author: Dave Olson <olson@cumulusnetworks.com> 2016-11-26 16:02:10 -0800
committer: Dave Olson <olson@cumulusnetworks.com> 2016-11-28 15:16:21 -0800
commit: cc571f7356bb42c5360e0e40b786b5c9b75c3d95
tree: 6a2714373e6e62e4f2d10839b445deedf8003c22 /debian/source/format
parent: 50884445bbe311a630c4cc899bd79a39ecf81e3b
download: libnss-tacplus-cc571f7356bb42c5360e0e40b786b5c9b75c3d95.tar.gz, libnss-tacplus-cc571f7356bb42c5360e0e40b786b5c9b75c3d95.zip

Fixed bug in exclude handling. Added sshd and "*" to exclusion list

It turns out that I broke the exclusion handling early on. It was only looking up the first entry in the list.

In debugging this, it turns out that user sshd is also looked up quite frequently for ssh logins, so added it to the list, so that a round trip to the tacacs server isn't needed when logging in as a local user. There also isn't a need to look the exclusion list user up in the /etc/passwd file, just skip the tacacs lookup.

Finally, it turns out that bash filename completion can look up username "*" (a single asterisk). Add that to the exclusion list as well.

The reason for these fixes is primarily for TACACS servers that are down or otherwise unreachable. With these fixes and additions, logging in over ssh with a username in the exclusion list is only slightly affected by unreachable TACACS servers.

Finally, added a warning to not add TACACS+ secrets to the tacplus_nss.conf config file, since it is world readable.

Diffstat (limited to 'debian/source/format')
0 files changed, 0 insertions, 0 deletions
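
The exclusion check described in the commit message, sketched as an added example (this is not code from libnss-tacplus or from the commit). The function names, the enum and the sample list are hypothetical; the list is assumed to be comma-separated. It checks every entry rather than only the first, compares whole entries literally so that `*` is an ordinary one-character name, and makes the decision before any server round trip.

```c
#include <stddef.h>
#include <string.h>

/*
 * Hypothetical helper (assumption, not the project's code): returns 1 if
 * `user` is an exact member of the comma-separated `exclude` list, else 0.
 * Every entry is examined, not just the first one.
 */
int user_is_excluded(const char *exclude, const char *user)
{
    size_t ulen;
    const char *p;

    if (exclude == NULL || user == NULL || *user == '\0')
        return 0;
    ulen = strlen(user);

    for (p = exclude; *p != '\0'; ) {
        size_t len = strcspn(p, ",");   /* length of the current entry */

        /* Whole-entry, literal match: "ssh" must not match "sshd",
         * and "*" matches only the username "*", never as a glob. */
        if (len == ulen && strncmp(p, user, len) == 0)
            return 1;

        p += len;
        if (*p == ',')
            p++;                        /* step over the separator */
    }
    return 0;
}

/* Hypothetical result of the pre-lookup decision. */
enum lookup_action { LOOKUP_SKIP_TACACS = 0, LOOKUP_QUERY_TACACS = 1 };

/* Decide before any network I/O, so an unreachable server cannot
 * delay lookups for names on the exclusion list. */
enum lookup_action decide_lookup(const char *exclude, const char *user)
{
    return user_is_excluded(exclude, user) ? LOOKUP_SKIP_TACACS
                                           : LOOKUP_QUERY_TACACS;
}

int main(void)
{
    const char *list = "root,daemon,sshd,*";   /* constructed sample list */
    return decide_lookup(list, "sshd") == LOOKUP_SKIP_TACACS ? 0 : 1;
}
```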