From 3ec727670de02cac06321719a0323650046d54a1 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Wed, 21 Jun 2023 22:11:44 +0200 Subject: tacacs: T141: initial implementation --- data/templates/login/nsswitch.conf.j2 | 21 +++++++++ data/templates/login/tacplus_nss.conf.j2 | 74 ++++++++++++++++++++++++++++++++ data/templates/login/tacplus_servers.j2 | 59 +++++++++++++++++++++++++ 3 files changed, 154 insertions(+) create mode 100644 data/templates/login/nsswitch.conf.j2 create mode 100644 data/templates/login/tacplus_nss.conf.j2 create mode 100644 data/templates/login/tacplus_servers.j2 (limited to 'data') diff --git a/data/templates/login/nsswitch.conf.j2 b/data/templates/login/nsswitch.conf.j2 new file mode 100644 index 000000000..65dc88291 --- /dev/null +++ b/data/templates/login/nsswitch.conf.j2 @@ -0,0 +1,21 @@ +# Automatically generated by system-login.py +# /etc/nsswitch.conf +# +# Example configuration of GNU Name Service Switch functionality. + +passwd: {{ 'mapuid ' if radius is vyos_defined }}{{ 'tacplus ' if tacacs is vyos_defined }}files{{ ' mapname' if radius is vyos_defined }} +group: {{ 'mapname ' if radius is vyos_defined }}{{ 'tacplus ' if tacacs is vyos_defined }}files +shadow: files +gshadow: files + +# Per T2678, commenting out myhostname +hosts: files dns #myhostname +networks: files + +protocols: db files +services: db files +ethers: db files +rpc: db files + +netgroup: nis + diff --git a/data/templates/login/tacplus_nss.conf.j2 b/data/templates/login/tacplus_nss.conf.j2 new file mode 100644 index 000000000..2a30b1710 --- /dev/null +++ b/data/templates/login/tacplus_nss.conf.j2 @@ -0,0 +1,74 @@ +#%NSS_TACPLUS-1.0 +# Install this file as /etc/tacplus_nss.conf +# Edit /etc/nsswitch.conf to add tacplus to the passwd lookup, similar to this +# where tacplus precede compat (or files), and depending on local policy can +# follow or precede ldap, nis, etc. +# passwd: tacplus compat +# +# Servers are tried in the order listed, and once a server +# replies, no other servers are attempted in a given process instantiation +# +# This configuration is similar to the libpam_tacplus configuration, but +# is maintained as a configuration file, since nsswitch.conf doesn't +# support passing parameters. Parameters must start in the first +# column, and parsing stops at the first whitespace + +# if set, errors and other issues are logged with syslog +#debug=1 + +# min_uid is the minimum uid to lookup via tacacs. Setting this to 0 +# means uid 0 (root) is never looked up, good for robustness and performance +# Cumulus Linux ships with it set to 1001, so we never lookup our standard +# local users, including the cumulus uid of 1000. Should not be greater +# than the local tacacs{0..15} uids +min_uid=900 + +# This is a comma separated list of usernames that are never sent to +# a tacacs server, they cause an early not found return. +# +# "*" is not a wild card. While it's not a legal username, it turns out +# that during pathname completion, bash can do an NSS lookup on "*" +# To avoid server round trip delays, or worse, unreachable server delays +# on filename completion, we include "*" in the exclusion list. +exclude_users=root,telegraf,radvd,strongswan,tftp,conservr,frr,ocserv,pdns,_chrony,_lldpd,sshd,openvpn,radius_user,radius_priv_user,*{{ ',' + user | join(',') if user is vyos_defined }} + +# The include keyword allows centralizing the tacacs+ server information +# including the IP address and shared secret +# include=/etc/tacplus_servers + +# The server IP address can be optionally followed by a ':' and a port +# number (server=1.1.1.1:49). It is strongly recommended that you NOT +# add secret keys to this file, because it is world readable. +{% if tacacs.server is vyos_defined %} +{% for server, server_config in tacacs.server.items() %} +secret={{ server_config.key }} +server={{ server }}:{{ server_config.port }} + +{% endfor %} +{% endif %} + +{% if tacacs.vrf is vyos_defined %} +# If the management