<feed xmlns='http://www.w3.org/2005/Atom'>
<title>libnss-tacplus.git/debian, branch master</title>
<subtitle>NSS plugin to lookup tacacs client username, and match mapped user after login (mirror of https://github.com/vyos/libnss-tacplus.git)
</subtitle>
<id>https://git.amelek.net/vyos/libnss-tacplus.git/atom?h=master</id>
<link rel='self' href='https://git.amelek.net/vyos/libnss-tacplus.git/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/'/>
<updated>2024-12-15T09:41:23+00:00</updated>
<entry>
<title>config: improve line buffer for config file from 256 -&gt; 2048 byte</title>
<updated>2024-12-15T09:41:23+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-12-15T08:37:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/commit/?id=9a80c753dc698405e427f413851981694c9db7d8'/>
<id>urn:sha1:9a80c753dc698405e427f413851981694c9db7d8</id>
<content type='text'>
Support extensive length of exclude_users to avoid truncation in VyOS.
</content>
</entry>
<entry>
<title>Debian: bump compat 9 -&gt; 11</title>
<updated>2024-11-22T20:14:22+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-11-22T20:14:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/commit/?id=3ead03af50c2969acef9d7c01be085e76b2f9249'/>
<id>urn:sha1:3ead03af50c2969acef9d7c01be085e76b2f9249</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Define -Wno-error=address for pointer operand to fix build with recent GCC</title>
<updated>2024-11-21T19:10:08+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-11-21T19:06:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/commit/?id=4d834fcd8f37c62a9674d9d2ed98bce291c30173'/>
<id>urn:sha1:4d834fcd8f37c62a9674d9d2ed98bce291c30173</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Import version 1.0.4-cl5.1.0u11 from Cumulus Linux</title>
<updated>2024-04-29T18:58:47+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-04-29T18:58:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/commit/?id=049d2843b521d15e2f355430d94eb9d2e83311be'/>
<id>urn:sha1:049d2843b521d15e2f355430d94eb9d2e83311be</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Fixed remove to clean up plugin entries in nsswitch.conf</title>
<updated>2017-06-30T20:46:36+00:00</updated>
<author>
<name>Dave Olson</name>
<email>olson@cumulusnetworks.com</email>
</author>
<published>2017-06-23T21:07:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/commit/?id=19008ab68d9d504aa58eb34d5f564755a1613b8b'/>
<id>urn:sha1:19008ab68d9d504aa58eb34d5f564755a1613b8b</id>
<content type='text'>
We weren't removing the tacplus plugin from nsswitch.conf on package remove,
now we do.

Also cleaned up a bit and use \s instead of [ \t] for whitespace.
For postinst, moved into configure case where it belonged.

Updated changelog for recent fixes and bumped version
</content>
</entry>
<entry>
<title>Support using and returning per-tacacs user homedir</title>
<updated>2017-05-24T00:05:52+00:00</updated>
<author>
<name>Dave Olson</name>
<email>olson@cumulusnetworks.com</email>
</author>
<published>2017-03-24T05:42:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/commit/?id=9b056a2a66ec7006d86121509ef1049c7f6f0725'/>
<id>urn:sha1:9b056a2a66ec7006d86121509ef1049c7f6f0725</id>
<content type='text'>
Get setting from map on whether login was set up to use per-tacacs
user homedir, rather than the homedir from the local tacacsN users.

The mkhomedir_helper program is used in pam_tacplus to create home
directory (like pam_mkhomedir.so) when user homedir is requested, but
the home directory does not exist.

The config file setting in this code is not used when using map and the user
is found in map; we then use the setting from the map.
When mapping doesn't exist, then use our own config setting.

user_homedirs is ignored if shell is a restricted shell (as set up by
tacplus-restrict) because we need to honor the per-command
authorization setup in that case.

Updated changelog

Also fixed up the spelling of dev-support
</content>
</entry>
<entry>
<title>Track changes to config files, and reparse if any change</title>
<updated>2017-05-23T23:42:48+00:00</updated>
<author>
<name>Dave Olson</name>
<email>olson@cumulusnetworks.com</email>
</author>
<published>2017-05-12T18:43:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/commit/?id=dab6c3bb9feb10b67f08b18656fe24d1f7b01d2b'/>
<id>urn:sha1:dab6c3bb9feb10b67f08b18656fe24d1f7b01d2b</id>
<content type='text'>
This is done to handle the case where nss_tacplus.so is included in
a long-lived daemon.  It's desirable to have long-lived daemons reflect
changes to the configuration, both to enable/disable debugging, and
particularly if the server list or key changes.  Clear all read config
variables to defaults when re-parsing.

This is complicated by nested configuration files via the include
directive.  At top level, we need to check all the previously used
configuration files to see if any have changed.

This also adds a limitation to no more than 8 deep include nesting.  In
practice, &gt; 2 is going to be very rare, so it should be OK.

Log a message when we re-initialize (without using debug qualifier).
</content>
</entry>
<entry>
<title>During login from ssh, send remote host IP address in AUTH request</title>
<updated>2017-05-23T23:39:52+00:00</updated>
<author>
<name>Dave Olson</name>
<email>olson@cumulusnetworks.com</email>
</author>
<published>2017-03-30T16:42:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/commit/?id=f9f714b3b7b9f77c0165c0850bd816cac0d46292'/>
<id>urn:sha1:f9f714b3b7b9f77c0165c0850bd816cac0d46292</id>
<content type='text'>
The hack is to run getpeername on fd 0, because during ssh connections,
it is a socket from the remote host.  This is a bit fragile...

Normally fd 0 interactively will be a pty or tty, so getpeername() will fail.

There may be some daemons where fd0 is a socket, and returns a local or
some other remote IP address, and if so, it could lead to some
confusion, but it shouldn't ever break anything.

I ran with tshark watching the packet exchange, and verified that the
remote address field is set for ssh sessions at the start of the ssh
session, and not when run in other uses.  The customer ran a 3.2.1
package with this change, and it resolved their issue.
</content>
</entry>
<entry>
<title>Add support for mgmt vrf</title>
<updated>2017-05-23T23:34:57+00:00</updated>
<author>
<name>Dave Olson</name>
<email>olson@cumulusnetworks.com</email>
</author>
<published>2017-03-07T20:59:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/commit/?id=52aa2d434ed03f0a386eb3bb6a12cb83b0c005c6'/>
<id>urn:sha1:52aa2d434ed03f0a386eb3bb6a12cb83b0c005c6</id>
<content type='text'>
When management vrf is enabled and vrf is present in the tacacs config,
if we are unable to reach any configured tacacs server, try setting
vrf context on the socket.

Previously libnss-tacplus worked only with ssh@mgmt, now works with normal
ssh in mgmt vrf

Setting via the socket (rather than vrf context) is required so we don't
set the VRF context for arbitrary processes that do uid or username
lookups.
</content>
</entry>
<entry>
<title>Updated changelog</title>
<updated>2017-05-23T23:24:14+00:00</updated>
<author>
<name>Dave Olson</name>
<email>olson@cumulusnetworks.com</email>
</author>
<published>2016-11-30T01:01:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libnss-tacplus.git/commit/?id=490882de7069623f427663340b27c77b97fecd40'/>
<id>urn:sha1:490882de7069623f427663340b27c77b97fecd40</id>
<content type='text'>
</content>
</entry>
</feed>
