From dce6d3536bfda3c5377ef0fdbdc1592e30c7982f Mon Sep 17 00:00:00 2001 From: Liuqu Date: Tue, 12 Dec 2017 19:45:44 +0800 Subject: [PATCH] [TACACS+]: Add configDB enforcer for TACACS+ (#1214) * [TACACS+]: Add configDB enforcer for TACACS+ * hostcfgd - configDB enforcer for TACACS+, listen configDB to modify the pam configuration for Authentication in host * Add a service script for hostcfgd Signed-off-by: Chenchen Qi * [TACACS+]: Generate conf file by template file * Generate common-auth-sonic and tacplus_nss.conf by jinja2 template Signed-off-by: Chenchen Qi --- .../build_templates/sonic_debian_extension.j2 | 6 + .../hostcfgd/common-auth-sonic.j2 | 43 +++++ files/image_config/hostcfgd/hostcfgd | 172 ++++++++++++++++++ files/image_config/hostcfgd/hostcfgd.service | 11 ++ .../image_config/hostcfgd/tacplus_nss.conf.j2 | 25 +++ 5 files changed, 257 insertions(+) create mode 100644 files/image_config/hostcfgd/common-auth-sonic.j2 create mode 100755 files/image_config/hostcfgd/hostcfgd create mode 100644 files/image_config/hostcfgd/hostcfgd.service create mode 100644 files/image_config/hostcfgd/tacplus_nss.conf.j2 diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2 index fd67444fb4..7de8f85979 100644 --- a/files/build_templates/sonic_debian_extension.j2 +++ b/files/build_templates/sonic_debian_extension.j2 @@ -128,6 +128,12 @@ sudo cp $IMAGE_CONFIGS/interfaces/*.j2 $FILESYSTEM_ROOT/usr/share/sonic/template # Copy initial interfaces configuration file, will be overwritten on first boot sudo cp $IMAGE_CONFIGS/interfaces/init_interfaces $FILESYSTEM_ROOT/etc/network +# Copy hostcfgd files +sudo cp $IMAGE_CONFIGS/hostcfgd/hostcfgd.service $FILESYSTEM_ROOT/etc/systemd/system/ +sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable hostcfgd.service +sudo cp $IMAGE_CONFIGS/hostcfgd/hostcfgd $FILESYSTEM_ROOT/usr/bin/ +sudo cp $IMAGE_CONFIGS/hostcfgd/*.j2 $FILESYSTEM_ROOT/usr/share/sonic/templates/ + # Copy hostname configuration scripts sudo cp $IMAGE_CONFIGS/hostname/hostname-config.service $FILESYSTEM_ROOT/etc/systemd/system/ sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable hostname-config.service diff --git a/files/image_config/hostcfgd/common-auth-sonic.j2 b/files/image_config/hostcfgd/common-auth-sonic.j2 new file mode 100644 index 0000000000..d91a02120f --- /dev/null +++ b/files/image_config/hostcfgd/common-auth-sonic.j2 @@ -0,0 +1,43 @@ +# THIS IS AN AUTO-GENERATED FILE +# +# /etc/pam.d/common-auth- authentication settings common to all services +# This file is included from other service-specific PAM config files, +# and should contain a list of the authentication modules that define +# the central authentication scheme for use on the system +# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the +# traditional Unix authentication mechanisms. +# +# here are the per-package modules (the "Primary" block) + +{% if auth['login'] == 'local' %} +auth [success=1 default=ignore] pam_unix.so nullok try_first_pass + +{% elif auth['login'] == 'local,tacacs+' %} +auth [success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_unix.so nullok try_first_pass +{% for server in servers | sub(0, -1) %} +auth [success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_tacplus.so server={{ server.ip }}:{{ server.tcp_port }} secret={{ server.passkey }} login={{ server.auth_type }} timeout={{ server.timeout }} try_first_pass +{% endfor %} +{% if servers | count %} +{% set last_server = servers | last %} +auth [success=1 default=ignore] pam_tacplus.so server={{ last_server.ip }}:{{ last_server.tcp_port }} secret={{ last_server.passkey }} login={{ last_server.auth_type }} timeout={{ last_server.timeout }} try_first_pass + +{% endif %} +{% elif auth['login'] == 'tacacs+' or auth['login'] == 'tacacs+,local' %} +{% for server in servers %} +auth [success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_tacplus.so