network is in a vrf, set this variable to the vrf name. +# This would usually be "mgmt". When this variable is set, the connection to the +# TACACS+ accounting servers will be made through the named vrf. +vrf={{ tacacs.vrf }} +{% endif %} + +{% if tacacs.source_address is vyos_defined %} +# Sets the IPv4 address used as the source IP address when communicating with +# the TACACS+ server. IPv6 addresses are not supported, nor are hostnames. +# The address must work when passsed to the bind() system call, that is, it must +# be valid for the interface being used. +source_ip={{ tacacs.source_address }} +{% endif %} + +# The connection timeout for an NSS library should be short, since it is +# invoked for many programs and daemons, and a failure is usually not +# catastrophic. Not set or set to a negative value disables use of poll(). +# This follows the include of tacplus_servers, so it can override any +# timeout value set in that file. +# It's important to have this set in this file, even if the same value +# as in tacplus_servers, since tacplus_servers should not be readable +# by users other than root. +timeout={{ tacacs.timeout }} + diff --git a/data/templates/login/tacplus_servers.j2 b/data/templates/login/tacplus_servers.j2 new file mode 100644 index 000000000..5a65d6e68 --- /dev/null +++ b/data/templates/login/tacplus_servers.j2 @@ -0,0 +1,59 @@ +# Automatically generated by system-login.py +# TACACS+ configuration file + +# This is a common file used by audisp-tacplus, libpam_tacplus, and +# libtacplus_map config files as shipped. +# +# Any tac_plus client config can go here that is common to all users of this +# file, but typically it's just the TACACS+ server IP address(es) and shared +# secret(s) +# +# This file should normally be mode 600, if you care about the security of your +# secret key. When set to mode 600 NSS lookups for TACACS users will only work +# for tacacs users that are logged in, via the local mapping. For root, lookups +# will work for any tacacs users, logged in or not. + +# Set a per-connection timeout of 10 seconds, and enable the use of poll() when +# trying to read from tacacs servers. Otherwise standard TCP timeouts apply. +# Not set or set to a negative value disables use of poll(). There are usually +# multiple connection attempts per login. +timeout={{ tacacs.timeout }} + +{% if tacacs.server is vyos_defined %} +{% for server, server_config in tacacs.server.items() %} +secret={{ server_config.key }} +server={{ server }}:{{ server_config.port }} +{% endfor %} +{% endif %} + +# If set, login/logout accounting records are sent to all servers in +# the list, otherwise only to the first responding server +# Also used by audisp-tacplus per-command accounting, if it sources this file. +acct_all=1 + +{% if tacacs.vrf is vyos_defined %} +# If the management network is in a vrf, set this variable to the vrf name. +# This would usually be "mgmt". When this variable is set, the connection to the +# TACACS+ accounting servers will be made through the named vrf. +vrf={{ tacacs.vrf }} +{% endif %} + +{% if tacacs.source_address is vyos_defined %} +# Sets the IPv4 address used as the source IP address when communicating with +# the TACACS+ server. IPv6 addresses are not supported, nor are hostnames. +# The address must work when passsed to the bind() system call, that is, it must +# be valid for the interface being used. +source_ip={{ tacacs.source_address }} +{% endif %} + +# If user_homedir=1, then tacacs users will be set to have a home directory +# based on their login name, rather than the mapped tacacsN home directory. +# mkhomedir_helper is used to create the directory if it does not exist (similar +# to use of pam_mkhomedir.so). This flag is ignored for users with restricted +# shells, e.g., users mapped to a tacacs privilege level that has enforced +# per-command authorization (see the tacplus-restrict man page). +user_homedir=1 + +service=shell +protocol=ssh + -- cgit v1.2.3