Age | Commit message (Collapse) | Author |
|
Conflicts (whitespace):
debian/copyright
nss_tacplus.c
|
|
Get setting from map on whether login was set up to use per-tacacs
user homedir, rather than the homedir from the local tacacsN users.
The mkhomedir_helper program is used in pam_tacplus to create home
directory (like pam_mkhomedir.so) when user homedir is requested, but
the home directory does not exist.
The config file setting in this code is not used when using map and the user
is found in map; we then use the setting from the map.
When mapping doesn't exist, then use our own config setting.
user_homedirs is ignored if shell is a restricted shell (as set up by
tacplus-restrict) because we need to honor the per-command
authorization setup in that case.
Updated changelog
Also fixed up the spelling of dev-support
|
|
Fixed attribute memory leak, and also don't force the *attr to NULL
as part of that, use the normal mechanisms.
Added more info to authorization failure message, and made clearer.
Only print "local lookup" part of message if debug > 1, since
it's mostly useful for developers.
|
|
This is done to handle the case where nss_tacplus.so is included in
a long-lived daemon. It's desirable to have long-lived daemons reflect
changes to the configuration, both to enable/disable debugging, and
particularly if the server list or key changes. Clear all read config
variables to defaults when re-parsing.
This is complicated by nested configuration files via the include
directive. At top level, we need to check all the previously used
configuration files to see if any have changed.
This also adds a limitation to no more than 8 deep include nesting. In
practice, > 2 is going to be very rare, so it should be OK.
Log a message when we re-initialize (without using debug qualifier).
|
|
The hack is to run getpeername on fd 0, because during ssh connections,
it is a socket from the remote host. This is a bit fragile...
Normally fd 0 interactively will be a pty or tty, so getpeername() will fail.
There may be some daemons where fd0 is a socket, and returns a local or
some other remote IP address, and if so, it could lead to some
confusion, but it shouldn't ever break anything.
I ran with tshark watching the packet exchange, and verified that the
remote address field is set for ssh sessions at the start of the ssh
session, and not when run in other uses. The customer ran a 3.2.1
package with this change, and it resolved their issue.
|
|
Unlike most of the other tacacs client code, we run as part of many
processes, and because of min_uid, and mapped user lookups, often
don't actually make a tacacs connection.
So don't log the debug message showing the servers, unless we are
actually going to do the tacacs lookup. This significantly reduces
noise messages in syslog from local user lookups.
Only print 'uid N < min_uid' if debug > 1, since it can occur so
frequently, and isn't as useful as some other debug messages.
Also some minor cleanup while looking for possible incorrect closes.
|
|
When management vrf is enabled and vrf is present in the tacacs config,
if we are unable to reach any configured tacacs server, try setting
vrf context on the socket.
Previously libnss-tacplus worked only with ssh@mgmt, now works with normal
ssh in mgmt vrf
Setting via the socket (rather than vrf context) is required so we don't
set the VRF context for arbitrary processes that do uid or username
lookups.
|
|
|
|
It turns out that I broke the exclusion handling early on. It
was only looking up the first entry in the list.
In debugging this, it turns out that user sshd is also looked up quite
frequently for ssh logins, so added it to the list, so that a round
trip to the tacacs server isn't needed when logging in as a local user.
There also isn't a need to look the exclusion list user up in the
/etc/passwd file, just skip the tacacs lookup.
Finally, it turns out that bash filename completion can lookup
username "*" (a single asterisk). Add that to the exclusion
list as well.
The reason for these fixes is primarily for TACACS servers that
are down or otherwise unreachable. With these fixes and additions,
logging in over ssh with a username in the exclusion list is only
slightly affected by unreachable TACACS servers.
Finally, added a warning to not add TACACS+ secrets to the
tacplus_nss.conf config file, since it is world readable.
|
|
Ticket: CM-13688
Reviewed By: nobody
Testing Done: installed, verify shorter timeouts
I hadn't implemented timeout for any of the new packages I created.
