<feed xmlns='http://www.w3.org/2005/Atom'>
<title>libnss-tacplus.git/debian/changelog, branch master</title>
<subtitle>NSS plugin to lookup tacacs client username, and match mapped user after login (mirror of https://github.com/vyos/libnss-tacplus.git)
</subtitle>
<id>https://git.amelek.net/vyos/libnss-tacplus.git/atom?h=master</id>
<link rel='self' href='https://git.amelek.net/vyos/libnss-tacplus.git/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/'/>
<updated>2024-12-15T09:41:23+00:00</updated>
<entry>
<title>config: improve line buffer for config file from 256 -&gt; 2048 byte</title>
<updated>2024-12-15T09:41:23+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-12-15T08:37:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/commit/?id=9a80c753dc698405e427f413851981694c9db7d8'/>
<id>urn:sha1:9a80c753dc698405e427f413851981694c9db7d8</id>
<content type='text'>
Support extensive length of exclude_users to avoid truncation in VyOS.
</content>
</entry>
<entry>
<title>Import version 1.0.4-cl5.1.0u11 from Cumulus Linux</title>
<updated>2024-04-29T18:58:47+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-04-29T18:58:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/commit/?id=049d2843b521d15e2f355430d94eb9d2e83311be'/>
<id>urn:sha1:049d2843b521d15e2f355430d94eb9d2e83311be</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Fixed remove to clean up plugin entries in nsswitch.conf</title>
<updated>2017-06-30T20:46:36+00:00</updated>
<author>
<name>Dave Olson</name>
<email>olson@cumulusnetworks.com</email>
</author>
<published>2017-06-23T21:07:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/commit/?id=19008ab68d9d504aa58eb34d5f564755a1613b8b'/>
<id>urn:sha1:19008ab68d9d504aa58eb34d5f564755a1613b8b</id>
<content type='text'>
We weren't removing the tacplus plugin from nsswitch.conf on package remove;
now we do.

Also cleaned up a bit and use \s instead of [ \t] for whitespace.
For postinst, moved into configure case where it belonged.

Updated changelog for recent fixes and bumped version
</content>
</entry>
<entry>
<title>Support using and returning per-tacacs user homedir</title>
<updated>2017-05-24T00:05:52+00:00</updated>
<author>
<name>Dave Olson</name>
<email>olson@cumulusnetworks.com</email>
</author>
<published>2017-03-24T05:42:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/commit/?id=9b056a2a66ec7006d86121509ef1049c7f6f0725'/>
<id>urn:sha1:9b056a2a66ec7006d86121509ef1049c7f6f0725</id>
<content type='text'>
Get setting from map on whether login was set up to use per-tacacs
user homedir, rather than the homedir from the local tacacsN users.

The mkhomedir_helper program is used in pam_tacplus to create home
directory (like pam_mkhomedir.so) when user homedir is requested, but
the home directory does not exist.

The config file setting in this code is not used when using map and the user
is found in map; we then use the setting from the map.
When mapping doesn't exist, then use our own config setting.

user_homedirs is ignored if shell is a restricted shell (as set up by
tacplus-restrict) because we need to honor the per-command
authorization setup in that case.

Updated changelog

Also fixed up the spelling of dev-support
</content>
</entry>
<entry>
<title>Track changes to config files, and reparse if any change</title>
<updated>2017-05-23T23:42:48+00:00</updated>
<author>
<name>Dave Olson</name>
<email>olson@cumulusnetworks.com</email>
</author>
<published>2017-05-12T18:43:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/commit/?id=dab6c3bb9feb10b67f08b18656fe24d1f7b01d2b'/>
<id>urn:sha1:dab6c3bb9feb10b67f08b18656fe24d1f7b01d2b</id>
<content type='text'>
This is done to handle the case where nss_tacplus.so is included in
a long-lived daemon.  It's desirable to have long-lived daemons reflect
changes to the configuration, both to enable/disable debugging, and
particularly if the server list or key changes.  Clear all read config
variables to defaults when re-parsing.

This is complicated by nested configuration files via the include
directive.  At top level, we need to check all the previously used
configuration files to see if any have changed.

