| Age | Commit message (Collapse) | Author |
|
(#15)
|
|
|
|
|
|
T8943: ci: add lts-name-check advisory caller
|
|
Adds the source-side LTS-name advisory caller (mirror-pipeline). Non-blocking;
posts a generic advisory if a PR title/body references a release-train branch name.
🤖 Generated by [robots](https://vyos.io)
|
|
config (#11)
libnss-tacplus was the last consumers.yaml repo on the pre-1b custom wrapper
(choice-typed dispatch, write perms, divergent job name) AND was missing the
.github/mergify.yml that the mirror target already carries. This PR brings the
source to the full desired state so the mirror reconciles the diverged target
without losing the target-side Mergify config (preserved in backup branch
backup/pre-libnss-tacplus-reconcile-20260531).
🤖 Generated by [robots](https://vyos.io)
|
|
alignment) (#10)
|
|
Rewrites uses: pins to the three HIGH-fanout producers (vyos/.github,
vyos/vyos-cla-signatures, VyOS-Networks/vyos-reusable-workflows) from their
old default branch to the new production compat branch staged in Task 1.
No functional change; pin-ref rewrite only.
Tracking: T8943
|
|
coderabbit: T8851: add .coderabbit.yaml for central-config inheritance
|
|
|
|
T8835: added pr mirror workflow
|
|
|
|
|
|
general: T8595: add AGENTS.md
|
|
|
|
|
|
|
|
T8083: Fix NSS TACACS group buffer truncation
|
|
- Replace tabs with spaces
- Handle corner case when no of users get changed in between processing
|
|
|
|
|
|
CI: T7579: fix of the run trigger for CLA
|
|
|
|
T7579: added workflow for CLA
|
|
|
|
T6613: improve line buffer for config file from 256 -> 2048 byte
|
|
Support extensive length of exclude_users to avoid truncation in VyOS.
|
|
|
|
|
|
|
|
We weren't removing the tacplus plugin from nsswitch.conf on package remove,
now we do.
Also cleaned up a bit and use \s instead of [ \t] for whitespace.
For postinst, moved into configure case where it belonged.
Updated changelog for recent fixes and bumped version
|
|
|
|
Otherwise when reconfiguring when we detect a changed config
file, we'll double free the strdup'ed memory.
|
|
|
|
Conflicts (whitespace):
debian/copyright
nss_tacplus.c
|
|
Get setting from map on whether login was set up to use per-tacacs
user homedir, rather than the homedir from the local tacacsN users.
The mkhomedir_helper program is used in pam_tacplus to create home
directory (like pam_mkhomedir.so) when user homedir is requested, but
the home directory does not exist.
The config file setting in this code is not used when using map and the user
is found in map; we then use the setting from the map.
When mapping doesn't exist, then use our own config setting.
user_homedirs is ignored if shell is a restricted shell (as set up by
tacplus-restrict) because we need to honor the per-command
authorization setup in that case.
Updated changelog
Also fixed up the spelling of dev-support
|
|
Fixed attribute memory leak, and also don't force the *attr to NULL
as part of that, use the normal mechanisms.
Added more info to authorization failure message, and made clearer.
Only print "local lookup" part of message if debug > 1, since
it's mostly useful for developers.
|
|
This is done to handle the case where nss_tacplus.so is included in
a long-lived daemon. It's desirable to have long-lived daemons reflect
changes to the configuration, both to enable/disable debugging, and
particularly if the server list or key changes. Clear all read config
variables to defaults when re-parsing.
This is complicated by nested configuration files via the include
directive. At top level, we need to check all the previously used
configuration files to see if any have changed.
This also adds a limitation to no more than 8 deep include nesting. In
practice, > 2 is going to be very rare, so it should be OK.
Log a message when we re-initialize (without using debug qualifier).
|
|
The hack is to run getpeername on fd 0, because during ssh connections,
it is a socket from the remote host. This is a bit fragile...
Normally fd 0 interactively will be a pty or tty, so getpeername() will fail.
