Package for mapping radius users to local users (mirror of https://github.com/vyos/libnss-mapuser.git) https://git.amelek.net/vyos/libnss-mapuser.git/atom?h=circinus 2023-03-12T19:24:13+00:00 2023-03-12T19:24:13+00:00 Christian Breunig christian@breunig.cc 2023-03-12T19:24:13+00:00 urn:sha1:3f11d8263d0272f544254b21335f8b517f745aa0 2021-05-02T16:14:59+00:00 Christian Poessinger christian@poessinger.com 2021-05-02T16:14:59+00:00 urn:sha1:2ded63a0e6748018dada646691843462797cc7fc 2018-05-17T20:09:09+00:00 UnicronNL kim.sidney@gmail.com 2018-05-17T20:09:09+00:00 urn:sha1:2392d2acdff02dbf3d04b6a7eb08c195bd3a6168 2018-04-13T23:25:19+00:00 Dave Olson olson@cumulusnetworks.com 2018-04-13T08:04:39+00:00 urn:sha1:613f1949208809a116bd1b3737e39a1599bf7d43 Ticket: CM-19457 Reviewed By: nobody Testing Done: lots of logins, and login combinations Validate that the mapuser database files are valid by using kill 0 on the pids. If not valid, try to unlink, and if we do, report it as a DEBUG. If we can't unlink (not root) report that we are skipping at INFO. As part of that, don't count valid fields and read entire file. Document in man page and config file that the mapped_priv_user account is known to libpam-radius-auth as well, and must be updated in both places if it changes. Updated the public symbols (the getgr additions) from previous commit Fixed some white space and line length issues. 2018-04-06T22:47:08+00:00 Dave Olson olson@cumulusnetworks.com 2018-04-06T22:06:27+00:00 urn:sha1:4b24261d4a28ed1cd994939d6fa658b44c30a0ac Needed to add sed code to remove mapname from nsswitch.conf group search line, similar to passwd line. Somehow forgot that when I added the code to add it in postinst I also somehow forgot to checkin the adduser line to add the radius_priv_user to the sudo group, so fixed that too. 2018-04-03T07:23:16+00:00 Dave Olson olson@cumulusnetworks.com 2018-04-03T07:23:16+00:00 urn:sha1:19e1c2b3cfd99d7ea62e4e8a827febcd7ec15e19 2018-04-03T03:40:02+00:00 Dave Olson olson@cumulusnetworks.com 2018-04-02T18:01:09+00:00 urn:sha1:1e5742369aedc8708d5dbe4411ffd5bf4b10537a Ticket: CM-19457 Reviewed By: roopa Testing Done: lots of variations of login, su, sudo, automated radius tests Now we always read the map files. If session is set, we try that file first, so that a user always sees their name, same as tacplus. If that's the wrong file, read through all of the map files, look for the correct match based on either name+session or auid+session, depending on getpwnam or getpwuid entry point Ignore same set of users as tacacs, including new radius_priv_user account for the privileged RADIUS user. create and delete the mapuser files from libpam-radius-auth now; we need to have the mapping file written early enough for the pam interfaces to get the correct info. Using the pam_script is too limiting, and since we are creating the database in libpam-radius-auth now, we'll delete it there as well to keep things symmetric, so delete the script and the references to the scripts A significant part of this effort was adding getgrent, getgrgid, and getgrnam support, so that the radius users are put into the netshow (unprivileged) and netedit and sudo (privileged) groups at login. A lot of restructuring went in as part of that, and cleaned up some longstanding bugs, including return values for the getpw* routines. Also cleaned up some whitespace issues. Also renamed some globals (debug, min_uid, init_common()) that might collide with other programs, so that when I build unstripped and normal visibility shared libs, they won't collide with programs calling the functions (saw this with "debug" and bgpd, for example). 2018-02-26T18:33:41+00:00 Dave Olson olson@cumulusnetworks.com 2018-02-26T17:52:09+00:00 urn:sha1:a8b91db168be36606391eb0b96af0ee4aaa6812f Ticket: CM-19886 Reviewed By: nobody Testing Done: Somehow exclude_users wasn't implemented (or got deleted somewhere along the line). Make list match tacplus_client, except exclude our own mapped users by matching config items, and also skip any user starting with tacacs[0-9] inline instead of listing all 16 in exclude_users field in config file. Implemened for mapped_priv_user too, since that work is ongoing. Listed change in debian/changelog If debug is set to 2 or higher, print that the name lookup was skipped due to exclusion. 2018-01-17T20:55:42+00:00 Dave Olson olson@cumulusnetworks.com 2018-01-17T20:51:06+00:00 urn:sha1:1871475c4a3101aa8136362923f0d3ecdc7bb171 Ticket: CM-19469 Reviewed By: nobody Testing Done: ran with change. Similar to the change for tacacs, but this already had snmp. Added quagga as well, for users that haven't completed the transition from quagga to frr. Bumped changelog and documented 2017-07-18T18:54:53+00:00 Dave Olson olson@cumulusnetworks.com 2017-07-18T18:54:53+00:00 urn:sha1:d80fcfbb3c55561110bf0686c87fb949f866a88c