server={{ server.ip }}:{{ server.tcp_port }} secret={{ server.passkey }} login={{ server.auth_type }} timeout={{ server.timeout }} try_first_pass +{% endfor %} +auth [success=1 default=ignore] pam_unix.so nullok try_first_pass + +{% else %} +auth [success=1 default=ignore] pam_unix.so nullok try_first_pass + +{% endif %} +# +# here's the fallback if no module succeeds +auth requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +auth required pam_permit.so +# and here are more per-package modules (the "Additional" block) + diff --git a/files/image_config/hostcfgd/hostcfgd b/files/image_config/hostcfgd/hostcfgd new file mode 100755 index 0000000000..837c5351e0 --- /dev/null +++ b/files/image_config/hostcfgd/hostcfgd @@ -0,0 +1,172 @@ +#!/usr/bin/python -u +# -*- coding: utf-8 -*- + +import os +import sys +import subprocess +import syslog +import jinja2 +from swsssdk import ConfigDBConnector + +# FILE +PAM_AUTH_CONF = "/etc/pam.d/common-auth-sonic" +PAM_AUTH_CONF_TEMPLATE = "/usr/share/sonic/templates/common-auth-sonic.j2" +NSS_TACPLUS_CONF = "/etc/tacplus_nss.conf" +NSS_TACPLUS_CONF_TEMPLATE = "/usr/share/sonic/templates/tacplus_nss.conf.j2" +NSS_CONF = "/etc/nsswitch.conf" + +# TACACS+ +TACPLUS_SERVER_PASSKEY_DEFAULT = "" +TACPLUS_SERVER_TIMEOUT_DEFAULT = "5" +TACPLUS_SERVER_AUTH_TYPE_DEFAULT = "pap" + + +def is_true(val): + if val == 'True' or val == 'true': + return True + else: + return False + + +def sub(l, start, end): + return l[start:end] + + +class AaaCfg(object): + def __init__(self): + self.auth_default = { + 'login': 'local', + 'failthrough': True, + 'fallback': True + } + self.tacplus_global_default = { + 'auth_type': TACPLUS_SERVER_AUTH_TYPE_DEFAULT, + 'timeout': TACPLUS_SERVER_TIMEOUT_DEFAULT, + 'passkey': TACPLUS_SERVER_PASSKEY_DEFAULT + } + self.auth = {} + self.tacplus_global = {} + self.tacplus_servers = {} + self.debug = False + + # Load conf from ConfigDb + def load(self, aaa_conf, tac_global_conf, tacplus_conf): + for row in aaa_conf: + self.aaa_update(row, aaa_conf[row], modify_conf=False) + for row in tac_global_conf: + self.tacacs_global_update(row, tac_global_conf[row], modify_conf=False) + for row in tacplus_conf: + self.tacacs_server_update(row, tacplus_conf[row], modify_conf=False) + self.modify_conf_file() + + def aaa_update(self, key, data, modify_conf=True): + if key == 'authentication': + self.auth = data + if 'failthrough' in data: + self.auth['failthrough'] = is_true(data['failthrough']) + if 'debug' in data: + self.debug = is_true(data['debug']) + if modify_conf: + self.modify_conf_file() + + def tacacs_global_update(self, key, data, modify_conf=True): + if key == 'global': + self.tacplus_global = data + if modify_conf: + self.modify_conf_file() + + def tacacs_server_update(self, key, data, modify_conf=True): + if data == {}: + if key in self.tacplus_servers: + del self.tacplus_servers[key] + else: + self.tacplus_servers[key] = data + + if modify_conf: + self.modify_conf_file() + + def modify_conf_file(self): + auth = self.auth_default.copy() + auth.update(self.auth) + tacplus_global = self.tacplus_global_default.copy() + tacplus_global.update(self.tacplus_global) + + servers_conf = [] + if self.tacplus_servers: + for addr in self.tacplus_servers: + server = tacplus_global.copy() + server['ip'] = addr + server.update(self.tacplus_servers[addr]) + servers_conf.append(server) + sorted(servers_conf, key=lambda t: t['priority'], reverse=True) + + template_file = os.path.abspath(PAM_AUTH_CONF_TEMPLATE) + env = jinja2.Environment(loader=jinja2.FileSystemLoader('/'), trim_blocks=True) + env.filters['sub'] = sub + template = env.get_template(template_file) + pam_conf = template.render(auth=auth, servers=servers_conf) + with open(PAM_AUTH_CONF, 'w') as f: + f.write(pam_conf) + + # Modify common-auth include file in /etc/pam.d/login and sshd + if os.path.isfile(PAM_AUTH_CONF): + os.system("sed -i -e '/^@include/s/common-auth$/common-auth-sonic/' /etc/pam.d/sshd") + os.system("sed -i -e '/^@include/s/common-auth$/common-auth-sonic/' /etc/pam.d/login") + else: + os.system("sed -i -e '/^@include/s/common-auth-sonic$/common-auth/' /etc/pam.d/sshd") + os.system("sed -i -e '/^@include/s/common-auth-sonic$/common-auth/' /etc/pam.d/login") + + # Add tacplus in nsswitch.conf if TACACS+ enable + if 'tacacs+' in auth['login']: + if os.path.isfile(NSS_CONF): + os.system("sed -i -e '/tacplus/b' -e '/^passwd/s/compat/& tacplus/' /etc/nsswitch.conf") + else: + if os.path.isfile(NSS_CONF): + os.system("sed -i -e '/^passwd/s/ tacplus//' /etc/nsswitch.conf") + + # Set tacacs+ server in nss-tacplus conf + template_file = os.path.abspath(NSS_TACPLUS_CONF_TEMPLATE) + template = env.get_template(template_file) + nss_tacplus_conf = template.render(debug=self.debug, servers=servers_conf) + with open(NSS_TACPLUS_CONF, 'w') as f: + f.write(nss_tacplus_conf) + + +class HostConfigDaemon: + def __init__(self): + self.config_db = ConfigDBConnector() + self.config_db.connect(wait_for_init=True, retry_on=True) + syslog.syslog(syslog.LOG_INFO, 'ConfigDB connect success') + aaa = self.config_db.get_table('AAA') + tacacs_global = self.config_db.get_table('TACPLUS') + tacacs_server = self.config_db.get_table('TACPLUS_SERVER') + self.aaacfg = AaaCfg() + self.aaacfg.load(aaa, tacacs_global, tacacs_server) + + def aaa_handler(self, key, data): + syslog.syslog(syslog.LOG_DEBUG, 'value for {} changed to {}'.format(key, data)) + self.aaacfg.aaa_update(key, data) + + def tacacs_server_handler(self, key, data): + syslog.syslog(syslog.LOG_DEBUG, 'value for {} changed to {}'.format(key, data)) + self.aaacfg.tacacs_server_update(key, data) + + def tacacs_global_handler(self, key, data): + syslog.syslog(syslog.LOG_DEBUG, 'value for {} changed to {}'.format(key, data)) + self.aaacfg.tacacs_global_update(key, data) + + def start(self): + self.config_db.subscribe('AAA', lambda table, key, data: self.aaa_handler(key, data)) + self.config_db.subscribe('TACPLUS_SERVER', lambda table, key, data: self.tacacs_server_handler(key, data)) + self.config_db.subscribe('TACPLUS', lambda table, key, data: self.tacacs_global_handler(key, data)) + self.config_db.listen() + + +def main(): + daemon = HostConfigDaemon() + daemon.start() + + +if __name__ == "__main__": + main() + diff --git a/files/image_config/hostcfgd/hostcfgd.service b/files/image_config/hostcfgd/hostcfgd.service new file mode 100644 index 0000000000..4f6151a471 --- /dev/null +++ b/files/image_config/hostcfgd/hostcfgd.service @@ -0,0 +1,11 @@ +[Unit] +Description=Host config enforcer daemon +Requires=database.service +After=database.service + +[Service] +Type=simple +ExecStart=/usr/bin/hostcfgd + +[Install] +WantedBy=multi-user.target diff --git a/files/image_config/hostcfgd/tacplus_nss.conf.j2 b/files/image_config/hostcfgd/tacplus_nss.conf.j2 new file mode 100644 index 0000000000..61ab905ecb --- /dev/null +++ b/files/image_config/hostcfgd/tacplus_nss.conf.j2 @@ -0,0 +1,25 @@ +onfiguration for libnss-tacplus + +# debug - If you want to open debug log, set it on +# Default: off +# debug=on +{% if debug %} +debug=on +{% endif %} + +# server - set ip address, tcp port, secret string and timeout for TACACS+ servers +# Default: None (no TACACS+ server) +# server=1.1.1.1:49,secret=test,timeout=3 +{% for server in servers %} +server={{ server.ip }}:{{ server.tcp_port }},secret={{ server.passkey }},timeout={{ server.timeout }} +{% endfor %} + +# user_priv - set the map between TACACS+ user privilege and local user's passwd +# Default: +# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/bin/bash +# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/bin/bash + +# many_to_one - create one local user for many TACACS+ users which has the same privilege +# Default: many_to_one=n +# many_to_one=y +