There may be some daemons where fd0 is a socket, and returns a local or
some other remote IP address, and if so, it could lead to some
confusion, but it shouldn't ever break anything.
I ran with tshark watching the packet exchange, and verified that the
remote address field is set for ssh sessions at the start of the ssh
session, and not when run in other uses. The customer ran a 3.2.1
package with this change, and it resolved their issue.
|
|
Unlike most of the other tacacs client code, we run as part of many
processes, and because of min_uid, and mapped user lookups, often
don't actually make a tacacs connection.
So don't log the debug message showing the servers, unless we are
actually going to do the tacacs lookup. This significantly reduces
noise messages in syslog from local user lookups.
Only print 'uid N < min_uid' if debug > 1, since it can occur so
frequently, and isn't as useful as some other debug messages.
Also some minor cleanup while looking for possible incorrect closes.
|
|
When management vrf is enabled and vrf is present in the tacacs config,
if we are unable to reach any configured tacacs server, try setting
vrf context on the socket.
Previously libnss-tacplus worked only with ssh@mgmt, now works with normal
ssh in mgmt vrf
Setting via the socket (rather than vrf context) is required so we don't
set the VRF context for arbitrary processes that do uid or username
lookups.
|
|
|
|
It turns out that I broke the exclusion handling early on. It
was only looking up the first entry in the list.
In debugging this, it turns out that user sshd is also looked up quite
frequently for ssh logins, so added it to the list, so that a round
trip to the tacacs server isn't needed when logging in as a local user.
There also isn't a need to look the exclusion list user up in the
/etc/passwd file, just skip the tacacs lookup.
Finally, it turns out that bash filename completion can lookup
username "*" (a single asterisk). Add that to the exclusion
list as well.
The reason for these fixes is primarily for TACACS servers that
are down or otherwise unreachable. With these fixes and additions,
logging in over ssh with a username in the exclusion list is only
slightly affected by unreachable TACACS servers.
Finally, added a warning to not add TACACS+ secrets to the
tacplus_nss.conf config file, since it is world readable.
|
|
Ticket: CM-13688
Reviewed By: nobody
Testing Done: installed, verify shorter timeouts
I hadn't implemented timeout for any of the new packages I created.
This implements it (and sets timeout=10 in /etc/tacplus_servers)
For libnss, we want a shorter timeout, so set it to 5, following
the include of tacplus_servers.
|
|
secret=key1
secret=key2
server=server1
server=server2
Should result in pairing server1/key1 server2/key2. That case didn't
work
|
|
It turns out that I broke the exclusion handling early on. It
was only looking up the first entry in the list.
In debugging this, it turns out that user sshd is also looked up quite
frequently for ssh logins, so added it to the list, so that a round
trip to the tacacs server isn't needed when logging in as a local user.
There also isn't a need to look the exclusion list user up in the
/etc/passwd file, just skip the tacacs lookup.
Finally, it turns out that bash filename completion can lookup
username "*" (a single asterisk). Add that to the exclusion
list as well.
The reason for these fixes is primarily for TACACS servers that
are down or otherwise unreachable. With these fixes and additions,
logging in over ssh with a username in the exclusion list is only
slightly affected by unreachable TACACS servers.
Finally, added a warning to not add TACACS+ secrets to the
tacplus_nss.conf config file, since it is world readable.
|
|
Ticket: CM-13688
Reviewed By: nobody
Testing Done: installed, verify shorter timeouts
I hadn't implemented timeout for any of the new packages I created.
This implements it (and sets timeout=10 in /etc/tacplus_servers)
For libnss, we want a shorter timeout, so set it to 5, following
the include of tacplus_servers.
|
|
secret=key1
secret=key2
server=server1
server=server2
Should result in pairing server1/key1 server2/key2. That case didn't
work
|
|
Fixed this case:
server=a.b.c.d
server=b.d.e.f
secret=stuff
libpam-tacplus handled, but my code didn't.
|
|
|