This also adds a limitation to no more than 8 deep include nesting.  In
practice, &gt; 2 is going to be very rare, so it should be OK.

Log a message when we re-initialize (without using debug qualifier).
</content>
</entry>
<entry>
<title>During login from ssh, send remote host IP address in AUTH request</title>
<updated>2017-05-23T23:39:52+00:00</updated>
<author>
<name>Dave Olson</name>
<email>olson@cumulusnetworks.com</email>
</author>
<published>2017-03-30T16:42:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/commit/?id=f9f714b3b7b9f77c0165c0850bd816cac0d46292'/>
<id>urn:sha1:f9f714b3b7b9f77c0165c0850bd816cac0d46292</id>
<content type='text'>
The hack is to run getpeername on fd 0, because during ssh connections,
it is a socket from the remote host.  This is a bit fragile...

Normally fd 0 interactively will be a pty or tty, so getpeername() will fail.

There may be some daemons where fd0 is a socket, and returns a local or
some other remote IP address, and if so, it could lead to some
confusion, but it shouldn't ever break anything.

I ran with tshark watching the packet exchange, and verified that the
remote address field is set for ssh sessions at the start of the ssh
session, and not when run in other uses.  The customer ran a 3.2.1
package with this change, and it resolved their issue.
</content>
</entry>
<entry>
<title>Add support for mgmt vrf</title>
<updated>2017-05-23T23:34:57+00:00</updated>
<author>
<name>Dave Olson</name>
<email>olson@cumulusnetworks.com</email>
</author>
<published>2017-03-07T20:59:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/commit/?id=52aa2d434ed03f0a386eb3bb6a12cb83b0c005c6'/>
<id>urn:sha1:52aa2d434ed03f0a386eb3bb6a12cb83b0c005c6</id>
<content type='text'>
When management vrf is enabled and vrf is present in the tacacs config,
if we are unable to reach any configured tacacs server, try setting
vrf context on the socket.

Previously libnss-tacplus worked only with ssh@mgmt; now works with normal
ssh in mgmt vrf.

Setting via the socket (rather than vrf context) is required so we don't
set the VRF context for arbitrary processes that do uid or username
lookups.
</content>
</entry>
<entry>
<title>Updated changelog</title>
<updated>2017-05-23T23:24:14+00:00</updated>
<author>
<name>Dave Olson</name>
<email>olson@cumulusnetworks.com</email>
</author>
<published>2016-11-30T01:01:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/commit/?id=490882de7069623f427663340b27c77b97fecd40'/>
<id>urn:sha1:490882de7069623f427663340b27c77b97fecd40</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Add ability to skip lookups on list of account names, and minimum UID</title>
<updated>2016-10-06T21:20:28+00:00</updated>
<author>
<name>Dave Olson</name>
<email>olson@cumulusnetworks.com</email>
</author>
<published>2016-10-05T23:17:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/commit/?id=ca230d1e31a093669bf1dd3179d853eab96dffdc'/>
<id>urn:sha1:ca230d1e31a093669bf1dd3179d853eab96dffdc</id>
<content type='text'>
Ticket: CM-13109

This is both for performance and robustness.  It also avoids warnings
during bootup when networking isn't yet up.

Also minor improvements to debug messages
</content>
</entry>
<entry>
<title>Better debugs for server, and try all servers in list</title>
<updated>2016-10-06T21:20:11+00:00</updated>
<author>
<name>Dave Olson</name>
<email>olson@cumulusnetworks.com</email>
</author>
<published>2016-09-30T20:53:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/commit/?id=600f2be7da9c70fa416888c6d29fe94e5276a477'/>
<id>urn:sha1:600f2be7da9c70fa416888c6d29fe94e5276a477</id>
<content type='text'>
Ticket: CM-13049
Reviewed By: olson
Testing Done: tried multiple servers.

Debugging a customer issue was harder than it should be, so add
more debugging on success and invalid user returns from server.

Also try all servers in the list until success, because different
servers can have different databases, so an invalid user return
from one server should not be considered definitive.
</content>
</entry>
</feed>
