We weren't removing the tacplus plugin from nsswitch.conf on package remove,
now we do.
Also cleaned up a bit and use \s instead of [ \t] for whitespace.
For postinst, moved into configure case where it belonged.
Updated changelog for recent fixes and bumped version
Get setting from map on whether login was set up to use per-tacacs
user homedir, rather than the homedir from the local tacacsN users.
The mkhomedir_helper program is used in pam_tacplus to create the home
directory (like pam_mkhomedir.so) when a user homedir is requested, but
the home directory does not exist.
The config file setting in this code is not used when using map and the user
is found in map; we then use the setting from the map.
When mapping doesn't exist, then use our own config setting.
user_homedirs is ignored if shell is a restricted shell (as set up by
tacplus-restrict) because we need to honor the per-command
authorization setup in that case.
Updated changelog
Also fixed up the spelling of dev-support
This is done to handle the case where nss_tacplus.so is included in
a long-lived daemon. It's desirable to have long-lived daemons reflect
changes to the configuration, both to enable/disable debugging, and
particularly if the server list or key changes. Clear all read config
variables to defaults when re-parsing.
This is complicated by nested configuration files via the include
directive. At top level, we need to check all the previously used
configuration files to see if any have changed.
This also adds a limit of no more than 8-deep include nesting. In
practice, > 2 is going to be very rare, so it should be OK.
Log a message when we re-initialize (without using debug qualifier).
The hack is to run getpeername on fd 0, because during ssh connections,
it is a socket from the remote host. This is a bit fragile...
Normally fd 0 interactively will be a pty or tty, so getpeername() will fail.
There may be some daemons where fd 0 is a socket, and returns a local or
some other remote IP address, and if so, it could lead to some
confusion, but it shouldn't ever break anything.
I ran with tshark watching the packet exchange, and verified that the
remote address field is set for ssh sessions at the start of the ssh
session, and not when run in other uses. The customer ran a 3.2.1
package with this change, and it resolved their issue.
When management vrf is enabled and vrf is present in the tacacs config,
if we are unable to reach any configured tacacs server, try setting
vrf context on the socket.
Previously libnss-tacplus worked only with ssh@mgmt; now it works with normal
ssh in the mgmt vrf.
Setting via the socket (rather than vrf context) is required so we don't
set the VRF context for arbitrary processes that do uid or username
lookups.
Ticket: CM-13109
This is both for performance and robustness. It also avoids warnings
during bootup when networking isn't yet up.
Also minor improvements to debug messages
Ticket: CM-13049
Reviewed By: olson
Testing Done: tried multiple servers.
Debugging a customer issue was harder than it should be, so add
more debugging on success and invalid user returns from server.
Also try all servers in the list until success, because different
servers can have different databases, so an invalid user return
from one server should not be considered definitive.
size_t is only an int on 32 bit ARM, so %ld gives an error. Add a cast.
Initial version with NSS lookups for tacacs users using mapping
Works with modified libpam-tacplus to authenticate TACACS+ users
without local passwd entries, mapping them to tacacs0..15 based on
TACACS privilege level.
When the /etc/tacplus_servers tacacs config file is mode 600 (normally
the case since it has the server "secret" key), lookups will only work
for tacacs users that are logged in, via the local mapping. For root,
getpwnam lookups will work for any TACACS user known to the servers.
Most syslogs are enabled only if debug is set in the config file.