sonic-buildimage/files/image_config
Renuka Manavalan 6c1a0ce58c [hostcfgd] -- Fix the default for failthrough as false.
This implies that by default, if TACACS is configured properly and it reported auth_err, then don't try fail through to traditional unix authentication through /etc/passwd.

If this failthrough is intended, make it explicit through "sudo config aaa authentication failthrough enable"

Removed an unused variable "aaa.fallback"

Tested manually. Note the presence of 'auth_err=die' in all cases except when failthrough is explicitly enabled.

admin@str-s6000-acs-13:~$ sudo config aaa authentication failthrough default; date
Wed Apr  3 23:05:18 UTC 2019
admin@str-s6000-acs-13:~$ ls -lrt /etc/pam.d/common-auth-sonic ; grep 123 /etc/pam.d/common-auth-sonic
-rw-r--r-- 1 root root 1316 Apr  3 23:05 /etc/pam.d/common-auth-sonic
auth    [success=done new_authtok_reqd=done default=ignore auth_err=die]        pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass
auth    [success=done new_authtok_reqd=done default=ignore auth_err=die]        pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass

admin@str-s6000-acs-13:~$ sudo config aaa authentication failthrough enable; date ; h4 "AAA|authentication"
Wed Apr  3 23:06:37 UTC 2019
admin@str-s6000-acs-13:~$ ls -lrt /etc/pam.d/common-auth-sonic ; grep 123 /etc/pam.d/common-auth-sonic
-rw-r--r-- 1 root root 1294 Apr  3 23:06 /etc/pam.d/common-auth-sonic
auth    [success=done new_authtok_reqd=done default=ignore]     pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass
auth    [success=done new_authtok_reqd=done default=ignore]     pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass

admin@str-s6000-acs-13:~$ sudo config aaa authentication failthrough disable; date ; h4 "AAA|authentication"
Wed Apr  3 23:07:09 UTC 2019
admin@str-s6000-acs-13:~$ ls -lrt /etc/pam.d/common-auth-sonic ; grep 123 /etc/pam.d/common-auth-sonic
-rw-r--r-- 1 root root 1321 Apr  3 23:07 /etc/pam.d/common-auth-sonic
auth    [success=done new_authtok_reqd=done default=ignore auth_err=die]        pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass
auth    [success=done new_authtok_reqd=done default=ignore auth_err=die]        pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass
2019-04-08 23:41:51 +00:00
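An audit check for the setting this commit changes, as an added example that is not part of the commit or of the SONiC code base: it reads bracket-style pam_tacplus auth lines, such as those in /etc/pam.d/common-auth-sonic, and reports which ones let an auth_err continue to later modules. The function names and the sample input are constructed for illustration, and only the bracket control form shown in the commit message is handled.

```python
import re

# Constructed sample modelled on the two pam_tacplus line shapes in the commit
# message; the addresses and secret are placeholders, not values from a device.
SAMPLE = """\
# comment line
auth    [success=done new_authtok_reqd=done default=ignore auth_err=die]        pam_tacplus.so server=192.0.2.10:49 secret=PLACEHOLDER login=login timeout=5 try_first_pass
auth    [success=done new_authtok_reqd=done default=ignore]     pam_tacplus.so server=192.0.2.11:49 secret=PLACEHOLDER login=login timeout=5 try_first_pass
auth    [success=1 default=ignore]      pam_unix.so nullok try_first_pass
"""

# auth <[control pairs]> <module> <module arguments>
LINE = re.compile(r"^\s*auth\s+\[(?P<ctl>[^\]]*)\]\s+(?P<mod>\S+)\s*(?P<args>.*)$")

def audit_failthrough(pam_text):
    """Return one finding per bracket-style pam_tacplus auth line."""
    findings = []
    for raw in pam_text.splitlines():
        m = LINE.match(raw)
        if not m or not m.group("mod").endswith("pam_tacplus.so"):
            continue
        ctl = dict(kv.split("=", 1) for kv in m.group("ctl").split() if "=" in kv)
        args = dict(a.split("=", 1) for a in m.group("args").split() if "=" in a)
        # An explicit auth_err action wins; otherwise the default= action applies.
        action = ctl.get("auth_err", ctl.get("default"))
        findings.append({
            "server": args.get("server"),  # the secret= argument is never reported
            "auth_err_action": action,
            # die/bad fail the stack; anything else is flagged for review.
            "falls_through": action not in ("die", "bad"),
        })
    return findings

def failthrough_enabled(pam_text):
    """True if any TACACS+ line lets an auth error reach later modules."""
    return any(f["falls_through"] for f in audit_failthrough(pam_text))

if __name__ == "__main__":
    for f in audit_failthrough(SAMPLE):
        state = "falls through to later modules" if f["falls_through"] else "stops the stack"
        print(f"{f['server']}: auth_err -> {f['auth_err_action']} ({state})")
```
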
..
apt [baseimage]: Download picocom version 3.1-2 from stretch-backports; No longer build from source (#1946) 2018-08-17 17:38:20 -07:00
asn [BGPD]: add bgp dynamic neighbor configuration (#708) 2017-06-21 18:52:50 -07:00
bash [baseimage]: enable auto logout for console (ttyS*) sessions (#1398) 2018-02-20 09:36:54 -08:00
caclmgrd [caclmgrd] Don't crash if we find empty/null rule_props (#2475) 2019-01-25 21:10:52 +00:00
cron.d [System logs]: Improvements to prevent filling /var/log partition (#865) 2017-08-10 16:24:57 -07:00
environment [image]: Update login message (#706) 2017-06-14 15:18:02 -07:00
hostcfgd [hostcfgd] -- Fix the default for failthrough as false. 2019-04-08 23:41:51 +00:00
hostname Move all minigraph-related action from rc.local to updategraph (#1452) 2018-03-09 17:17:08 -08:00
interfaces [sonic boot] disable dhcp during boot up, until updategraph service is running (#2316) 2018-11-29 08:34:22 -08:00
logrotate Decrease usable space in log partition to 90% (#1648) 2018-04-30 11:18:56 -07:00
ntp [boot] Refactor: All services which start Docker containers start before ntp-config service (#2335) 2018-12-03 16:01:44 -08:00
platform [reboot cause] Move reboot-cause files to /host directory so they persist across SONiC upgrades (#2490) 2019-02-02 19:29:52 +00:00
rsyslog [rsyslog]: use # to separate container name and program name in syslog message (#1918) 2018-08-12 22:23:58 -07:00
snmp Remove extra trailing newlines at EOF (#804) 2017-07-12 20:54:37 -07:00
sudoers [sudoers] Add 'SONIC_CLI_IFACE_MODE' to env_keep to ensure variable is made available to sudo calls (#2249) 2018-11-15 15:16:06 -08:00
systemd Remove extra trailing newlines at EOF (#804) 2017-07-12 20:54:37 -07:00
updategraph [warm boot] cherry-pick PR #2538 and advance related sub-modules (#2569) 2019-02-14 12:12:55 -08:00
warmboot-finalizer [service] add warmboot finializer service (#2725) 2019-04-01 14:16:31 -07:00