path: root/tacplus_nss.conf
Age / Commit message / Author

2024-04-29  Import version 1.0.4-cl5.1.0u11 from Cumulus Linux  (Christian Breunig)

2017-05-23  Removed trailing whitespace  (Dave Olson)

2016-11-28  Fixed bug in exclude handling. Added sshd and "*" to exclusion list  (Dave Olson)
    It turns out that I broke the exclusion handling early on. It was only looking up the first entry in the list.

    In debugging this, it turns out that user sshd is also looked up quite frequently for ssh logins, so I added it to the list, so that a round trip to the tacacs server isn't needed when logging in as a local user. There also isn't a need to look the exclusion list user up in the /etc/passwd file, just skip the tacacs lookup.

    Finally, it turns out that bash filename completion can look up username "*" (a single asterisk). Add that to the exclusion list as well.

    The reason for these fixes is primarily for TACACS servers that are down or otherwise unreachable. With these fixes and additions, logging in over ssh with a username in the exclusion list is only slightly affected by unreachable TACACS servers.

    Finally, added a warning to not add TACACS+ secrets to the tacplus_nss.conf config file, since it is world readable.
2016-11-28  Allow timeout parameter to be set  (Dave Olson)
    Ticket: CM-13688
    Reviewed By: nobody
    Testing Done: installed, verify shorter timeouts

    I hadn't implemented timeout for any of the new packages I created. This implements it (and sets timeout=10 in /etc/tacplus_servers). For libnss, we want a shorter timeout, so set it to 5, following the include of tacplus_servers.
2016-10-06  Add ability to skip lookups on list of account names, and minimum UID  (Dave Olson)
    Ticket: CM-13109

    This is both for performance and robustness. It also avoids warnings during bootup when networking isn't yet up.

    Also minor improvements to debug messages.
2016-06-28  Provide getpwnam_r entry point to lookup mapped TACACS+ users  (Dave Olson)
    Initial version with NSS lookups for tacacs users using mapping.

    Works with modified libpam-tacplus to authenticate TACACS+ users without local passwd entries, mapping them to tacacs0..15 based on TACACS privilege level.

    When the /etc/tacplus_servers tacacs config file is mode 600 (normally the case since it has the server "secret" key), lookups will only work for tacacs users that are logged in, via the local mapping. For root, getpwnam lookups will work for any TACACS user known to the servers.

    Most syslogs are enabled only if debug is set in the config file.