This implements it (and sets timeout=10 in /etc/tacplus_servers)
For libnss, we want a shorter timeout, so set it to 5, following
the include of tacplus_servers.
|
|
secret=key1
secret=key2
server=server1
server=server2
Should result in pairing server1/key1 server2/key2. That case didn't
work
|
|
It turns out that I broke the exclusion handling early on. It
was only looking up the first entry in the list.
In debugging this, it turns out that user sshd is also looked up quite
frequently for ssh logins, so added it to the list, so that a round
trip to the tacacs server isn't needed when logging in as a local user.
There also isn't a need to look the exclusion list user up in the
/etc/passwd file, just skip the tacacs lookup.
Finally, it turns out that bash filename completion can lookup
username "*" (a single asterisk). Add that to the exclusion
list as well.
The reason for these fixes is primarily for TACACS servers that
are down or otherwise unreachable. With these fixes and additions,
logging in over ssh with a username in the exclusion list is only
slightly affected by unreachable TACACS servers.
Finally, added a warning to not add TACACS+ secrets to the
tacplus_nss.conf config file, since it is world readable.
|
|
Ticket: CM-13688
Reviewed By: nobody
Testing Done: installed, verify shorter timeouts
I hadn't implemented timeout for any of the new packages I created.
This implements it (and sets timeout=10 in /etc/tacplus_servers)
For libnss, we want a shorter timeout, so set it to 5, following
the include of tacplus_servers.
|
|
secret=key1
secret=key2
server=server1
server=server2
Should result in pairing server1/key1 server2/key2. That case didn't
work
|
|
Fixed this case:
server=a.b.c.d
server=b.d.e.f
secret=stuff
libpam-tacplus handled, but my code didn't.
|
|
|
|
Fixed this case:
server=a.b.c.d
server=b.d.e.f
secret=stuff
libpam-tacplus handled, but my code didn't.
|
|
|
|
|
|
|
|
Also fixed some whitespace at end of lines
|
|
|
|
|
|
|
|
Documented the min_uid and exclude_users config file variables.
|
|
Documented the min_uid and exclude_users config file variables.
|
|
Ticket: CM-13109
This is both for performance and robustness. It also avoids warnings
during bootup when networking isn't yet up.
Also minor improvements to debug messages
|
|
Ticket: CM-13049
Reviewed By: olson
Testing Done: tried multiple servers.
Debugging a customer issue was harder than it should be, so add
more debugging on success and invalid user returns from server.
Also try all servers in the list until success, because different
servers can have different databases, so an invalid user return
from one server should not be considered definitive.
|
|
Ticket: CM-12880
Reviewed By: olson
Testing Done: built, ran through test case.
When recursing do to an included config file, the tac_key_no
index into the server array was always starting at zero, so
if there were server/key pairs in both the main config file
and the included file, the secret from the 0th entry was being
used for each, and we weren't adding the servers from the origianl
config file.
Make tac_key_no global like tac_srv_no
|
|
size_t is only an int on 32 bit ARM, so %ld gives an error. Add a cast.
|
|
Initial version with NSS lookups for tacacs users using mapping
Works with modified libpam-tacplus to authenticate TACACS+ users
without local passwd entries, mapping them to tacacs0..15 based on
TACACS privilege level.
When the /etc/tacplus_servers tacacs config file is mode 600 (normally
the case since it has the server "secret" key), lookups will only work
for tacacs users that are logged in, via the local mapping. For root,
getpwnam lookups will work for any TACACS user known to the servers.
Most syslog's enabled only if debug is set in the config file.
|
|
Initial version with NSS lookups for tacacs users using mapping
Works with modified libpam-tacplus to authenticate TACACS+ users
without local passwd entries, mapping them to tacacs0..15 based on
TACACS privilege level.
When the /etc/tacplus_servers tacacs config file is mode 600 (normally
the case since it has the server "secret" key), lookups will only work
for tacacs users that are logged in, via the local mapping. For root,
getpwnam lookups will work for any TACACS user known to the servers.
Most syslog's enabled only if debug is set in the config file.
|