summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-06-08T8966: add legacy-label escape to invalid-task-id rule (commit check exempt) ↵rollingYuriy Andamasov
(#15)
2026-06-06ci: T8966: exempt bots from product T-ID (invalid-task-id) gate (#14)Yuriy Andamasov
2026-06-06ci: T8966: add product T-ID title/commit check (opt-in relocation) (#13)Yuriy Andamasov
2026-06-01Merge pull request #12 from vyos/ci/lts-name-checkYuriy Andamasov
T8943: ci: add lts-name-check advisory caller
2026-06-01T8943: ci: add lts-name-check advisory callerYuriy Andamasov
Adds the source-side LTS-name advisory caller (mirror-pipeline). Non-blocking; posts a generic advisory if a PR title/body references a release-train branch name. 🤖 Generated by [robots](https://vyos.io)
2026-06-01T8943: migrate pr-mirror wrapper to canonical stub + add extends:mergify ↵Yuriy Andamasov
config (#11) libnss-tacplus was the last consumers.yaml repo on the pre-1b custom wrapper (choice-typed dispatch, write perms, divergent job name) AND was missing the .github/mergify.yml that the mirror target already carries. This PR brings the source to the full desired state so the mirror reconciles the diverged target without losing the target-side Mergify config (preserved in backup branch backup/pre-libnss-tacplus-reconcile-20260531). 🤖 Generated by [robots](https://vyos.io)
2026-05-30ci: T8943: migrate libnss-tacplus refs master->rolling (rollout 1c ↵Yuriy Andamasov
alignment) (#10)
2026-05-30ci: T8943: sweep HIGH-producer pins to renamed branches (rollout 1c) (#9)Yuriy Andamasov
Rewrites uses: pins to the three HIGH-fanout producers (vyos/.github, vyos/vyos-cla-signatures, VyOS-Networks/vyos-reusable-workflows) from their old default branch to the new production compat branch staged in Task 1. No functional change; pin-ref rewrite only. Tracking: T8943
2026-05-26Merge pull request #8 from vyos/claude/coderabbit-yaml-t8851Daniil Baturin
coderabbit: T8851: add .coderabbit.yaml for central-config inheritance
2026-05-25coderabbit: T8851: add .coderabbit.yaml for central-config inheritanceclaude/coderabbit-yaml-t8851Yuriy Andamasov
2026-05-10Merge pull request #7 from kumvijaya/masterYevhen Bondarenko
T8835: added pr mirror workflow
2026-05-09T8835: removed extra space in workflows folderVijayakumar A
2026-05-09T8835: added pr mirror workflowVijayakumar A
2026-05-08Merge pull request #6 from vyos/T8595-add-agents-mdDaniil Baturin
general: T8595: add AGENTS.md
2026-05-07general: T8595: scrub private-org references from public AGENTS.mdT8595-add-agents-mdYuriy Andamasov
2026-05-07general: T8595: clean leaked internal referencesYuriy Andamasov
2026-05-07general: T8595: add AGENTS.mdYuriy Andamasov
2026-01-20Merge pull request #4 from ritika0313/T8083-nss-buffer-truncDaniil Baturin
T8083: Fix NSS TACACS group buffer truncation
2026-01-19T8083: Review comments incorporateRitika Chopra
- Replace tabs with spaces - Handle corner case when no of users get changed in between processing
2026-01-06T8083: Address memory leaks in the related code legRitika Chopra
2026-01-06T8083:Fix NSS TACACS group buffer truncationRitika Chopra
2025-07-15Merge pull request #3 from vyos/claChristian Breunig
CI: T7579: fix of the run trigger for CLA
2025-07-14T7579: fix of the run trigger for CLAclaYevhen Bondarenko
2025-07-06Merge pull request #2 from vyos/claHEADmasterChristian Breunig
T7579: added workflow for CLA
2025-07-04T7579: added workflow for CLAlemeshovich
2024-12-15Merge pull request #1 from vyos/T6613-tacacsViacheslav Hletenko
T6613: improve line buffer for config file from 256 -> 2048 byte
2024-12-15config: improve line buffer for config file from 256 -> 2048 byteT6613-tacacsChristian Breunig
Support extensive length of exclude_users to avoid truncation in VyOS.
2024-11-22Debian: bump compat 9 -> 11Christian Breunig
2024-11-21Define -Wno-error=address for pointer operand to fix build with recent GCCChristian Breunig
2024-04-29Import version 1.0.4-cl5.1.0u11 from Cumulus LinuxChristian Breunig
2017-06-30Fixed remove to clean up plugin entries in nsswitch.confDave Olson
We weren't removing the tacplus plugin from nsswitch.conf on package remove, now we do. Also cleaned up a bit and use \s instead of [ \t] for whitespace. For postinst, moved into configure case where it belonged. Updated changelog for recent fixes and bumped version
2017-05-30Another reset config bug if exclude_users not in config file.Dave Olson
2017-05-25When re-using a secret key for multiple servers, strdup, don't copyDave Olson
Otherwise when reconfiguring when we detect a changed config file, we'll double free the strdup'ed memory.
2017-05-23Removed trailing whitespaceDave Olson
2017-05-23Merge with ongoing developmentDave Olson
Conflicts (whitespace): debian/copyright nss_tacplus.c
2017-05-23Support using and returning per-tacacs user homedirDave Olson
Get setting from map on whether login was set up to use per-tacacs user homedir, rather than the homedir from the local tacacsN users. The mkhomedir_helper program is used in pam_tacplus to create home directory (like pam_mkhomedir.so) when user homedir is requested, but the home directory does not exist. The config file setting in this code is not used when using map and the user is found in map; we then use the setting from the map. When mapping doesn't exist, then use our own config setting. user_homedirs is ignored if shell is a restricted shell (as set up by tacplus-restrict) because we need to honor the per-command authorization setup in that case. Updated changelog Also fixed up the spelling of dev-support
2017-05-23Fix attribute memory leak, clarified authorization messageDave Olson
Fixed attribute memory leak, and also don't force the *attr to NULL as part of that, use the normal mechanisms. Added more info to authorization failure message, and made clearer. Only print "local lookup" part of message if debug > 1, since it's mostly useful for developers.
