NSS plugin to lookup tacacs client username, and match mapped user after login (mirror of https://github.com/vyos/libnss-tacplus.git) https://git.amelek.net/vyos/libnss-tacplus.git/atom?h=master 2024-04-29T18:58:47+00:00 2024-04-29T18:58:47+00:00 Christian Breunig christian@breunig.cc 2024-04-29T18:58:47+00:00 urn:sha1:049d2843b521d15e2f355430d94eb9d2e83311be 2017-05-23T23:42:48+00:00 Dave Olson olson@cumulusnetworks.com 2017-05-12T18:43:01+00:00 urn:sha1:dab6c3bb9feb10b67f08b18656fe24d1f7b01d2b This is done to handle the case where nss_tacplus.so is included in a long-lived daemon. It's desirable to have long-lived daemons reflect changes to the configuration, both to enable/disable debugging, and particularly if the server list or key changes. Clear all read config variables to defaults when re-parsing. This is complicated by nested configuration files via the include directive. At top level, we need to check all the previously used configuration files to see if any have changed. This also adds a limitation to no more than 8 deep include nesting. In practice, > 2 is going to be very rare, so it should be OK. Log a message when we re-initialize (without using debug qualifier). 2016-10-31T20:05:29+00:00 Dave Olson olson@cumulusnetworks.com 2016-10-31T20:04:42+00:00 urn:sha1:b2cad0cf995560ea689be75d149e0fa030e2fe35 2016-10-26T21:53:17+00:00 Dave Olson olson@cumulusnetworks.com 2016-10-26T21:51:53+00:00 urn:sha1:f38818cdcec8f1f4b0ded6d74d49835d10d3e24e 2016-10-21T23:04:13+00:00 Dave Olson olson@cumulusnetworks.com 2016-10-21T23:01:03+00:00 urn:sha1:2f51096c0765e52afd109ea81f6fa0fe1b35cb61 2016-10-06T21:20:11+00:00 Dave Olson olson@cumulusnetworks.com 2016-08-20T06:57:42+00:00 urn:sha1:3279fbbb9e0f3744623fbb6a2d658d6ff5ab3f0d size_t is only an int on 32 bit ARM, so %ld gives an error. Add a cast. 2016-10-06T21:20:05+00:00 Dave Olson olson@cumulusnetworks.com 2016-06-23T20:39:25+00:00 urn:sha1:678de9b4ac465247ac41d7018dea883d11e97e58 Initial version with NSS lookups for tacacs users using mapping Works with modified libpam-tacplus to authenticate TACACS+ users without local passwd entries, mapping them to tacacs0..15 based on TACACS privilege level. When the /etc/tacplus_servers tacacs config file is mode 600 (normally the case since it has the server "secret" key), lookups will only work for tacacs users that are logged in, via the local mapping. For root, getpwnam lookups will work for any TACACS user known to the servers. Most syslog's enabled only if debug is set in the config file. 2016-06-28T22:45:47+00:00 Dave Olson olson@cumulusnetworks.com 2016-06-23T20:39:25+00:00 urn:sha1:ab9634da79286d2f04f40011331f2feee208e513 Initial version with NSS lookups for tacacs users using mapping Works with modified libpam-tacplus to authenticate TACACS+ users without local passwd entries, mapping them to tacacs0..15 based on TACACS privilege level. When the /etc/tacplus_servers tacacs config file is mode 600 (normally the case since it has the server "secret" key), lookups will only work for tacacs users that are logged in, via the local mapping. For root, getpwnam lookups will work for any TACACS user known to the servers. Most syslog's enabled only if debug is set in the config file.