Age  Commit message  Author
2017-05-23  Merge with ongoing development  (Dave Olson)
Conflicts (whitespace): debian/copyright nss_tacplus.c
2017-05-23  Support using and returning per-tacacs user homedir  (Dave Olson)
Get setting from map on whether login was set up to use per-tacacs user homedir, rather than the homedir from the local tacacsN users. The mkhomedir_helper program is used in pam_tacplus to create home directory (like pam_mkhomedir.so) when user homedir is requested, but the home directory does not exist.

The config file setting in this code is not used when using map and the user is found in map; we then use the setting from the map. When mapping doesn't exist, then use our own config setting.

user_homedirs is ignored if shell is a restricted shell (as set up by tacplus-restrict) because we need to honor the per-command authorization setup in that case.

Updated changelog.

Also fixed up the spelling of dev-support.
2017-05-23  Fix attribute memory leak, clarified authorization message  (Dave Olson)
Fixed attribute memory leak, and also don't force the *attr to NULL as part of that, use the normal mechanisms. Added more info to authorization failure message, and made clearer. Only print "local lookup" part of message if debug > 1, since it's mostly useful for developers.
2017-05-23  Track changes to config files, and reparse if any change  (Dave Olson)
This is done to handle the case where nss_tacplus.so is included in a long-lived daemon. It's desirable to have long-lived daemons reflect changes to the configuration, both to enable/disable debugging, and particularly if the server list or key changes.

Clear all read config variables to defaults when re-parsing.

This is complicated by nested configuration files via the include directive. At top level, we need to check all the previously used configuration files to see if any have changed. This also adds a limitation to no more than 8 deep include nesting. In practice, > 2 is going to be very rare, so it should be OK.

Log a message when we re-initialize (without using debug qualifier).
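Change tracking for the config files the commit above describes, as an added example in C; it is not the module's own code, and cfg_track_reset(), cfg_track_file() and cfg_changed() are hypothetical names. Each parsed file (the top-level file and every file pulled in by an include directive) is recorded by inode, size and mtime, and a long-lived daemon re-checks all of them before a lookup; a hit means "reset the config variables to defaults and reparse". The temporary file is constructed for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Hypothetical bookkeeping, not the names used in nss_tacplus.c. */
#define MAX_CFG_FILES 9            /* top-level file plus up to 8 nested includes */

struct cfg_file {
    char path[256];
    ino_t ino;
    off_t size;
    time_t mtime;
};

static struct cfg_file cfg_files[MAX_CFG_FILES];
static int cfg_file_count;

/* Forget every file recorded by the previous parse; call before re-parsing. */
void cfg_track_reset(void)
{
    cfg_file_count = 0;
    memset(cfg_files, 0, sizeof cfg_files);
}

/* Record identity and mtime of a config file as it is parsed (top-level file and
 * every included file). Returns 0, or -1 if stat fails or the table is full. */
int cfg_track_file(const char *path)
{
    struct stat st;

    if (cfg_file_count >= MAX_CFG_FILES || stat(path, &st) != 0)
        return -1;
    snprintf(cfg_files[cfg_file_count].path, sizeof cfg_files[0].path, "%s", path);
    cfg_files[cfg_file_count].ino = st.st_ino;
    cfg_files[cfg_file_count].size = st.st_size;
    cfg_files[cfg_file_count].mtime = st.st_mtime;
    cfg_file_count++;
    return 0;
}

/* Called at the start of every lookup in a long-lived process. Returns 1 if any
 * previously parsed file was modified, replaced (new inode, e.g. atomic rename)
 * or removed; 0 if all are unchanged. */
int cfg_changed(void)
{
    struct stat st;
    int i;

    for (i = 0; i < cfg_file_count; i++) {
        if (stat(cfg_files[i].path, &st) != 0)
            return 1;                          /* removed: reparse and fall back to defaults */
        if (st.st_ino != cfg_files[i].ino ||
            st.st_size != cfg_files[i].size ||
            st.st_mtime != cfg_files[i].mtime)
            return 1;
    }
    return 0;
}

/* Constructed demonstration on a temporary file: returns 1 if the rewrite was
 * detected and the untouched file was reported unchanged, 0 or -1 otherwise. */
int cfg_track_demo(void)
{
    char path[] = "/tmp/tacplus_demo_XXXXXX";
    int fd = mkstemp(path);
    int before, after;

    if (fd < 0 || write(fd, "debug=0\n", 8) != 8)
        return -1;
    cfg_track_reset();
    if (cfg_track_file(path) != 0)
        return -1;
    before = cfg_changed();                    /* nothing touched yet: 0 */
    if (write(fd, "debug=1\n", 8) != 8)        /* size changes even within the same second */
        return -1;
    after = cfg_changed();                     /* 1 */
    close(fd);
    unlink(path);
    return before == 0 && after == 1;
}
```

Comparing inode as well as size and mtime catches the common "write a new file and rename it over the old one" edit, which keeps the path but changes the inode; a same-size in-place rewrite within the same second as the previous parse is the one case this scheme cannot see.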
2017-05-23  During login from ssh, send remote host IP address in AUTH request  (Dave Olson)
The hack is to run getpeername on fd 0, because during ssh connections, it is a socket from the remote host. This is a bit fragile...

Normally fd 0 interactively will be a pty or tty, so getpeername() will fail. There may be some daemons where fd 0 is a socket, and returns a local or some other remote IP address, and if so, it could lead to some confusion, but it shouldn't ever break anything.

I ran with tshark watching the packet exchange, and verified that the remote address field is set for ssh sessions at the start of the ssh session, and not when run in other uses.

The customer ran a 3.2.1 package with this change, and it resolved their issue.
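The fd 0 trick from the commit above, as an added example in C that is not the project's own code: remote_addr_of_fd() is a hypothetical helper that reports an IPv4/IPv6 peer address and fails for a pty, a pipe or an AF_UNIX socket, which covers the "fragile" cases the message lists. The loopback TCP connection and the pipe are constructed here for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical helper: put the remote IP of fd in buf and return 0, or return -1
 * when fd is not a socket (pty/tty/pipe: ENOTSOCK), is not connected, or is
 * not an IPv4/IPv6 socket (an AF_UNIX peer has no address to send). */
int remote_addr_of_fd(int fd, char *buf, size_t len)
{
    struct sockaddr_storage ss;
    socklen_t slen = sizeof ss;
    const void *src;

    if (getpeername(fd, (struct sockaddr *)&ss, &slen) != 0)
        return -1;
    if (ss.ss_family == AF_INET)
        src = &((struct sockaddr_in *)&ss)->sin_addr;
    else if (ss.ss_family == AF_INET6)
        src = &((struct sockaddr_in6 *)&ss)->sin6_addr;
    else
        return -1;
    return inet_ntop(ss.ss_family, src, buf, len) ? 0 : -1;
}

/* What the AUTH request path would do: ask about fd 0. An empty string means
 * "no usable remote address"; leave the rem_addr field unset in that case. */
void login_remote_addr(char *buf, size_t len)
{
    if (len == 0)
        return;
    if (remote_addr_of_fd(0, buf, len) != 0)
        buf[0] = '\0';
}

/* Constructed check: the accepted side of a loopback TCP connection must see
 * 127.0.0.1. Returns 1 on that result, 0 on a different one, -1 on setup error. */
int demo_tcp_peer(void)
{
    struct sockaddr_in sa;
    socklen_t salen = sizeof sa;
    char buf[INET6_ADDRSTRLEN];
    int lsock, csock, asock = -1, rc = -1;

    lsock = socket(AF_INET, SOCK_STREAM, 0);
    csock = socket(AF_INET, SOCK_STREAM, 0);
    if (lsock < 0 || csock < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                                  /* kernel picks a free port */
    if (bind(lsock, (struct sockaddr *)&sa, sizeof sa) == 0 &&
        listen(lsock, 1) == 0 &&
        getsockname(lsock, (struct sockaddr *)&sa, &salen) == 0 &&
        connect(csock, (struct sockaddr *)&sa, sizeof sa) == 0 &&
        (asock = accept(lsock, NULL, NULL)) >= 0) {
        rc = remote_addr_of_fd(asock, buf, sizeof buf) == 0 &&
             strcmp(buf, "127.0.0.1") == 0;           /* server side sees the client */
        close(asock);
    }
    close(csock);
    close(lsock);
    return rc;
}

/* Constructed check of the non-socket case: a pipe fails the same way a tty does. */
int demo_pipe_peer(void)
{
    char buf[INET6_ADDRSTRLEN];
    int p[2], rc;

    if (pipe(p) != 0)
        return -1;
    rc = remote_addr_of_fd(p[0], buf, sizeof buf);   /* -1, errno == ENOTSOCK */
    close(p[0]);
    close(p[1]);
    return rc;
}
```

Restricting the result to AF_INET/AF_INET6 is the part worth keeping: a daemon whose fd 0 is an AF_UNIX socket (common under socket activation) would otherwise hand the server a meaningless "address".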
2017-05-23  Don't print debug servers list unless we do tacacs lookup  (Dave Olson)
Unlike most of the other tacacs client code, we run as part of many processes, and because of min_uid, and mapped user lookups, often don't actually make a tacacs connection. So don't log the debug message showing the servers, unless we are actually going to do the tacacs lookup. This significantly reduces noise messages in syslog from local user lookups. Only print 'uid N < min_uid' if debug > 1, since it can occur so frequently, and isn't as useful as some other debug messages. Also some minor cleanup while looking for possible incorrect closes.
2017-05-23  Add support for mgmt vrf  (Dave Olson)
When management vrf is enabled and vrf is present in the tacacs config, if we are unable to reach any configured tacacs server, try setting vrf context on the socket.

Previously libnss-tacplus worked only with ssh@mgmt; now works with normal ssh in mgmt vrf.

Setting via the socket (rather than vrf context) is required so we don't set the VRF context for arbitrary processes that do uid or username lookups.
2017-05-23  Updated changelog  (Dave Olson)
2016-11-28  Fixed bug in exclude handling. Added sshd and "*" to exclusion list  (Dave Olson)
It turns out that I broke the exclusion handling early on. It was only looking up the first entry in the list. In debugging this, it turns out that user sshd is also looked up quite frequently for ssh logins, so added it to the list, so that a round trip to the tacacs server isn't needed when logging in as a local user. There also isn't a need to look the exclusion list user up in the /etc/passwd file, just skip the tacacs lookup. Finally, it turns out that bash filename completion can lookup username "*" (a single asterisk). Add that to the exclusion list as well. The reason for these fixes is primarily for TACACS servers that are down or otherwise unreachable. With these fixes and additions, logging in over ssh with a username in the exclusion list is only slightly affected by unreachable TACACS servers. Finally, added a warning to not add TACACS+ secrets to the tacplus_nss.conf config file, since it is world readable.
2016-11-28  Allow timeout parameter to be set  (Dave Olson)
Ticket: CM-13688
Reviewed By: nobody
Testing Done: installed, verify shorter timeouts

I hadn't implemented timeout for any of the new packages I created. This implements it (and sets timeout=10 in /etc/tacplus_servers). For libnss, we want a shorter timeout, so set it to 5, following the include of tacplus_servers.
2016-11-28  Missed handling a secret/server ordering  (Dave Olson)
secret=key1
secret=key2
server=server1
server=server2

Should result in pairing server1/key1, server2/key2. That case didn't work.
2016-11-27  Fixed bug in exclude handling. Added sshd and "*" to exclusion list  (Dave Olson)
It turns out that I broke the exclusion handling early on. It was only looking up the first entry in the list. In debugging this, it turns out that user sshd is also looked up quite frequently for ssh logins, so added it to the list, so that a round trip to the tacacs server isn't needed when logging in as a local user. There also isn't a need to look the exclusion list user up in the /etc/passwd file, just skip the tacacs lookup. Finally, it turns out that bash filename completion can lookup username "*" (a single asterisk). Add that to the exclusion list as well. The reason for these fixes is primarily for TACACS servers that are down or otherwise unreachable. With these fixes and additions, logging in over ssh with a username in the exclusion list is only slightly affected by unreachable TACACS servers. Finally, added a warning to not add TACACS+ secrets to the tacplus_nss.conf config file, since it is world readable.
2016-11-26  Allow timeout parameter to be set  (Dave Olson)
Ticket: CM-13688
Reviewed By: nobody
Testing Done: installed, verify shorter timeouts

I hadn't implemented timeout for any of the new packages I created. This implements it (and sets timeout=10 in /etc/tacplus_servers). For libnss, we want a shorter timeout, so set it to 5, following the include of tacplus_servers.
2016-11-23  Missed handling a secret/server ordering  (Dave Olson)
secret=key1
secret=key2
server=server1
server=server2

Should result in pairing server1/key1, server2/key2. That case didn't work.
2016-11-22  Handle case of secret parameter listed after multiple servers  (Dave Olson)
Fixed this case:

server=a.b.c.d
server=b.d.e.f
secret=stuff

libpam-tacplus handled this, but my code didn't.
2016-11-22  corrected the FSF zipcode  (Dave Olson)
2016-11-18  Handle case of secret parameter listed after multiple servers  (Dave Olson)
Fixed this case:

server=a.b.c.d
server=b.d.e.f
secret=stuff

libpam-tacplus handled this, but my code didn't.
2016-11-18  corrected the FSF zipcode  (Dave Olson)
2016-10-31  Fixed copyright punctuation error  (Dave Olson)
2016-10-26  Fixed trailing line whitespace issues  (Dave Olson)
2016-10-26  Updated COPYING, corrected copyrights  (Dave Olson)
Also fixed some whitespace at end of lines
2016-10-26  Fixed a LOG_DEBUG message to be protected by if (debug)  (Dave Olson)
2016-10-21  Updated COPYING, corrected copyrights  (Dave Olson)
2016-10-07  Updated the README to not include PAM protocols, and add new variables  (Dave Olson)
Documented the min_uid and exclude_users config file variables.
2016-10-07  Updated the README to not include PAM protocols, and add new variables  (Dave Olson)
Documented the min_uid and exclude_users config file variables.
2016-10-06  Add ability to skip lookups on list of account names, and minimum UID  (Dave Olson)
Ticket: CM-13109

This is both for performance and robustness. It also avoids warnings during bootup when networking isn't yet up.

Also minor improvements to debug messages.
2016-10-06  Better debugs for server, and try all servers in list  (Dave Olson)
Ticket: CM-13049
Reviewed By: olson
Testing Done: tried multiple servers.

Debugging a customer issue was harder than it should be, so add more debugging on success and invalid user returns from server. Also try all servers in the list until success, because different servers can have different databases, so an invalid user return from one server should not be considered definitive.
2016-10-06  When recursing into an included config, don't reset secret key index  (Dave Olson)
Ticket: CM-12880
Reviewed By: olson
Testing Done: built, ran through test case.

When recursing due to an included config file, the tac_key_no index into the server array was always starting at zero, so if there were server/key pairs in both the main config file and the included file, the secret from the 0th entry was being used for each, and we weren't adding the servers from the original config file.

Make tac_key_no global like tac_srv_no.
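The three server/secret pairing rules that the commits "Missed handling a secret/server ordering", "Handle case of secret parameter listed after multiple servers" and this one describe, plus the include-nesting limit from "Track changes to config files", in one added C example. This is illustration written for this page, not code from nss_tacplus.c: the file contents are constructed and held in memory, find_file(), add_server(), add_secret() and parse_config() are hypothetical names, and only tac_srv_no and tac_key_no are taken from the commit messages. The two counters are globals that an included file continues rather than restarts, which is the fix this commit describes.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TAC_PLUS_MAXSERVERS 8
#define MAX_INCLUDE_DEPTH 8

struct tac_srv { char addr[64]; char key[64]; };

static struct tac_srv tac_srv[TAC_PLUS_MAXSERVERS];
static int tac_srv_no;   /* next free server slot */
static int tac_key_no;   /* next secret slot; global so an include continues the sequence */

/* Constructed in-memory stand-ins for the config files. */
struct memfile { const char *name; const char *text; };
static const struct memfile files[] = {
    { "tacplus_servers",
      "# secrets first, servers afterwards: pair by position\n"
      "secret=key1\nsecret=key2\nserver=server1\nserver=server2\n" },
    { "tacplus_nss.conf",
      "include=tacplus_servers\n"
      "server=a.b.c.d\nserver=b.d.e.f\nsecret=stuff\n" },
    { "loop.conf", "include=loop.conf\n" },            /* exercises the depth limit */
};

static const char *find_file(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof files / sizeof files[0]; i++)
        if (strcmp(files[i].name, name) == 0)
            return files[i].text;
    return NULL;
}

/* "Clear all read config variables to defaults when re-parsing." */
void config_reset(void)
{
    memset(tac_srv, 0, sizeof tac_srv);
    tac_srv_no = tac_key_no = 0;
}

static int add_server(const char *addr)
{
    if (tac_srv_no >= TAC_PLUS_MAXSERVERS)
        return -1;
    snprintf(tac_srv[tac_srv_no++].addr, sizeof tac_srv[0].addr, "%s", addr);
    return 0;
}

/* A secret pairs with the server at the same position. When more servers than
 * secrets have been seen (secret= after several server= lines), this secret
 * applies to every server that still has no key. */
static int add_secret(const char *key)
{
    int i;
    if (tac_key_no >= TAC_PLUS_MAXSERVERS)
        return -1;
    if (tac_srv_no > tac_key_no) {
        for (i = tac_key_no; i < tac_srv_no; i++)
            snprintf(tac_srv[i].key, sizeof tac_srv[0].key, "%s", key);
        tac_key_no = tac_srv_no;
    } else {
        snprintf(tac_srv[tac_key_no++].key, sizeof tac_srv[0].key, "%s", key);
    }
    return 0;
}

/* Returns 0, or -1 on an unknown file, include nesting deeper than
 * MAX_INCLUDE_DEPTH, or more than TAC_PLUS_MAXSERVERS entries. */
int parse_config(const char *name, int depth)
{
    const char *text = find_file(name);
    char *copy, *line, *save;
    int rc = 0;

    if (text == NULL || depth > MAX_INCLUDE_DEPTH)
        return -1;
    copy = strdup(text);
    for (line = strtok_r(copy, "\n", &save); line != NULL && rc == 0;
         line = strtok_r(NULL, "\n", &save)) {
        if (*line == '#')
            continue;
        if (strncmp(line, "include=", 8) == 0)
            rc = parse_config(line + 8, depth + 1);   /* counters are NOT reset here */
        else if (strncmp(line, "server=", 7) == 0)
            rc = add_server(line + 7);
        else if (strncmp(line, "secret=", 7) == 0)
            rc = add_secret(line + 7);
        /* timeout=, debug=, exclude_users= and friends would be handled here */
    }
    free(copy);
    return rc;
}

int server_count(void) { return tac_srv_no; }
const struct tac_srv *server_at(int i) { return &tac_srv[i]; }
```

Parsing tacplus_nss.conf yields server1/key1 and server2/key2 from the included file, then a.b.c.d and b.d.e.f both keyed with "stuff"; with tac_key_no reset on recursion, the included file's secrets would have overwritten slot 0 instead. The self-including loop.conf stops at the ninth level and fails the parse rather than recursing without bound.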
2016-10-06  Fix 32-bit system build error  (Dave Olson)
size_t is only an int on 32 bit ARM, so %ld gives an error. Add a cast.
2016-10-06  Provide getpwnam_r entry point to lookup mapped TACACS+ users  (Dave Olson)
Initial version with NSS lookups for tacacs users using mapping.

Works with modified libpam-tacplus to authenticate TACACS+ users without local passwd entries, mapping them to tacacs0..15 based on TACACS privilege level.

When the /etc/tacplus_servers tacacs config file is mode 600 (normally the case since it has the server "secret" key), lookups will only work for tacacs users that are logged in, via the local mapping. For root, getpwnam lookups will work for any TACACS user known to the servers.

Most syslogs are enabled only if debug is set in the config file.
2016-06-28  Provide getpwnam_r entry point to lookup mapped TACACS+ users  (Dave Olson)
Initial version with NSS lookups for tacacs users using mapping.

Works with modified libpam-tacplus to authenticate TACACS+ users without local passwd entries, mapping them to tacacs0..15 based on TACACS privilege level.

When the /etc/tacplus_servers tacacs config file is mode 600 (normally the case since it has the server "secret" key), lookups will only work for tacacs users that are logged in, via the local mapping. For root, getpwnam lookups will work for any TACACS user known to the servers.

Most syslogs are enabled only if debug is set in the config file.