2017-05-23Track changes to config files, and reparse if any changeDave Olson
This is done to handle the case where nss_tacplus.so is included in a long-lived daemon. It's desirable to have long-lived daemons reflect changes to the configuration, both to enable/disable debugging, and particularly if the server list or key changes. Clear all read config variables to defaults when re-parsing. This is complicated by nested configuration files via the include directive. At top level, we need to check all the previously used configuration files to see if any have changed. This also adds a limitation to no more than 8 deep include nesting. In practice, > 2 is going to be very rare, so it should be OK. Log a message when we re-initialize (without using debug qualifier).
2017-05-23During login from ssh, send remote host IP address in AUTH requestDave Olson
The hack is to run getpeername on fd 0, because during ssh connections, it is a socket from the remote host. This is a bit fragile... Normally fd 0 interactively will be a pty or tty, so getpeername() will fail. There may be some daemons where fd0 is a socket, and returns a local or some other remote IP address, and if so, it could lead to some confusion, but it shouldn't ever break anything. I ran with tshark watching the packet exchange, and verified that the remote address field is set for ssh sessions at the start of the ssh session, and not when run in other uses. The customer ran a 3.2.1 package with this change, and it resolved their issue.
2017-05-23Don't print debug servers list unless we do tacacs lookupDave Olson
Unlike most of the other tacacs client code, we run as part of many processes, and because of min_uid, and mapped user lookups, often don't actually make a tacacs connection. So don't log the debug message showing the servers, unless we are actually going to do the tacacs lookup. This significantly reduces noise messages in syslog from local user lookups. Only print 'uid N < min_uid' if debug > 1, since it can occur so frequently, and isn't as useful as some other debug messages. Also some minor cleanup while looking for possible incorrect closes.
2017-05-23Add support for mgmt vrfDave Olson
When management vrf is enabled and vrf is present in the tacacs config, if we are unable to reach any configured tacacs server, try setting vrf context on the socket. Previously libnss-tacplus worked only with ssh@mgmt, now works with normal ssh in mgmt vrf Setting via the socket (rather than vrf context) is required so we don't set the VRF context for arbitrary processes that do uid or username lookups.
2017-05-23Updated changelogDave Olson
2016-11-28Fixed bug in exclude handling. Added sshd and "*" to exclusion listDave Olson
It turns out that I broke the exclusion handling early on. It was only looking up the first entry in the list. In debugging this, it turns out that user sshd is also looked up quite frequently for ssh logins, so added it to the list, so that a round trip to the tacacs server isn't needed when logging in as a local user. There also isn't a need to look the exclusion list user up in the /etc/passwd file, just skip the tacacs lookup. Finally, it turns out that bash filename completion can lookup username "*" (a single asterisk). Add that to the exclusion list as well. The reason for these fixes is primarily for TACACS servers that are down or otherwise unreachable. With these fixes and additions, logging in over ssh with a username in the exclusion list is only slightly affected by unreachable TACACS servers. Finally, added a warning to not add TACACS+ secrets to the tacplus_nss.conf config file, since it is world readable.
2016-11-28Allow timeout parameter to be setDave Olson
Ticket: CM-13688 Reviewed By: nobody Testing Done: installed, verify shorter timeouts I hadn't implemented timeout for any of the new packages I created. This implements it (and sets timeout=10 in /etc/tacplus_servers) For libnss, we want a shorter timeout, so set it to 5, following the include of tacplus_servers.
2016-11-28Missed handling a secret/server orderingDave Olson
secret=key1 secret=key2 server=server1 server=server2 Should result in pairing server1/key1 server2/key2. That case didn't work
2016-11-27Fixed bug in exclude handling. Added sshd and "*" to exclusion listDave Olson
It turns out that I broke the exclusion handling early on. It was only looking up the first entry in the list. In debugging this, it turns out that user sshd is also looked up quite frequently for ssh logins, so added it to the list, so that a round trip to the tacacs server isn't needed when logging in as a local user. There also isn't a need to look the exclusion list user up in the /etc/passwd file, just skip the tacacs lookup. Finally, it turns out that bash filename completion can lookup username "*" (a single asterisk). Add that to the exclusion list as well. The reason for these fixes is primarily for TACACS servers that are down or otherwise unreachable. With these fixes and additions, logging in over ssh with a username in the exclusion list is only slightly affected by unreachable TACACS servers. Finally, added a warning to not add TACACS+ secrets to the tacplus_nss.conf config file, since it is world readable.
2016-11-26Allow timeout parameter to be setDave Olson
Ticket: CM-13688 Reviewed By: nobody Testing Done: installed, verify shorter timeouts I hadn't implemented timeout for any of the new packages I created. This implements it (and sets timeout=10 in /etc/tacplus_servers) For libnss, we want a shorter timeout, so set it to 5, following the include of tacplus_servers.
2016-11-23Missed handling a secret/server orderingDave Olson
secret=key1 secret=key2 server=server1 server=server2 Should result in pairing server1/key1 server2/key2. That case didn't work
2016-11-22Handle case of secret parameter listed after multiple serversDave Olson
Fixed this case: server=a.b.c.d server=b.d.e.f secret=stuff libpam-tacplus handled, but my code didn't.
2016-11-22corrected the FSF zipcodeDave Olson