
# Eg:
|
||||||
|
# unconfirmed_ageout=900
|
||||||
|
#
|
||||||
|
|
||||||
|
# unconfirmed_regexp:
|
||||||
|
# <regexp>: The RE to match the command line of processes for which the
|
||||||
|
# creation of unconfirmed users are to be allowed.
|
||||||
|
# Default: (.*: <user> \[priv\])|(.*: \[accepted\])
|
||||||
|
# where: <user> is the unconfirmed user.
|
||||||
|
#
|
@ -0,0 +1,55 @@
|
|||||||
|
# PAM configuration for the Secure Shell service
|
||||||
|
|
||||||
|
# Standard Un*x authentication.
|
||||||
|
@include common-auth-sonic
|
||||||
|
|
||||||
|
# Disallow non-root logins when /etc/nologin exists.
|
||||||
|
account required pam_nologin.so
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/access.conf if you need to set complex
|
||||||
|
# access limits that are hard to express in sshd_config.
|
||||||
|
# account required pam_access.so
|
||||||
|
|
||||||
|
# Standard Un*x authorization.
|
||||||
|
@include common-account
|
||||||
|
|
||||||
|
# SELinux needs to be the first session rule. This ensures that any
|
||||||
|
# lingering context has been cleared. Without this it is possible that a
|
||||||
|
# module could execute code in the wrong domain.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||||
|
|
||||||
|
# Set the loginuid process attribute.
|
||||||
|
session required pam_loginuid.so
|
||||||
|
|
||||||
|
# Create a new session keyring.
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
|
||||||
|
# Standard Un*x session setup and teardown.
|
||||||
|
@include common-session
|
||||||
|
|
||||||
|
# Print the message of the day upon successful login.
|
||||||
|
# This includes a dynamically generated part from /run/motd.dynamic
|
||||||
|
# and a static (admin-editable) part from /etc/motd.
|
||||||
|
session optional pam_motd.so motd=/run/motd.dynamic
|
||||||
|
session optional pam_motd.so noupdate
|
||||||
|
|
||||||
|
# Print the status of the user's mailbox upon successful login.
|
||||||
|
session optional pam_mail.so standard noenv # [1]
|
||||||
|
|
||||||
|
# Set up user limits from /etc/security/limits.conf.
|
||||||
|
session required pam_limits.so
|
||||||
|
|
||||||
|
# Read environment variables from /etc/environment and
|
||||||
|
# /etc/security/pam_env.conf.
|
||||||
|
session required pam_env.so # [1]
|
||||||
|
# In Debian 4.0 (etch), locale-related environment variables were moved to
|
||||||
|
# /etc/default/locale, so read that as well.
|
||||||
|
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
|
||||||
|
|
||||||
|
# SELinux needs to intervene at login time to ensure that the process starts
|
||||||
|
# in the proper default security context. Only sessions which are intended
|
||||||
|
# to run in the user's context should be run after this.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||||
|
|
||||||
|
# Standard Un*x password updating.
|
||||||
|
@include common-password
|
@ -0,0 +1,55 @@
|
|||||||
|
# PAM configuration for the Secure Shell service
|
||||||
|
|
||||||
|
# Standard Un*x authentication.
|
||||||
|
@include common-auth
|
||||||
|
|
||||||
|
# Disallow non-root logins when /etc/nologin exists.
|
||||||
|
account required pam_nologin.so
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/access.conf if you need to set complex
|
||||||
|
# access limits that are hard to express in sshd_config.
|
||||||
|
# account required pam_access.so
|
||||||
|
|
||||||
|
# Standard Un*x authorization.
|
||||||
|
@include common-account
|
||||||
|
|
||||||
|
# SELinux needs to be the first session rule. This ensures that any
|
||||||
|
# lingering context has been cleared. Without this it is possible that a
|
||||||
|
# module could execute code in the wrong domain.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||||
|
|
||||||
|
# Set the loginuid process attribute.
|
||||||
|
session required pam_loginuid.so
|
||||||
|
|
||||||
|
# Create a new session keyring.
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
|
||||||
|
# Standard Un*x session setup and teardown.
|
||||||
|
@include common-session
|
||||||
|
|
||||||
|
# Print the message of the day upon successful login.
|
||||||
|
# This includes a dynamically generated part from /run/motd.dynamic
|
||||||
|
# and a static (admin-editable) part from /etc/motd.
|
||||||
|
session optional pam_motd.so motd=/run/motd.dynamic
|
||||||
|
session optional pam_motd.so noupdate
|
||||||
|
|
||||||
|
# Print the status of the user's mailbox upon successful login.
|
||||||
|
session optional pam_mail.so standard noenv # [1]
|
||||||
|
|
||||||
|
# Set up user limits from /etc/security/limits.conf.
|
||||||
|
session required pam_limits.so
|
||||||
|
|
||||||
|
# Read environment variables from /etc/environment and
|
||||||
|
# /etc/security/pam_env.conf.
|
||||||
|
session required pam_env.so # [1]
|
||||||
|
# In Debian 4.0 (etch), locale-related environment variables were moved to
|
||||||
|
# /etc/default/locale, so read that as well.
|
||||||
|
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
|
||||||
|
|
||||||
|
# SELinux needs to intervene at login time to ensure that the process starts
|
||||||
|
# in the proper default security context. Only sessions which are intended
|
||||||
|
# to run in the user's context should be run after this.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||||
|
|
||||||
|
# Standard Un*x password updating.
|
||||||
|
@include common-password
|
@ -0,0 +1,41 @@
|
|||||||
|
# Configuration for libnss-tacplus
|
||||||
|
|
||||||
|
# debug - If you want to open debug log, set it on
|
||||||
|
# Default: off
|
||||||
|
# debug=on
|
||||||
|
|
||||||
|
# local_accounting - If you want to local accounting, set it
|
||||||
|
# Default: None
|
||||||
|
# local_accounting
|
||||||
|
|
||||||
|
# tacacs_accounting - If you want to tacacs+ accounting, set it
|
||||||
|
# Default: None
|
||||||
|
# tacacs_accounting
|
||||||
|
|
||||||
|
# local_authorization - If you want to local authorization, set it
|
||||||
|
# Default: None
|
||||||
|
# local_authorization
|
||||||
|
local_authorization
|
||||||
|
|
||||||
|
# tacacs_authorization - If you want to tacacs+ authorization, set it
|
||||||
|
# Default: None
|
||||||
|
# tacacs_authorization
|
||||||
|
|
||||||
|
# src_ip - set source address of TACACS+ protocol packets
|
||||||
|
# Default: None (auto source ip address)
|
||||||
|
# src_ip=2.2.2.2
|
||||||
|
|
||||||
|
# server - set ip address, tcp port, secret string and timeout for TACACS+ servers
|
||||||
|
# Default: None (no TACACS+ server)
|
||||||
|
# server=1.1.1.1:49,secret=test,timeout=3
|
||||||
|
server=192.168.1.1:50,secret=dellsonic,timeout=10,vrf=default
|
||||||
|
server=192.168.1.2:51,secret=dellsonic1,timeout=15,vrf=mgmt
|
||||||
|
|
||||||
|
# user_priv - set the map between TACACS+ user privilege and local user's passwd
|
||||||
|
# Default:
|
||||||
|
# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/bin/bash
|
||||||
|
# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/bin/bash
|
||||||
|
|
||||||
|
# many_to_one - create one local user for many TACACS+ users which has the same privilege
|
||||||
|
# Default: many_to_one=n
|
||||||
|
# many_to_one=y
|
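Review bot: The `server=192.168.1.1:50,secret=dellsonic,...` lines at the end of this expected-output fixture show that the rendered nss configuration carries each TACACS+ shared secret in clear text, while the fixture pins only the file's content, not the mode it is written with. The hostcfgd code that writes this file is outside this view; if it does not already create the file owner-only (0600, root), a readable copy exposes the key that protects every TACACS+ exchange with those servers, so the same unit test should assert the resulting mode alongside the content. The second tacplus_nss.conf fixture further down, identical apart from its `local_accounting` line, has the same gap.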
@ -0,0 +1,21 @@
|
|||||||
|
#THIS IS AN AUTO-GENERATED FILE
|
||||||
|
#
|
||||||
|
# /etc/pam.d/common-auth- authentication settings common to all services
|
||||||
|
# This file is included from other service-specific PAM config files,
|
||||||
|
# and should contain a list of the authentication modules that define
|
||||||
|
# the central authentication scheme for use on the system
|
||||||
|
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
|
||||||
|
# traditional Unix authentication mechanisms.
|
||||||
|
#
|
||||||
|
# here are the per-package modules (the "Primary" block)
|
||||||
|
|
||||||
|
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
|
||||||
|
|
||||||
|
#
|
||||||
|
# here's the fallback if no module succeeds
|
||||||
|
auth requisite pam_deny.so
|
||||||
|
# prime the stack with a positive return value if there isn't one already;
|
||||||
|
# this avoids us returning an error just because nothing sets a success code
|
||||||
|
# since the modules above will each just jump around
|
||||||
|
auth required pam_permit.so
|
||||||
|
# and here are more per-package modules (the "Additional" block)
|
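Review bot: `auth [success=1 default=ignore] pam_unix.so nullok try_first_pass` is the only authentication rule in this rendered common-auth-sonic, and `nullok` lets an account whose password field is empty authenticate with no password at all. With no TACACS+ rule present in this rendering, that single line is the whole login gate, so the template that produces it (outside this view) should either drop `nullok` or carry a comment stating why empty local passwords are intended on this platform, e.g. `# nullok: empty local passwords are accepted by design — see <reason>`. The second common-auth-sonic fixture further down renders the same line.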
@ -0,0 +1,116 @@
|
|||||||
|
#
|
||||||
|
# The PAM configuration file for the Shadow `login' service
|
||||||
|
#
|
||||||
|
|
||||||
|
# Enforce a minimal delay in case of failure (in microseconds).
|
||||||
|
# (Replaces the `FAIL_DELAY' setting from login.defs)
|
||||||
|
# Note that other modules may require another minimal delay. (for example,
|
||||||
|
# to disable any delay, you should add the nodelay option to pam_unix)
|
||||||
|
auth optional pam_faildelay.so delay=3000000
|
||||||
|
|
||||||
|
# Outputs an issue file prior to each login prompt (Replaces the
|
||||||
|
# ISSUE_FILE option from login.defs). Uncomment for use
|
||||||
|
# auth required pam_issue.so issue=/etc/issue
|
||||||
|
|
||||||
|
# Disallows root logins except on tty's listed in /etc/securetty
|
||||||
|
# (Replaces the `CONSOLE' setting from login.defs)
|
||||||
|
#
|
||||||
|
# With the default control of this module:
|
||||||
|
# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
|
||||||
|
# root will not be prompted for a password on insecure lines.
|
||||||
|
# if an invalid username is entered, a password is prompted (but login
|
||||||
|
# will eventually be rejected)
|
||||||
|
#
|
||||||
|
# You can change it to a "requisite" module if you think root may mis-type
|
||||||
|
# her login and should not be prompted for a password in that case. But
|
||||||
|
# this will leave the system as vulnerable to user enumeration attacks.
|
||||||
|
#
|
||||||
|
# You can change it to a "required" module if you think it permits to
|
||||||
|
# guess valid user names of your system (invalid user names are considered
|
||||||
|
# as possibly being root on insecure lines), but root passwords may be
|
||||||
|
# communicated over insecure lines.
|
||||||
|
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
|
||||||
|
|
||||||
|
# Disallows other than root logins when /etc/nologin exists
|
||||||
|
# (Replaces the `NOLOGINS_FILE' option from login.defs)
|
||||||
|
auth requisite pam_nologin.so
|
||||||
|
|
||||||
|
# SELinux needs to be the first session rule. This ensures that any
|
||||||
|
# lingering context has been cleared. Without this it is possible
|
||||||
|
# that a module could execute code in the wrong domain.
|
||||||
|
# When the module is present, "required" would be sufficient (When SELinux
|
||||||
|
# is disabled, this returns success.)
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||||
|
|
||||||
|
# Sets the loginuid process attribute
|
||||||
|
session required pam_loginuid.so
|
||||||
|
|
||||||
|
# SELinux needs to intervene at login time to ensure that the process
|
||||||
|
# starts in the proper default security context. Only sessions which are
|
||||||
|
# intended to run in the user's context should be run after this.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||||
|
# When the module is present, "required" would be sufficient (When SELinux
|
||||||
|
# is disabled, this returns success.)
|
||||||
|
|
||||||
|
# This module parses environment configuration file(s)
|
||||||
|
# and also allows you to use an extended config
|
||||||
|
# file /etc/security/pam_env.conf.
|
||||||
|
#
|
||||||
|
# parsing /etc/environment needs "readenv=1"
|
||||||
|
session required pam_env.so readenv=1
|
||||||
|
# locale variables are also kept into /etc/default/locale in etch
|
||||||
|
# reading this file *in addition to /etc/environment* does not hurt
|
||||||
|
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||||
|
|
||||||
|
# Standard Un*x authentication.
|
||||||
|
@include common-auth-sonic
|
||||||
|
|
||||||
|
# This allows certain extra groups to be granted to a user
|
||||||
|
# based on things like time of day, tty, service, and user.
|
||||||
|
# Please edit /etc/security/group.conf to fit your needs
|
||||||
|
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
|
||||||
|
auth optional pam_group.so
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/time.conf if you need to set
|
||||||
|
# time restraint on logins.
|
||||||
|
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
||||||
|
# as well as /etc/porttime)
|
||||||
|
# account requisite pam_time.so
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/access.conf if you need to
|
||||||
|
# set access limits.
|
||||||
|
# (Replaces /etc/login.access file)
|
||||||
|
# account required pam_access.so
|
||||||
|
|
||||||
|
# Sets up user limits according to /etc/security/limits.conf
|
||||||
|
# (Replaces the use of /etc/limits in old login)
|
||||||
|
session required pam_limits.so
|
||||||
|
|
||||||
|
# Prints the last login info upon successful login
|
||||||
|
# (Replaces the `LASTLOG_ENAB' option from login.defs)
|
||||||
|
session optional pam_lastlog.so
|
||||||
|
|
||||||
|
# Prints the message of the day upon successful login.
|
||||||
|
# (Replaces the `MOTD_FILE' option in login.defs)
|
||||||
|
# This includes a dynamically generated part from /run/motd.dynamic
|
||||||
|
# and a static (admin-editable) part from /etc/motd.
|
||||||
|
session optional pam_motd.so motd=/run/motd.dynamic
|
||||||
|
session optional pam_motd.so noupdate
|
||||||
|
|
||||||
|
# Prints the status of the user's mailbox upon successful login
|
||||||
|
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
|
||||||
|
#
|
||||||
|
# This also defines the MAIL environment variable
|
||||||
|
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
||||||
|
# in /etc/login.defs to make sure that removing a user
|
||||||
|
# also removes the user's mail spool file.
|
||||||
|
# See comments in /etc/login.defs
|
||||||
|
session optional pam_mail.so standard
|
||||||
|
|
||||||
|
# Create a new session keyring.
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
|
||||||
|
# Standard Un*x account and session
|
||||||
|
@include common-account
|
||||||
|
@include common-session
|
||||||
|
@include common-password
|
@ -0,0 +1,116 @@
|
|||||||
|
#
|
||||||
|
# The PAM configuration file for the Shadow `login' service
|
||||||
|
#
|
||||||
|
|
||||||
|
# Enforce a minimal delay in case of failure (in microseconds).
|
||||||
|
# (Replaces the `FAIL_DELAY' setting from login.defs)
|
||||||
|
# Note that other modules may require another minimal delay. (for example,
|
||||||
|
# to disable any delay, you should add the nodelay option to pam_unix)
|
||||||
|
auth optional pam_faildelay.so delay=3000000
|
||||||
|
|
||||||
|
# Outputs an issue file prior to each login prompt (Replaces the
|
||||||
|
# ISSUE_FILE option from login.defs). Uncomment for use
|
||||||
|
# auth required pam_issue.so issue=/etc/issue
|
||||||
|
|
||||||
|
# Disallows root logins except on tty's listed in /etc/securetty
|
||||||
|
# (Replaces the `CONSOLE' setting from login.defs)
|
||||||
|
#
|
||||||
|
# With the default control of this module:
|
||||||
|
# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
|
||||||
|
# root will not be prompted for a password on insecure lines.
|
||||||
|
# if an invalid username is entered, a password is prompted (but login
|
||||||
|
# will eventually be rejected)
|
||||||
|
#
|
||||||
|
# You can change it to a "requisite" module if you think root may mis-type
|
||||||
|
# her login and should not be prompted for a password in that case. But
|
||||||
|
# this will leave the system as vulnerable to user enumeration attacks.
|
||||||
|
#
|
||||||
|
# You can change it to a "required" module if you think it permits to
|
||||||
|
# guess valid user names of your system (invalid user names are considered
|
||||||
|
# as possibly being root on insecure lines), but root passwords may be
|
||||||
|
# communicated over insecure lines.
|
||||||
|
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
|
||||||
|
|
||||||
|
# Disallows other than root logins when /etc/nologin exists
|
||||||
|
# (Replaces the `NOLOGINS_FILE' option from login.defs)
|
||||||
|
auth requisite pam_nologin.so
|
||||||
|
|
||||||
|
# SELinux needs to be the first session rule. This ensures that any
|
||||||
|
# lingering context has been cleared. Without this it is possible
|
||||||
|
# that a module could execute code in the wrong domain.
|
||||||
|
# When the module is present, "required" would be sufficient (When SELinux
|
||||||
|
# is disabled, this returns success.)
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||||
|
|
||||||
|
# Sets the loginuid process attribute
|
||||||
|
session required pam_loginuid.so
|
||||||
|
|
||||||
|
# SELinux needs to intervene at login time to ensure that the process
|
||||||
|
# starts in the proper default security context. Only sessions which are
|
||||||
|
# intended to run in the user's context should be run after this.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||||
|
# When the module is present, "required" would be sufficient (When SELinux
|
||||||
|
# is disabled, this returns success.)
|
||||||
|
|
||||||
|
# This module parses environment configuration file(s)
|
||||||
|
# and also allows you to use an extended config
|
||||||
|
# file /etc/security/pam_env.conf.
|
||||||
|
#
|
||||||
|
# parsing /etc/environment needs "readenv=1"
|
||||||
|
session required pam_env.so readenv=1
|
||||||
|
# locale variables are also kept into /etc/default/locale in etch
|
||||||
|
# reading this file *in addition to /etc/environment* does not hurt
|
||||||
|
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||||
|
|
||||||
|
# Standard Un*x authentication.
|
||||||
|
@include common-auth
|
||||||
|
|
||||||
|
# This allows certain extra groups to be granted to a user
|
||||||
|
# based on things like time of day, tty, service, and user.
|
||||||
|
# Please edit /etc/security/group.conf to fit your needs
|
||||||
|
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
|
||||||
|
auth optional pam_group.so
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/time.conf if you need to set
|
||||||
|
# time restraint on logins.
|
||||||
|
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
||||||
|
# as well as /etc/porttime)
|
||||||
|
# account requisite pam_time.so
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/access.conf if you need to
|
||||||
|
# set access limits.
|
||||||
|
# (Replaces /etc/login.access file)
|
||||||
|
# account required pam_access.so
|
||||||
|
|
||||||
|
# Sets up user limits according to /etc/security/limits.conf
|
||||||
|
# (Replaces the use of /etc/limits in old login)
|
||||||
|
session required pam_limits.so
|
||||||
|
|
||||||
|
# Prints the last login info upon successful login
|
||||||
|
# (Replaces the `LASTLOG_ENAB' option from login.defs)
|
||||||
|
session optional pam_lastlog.so
|
||||||
|
|
||||||
|
# Prints the message of the day upon successful login.
|
||||||
|
# (Replaces the `MOTD_FILE' option in login.defs)
|
||||||
|
# This includes a dynamically generated part from /run/motd.dynamic
|
||||||
|
# and a static (admin-editable) part from /etc/motd.
|
||||||
|
session optional pam_motd.so motd=/run/motd.dynamic
|
||||||
|
session optional pam_motd.so noupdate
|
||||||
|
|
||||||
|
# Prints the status of the user's mailbox upon successful login
|
||||||
|
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
|
||||||
|
#
|
||||||
|
# This also defines the MAIL environment variable
|
||||||
|
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
||||||
|
# in /etc/login.defs to make sure that removing a user
|
||||||
|
# also removes the user's mail spool file.
|
||||||
|
# See comments in /etc/login.defs
|
||||||
|
session optional pam_mail.so standard
|
||||||
|
|
||||||
|
# Create a new session keyring.
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
|
||||||
|
# Standard Un*x account and session
|
||||||
|
@include common-account
|
||||||
|
@include common-session
|
||||||
|
@include common-password
|
@ -0,0 +1,55 @@
|
|||||||
|
#THIS IS AN AUTO-GENERATED FILE
|
||||||
|
# Generated from: /usr/share/sonic/templates/radius_nss.conf.j2
|
||||||
|
# RADIUS NSS Configuration File
|
||||||
|
#
|
||||||
|
# Debug: on|off|trace
|
||||||
|
# Default: off
|
||||||
|
#
|
||||||
|
# debug=on
|
||||||
|
|
||||||
|
#
|
||||||
|
# User Privilege:
|
||||||
|
# Default:
|
||||||
|
# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
|
||||||
|
# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
|
||||||
|
|
||||||
|
# Eg:
|
||||||
|
# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
|
||||||
|
# user_priv=7;pw_info=netops;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
|
||||||
|
# user_priv=1;pw_info=operator;gid=100;group=docker;shell=/usr/bin/sonic-launch-shell
|
||||||
|
#
|
||||||
|
|
||||||
|
# many_to_one:
|
||||||
|
# y: Map RADIUS users to one local user per privilege.
|
||||||
|
# n: Create local user account on first successful authentication.
|
||||||
|
# Default: n
|
||||||
|
#
|
||||||
|
|
||||||
|
# Eg:
|
||||||
|
# many_to_one=y
|
||||||
|
#
|
||||||
|
|
||||||
|
# unconfirmed_disallow:
|
||||||
|
# y: Do not allow unconfirmed users (users created before authentication)
|
||||||
|
# n: Allow unconfirmed users.
|
||||||
|
# Default: n
|
||||||
|
|
||||||
|
# Eg:
|
||||||
|
# unconfirmed_disallow=y
|
||||||
|
#
|
||||||
|
|
||||||
|
# unconfirmed_ageout:
|
||||||
|
# <seconds>: Wait time before purging unconfirmed users
|
||||||
|
# Default: 600
|
||||||
|
#
|
||||||
|
|
||||||
|
# Eg:
|
||||||
|
# unconfirmed_ageout=900
|
||||||
|
#
|
||||||
|
|
||||||
|
# unconfirmed_regexp:
|
||||||
|
# <regexp>: The RE to match the command line of processes for which the
|
||||||
|
# creation of unconfirmed users are to be allowed.
|
||||||
|
# Default: (.*: <user> \[priv\])|(.*: \[accepted\])
|
||||||
|
# where: <user> is the unconfirmed user.
|
||||||
|
#
|
@ -0,0 +1,55 @@
|
|||||||
|
# PAM configuration for the Secure Shell service
|
||||||
|
|
||||||
|
# Standard Un*x authentication.
|
||||||
|
@include common-auth-sonic
|
||||||
|
|
||||||
|
# Disallow non-root logins when /etc/nologin exists.
|
||||||
|
account required pam_nologin.so
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/access.conf if you need to set complex
|
||||||
|
# access limits that are hard to express in sshd_config.
|
||||||
|
# account required pam_access.so
|
||||||
|
|
||||||
|
# Standard Un*x authorization.
|
||||||
|
@include common-account
|
||||||
|
|
||||||
|
# SELinux needs to be the first session rule. This ensures that any
|
||||||
|
# lingering context has been cleared. Without this it is possible that a
|
||||||
|
# module could execute code in the wrong domain.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||||
|
|
||||||
|
# Set the loginuid process attribute.
|
||||||
|
session required pam_loginuid.so
|
||||||
|
|
||||||
|
# Create a new session keyring.
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
|
||||||
|
# Standard Un*x session setup and teardown.
|
||||||
|
@include common-session
|
||||||
|
|
||||||
|
# Print the message of the day upon successful login.
|
||||||
|
# This includes a dynamically generated part from /run/motd.dynamic
|
||||||
|
# and a static (admin-editable) part from /etc/motd.
|
||||||
|
session optional pam_motd.so motd=/run/motd.dynamic
|
||||||
|
session optional pam_motd.so noupdate
|
||||||
|
|
||||||
|
# Print the status of the user's mailbox upon successful login.
|
||||||
|
session optional pam_mail.so standard noenv # [1]
|
||||||
|
|
||||||
|
# Set up user limits from /etc/security/limits.conf.
|
||||||
|
session required pam_limits.so
|
||||||
|
|
||||||
|
# Read environment variables from /etc/environment and
|
||||||
|
# /etc/security/pam_env.conf.
|
||||||
|
session required pam_env.so # [1]
|
||||||
|
# In Debian 4.0 (etch), locale-related environment variables were moved to
|
||||||
|
# /etc/default/locale, so read that as well.
|
||||||
|
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
|
||||||
|
|
||||||
|
# SELinux needs to intervene at login time to ensure that the process starts
|
||||||
|
# in the proper default security context. Only sessions which are intended
|
||||||
|
# to run in the user's context should be run after this.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||||
|
|
||||||
|
# Standard Un*x password updating.
|
||||||
|
@include common-password
|
@ -0,0 +1,55 @@
|
|||||||
|
# PAM configuration for the Secure Shell service
|
||||||
|
|
||||||
|
# Standard Un*x authentication.
|
||||||
|
@include common-auth
|
||||||
|
|
||||||
|
# Disallow non-root logins when /etc/nologin exists.
|
||||||
|
account required pam_nologin.so
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/access.conf if you need to set complex
|
||||||
|
# access limits that are hard to express in sshd_config.
|
||||||
|
# account required pam_access.so
|
||||||
|
|
||||||
|
# Standard Un*x authorization.
|
||||||
|
@include common-account
|
||||||
|
|
||||||
|
# SELinux needs to be the first session rule. This ensures that any
|
||||||
|
# lingering context has been cleared. Without this it is possible that a
|
||||||
|
# module could execute code in the wrong domain.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||||
|
|
||||||
|
# Set the loginuid process attribute.
|
||||||
|
session required pam_loginuid.so
|
||||||
|
|
||||||
|
# Create a new session keyring.
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
|
||||||
|
# Standard Un*x session setup and teardown.
|
||||||
|
@include common-session
|
||||||
|
|
||||||
|
# Print the message of the day upon successful login.
|
||||||
|
# This includes a dynamically generated part from /run/motd.dynamic
|
||||||
|
# and a static (admin-editable) part from /etc/motd.
|
||||||
|
session optional pam_motd.so motd=/run/motd.dynamic
|
||||||
|
session optional pam_motd.so noupdate
|
||||||
|
|
||||||
|
# Print the status of the user's mailbox upon successful login.
|
||||||
|
session optional pam_mail.so standard noenv # [1]
|
||||||
|
|
||||||
|
# Set up user limits from /etc/security/limits.conf.
|
||||||
|
session required pam_limits.so
|
||||||
|
|
||||||
|
# Read environment variables from /etc/environment and
|
||||||
|
# /etc/security/pam_env.conf.
|
||||||
|
session required pam_env.so # [1]
|
||||||
|
# In Debian 4.0 (etch), locale-related environment variables were moved to
|
||||||
|
# /etc/default/locale, so read that as well.
|
||||||
|
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
|
||||||
|
|
||||||
|
# SELinux needs to intervene at login time to ensure that the process starts
|
||||||
|
# in the proper default security context. Only sessions which are intended
|
||||||
|
# to run in the user's context should be run after this.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||||
|
|
||||||
|
# Standard Un*x password updating.
|
||||||
|
@include common-password
|
@ -0,0 +1,42 @@
|
|||||||
|
# Configuration for libnss-tacplus
|
||||||
|
|
||||||
|
# debug - If you want to open debug log, set it on
|
||||||
|
# Default: off
|
||||||
|
# debug=on
|
||||||
|
|
||||||
|
# local_accounting - If you want to local accounting, set it
|
||||||
|
# Default: None
|
||||||
|
# local_accounting
|
||||||
|
local_accounting
|
||||||
|
|
||||||
|
# tacacs_accounting - If you want to tacacs+ accounting, set it
|
||||||
|
# Default: None
|
||||||
|
# tacacs_accounting
|
||||||
|
|
||||||
|
# local_authorization - If you want to local authorization, set it
|
||||||
|
# Default: None
|
||||||
|
# local_authorization
|
||||||
|
local_authorization
|
||||||
|
|
||||||
|
# tacacs_authorization - If you want to tacacs+ authorization, set it
|
||||||
|
# Default: None
|
||||||
|
# tacacs_authorization
|
||||||
|
|
||||||
|
# src_ip - set source address of TACACS+ protocol packets
|
||||||
|
# Default: None (auto source ip address)
|
||||||
|
# src_ip=2.2.2.2
|
||||||
|
|
||||||
|
# server - set ip address, tcp port, secret string and timeout for TACACS+ servers
|
||||||
|
# Default: None (no TACACS+ server)
|
||||||
|
# server=1.1.1.1:49,secret=test,timeout=3
|
||||||
|
server=192.168.1.1:50,secret=dellsonic,timeout=10,vrf=default
|
||||||
|
server=192.168.1.2:51,secret=dellsonic1,timeout=15,vrf=mgmt
|
||||||
|
|
||||||
|
# user_priv - set the map between TACACS+ user privilege and local user's passwd
|
||||||
|
# Default:
|
||||||
|
# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/bin/bash
|
||||||
|
# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/bin/bash
|
||||||
|
|
||||||
|
# many_to_one - create one local user for many TACACS+ users which has the same privilege
|
||||||
|
# Default: many_to_one=n
|
||||||
|
# many_to_one=y
|
@ -0,0 +1,21 @@
|
|||||||
|
#THIS IS AN AUTO-GENERATED FILE
|
||||||
|
#
|
||||||
|
# /etc/pam.d/common-auth- authentication settings common to all services
|
||||||
|
# This file is included from other service-specific PAM config files,
|
||||||
|
# and should contain a list of the authentication modules that define
|
||||||
|
# the central authentication scheme for use on the system
|
||||||
|
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
|
||||||
|
# traditional Unix authentication mechanisms.
|
||||||
|
#
|
||||||
|
# here are the per-package modules (the "Primary" block)
|
||||||
|
|
||||||
|
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
|
||||||
|
|
||||||
|
#
|
||||||
|
# here's the fallback if no module succeeds
|
||||||
|
auth requisite pam_deny.so
|
||||||
|
# prime the stack with a positive return value if there isn't one already;
|
||||||
|
# this avoids us returning an error just because nothing sets a success code
|
||||||
|
# since the modules above will each just jump around
|
||||||
|
auth required pam_permit.so
|
||||||
|
# and here are more per-package modules (the "Additional" block)
|
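Review bot: `auth [success=1 default=ignore] pam_unix.so nullok try_first_pass` lets any local account whose shadow password field is empty authenticate with no password at all; on a network device where libnss-tacplus creates local accounts for remote users (`pw_info=remote_user` in the companion fixture), `nullok` is a fail-open that the TACACS+ authorization work does not need, so the expected line should be `auth [success=1 default=ignore] pam_unix.so try_first_pass` unless a provisioning flow provably depends on passwordless accounts. If this fixture is pinned to the current common-auth-sonic.j2 output, the change belongs in that template with the fixture regenerated. The closing comment `# and here are more per-package modules (the "Additional" block)` announces a block that does not exist in this 21-line file; drop it or emit the block.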
@ -0,0 +1,116 @@
|
|||||||
|
#
|
||||||
|
# The PAM configuration file for the Shadow `login' service
|
||||||
|
#
|
||||||
|
|
||||||
|
# Enforce a minimal delay in case of failure (in microseconds).
|
||||||
|
# (Replaces the `FAIL_DELAY' setting from login.defs)
|
||||||
|
# Note that other modules may require another minimal delay. (for example,
|
||||||
|
# to disable any delay, you should add the nodelay option to pam_unix)
|
||||||
|
auth optional pam_faildelay.so delay=3000000
|
||||||
|
|
||||||
|
# Outputs an issue file prior to each login prompt (Replaces the
|
||||||
|
# ISSUE_FILE option from login.defs). Uncomment for use
|
||||||
|
# auth required pam_issue.so issue=/etc/issue
|
||||||
|
|
||||||
|
# Disallows root logins except on tty's listed in /etc/securetty
|
||||||
|
# (Replaces the `CONSOLE' setting from login.defs)
|
||||||
|
#
|
||||||
|
# With the default control of this module:
|
||||||
|
# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
|
||||||
|
# root will not be prompted for a password on insecure lines.
|
||||||
|
# if an invalid username is entered, a password is prompted (but login
|
||||||
|
# will eventually be rejected)
|
||||||
|
#
|
||||||
|
# You can change it to a "requisite" module if you think root may mis-type
|
||||||
|
# her login and should not be prompted for a password in that case. But
|
||||||
|
# this will leave the system as vulnerable to user enumeration attacks.
|
||||||
|
#
|
||||||
|
# You can change it to a "required" module if you think it permits to
|
||||||
|
# guess valid user names of your system (invalid user names are considered
|
||||||
|
# as possibly being root on insecure lines), but root passwords may be
|
||||||
|
# communicated over insecure lines.
|
||||||
|
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
|
||||||
|
|
||||||
|
# Disallows other than root logins when /etc/nologin exists
|
||||||
|
# (Replaces the `NOLOGINS_FILE' option from login.defs)
|
||||||
|
auth requisite pam_nologin.so
|
||||||
|
|
||||||
|
# SELinux needs to be the first session rule. This ensures that any
|
||||||
|
# lingering context has been cleared. Without this it is possible
|
||||||
|
# that a module could execute code in the wrong domain.
|
||||||
|
# When the module is present, "required" would be sufficient (When SELinux
|
||||||
|
# is disabled, this returns success.)
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||||
|
|
||||||
|
# Sets the loginuid process attribute
|
||||||
|
session required pam_loginuid.so
|
||||||
|
|
||||||
|
# SELinux needs to intervene at login time to ensure that the process
|
||||||
|
# starts in the proper default security context. Only sessions which are
|
||||||
|
# intended to run in the user's context should be run after this.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||||
|
# When the module is present, "required" would be sufficient (When SELinux
|
||||||
|
# is disabled, this returns success.)
|
||||||
|
|
||||||
|
# This module parses environment configuration file(s)
|
||||||
|
# and also allows you to use an extended config
|
||||||
|
# file /etc/security/pam_env.conf.
|
||||||
|
#
|
||||||
|
# parsing /etc/environment needs "readenv=1"
|
||||||
|
session required pam_env.so readenv=1
|
||||||
|
# locale variables are also kept into /etc/default/locale in etch
|
||||||
|
# reading this file *in addition to /etc/environment* does not hurt
|
||||||
|
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||||
|
|
||||||
|
# Standard Un*x authentication.
|
||||||
|
@include common-auth-sonic
|
||||||
|
|
||||||
|
# This allows certain extra groups to be granted to a user
|
||||||
|
# based on things like time of day, tty, service, and user.
|
||||||
|
# Please edit /etc/security/group.conf to fit your needs
|
||||||
|
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
|
||||||
|
auth optional pam_group.so
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/time.conf if you need to set
|
||||||
|
# time restraint on logins.
|
||||||
|
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
||||||
|
# as well as /etc/porttime)
|
||||||
|
# account requisite pam_time.so
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/access.conf if you need to
|
||||||
|
# set access limits.
|
||||||
|
# (Replaces /etc/login.access file)
|
||||||
|
# account required pam_access.so
|
||||||
|
|
||||||
|
# Sets up user limits according to /etc/security/limits.conf
|
||||||
|
# (Replaces the use of /etc/limits in old login)
|
||||||
|
session required pam_limits.so
|
||||||
|
|
||||||
|
# Prints the last login info upon successful login
|
||||||
|
# (Replaces the `LASTLOG_ENAB' option from login.defs)
|
||||||
|
session optional pam_lastlog.so
|
||||||
|
|
||||||
|
# Prints the message of the day upon successful login.
|
||||||
|
# (Replaces the `MOTD_FILE' option in login.defs)
|
||||||
|
# This includes a dynamically generated part from /run/motd.dynamic
|
||||||
|
# and a static (admin-editable) part from /etc/motd.
|
||||||
|
session optional pam_motd.so motd=/run/motd.dynamic
|
||||||
|
session optional pam_motd.so noupdate
|
||||||
|
|
||||||
|
# Prints the status of the user's mailbox upon successful login
|
||||||
|
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
|
||||||
|
#
|
||||||
|
# This also defines the MAIL environment variable
|
||||||
|
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
||||||
|
# in /etc/login.defs to make sure that removing a user
|
||||||
|
# also removes the user's mail spool file.
|
||||||
|
# See comments in /etc/login.defs
|
||||||
|
session optional pam_mail.so standard
|
||||||
|
|
||||||
|
# Create a new session keyring.
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
|
||||||
|
# Standard Un*x account and session
|
||||||
|
@include common-account
|
||||||
|
@include common-session
|
||||||
|
@include common-password
|
@ -0,0 +1,116 @@
|
|||||||
|
#
|
||||||
|
# The PAM configuration file for the Shadow `login' service
|
||||||
|
#
|
||||||
|
|
||||||
|
# Enforce a minimal delay in case of failure (in microseconds).
|
||||||
|
# (Replaces the `FAIL_DELAY' setting from login.defs)
|
||||||
|
# Note that other modules may require another minimal delay. (for example,
|
||||||
|
# to disable any delay, you should add the nodelay option to pam_unix)
|
||||||
|
auth optional pam_faildelay.so delay=3000000
|
||||||
|
|
||||||
|
# Outputs an issue file prior to each login prompt (Replaces the
|
||||||
|
# ISSUE_FILE option from login.defs). Uncomment for use
|
||||||
|
# auth required pam_issue.so issue=/etc/issue
|
||||||
|
|
||||||
|
# Disallows root logins except on tty's listed in /etc/securetty
|
||||||
|
# (Replaces the `CONSOLE' setting from login.defs)
|
||||||
|
#
|
||||||
|
# With the default control of this module:
|
||||||
|
# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
|
||||||
|
# root will not be prompted for a password on insecure lines.
|
||||||
|
# if an invalid username is entered, a password is prompted (but login
|
||||||
|
# will eventually be rejected)
|
||||||
|
#
|
||||||
|
# You can change it to a "requisite" module if you think root may mis-type
|
||||||
|
# her login and should not be prompted for a password in that case. But
|
||||||
|
# this will leave the system as vulnerable to user enumeration attacks.
|
||||||
|
#
|
||||||
|
# You can change it to a "required" module if you think it permits to
|
||||||
|
# guess valid user names of your system (invalid user names are considered
|
||||||
|
# as possibly being root on insecure lines), but root passwords may be
|
||||||
|
# communicated over insecure lines.
|
||||||
|
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
|
||||||
|
|
||||||
|
# Disallows other than root logins when /etc/nologin exists
|
||||||
|
# (Replaces the `NOLOGINS_FILE' option from login.defs)
|
||||||
|
auth requisite pam_nologin.so
|
||||||
|
|
||||||
|
# SELinux needs to be the first session rule. This ensures that any
|
||||||
|
# lingering context has been cleared. Without this it is possible
|
||||||
|
# that a module could execute code in the wrong domain.
|
||||||
|
# When the module is present, "required" would be sufficient (When SELinux
|
||||||
|
# is disabled, this returns success.)
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||||
|
|
||||||
|
# Sets the loginuid process attribute
|
||||||
|
session required pam_loginuid.so
|
||||||
|
|
||||||
|
# SELinux needs to intervene at login time to ensure that the process
|
||||||
|
# starts in the proper default security context. Only sessions which are
|
||||||
|
# intended to run in the user's context should be run after this.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||||
|
# When the module is present, "required" would be sufficient (When SELinux
|
||||||
|
# is disabled, this returns success.)
|
||||||
|
|
||||||
|
# This module parses environment configuration file(s)
|
||||||
|
# and also allows you to use an extended config
|
||||||
|
# file /etc/security/pam_env.conf.
|
||||||
|
#
|
||||||
|
# parsing /etc/environment needs "readenv=1"
|
||||||
|
session required pam_env.so readenv=1
|
||||||
|
# locale variables are also kept into /etc/default/locale in etch
|
||||||
|
# reading this file *in addition to /etc/environment* does not hurt
|
||||||
|
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||||
|
|
||||||
|
# Standard Un*x authentication.
|
||||||
|
@include common-auth
|
||||||
|
|
||||||
|
# This allows certain extra groups to be granted to a user
|
||||||
|
# based on things like time of day, tty, service, and user.
|
||||||
|
# Please edit /etc/security/group.conf to fit your needs
|
||||||
|
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
|
||||||
|
auth optional pam_group.so
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/time.conf if you need to set
|
||||||
|
# time restraint on logins.
|
||||||
|
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
||||||
|
# as well as /etc/porttime)
|
||||||
|
# account requisite pam_time.so
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/access.conf if you need to
|
||||||
|
# set access limits.
|
||||||
|
# (Replaces /etc/login.access file)
|
||||||
|
# account required pam_access.so
|
||||||
|
|
||||||
|
# Sets up user limits according to /etc/security/limits.conf
|
||||||
|
# (Replaces the use of /etc/limits in old login)
|
||||||
|
session required pam_limits.so
|
||||||
|
|
||||||
|
# Prints the last login info upon successful login
|
||||||
|
# (Replaces the `LASTLOG_ENAB' option from login.defs)
|
||||||
|
session optional pam_lastlog.so
|
||||||
|
|
||||||
|
# Prints the message of the day upon successful login.
|
||||||
|
# (Replaces the `MOTD_FILE' option in login.defs)
|
||||||
|
# This includes a dynamically generated part from /run/motd.dynamic
|
||||||
|
# and a static (admin-editable) part from /etc/motd.
|
||||||
|
session optional pam_motd.so motd=/run/motd.dynamic
|
||||||
|
session optional pam_motd.so noupdate
|
||||||
|
|
||||||
|
# Prints the status of the user's mailbox upon successful login
|
||||||
|
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
|
||||||
|
#
|
||||||
|
# This also defines the MAIL environment variable
|
||||||
|
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
||||||
|
# in /etc/login.defs to make sure that removing a user
|
||||||
|
# also removes the user's mail spool file.
|
||||||
|
# See comments in /etc/login.defs
|
||||||
|
session optional pam_mail.so standard
|
||||||
|
|
||||||
|
# Create a new session keyring.
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
|
||||||
|
# Standard Un*x account and session
|
||||||
|
@include common-account
|
||||||
|
@include common-session
|
||||||
|
@include common-password
|
@ -0,0 +1,55 @@
|
|||||||
|
#THIS IS AN AUTO-GENERATED FILE
|
||||||
|
# Generated from: /usr/share/sonic/templates/radius_nss.conf.j2
|
||||||
|
# RADIUS NSS Configuration File
|
||||||
|
#
|
||||||
|
# Debug: on|off|trace
|
||||||
|
# Default: off
|
||||||
|
#
|
||||||
|
# debug=on
|
||||||
|
|
||||||
|
#
|
||||||
|
# User Privilege:
|
||||||
|
# Default:
|
||||||
|
# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
|
||||||
|
# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
|
||||||
|
|
||||||
|
# Eg:
|
||||||
|
# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
|
||||||
|
# user_priv=7;pw_info=netops;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
|
||||||
|
# user_priv=1;pw_info=operator;gid=100;group=docker;shell=/usr/bin/sonic-launch-shell
|
||||||
|
#
|
||||||
|
|
||||||
|
# many_to_one:
|
||||||
|
# y: Map RADIUS users to one local user per privilege.
|
||||||
|
# n: Create local user account on first successful authentication.
|
||||||
|
# Default: n
|
||||||
|
#
|
||||||
|
|
||||||
|
# Eg:
|
||||||
|
# many_to_one=y
|
||||||
|
#
|
||||||
|
|
||||||
|
# unconfirmed_disallow:
|
||||||
|
# y: Do not allow unconfirmed users (users created before authentication)
|
||||||
|
# n: Allow unconfirmed users.
|
||||||
|
# Default: n
|
||||||
|
|
||||||
|
# Eg:
|
||||||
|
# unconfirmed_disallow=y
|
||||||
|
#
|
||||||
|
|
||||||
|
# unconfirmed_ageout:
|
||||||
|
# <seconds>: Wait time before purging unconfirmed users
|
||||||
|
# Default: 600
|
||||||
|
#
|
||||||
|
|
||||||
|
# Eg:
|
||||||
|
# unconfirmed_ageout=900
|
||||||
|
#
|
||||||
|
|
||||||
|
# unconfirmed_regexp:
|
||||||
|
# <regexp>: The RE to match the command line of processes for which the
|
||||||
|
# creation of unconfirmed users are to be allowed.
|
||||||
|
# Default: (.*: <user> \[priv\])|(.*: \[accepted\])
|
||||||
|
# where: <user> is the unconfirmed user.
|
||||||
|
#
|
@ -0,0 +1,55 @@
|
|||||||
|
# PAM configuration for the Secure Shell service
|
||||||
|
|
||||||
|
# Standard Un*x authentication.
|
||||||
|
@include common-auth-sonic
|
||||||
|
|
||||||
|
# Disallow non-root logins when /etc/nologin exists.
|
||||||
|
account required pam_nologin.so
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/access.conf if you need to set complex
|
||||||
|
# access limits that are hard to express in sshd_config.
|
||||||
|
# account required pam_access.so
|
||||||
|
|
||||||
|
# Standard Un*x authorization.
|
||||||
|
@include common-account
|
||||||
|
|
||||||
|
# SELinux needs to be the first session rule. This ensures that any
|
||||||
|
# lingering context has been cleared. Without this it is possible that a
|
||||||
|
# module could execute code in the wrong domain.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||||
|
|
||||||
|
# Set the loginuid process attribute.
|
||||||
|
session required pam_loginuid.so
|
||||||
|
|
||||||
|
# Create a new session keyring.
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
|
||||||
|
# Standard Un*x session setup and teardown.
|
||||||
|
@include common-session
|
||||||
|
|
||||||
|
# Print the message of the day upon successful login.
|
||||||
|
# This includes a dynamically generated part from /run/motd.dynamic
|
||||||
|
# and a static (admin-editable) part from /etc/motd.
|
||||||
|
session optional pam_motd.so motd=/run/motd.dynamic
|
||||||
|
session optional pam_motd.so noupdate
|
||||||
|
|
||||||
|
# Print the status of the user's mailbox upon successful login.
|
||||||
|
session optional pam_mail.so standard noenv # [1]
|
||||||
|
|
||||||
|
# Set up user limits from /etc/security/limits.conf.
|
||||||
|
session required pam_limits.so
|
||||||
|
|
||||||
|
# Read environment variables from /etc/environment and
|
||||||
|
# /etc/security/pam_env.conf.
|
||||||
|
session required pam_env.so # [1]
|
||||||
|
# In Debian 4.0 (etch), locale-related environment variables were moved to
|
||||||
|
# /etc/default/locale, so read that as well.
|
||||||
|
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
|
||||||
|
|
||||||
|
# SELinux needs to intervene at login time to ensure that the process starts
|
||||||
|
# in the proper default security context. Only sessions which are intended
|
||||||
|
# to run in the user's context should be run after this.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||||
|
|
||||||
|
# Standard Un*x password updating.
|
||||||
|
@include common-password
|
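Review bot: `session required pam_env.so user_readenv=1 envfile=/etc/default/locale` reads each user's ~/.pam_environment, so a remote TACACS+ user controls part of the session environment before any shell or per-command authorization hook runs; upstream pam_env has deprecated `user_readenv` for this reason. Suggest `session required pam_env.so envfile=/etc/default/locale` unless something in SONiC depends on per-user environment files; this line is inherited from the Debian default rather than introduced here, so it can be a follow-up, but it is worth fixing while the PAM fixtures are being established. The `# [1]` markers on the pam_mail and pam_env lines reference a footnote that is not present in the file.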
@ -0,0 +1,55 @@
|
|||||||
|
# PAM configuration for the Secure Shell service
|
||||||
|
|
||||||
|
# Standard Un*x authentication.
|
||||||
|
@include common-auth
|
||||||
|
|
||||||
|
# Disallow non-root logins when /etc/nologin exists.
|
||||||
|
account required pam_nologin.so
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/access.conf if you need to set complex
|
||||||
|
# access limits that are hard to express in sshd_config.
|
||||||
|
# account required pam_access.so
|
||||||
|
|
||||||
|
# Standard Un*x authorization.
|
||||||
|
@include common-account
|
||||||
|
|
||||||
|
# SELinux needs to be the first session rule. This ensures that any
|
||||||
|
# lingering context has been cleared. Without this it is possible that a
|
||||||
|
# module could execute code in the wrong domain.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||||
|
|
||||||
|
# Set the loginuid process attribute.
|
||||||
|
session required pam_loginuid.so
|
||||||
|
|
||||||
|
# Create a new session keyring.
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
|
||||||
|
# Standard Un*x session setup and teardown.
|
||||||
|
@include common-session
|
||||||
|
|
||||||
|
# Print the message of the day upon successful login.
|
||||||
|
# This includes a dynamically generated part from /run/motd.dynamic
|
||||||
|
# and a static (admin-editable) part from /etc/motd.
|
||||||
|
session optional pam_motd.so motd=/run/motd.dynamic
|
||||||
|
session optional pam_motd.so noupdate
|
||||||
|
|
||||||
|
# Print the status of the user's mailbox upon successful login.
|
||||||
|
session optional pam_mail.so standard noenv # [1]
|
||||||
|
|
||||||
|
# Set up user limits from /etc/security/limits.conf.
|
||||||
|
session required pam_limits.so
|
||||||
|
|
||||||
|
# Read environment variables from /etc/environment and
|
||||||
|
# /etc/security/pam_env.conf.
|
||||||
|
session required pam_env.so # [1]
|
||||||
|
# In Debian 4.0 (etch), locale-related environment variables were moved to
|
||||||
|
# /etc/default/locale, so read that as well.
|
||||||
|
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
|
||||||
|
|
||||||
|
# SELinux needs to intervene at login time to ensure that the process starts
|
||||||
|
# in the proper default security context. Only sessions which are intended
|
||||||
|
# to run in the user's context should be run after this.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||||
|
|
||||||
|
# Standard Un*x password updating.
|
||||||
|
@include common-password
|
@ -0,0 +1,44 @@
|
|||||||
|
# Configuration for libnss-tacplus
|
||||||
|
|
||||||
|
# debug - If you want to open debug log, set it on
|
||||||
|
# Default: off
|
||||||
|
# debug=on
|
||||||
|
|
||||||
|
# local_accounting - If you want to local accounting, set it
|
||||||
|
# Default: None
|
||||||
|
# local_accounting
|
||||||
|
local_accounting
|
||||||
|
|
||||||
|
# tacacs_accounting - If you want to tacacs+ accounting, set it
|
||||||
|
# Default: None
|
||||||
|
# tacacs_accounting
|
||||||
|
tacacs_accounting
|
||||||
|
|
||||||
|
# local_authorization - If you want to local authorization, set it
|
||||||
|
# Default: None
|
||||||
|
# local_authorization
|
||||||
|
local_authorization
|
||||||
|
|
||||||
|
# tacacs_authorization - If you want to tacacs+ authorization, set it
|
||||||
|
# Default: None
|
||||||
|
# tacacs_authorization
|
||||||
|
tacacs_authorization
|
||||||
|
|
||||||
|
# src_ip - set source address of TACACS+ protocol packets
|
||||||
|
# Default: None (auto source ip address)
|
||||||
|
# src_ip=2.2.2.2
|
||||||
|
|
||||||
|
# server - set ip address, tcp port, secret string and timeout for TACACS+ servers
|
||||||
|
# Default: None (no TACACS+ server)
|
||||||
|
# server=1.1.1.1:49,secret=test,timeout=3
|
||||||
|
server=192.168.1.1:50,secret=dellsonic,timeout=10,vrf=default
|
||||||
|
server=192.168.1.2:51,secret=dellsonic1,timeout=15,vrf=mgmt
|
||||||
|
|
||||||
|
# user_priv - set the map between TACACS+ user privilege and local user's passwd
|
||||||
|
# Default:
|
||||||
|
# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/bin/bash
|
||||||
|
# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/bin/bash
|
||||||
|
|
||||||
|
# many_to_one - create one local user for many TACACS+ users which has the same privilege
|
||||||
|
# Default: many_to_one=n
|
||||||
|
# many_to_one=y
|
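Review bot: This fixture emits `local_authorization` and `tacacs_authorization` together (and both accounting keywords) but the per-keyword comments give no precedence or fallback semantics: whether a command must be permitted by both, by either, or by TACACS+ first with local as the fallback when no server in the list answers, and whether an accounting failure blocks the command. That is exactly the property an operator has to get right to avoid a fail-open, so the template comment for each pair should spell it out, e.g. `# tacacs_authorization - authorize each command against the servers listed below; with local_authorization also set, <state the combination rule>`, with the rule taken from the plugin rather than assumed. As in the companion fixture, the `secret=` values are plaintext shared secrets; fine for an expected-output file, but the enforcer should write the live file with 0600 permissions and the UT should check that, which this commit does not show.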
@ -0,0 +1,21 @@
|
|||||||
|
#THIS IS AN AUTO-GENERATED FILE
|
||||||
|
#
|
||||||
|
# /etc/pam.d/common-auth- authentication settings common to all services
|
||||||
|
# This file is included from other service-specific PAM config files,
|
||||||
|
# and should contain a list of the authentication modules that define
|
||||||
|
# the central authentication scheme for use on the system
|
||||||
|
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
|
||||||
|
# traditional Unix authentication mechanisms.
|
||||||
|
#
|
||||||
|
# here are the per-package modules (the "Primary" block)
|
||||||
|
|
||||||
|
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
|
||||||
|
|
||||||
|
#
|
||||||
|
# here's the fallback if no module succeeds
|
||||||
|
auth requisite pam_deny.so
|
||||||
|
# prime the stack with a positive return value if there isn't one already;
|
||||||
|
# this avoids us returning an error just because nothing sets a success code
|
||||||
|
# since the modules above will each just jump around
|
||||||
|
auth required pam_permit.so
|
||||||
|
# and here are more per-package modules (the "Additional" block)
|
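Review bot: `auth [success=1 default=ignore] pam_unix.so nullok try_first_pass` again carries `nullok`, which permits login for any local account with an empty password field; since this is the expected output for the TACACS+-enabled configuration it should drop the option, `auth [success=1 default=ignore] pam_unix.so try_first_pass`, or the PR should record why passwordless local accounts are required. If the fixture mirrors common-auth-sonic.j2, fix the template and regenerate. The trailing `# and here are more per-package modules (the "Additional" block)` comment refers to a block this file never contains.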
@ -0,0 +1,116 @@
|
|||||||
|
#
|
||||||
|
# The PAM configuration file for the Shadow `login' service
|
||||||
|
#
|
||||||
|
|
||||||
|
# Enforce a minimal delay in case of failure (in microseconds).
|
||||||
|
# (Replaces the `FAIL_DELAY' setting from login.defs)
|
||||||
|
# Note that other modules may require another minimal delay. (for example,
|
||||||
|
# to disable any delay, you should add the nodelay option to pam_unix)
|
||||||
|
auth optional pam_faildelay.so delay=3000000
|
||||||
|
|
||||||
|
# Outputs an issue file prior to each login prompt (Replaces the
|
||||||
|
# ISSUE_FILE option from login.defs). Uncomment for use
|
||||||
|
# auth required pam_issue.so issue=/etc/issue
|
||||||
|
|
||||||
|
# Disallows root logins except on tty's listed in /etc/securetty
|
||||||
|
# (Replaces the `CONSOLE' setting from login.defs)
|
||||||
|
#
|
||||||
|
# With the default control of this module:
|
||||||
|
# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
|
||||||
|
# root will not be prompted for a password on insecure lines.
|
||||||
|
# if an invalid username is entered, a password is prompted (but login
|
||||||
|
# will eventually be rejected)
|
||||||
|
#
|
||||||
|
# You can change it to a "requisite" module if you think root may mis-type
|
||||||
|
# her login and should not be prompted for a password in that case. But
|
||||||
|
# this will leave the system as vulnerable to user enumeration attacks.
|
||||||
|
#
|
||||||
|
# You can change it to a "required" module if you think it permits to
|
||||||
|
# guess valid user names of your system (invalid user names are considered
|
||||||
|
# as possibly being root on insecure lines), but root passwords may be
|
||||||
|
# communicated over insecure lines.
|
||||||
|
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
|
||||||
|
|
||||||
|
# Disallows other than root logins when /etc/nologin exists
|
||||||
|
# (Replaces the `NOLOGINS_FILE' option from login.defs)
|
||||||
|
auth requisite pam_nologin.so
|
||||||
|
|
||||||
|
# SELinux needs to be the first session rule. This ensures that any
|
||||||
|
# lingering context has been cleared. Without this it is possible
|
||||||
|
# that a module could execute code in the wrong domain.
|
||||||
|
# When the module is present, "required" would be sufficient (When SELinux
|
||||||
|
# is disabled, this returns success.)
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||||
|
|
||||||
|
# Sets the loginuid process attribute
|
||||||
|
session required pam_loginuid.so
|
||||||
|
|
||||||
|
# SELinux needs to intervene at login time to ensure that the process
|
||||||
|
# starts in the proper default security context. Only sessions which are
|
||||||
|
# intended to run in the user's context should be run after this.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||||
|
# When the module is present, "required" would be sufficient (When SELinux
|
||||||
|
# is disabled, this returns success.)
|
||||||
|
|
||||||
|
# This module parses environment configuration file(s)
|
||||||
|
# and also allows you to use an extended config
|
||||||
|
# file /etc/security/pam_env.conf.
|
||||||
|
#
|
||||||
|
# parsing /etc/environment needs "readenv=1"
|
||||||
|
session required pam_env.so readenv=1
|
||||||
|
# locale variables are also kept into /etc/default/locale in etch
|
||||||
|
# reading this file *in addition to /etc/environment* does not hurt
|
||||||
|
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||||
|
|
||||||
|
# Standard Un*x authentication.
|
||||||
|
@include common-auth-sonic
|
||||||
|
|
||||||
|
# This allows certain extra groups to be granted to a user
|
||||||
|
# based on things like time of day, tty, service, and user.
|
||||||
|
# Please edit /etc/security/group.conf to fit your needs
|
||||||
|
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
|
||||||
|
auth optional pam_group.so
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/time.conf if you need to set
|
||||||
|
# time restraint on logins.
|
||||||
|
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
||||||
|
# as well as /etc/porttime)
|
||||||
|
# account requisite pam_time.so
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/access.conf if you need to
|
||||||
|
# set access limits.
|
||||||
|
# (Replaces /etc/login.access file)
|
||||||
|
# account required pam_access.so
|
||||||
|
|
||||||
|
# Sets up user limits according to /etc/security/limits.conf
|
||||||
|
# (Replaces the use of /etc/limits in old login)
|
||||||
|
session required pam_limits.so
|
||||||
|
|
||||||
|
# Prints the last login info upon successful login
|
||||||
|
# (Replaces the `LASTLOG_ENAB' option from login.defs)
|
||||||
|
session optional pam_lastlog.so
|
||||||
|
|
||||||
|
# Prints the message of the day upon successful login.
|
||||||
|
# (Replaces the `MOTD_FILE' option in login.defs)
|
||||||
|
# This includes a dynamically generated part from /run/motd.dynamic
|
||||||
|
# and a static (admin-editable) part from /etc/motd.
|
||||||
|
session optional pam_motd.so motd=/run/motd.dynamic
|
||||||
|
session optional pam_motd.so noupdate
|
||||||
|
|
||||||
|
# Prints the status of the user's mailbox upon successful login
|
||||||
|
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
|
||||||
|
#
|
||||||
|
# This also defines the MAIL environment variable
|
||||||
|
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
||||||
|
# in /etc/login.defs to make sure that removing a user
|
||||||
|
# also removes the user's mail spool file.
|
||||||
|
# See comments in /etc/login.defs
|
||||||
|
session optional pam_mail.so standard
|
||||||
|
|
||||||
|
# Create a new session keyring.
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
|
||||||
|
# Standard Un*x account and session
|
||||||
|
@include common-account
|
||||||
|
@include common-session
|
||||||
|
@include common-password
|
@ -0,0 +1,116 @@
|
|||||||
|
#
|
||||||
|
# The PAM configuration file for the Shadow `login' service
|
||||||
|
#
|
||||||
|
|
||||||
|
# Enforce a minimal delay in case of failure (in microseconds).
|
||||||
|
# (Replaces the `FAIL_DELAY' setting from login.defs)
|
||||||
|
# Note that other modules may require another minimal delay. (for example,
|
||||||
|
# to disable any delay, you should add the nodelay option to pam_unix)
|
||||||
|
auth optional pam_faildelay.so delay=3000000
|
||||||
|
|
||||||
|
# Outputs an issue file prior to each login prompt (Replaces the
|
||||||
|
# ISSUE_FILE option from login.defs). Uncomment for use
|
||||||
|
# auth required pam_issue.so issue=/etc/issue
|
||||||
|
|
||||||
|
# Disallows root logins except on tty's listed in /etc/securetty
|
||||||
|
# (Replaces the `CONSOLE' setting from login.defs)
|
||||||
|
#
|
||||||
|
# With the default control of this module:
|
||||||
|
# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
|
||||||
|
# root will not be prompted for a password on insecure lines.
|
||||||
|
# if an invalid username is entered, a password is prompted (but login
|
||||||
|
# will eventually be rejected)
|
||||||
|
#
|
||||||
|
# You can change it to a "requisite" module if you think root may mis-type
|
||||||
|
# her login and should not be prompted for a password in that case. But
|
||||||
|
# this will leave the system as vulnerable to user enumeration attacks.
|
||||||
|
#
|
||||||
|
# You can change it to a "required" module if you think it permits to
|
||||||
|
# guess valid user names of your system (invalid user names are considered
|
||||||
|
# as possibly being root on insecure lines), but root passwords may be
|
||||||
|
# communicated over insecure lines.
|
||||||
|
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
|
||||||
|
|
||||||
|
# Disallows other than root logins when /etc/nologin exists
|
||||||
|
# (Replaces the `NOLOGINS_FILE' option from login.defs)
|
||||||
|
auth requisite pam_nologin.so
|
||||||
|
|
||||||
|
# SELinux needs to be the first session rule. This ensures that any
|
||||||
|
# lingering context has been cleared. Without this it is possible
|
||||||
|
# that a module could execute code in the wrong domain.
|
||||||
|
# When the module is present, "required" would be sufficient (When SELinux
|
||||||
|
# is disabled, this returns success.)
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||||
|
|
||||||
|
# Sets the loginuid process attribute
|
||||||
|
session required pam_loginuid.so
|
||||||
|
|
||||||
|
# SELinux needs to intervene at login time to ensure that the process
|
||||||
|
# starts in the proper default security context. Only sessions which are
|
||||||
|
# intended to run in the user's context should be run after this.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||||
|
# When the module is present, "required" would be sufficient (When SELinux
|
||||||
|
# is disabled, this returns success.)
|
||||||
|
|
||||||
|
# This module parses environment configuration file(s)
|
||||||
|
# and also allows you to use an extended config
|
||||||
|
# file /etc/security/pam_env.conf.
|
||||||
|
#
|
||||||
|
# parsing /etc/environment needs "readenv=1"
|
||||||
|
session required pam_env.so readenv=1
|
||||||
|
# locale variables are also kept into /etc/default/locale in etch
|
||||||
|
# reading this file *in addition to /etc/environment* does not hurt
|
||||||
|
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||||
|
|
||||||
|
# Standard Un*x authentication.
|
||||||
|
@include common-auth
|
||||||
|
|
||||||
|
# This allows certain extra groups to be granted to a user
|
||||||
|
# based on things like time of day, tty, service, and user.
|
||||||
|
# Please edit /etc/security/group.conf to fit your needs
|
||||||
|
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
|
||||||
|
auth optional pam_group.so
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/time.conf if you need to set
|
||||||
|
# time restraint on logins.
|
||||||
|
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
||||||
|
# as well as /etc/porttime)
|
||||||
|
# account requisite pam_time.so
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/access.conf if you need to
|
||||||
|
# set access limits.
|
||||||
|
# (Replaces /etc/login.access file)
|
||||||
|
# account required pam_access.so
|
||||||
|
|
||||||
|
# Sets up user limits according to /etc/security/limits.conf
|
||||||
|
# (Replaces the use of /etc/limits in old login)
|
||||||
|
session required pam_limits.so
|
||||||
|
|
||||||
|
# Prints the last login info upon successful login
|
||||||
|
# (Replaces the `LASTLOG_ENAB' option from login.defs)
|
||||||
|
session optional pam_lastlog.so
|
||||||
|
|
||||||
|
# Prints the message of the day upon successful login.
|
||||||
|
# (Replaces the `MOTD_FILE' option in login.defs)
|
||||||
|
# This includes a dynamically generated part from /run/motd.dynamic
|
||||||
|
# and a static (admin-editable) part from /etc/motd.
|
||||||
|
session optional pam_motd.so motd=/run/motd.dynamic
|
||||||
|
session optional pam_motd.so noupdate
|
||||||
|
|
||||||
|
# Prints the status of the user's mailbox upon successful login
|
||||||
|
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
|
||||||
|
#
|
||||||
|
# This also defines the MAIL environment variable
|
||||||
|
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
||||||
|
# in /etc/login.defs to make sure that removing a user
|
||||||
|
# also removes the user's mail spool file.
|
||||||
|
# See comments in /etc/login.defs
|
||||||
|
session optional pam_mail.so standard
|
||||||
|
|
||||||
|
# Create a new session keyring.
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
|
||||||
|
# Standard Un*x account and session
|
||||||
|
@include common-account
|
||||||
|
@include common-session
|
||||||
|
@include common-password
|
@ -0,0 +1,55 @@
|
|||||||
|
#THIS IS AN AUTO-GENERATED FILE
|
||||||
|
# Generated from: /usr/share/sonic/templates/radius_nss.conf.j2
|
||||||
|
# RADIUS NSS Configuration File
|
||||||
|
#
|
||||||
|
# Debug: on|off|trace
|
||||||
|
# Default: off
|
||||||
|
#
|
||||||
|
# debug=on
|
||||||
|
|
||||||
|
#
|
||||||
|
# User Privilege:
|
||||||
|
# Default:
|
||||||
|
# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
|
||||||
|
# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
|
||||||
|
|
||||||
|
# Eg:
|
||||||
|
# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
|
||||||
|
# user_priv=7;pw_info=netops;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
|
||||||
|
# user_priv=1;pw_info=operator;gid=100;group=docker;shell=/usr/bin/sonic-launch-shell
|
||||||
|
#
|
||||||
|
|
||||||
|
# many_to_one:
|
||||||
|
# y: Map RADIUS users to one local user per privilege.
|
||||||
|
# n: Create local user account on first successful authentication.
|
||||||
|
# Default: n
|
||||||
|
#
|
||||||
|
|
||||||
|
# Eg:
|
||||||
|
# many_to_one=y
|
||||||
|
#
|
||||||
|
|
||||||
|
# unconfirmed_disallow:
|
||||||
|
# y: Do not allow unconfirmed users (users created before authentication)
|
||||||
|
# n: Allow unconfirmed users.
|
||||||
|
# Default: n
|
||||||
|
|
||||||
|
# Eg:
|
||||||
|
# unconfirmed_disallow=y
|
||||||
|
#
|
||||||
|
|
||||||
|
# unconfirmed_ageout:
|
||||||
|
# <seconds>: Wait time before purging unconfirmed users
|
||||||
|
# Default: 600
|
||||||
|
#
|
||||||
|
|
||||||
|
# Eg:
|
||||||
|
# unconfirmed_ageout=900
|
||||||
|
#
|
||||||
|
|
||||||
|
# unconfirmed_regexp:
|
||||||
|
# <regexp>: The RE to match the command line of processes for which the
|
||||||
|
# creation of unconfirmed users are to be allowed.
|
||||||
|
# Default: (.*: <user> \[priv\])|(.*: \[accepted\])
|
||||||
|
# where: <user> is the unconfirmed user.
|
||||||
|
#
|
@ -0,0 +1,55 @@
|
|||||||
|
# PAM configuration for the Secure Shell service
|
||||||
|
|
||||||
|
# Standard Un*x authentication.
|
||||||
|
@include common-auth-sonic
|
||||||
|
|
||||||
|
# Disallow non-root logins when /etc/nologin exists.
|
||||||
|
account required pam_nologin.so
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/access.conf if you need to set complex
|
||||||
|
# access limits that are hard to express in sshd_config.
|
||||||
|
# account required pam_access.so
|
||||||
|
|
||||||
|
# Standard Un*x authorization.
|
||||||
|
@include common-account
|
||||||
|
|
||||||
|
# SELinux needs to be the first session rule. This ensures that any
|
||||||
|
# lingering context has been cleared. Without this it is possible that a
|
||||||
|
# module could execute code in the wrong domain.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||||
|
|
||||||
|
# Set the loginuid process attribute.
|
||||||
|
session required pam_loginuid.so
|
||||||
|
|
||||||
|
# Create a new session keyring.
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
|
||||||
|
# Standard Un*x session setup and teardown.
|
||||||
|
@include common-session
|
||||||
|
|
||||||
|
# Print the message of the day upon successful login.
|
||||||
|
# This includes a dynamically generated part from /run/motd.dynamic
|
||||||
|
# and a static (admin-editable) part from /etc/motd.
|
||||||
|
session optional pam_motd.so motd=/run/motd.dynamic
|
||||||
|
session optional pam_motd.so noupdate
|
||||||
|
|
||||||
|
# Print the status of the user's mailbox upon successful login.
|
||||||
|
session optional pam_mail.so standard noenv # [1]
|
||||||
|
|
||||||
|
# Set up user limits from /etc/security/limits.conf.
|
||||||
|
session required pam_limits.so
|
||||||
|
|
||||||
|
# Read environment variables from /etc/environment and
|
||||||
|
# /etc/security/pam_env.conf.
|
||||||
|
session required pam_env.so # [1]
|
||||||
|
# In Debian 4.0 (etch), locale-related environment variables were moved to
|
||||||
|
# /etc/default/locale, so read that as well.
|
||||||
|
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
|
||||||
|
|
||||||
|
# SELinux needs to intervene at login time to ensure that the process starts
|
||||||
|
# in the proper default security context. Only sessions which are intended
|
||||||
|
# to run in the user's context should be run after this.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||||
|
|
||||||
|
# Standard Un*x password updating.
|
||||||
|
@include common-password
|
@ -0,0 +1,55 @@
|
|||||||
|
# PAM configuration for the Secure Shell service
|
||||||
|
|
||||||
|
# Standard Un*x authentication.
|
||||||
|
@include common-auth
|
||||||
|
|
||||||
|
# Disallow non-root logins when /etc/nologin exists.
|
||||||
|
account required pam_nologin.so
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/access.conf if you need to set complex
|
||||||
|
# access limits that are hard to express in sshd_config.
|
||||||
|
# account required pam_access.so
|
||||||
|
|
||||||
|
# Standard Un*x authorization.
|
||||||
|
@include common-account
|
||||||
|
|
||||||
|
# SELinux needs to be the first session rule. This ensures that any
|
||||||
|
# lingering context has been cleared. Without this it is possible that a
|
||||||
|
# module could execute code in the wrong domain.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||||
|
|
||||||
|
# Set the loginuid process attribute.
|
||||||
|
session required pam_loginuid.so
|
||||||
|
|
||||||
|
# Create a new session keyring.
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
|
||||||
|
# Standard Un*x session setup and teardown.
|
||||||
|
@include common-session
|
||||||
|
|
||||||
|
# Print the message of the day upon successful login.
|
||||||
|
# This includes a dynamically generated part from /run/motd.dynamic
|
||||||
|
# and a static (admin-editable) part from /etc/motd.
|
||||||
|
session optional pam_motd.so motd=/run/motd.dynamic
|
||||||
|
session optional pam_motd.so noupdate
|
||||||
|
|
||||||
|
# Print the status of the user's mailbox upon successful login.
|
||||||
|
session optional pam_mail.so standard noenv # [1]
|
||||||
|
|
||||||
|
# Set up user limits from /etc/security/limits.conf.
|
||||||
|
session required pam_limits.so
|
||||||
|
|
||||||
|
# Read environment variables from /etc/environment and
|
||||||
|
# /etc/security/pam_env.conf.
|
||||||
|
session required pam_env.so # [1]
|
||||||
|
# In Debian 4.0 (etch), locale-related environment variables were moved to
|
||||||
|
# /etc/default/locale, so read that as well.
|
||||||
|
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
|
||||||
|
|
||||||
|
# SELinux needs to intervene at login time to ensure that the process starts
|
||||||
|
# in the proper default security context. Only sessions which are intended
|
||||||
|
# to run in the user's context should be run after this.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||||
|
|
||||||
|
# Standard Un*x password updating.
|
||||||
|
@include common-password
|
@ -0,0 +1,42 @@
|
|||||||
|
# Configuration for libnss-tacplus
|
||||||
|
|
||||||
|
# debug - If you want to open debug log, set it on
|
||||||
|
# Default: off
|
||||||
|
# debug=on
|
||||||
|
|
||||||
|
# local_accounting - If you want to local accounting, set it
|
||||||
|
# Default: None
|
||||||
|
# local_accounting
|
||||||
|
|
||||||
|
# tacacs_accounting - If you want to tacacs+ accounting, set it
|
||||||
|
# Default: None
|
||||||
|
# tacacs_accounting
|
||||||
|
tacacs_accounting
|
||||||
|
|
||||||
|
# local_authorization - If you want to local authorization, set it
|
||||||
|
# Default: None
|
||||||
|
# local_authorization
|
||||||
|
|
||||||
|
# tacacs_authorization - If you want to tacacs+ authorization, set it
|
||||||
|
# Default: None
|
||||||
|
# tacacs_authorization
|
||||||
|
tacacs_authorization
|
||||||
|
|
||||||
|
# src_ip - set source address of TACACS+ protocol packets
|
||||||
|
# Default: None (auto source ip address)
|
||||||
|
# src_ip=2.2.2.2
|
||||||
|
|
||||||
|
# server - set ip address, tcp port, secret string and timeout for TACACS+ servers
|
||||||
|
# Default: None (no TACACS+ server)
|
||||||
|
# server=1.1.1.1:49,secret=test,timeout=3
|
||||||
|
server=192.168.1.1:50,secret=dellsonic,timeout=10,vrf=default
|
||||||
|
server=192.168.1.2:51,secret=dellsonic1,timeout=15,vrf=mgmt
|
||||||
|
|
||||||
|
# user_priv - set the map between TACACS+ user privilege and local user's passwd
|
||||||
|
# Default:
|
||||||
|
# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/bin/bash
|
||||||
|
# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/bin/bash
|
||||||
|
|
||||||
|
# many_to_one - create one local user for many TACACS+ users which has the same privilege
|
||||||
|
# Default: many_to_one=n
|
||||||
|
# many_to_one=y
|
260
src/sonic-host-services/tests/hostcfgd/test_tacacs_vectors.py
Normal file
260
src/sonic-host-services/tests/hostcfgd/test_tacacs_vectors.py
Normal file
@ -0,0 +1,260 @@
|
|||||||
|
from unittest.mock import call
|
||||||
|
|
||||||
|
"""
|
||||||
|
hostcfgd test tacacs vector
|
||||||
|
"""
|
||||||
|
HOSTCFGD_TEST_TACACS_VECTOR = [
|
||||||
|
[
|
||||||
|
"TACACS",
|
||||||
|
{
|
||||||
|
"config_db_local": {
|
||||||
|
"DEVICE_METADATA": {
|
||||||
|
"localhost": {
|
||||||
|
"hostname": "radius",
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"FEATURE": {
|
||||||
|
"dhcp_relay": {
|
||||||
|
"auto_restart": "enabled",
|
||||||
|
"has_global_scope": "True",
|
||||||
|
"has_per_asic_scope": "False",
|
||||||
|
"has_timer": "False",
|
||||||
|
"high_mem_alert": "disabled",
|
||||||
|
"set_owner": "kube",
|
||||||
|
"state": "enabled"
|
||||||
|
},
|
||||||
|
},
|
||||||
|
"KDUMP": {
|
||||||
|
"config": {
|
||||||
|
"enabled": "false",
|
||||||
|
"num_dumps": "3",
|
||||||
|
"memory": "0M-2G:256M,2G-4G:320M,4G-8G:384M,8G-:448M"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"AAA": {
|
||||||
|
"authentication": {
|
||||||
|
"login": "local"
|
||||||
|
},
|
||||||
|
"authorization": {
|
||||||
|
"login": "local"
|
||||||
|
},
|
||||||
|
"accounting": {
|
||||||
|
"login": "local"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"TACPLUS": {
|
||||||
|
"global": {
|
||||||
|
"auth_type": "chap",
|
||||||
|
"timeout": 5,
|
||||||
|
"passkey": "dellsonic",
|
||||||
|
"src_intf": "Ethernet0"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"TACPLUS_SERVER": {
|
||||||
|
"192.168.1.1" : {
|
||||||
|
"priority": 5,
|
||||||
|
"tcp_port": 50,
|
||||||
|
"timeout": 10,
|
||||||
|
"auth_type": "chap",
|
||||||
|
"passkey": "dellsonic",
|
||||||
|
"vrf": "default"
|
||||||
|
},
|
||||||
|
"192.168.1.2" : {
|
||||||
|
"priority": 2,
|
||||||
|
"tcp_port": 51,
|
||||||
|
"timeout": 15,
|
||||||
|
"auth_type": "pap",
|
||||||
|
"passkey": "dellsonic1",
|
||||||
|
"vrf": "mgmt"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
},
|
||||||
|
"config_db_tacacs": {
|
||||||
|
"DEVICE_METADATA": {
|
||||||
|
"localhost": {
|
||||||
|
"hostname": "radius",
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"FEATURE": {
|
||||||
|
"dhcp_relay": {
|
||||||
|
"auto_restart": "enabled",
|
||||||
|
"has_global_scope": "True",
|
||||||
|
"has_per_asic_scope": "False",
|
||||||
|
"has_timer": "False",
|
||||||
|
"high_mem_alert": "disabled",
|
||||||
|
"set_owner": "kube",
|
||||||
|
"state": "enabled"
|
||||||
|
},
|
||||||
|
},
|
||||||
|
"KDUMP": {
|
||||||
|
"config": {
|
||||||
|
"enabled": "false",
|
||||||
|
"num_dumps": "3",
|
||||||
|
"memory": "0M-2G:256M,2G-4G:320M,4G-8G:384M,8G-:448M"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"AAA": {
|
||||||
|
"authentication": {
|
||||||
|
"login": "local"
|
||||||
|
},
|
||||||
|
"authorization": {
|
||||||
|
"login": "tacacs+"
|
||||||
|
},
|
||||||
|
"accounting": {
|
||||||
|
"login": "tacacs+"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"TACPLUS": {
|
||||||
|
"global": {
|
||||||
|
"auth_type": "chap",
|
||||||
|
"timeout": 5,
|
||||||
|
"passkey": "dellsonic",
|
||||||
|
"src_intf": "Ethernet0"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"TACPLUS_SERVER": {
|
||||||
|
"192.168.1.1" : {
|
||||||
|
"priority": 5,
|
||||||
|
"tcp_port": 50,
|
||||||
|
"timeout": 10,
|
||||||
|
"auth_type": "chap",
|
||||||
|
"passkey": "dellsonic",
|
||||||
|
"vrf": "default"
|
||||||
|
},
|
||||||
|
"192.168.1.2" : {
|
||||||
|
"priority": 2,
|
||||||
|
"tcp_port": 51,
|
||||||
|
"timeout": 15,
|
||||||
|
"auth_type": "pap",
|
||||||
|
"passkey": "dellsonic1",
|
||||||
|
"vrf": "mgmt"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
},
|
||||||
|
"config_db_local_and_tacacs": {
|
||||||
|
"DEVICE_METADATA": {
|
||||||
|
"localhost": {
|
||||||
|
"hostname": "radius",
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"FEATURE": {
|
||||||
|
"dhcp_relay": {
|
||||||
|
"auto_restart": "enabled",
|
||||||
|
"has_global_scope": "True",
|
||||||
|
"has_per_asic_scope": "False",
|
||||||
|
"has_timer": "False",
|
||||||
|
"high_mem_alert": "disabled",
|
||||||
|
"set_owner": "kube",
|
||||||
|
"state": "enabled"
|
||||||
|
},
|
||||||
|
},
|
||||||
|
"KDUMP": {
|
||||||
|
"config": {
|
||||||
|
"enabled": "false",
|
||||||
|
"num_dumps": "3",
|
||||||
|
"memory": "0M-2G:256M,2G-4G:320M,4G-8G:384M,8G-:448M"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"AAA": {
|
||||||
|
"authentication": {
|
||||||
|
"login": "local"
|
||||||
|
},
|
||||||
|
"authorization": {
|
||||||
|
"login": "tacacs+ local"
|
||||||
|
},
|
||||||
|
"accounting": {
|
||||||
|
"login": "tacacs+ local"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"TACPLUS": {
|
||||||
|
"global": {
|
||||||
|
"auth_type": "chap",
|
||||||
|
"timeout": 5,
|
||||||
|
"passkey": "dellsonic",
|
||||||
|
"src_intf": "Ethernet0"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"TACPLUS_SERVER": {
|
||||||
|
"192.168.1.1" : {
|
||||||
|
"priority": 5,
|
||||||
|
"tcp_port": 50,
|
||||||
|
"timeout": 10,
|
||||||
|
"auth_type": "chap",
|
||||||
|
"passkey": "dellsonic",
|
||||||
|
"vrf": "default"
|
||||||
|
},
|
||||||
|
"192.168.1.2" : {
|
||||||
|
"priority": 2,
|
||||||
|
"tcp_port": 51,
|
||||||
|
"timeout": 15,
|
||||||
|
"auth_type": "pap",
|
||||||
|
"passkey": "dellsonic1",
|
||||||
|
"vrf": "mgmt"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
},
|
||||||
|
"config_db_disable_accounting": {
|
||||||
|
"DEVICE_METADATA": {
|
||||||
|
"localhost": {
|
||||||
|
"hostname": "radius",
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"FEATURE": {
|
||||||
|
"dhcp_relay": {
|
||||||
|
"auto_restart": "enabled",
|
||||||
|
"has_global_scope": "True",
|
||||||
|
"has_per_asic_scope": "False",
|
||||||
|
"has_timer": "False",
|
||||||
|
"high_mem_alert": "disabled",
|
||||||
|
"set_owner": "kube",
|
||||||
|
"state": "enabled"
|
||||||
|
},
|
||||||
|
},
|
||||||
|
"KDUMP": {
|
||||||
|
"config": {
|
||||||
|
"enabled": "false",
|
||||||
|
"num_dumps": "3",
|
||||||
|
"memory": "0M-2G:256M,2G-4G:320M,4G-8G:384M,8G-:448M"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"AAA": {
|
||||||
|
"authentication": {
|
||||||
|
"login": "local"
|
||||||
|
},
|
||||||
|
"authorization": {
|
||||||
|
"login": "local"
|
||||||
|
},
|
||||||
|
"accounting": {
|
||||||
|
"login": "disable"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"TACPLUS": {
|
||||||
|
"global": {
|
||||||
|
"auth_type": "chap",
|
||||||
|
"timeout": 5,
|
||||||
|
"passkey": "dellsonic",
|
||||||
|
"src_intf": "Ethernet0"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"TACPLUS_SERVER": {
|
||||||
|
"192.168.1.1" : {
|
||||||
|
"priority": 5,
|
||||||
|
"tcp_port": 50,
|
||||||
|
"timeout": 10,
|
||||||
|
"auth_type": "chap",
|
||||||
|
"passkey": "dellsonic",
|
||||||
|
"vrf": "default"
|
||||||
|
},
|
||||||
|
"192.168.1.2" : {
|
||||||
|
"priority": 2,
|
||||||
|
"tcp_port": 51,
|
||||||
|
"timeout": 15,
|
||||||
|
"auth_type": "pap",
|
||||||
|
"passkey": "dellsonic1",
|
||||||
|
"vrf": "mgmt"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
]
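Review bot: `from unittest.mock import call` at the top of the new file is never used in its 260 lines, and the triple-quoted "hostcfgd test tacacs vector" string that follows it sits after the import, so Python does not treat it as the module docstring; drop the import and move the string above it (or make it a `#` comment). The four `config_db_*` entries repeat the same DEVICE_METADATA, FEATURE, KDUMP, TACPLUS and TACPLUS_SERVER tables verbatim and differ only in the three AAA `login` values, so a future change to the shared tables has to be made four times; building the copies from one base dict keeps the vectors readable and the AAA differences explicit (this needs `import copy` at the top of the file). The `"hostname": "radius"` in every TACACS vector looks carried over from the RADIUS vectors; if the hostname does not matter to these tests, a neutral value would avoid confusion. Integer values such as `"timeout": 5` and `"tcp_port": 50` next to string values like `"state": "enabled"` may not match what the real CONFIG_DB hands to hostcfgd (all strings); worth confirming against the existing test vectors.
```python
def _config_db(authorization, accounting):
    """Shared tables plus the AAA methods that vary between vectors (authentication stays local)."""
    config_db = copy.deepcopy(_BASE_CONFIG_DB)  # … unchanged tables, kept once …
    config_db["AAA"] = {
        "authentication": {"login": "local"},
        "authorization": {"login": authorization},
        "accounting": {"login": accounting},
    }
    return config_db


HOSTCFGD_TEST_TACACS_VECTOR = [
    [
        "TACACS",
        {
            "config_db_local": _config_db("local", "local"),
            "config_db_tacacs": _config_db("tacacs+", "tacacs+"),
            "config_db_local_and_tacacs": _config_db("tacacs+ local", "tacacs+ local"),
            "config_db_disable_accounting": _config_db("local", "disable"),
        }
    ]
]
```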
|
@ -934,7 +934,13 @@
|
|||||||
},
|
},
|
||||||
"AAA": {
|
"AAA": {
|
||||||
"authentication": {
|
"authentication": {
|
||||||
"login": "local"
|
"login": "local"
|
||||||
|
},
|
||||||
|
"authorization": {
|
||||||
|
"login": "local"
|
||||||
|
},
|
||||||
|
"accounting": {
|
||||||
|
"login": "local"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"TACPLUS": {
|
"TACPLUS": {
|
||||||
|
@ -9,5 +9,11 @@
|
|||||||
"AAA_TEST_WRONG_FAILTHROUGH": {
|
"AAA_TEST_WRONG_FAILTHROUGH": {
|
||||||
"desc": "Configure a wrong failthrough in AAA table.",
|
"desc": "Configure a wrong failthrough in AAA table.",
|
||||||
"eStrKey": "InvalidValue"
|
"eStrKey": "InvalidValue"
|
||||||
|
},
|
||||||
|
"AAA_AUTHORIZATION_TEST": {
|
||||||
|
"desc": "Configure an authorization type in AAA table."
|
||||||
|
},
|
||||||
|
"AAA_ACCOUNTING_TEST": {
|
||||||
|
"desc": "Configure an accounting type in AAA table."
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -16,7 +16,7 @@
|
|||||||
"sonic-system-aaa:sonic-system-aaa": {
|
"sonic-system-aaa:sonic-system-aaa": {
|
||||||
"sonic-system-aaa:AAA": {
|
"sonic-system-aaa:AAA": {
|
||||||
"AAA_LIST": [{
|
"AAA_LIST": [{
|
||||||
"type": "authorization"
|
"type": "unknowntype"
|
||||||
}]
|
}]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -31,5 +31,27 @@
|
|||||||
}]
|
}]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
},
|
||||||
|
|
||||||
|
"AAA_AUTHORIZATION_TEST": {
|
||||||
|
"sonic-system-aaa:sonic-system-aaa": {
|
||||||
|
"sonic-system-aaa:AAA": {
|
||||||
|
"AAA_LIST": [{
|
||||||
|
"type": "authorization",
|
||||||
|
"login": "tacacs+"
|
||||||
|
}]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
|
||||||
|
"AAA_ACCOUNTING_TEST": {
|
||||||
|
"sonic-system-aaa:sonic-system-aaa": {
|
||||||
|
"sonic-system-aaa:AAA": {
|
||||||
|
"AAA_LIST": [{
|
||||||
|
"type": "accounting",
|
||||||
|
"login": "tacacs+"
|
||||||
|
}]
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -3,6 +3,10 @@ module sonic-system-aaa {
|
|||||||
prefix ssys;
|
prefix ssys;
|
||||||
yang-version 1.1;
|
yang-version 1.1;
|
||||||
|
|
||||||
|
revision 2021-10-12 {
|
||||||
|
description "Add AAA authorization/accounting support.";
|
||||||
|
}
|
||||||
|
|
||||||
revision 2021-04-15 {
|
revision 2021-04-15 {
|
||||||
description "Initial revision.";
|
description "Initial revision.";
|
||||||
}
|
}
|
||||||
@ -15,13 +19,15 @@ module sonic-system-aaa {
|
|||||||
leaf type {
|
leaf type {
|
||||||
type enumeration {
|
type enumeration {
|
||||||
enum authentication;
|
enum authentication;
|
||||||
|
enum authorization;
|
||||||
|
enum accounting;
|
||||||
}
|
}
|
||||||
description "AAA type authentication";
|
description "AAA type authentication/authorization/accounting";
|
||||||
}
|
}
|
||||||
|
|
||||||
leaf login {
|
leaf login {
|
||||||
type string;
|
type string;
|
||||||
description "AAA authentication methods - local/tacacs+";
|
description "AAA authentication/authorization/accounting methods - local/tacacs+/disable";
|
||||||
default "local";
|
default "local";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
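Review bot: `leaf login` keeps `type string;` while its new description enumerates the accepted methods `local/tacacs+/disable`, so the model still accepts any text and a misspelt method (for example a missing `+`) passes YANG validation and is only discovered when hostcfgd renders the PAM/NSS files. Since the hostcfgd vectors also use the space-separated combination `tacacs+ local`, a restriction has to admit an ordered list, e.g. `type string { pattern "(local|tacacs\+|disable)( (local|tacacs\+|disable))*"; }`; whether `disable` is meaningful for the `authentication` type is not stated here and should be confirmed before committing to one pattern. The new AAA_AUTHORIZATION_TEST and AAA_ACCOUNTING_TEST cases in the yang test data (the `@ -31,5 +31,27 @@` hunk above) only exercise the positive path, so once a pattern exists a negative case with an invalid `login` value belongs next to the existing `unknowntype` test. The `leaf type` enumeration in this hunk already rejects unknown types, as that test shows.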