matthew/sonic-buildimage
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
This repository has been archived on 2025-03-20. You can view files and clone it, but cannot push or open issues or pull requests.
6d7ecc426c
sonic-buildimage/files/image_config
History
Renuka Manavalan 6d7ecc426c [hostcfgd] -- Fix the default for failthrough as false. 
This implies that by default, if TACACS is configured properly and it reported auth_err, then don't try fail through to traditional unix authentication through /etc/passwd.

If this failthrough is intended, make it explicit through "sudo config aaa authentication failthrough enable"

Removed an unused variable "aaa.fallback"

Tested manually. Note the presence of 'auth_err=die' in all cases except when failthrough is explicitly enabled.

admin@str-s6000-acs-13:~$ sudo config aaa authentication failthrough default; date
Wed Apr  3 23:05:18 UTC 2019
admin@str-s6000-acs-13:~$ ls -lrt /etc/pam.d/common-auth-sonic ; grep 123 /etc/pam.d/common-auth-sonic
-rw-r--r-- 1 root root 1316 Apr  3 23:05 /etc/pam.d/common-auth-sonic
auth    [success=done new_authtok_reqd=done default=ignore auth_err=die]        pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass
auth    [success=done new_authtok_reqd=done default=ignore auth_err=die]        pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass

admin@str-s6000-acs-13:~$ sudo config aaa authentication failthrough enable; date ; h4 "AAA|authentication"
Wed Apr  3 23:06:37 UTC 2019
admin@str-s6000-acs-13:~$ ls -lrt /etc/pam.d/common-auth-sonic ; grep 123 /etc/pam.d/common-auth-sonic
-rw-r--r-- 1 root root 1294 Apr  3 23:06 /etc/pam.d/common-auth-sonic
auth    [success=done new_authtok_reqd=done default=ignore]     pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass
auth    [success=done new_authtok_reqd=done default=ignore]     pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass

admin@str-s6000-acs-13:~$ sudo config aaa authentication failthrough disable; date ; h4 "AAA|authentication"
Wed Apr  3 23:07:09 UTC 2019
admin@str-s6000-acs-13:~$ ls -lrt /etc/pam.d/common-auth-sonic ; grep 123 /etc/pam.d/common-auth-sonic
-rw-r--r-- 1 root root 1321 Apr  3 23:07 /etc/pam.d/common-auth-sonic
auth    [success=done new_authtok_reqd=done default=ignore auth_err=die]        pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass
auth    [success=done new_authtok_reqd=done default=ignore auth_err=die]        pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass
2019-04-03 23:16:56 +00:00
..
apt [baseimage]: Download picocom version 3.1-2 from stretch-backports; No longer build from source (#1946) 2018-08-17 17:38:20 -07:00
asn [BGPD]: add bgp dynamic neighbor configuration (#708) 2017-06-21 18:52:50 -07:00
bash [baseimage]: enable auto logout for console (ttyS*) sessions (#1398) 2018-02-20 09:36:54 -08:00
caclmgrd [caclmgrd] Don't crash if we find empty/null rule_props (#2475) 2019-01-23 18:47:05 -08:00
cron.d [System logs]: Improvements to prevent filling /var/log partition (#865) 2017-08-10 16:24:57 -07:00
environment [image]: Update login message (#706) 2017-06-14 15:18:02 -07:00
hostcfgd [hostcfgd] -- Fix the default for failthrough as false. 2019-04-03 23:16:56 +00:00
hostname [baseimage]: Avoid removing localhost entry from /etc/hosts file (#2452) 2019-01-17 22:47:19 -08:00
interfaces [barefoot]: Allow configuration of platform-specific interfaces used for internal purposes (#2631) 2019-03-09 06:22:32 -08:00
logrotate Decrease usable space in log partition to 90% (#1648) 2018-04-30 11:18:56 -07:00
ntp [boot] Refactor: All services which start Docker containers start before ntp-config service (#2335) 2018-12-03 16:01:44 -08:00
platform [reboot cause] Move reboot-cause files to /host directory so they persist across SONiC upgrades (#2490) 2019-01-29 03:42:19 -08:00
rsyslog [rsyslog] Suppress duplicate messages from base image and all Docker containers (#2497) 2019-01-29 03:41:40 -08:00
snmp Remove extra trailing newlines at EOF (#804) 2017-07-12 20:54:37 -07:00
sudoers [sudoers] Add 'SONIC_CLI_IFACE_MODE' to env_keep to ensure variable is made available to sudo calls (#2249) 2018-11-15 15:16:06 -08:00
systemd Remove extra trailing newlines at EOF (#804) 2017-07-12 20:54:37 -07:00
updategraph Move warm_restart enable/disable config to stateDB WARM_RESTART_ENABLE_TABLE (#2538) 2019-02-19 17:06:56 -08:00