From c89b7b895b523d97755dd9b7f01f99636845c00b Mon Sep 17 00:00:00 2001 From: Dave Olson Date: Fri, 7 Oct 2016 16:08:20 -0700 Subject: Updated the README to not include PAM protocols, and add new variables Documented the min_uid and exclude_users config file variables. --- README | 67 +++++++++++++++++++++++++++++++++++------------------------------- 1 file changed, 36 insertions(+), 31 deletions(-) diff --git a/README b/README index 4226ad7..c1d1954 100644 --- a/README +++ b/README @@ -45,40 +45,50 @@ be built and installed (my modified version, not the stock version) to build, and to function. All are performed using TACACS+ protocol [1], designed by Cisco Systems. -This is remote AAA protocol, supported by most Cisco hardware. +This is remote AAA protocol, supported by most Cisco hardware. ~~~~~~~~~~~~~~~~~~~ Recognized options in the configuration file are the same as the command line arguments for libpam_tacplus, but not all pam_tacplus options are supported. -Option Management group Description ---------------- ----------------------- ---------------------------------- -debug ALL output debugging information via - syslog(3); note, that the debugging - is heavy, including passwords! - -secret=STRING ALL can be specified more than once; - secret key used to encrypt/decrypt - packets sent/received from the server +Option Description +--------------- ---------------------------------- +debug output debugging information via + syslog(3); note, that the debugging + is heavy, including passwords! -server=HOSTNAME auth, session can be specified more than once; -server=IP_ADDR adds a TACACS+ server to the servers - list - default is 5 seconds +secret=STRING can be specified more than once; + secret key used to encrypt/decrypt + packets sent/received from the server -login=STRING auth TACACS+ authentication service, - this can be "pap", "chap" or "login" - at the moment. Default is pap. +server=HOSTNAME can be specified more than once; +server=IP_ADDR adds a TACACS+ server to the servers + list + default is 5 seconds -service account, session TACACS+ service for authorization - and accounting +login=STRING TACACS+ authentication service, + this can be "pap", "chap" or "login" + at the moment. Default is pap. -protocol account, session TACACS+ protocol for authorization - and accounting +service TACACS+ service for authorization + and accounting -The last two items are widely described in TACACS+ draft [1]. They are -required by the server, but it will work if they don't match the real -service authorized :) +protocol TACACS+ protocol for authorization + and accounting + +min_uid min_uid is the minimum uid to lookup via tacacs. + Setting this to 0 means uid 0 (root) is never looked up, + good for robustness and performance. + Should not be greater than the local tacacs{0..15} uids + +exclude_users This is a comma separated list of usernames that are never + looked up via tacacs. Should include system users such as + root. + + +The service and protocol items are widely described in TACACS+ draft [1]. +They are required by the server, but it will work if they don't match the +real service authorized :) See tacplus_nss.conf for an example configuration file. @@ -86,7 +96,7 @@ See the libpam_tacplus README for more information on the tacacs protocol, server_lists, etc. On first call, we parse the configuration file (we only try once, -unless it can't be opened, in which case we'll keep trying on +unless it can't be opened, in which case we'll keep trying on every call). We then try to connect to a tacacs server. After connecting we ask if the user is known (we send an authorization @@ -111,18 +121,13 @@ get SIGPIPE. Limitations: ~~~~~~~~~~~~ -Many of them for now :) - - * only subset of TACACS+ protocol is supported; it's enough for - most need, though - This libnss_tacplus plugin has only been compiled and tested on debian wheezy and jessie at this writing. The FreeBSD NSS interface is somewhat different, and will require porting. This plugin has only been tested with the unmodified linux tacacs+ server so far (using the debian wheezy package) - + References: ~~~~~~~~~~~ -- cgit v1.2.3 From 2f51096c0765e52afd109ea81f6fa0fe1b35cb61 Mon Sep 17 00:00:00 2001 From: Dave Olson Date: Fri, 21 Oct 2016 16:01:03 -0700 Subject: Updated COPYING, corrected copyrights --- COPYING | 548 +++++++++++++++++++++++-------------------------------- debian/copyright | 5 +- nss_tacplus.c | 2 +- nss_tacplus.h | 2 +- 4 files changed, 236 insertions(+), 321 deletions(-) diff --git a/COPYING b/COPYING index 86cf81a..a6e2fea 100644 --- a/COPYING +++ b/COPYING @@ -1,341 +1,255 @@ - - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 675 Mass Ave, Cambridge, MA 02139, USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Library General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. - - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. (Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium +GNU GENERAL PUBLIC LICENSE + +Version 2, June 1991 + +Copyright (C) 1989, 1991 Free Software Foundation, Inc. +51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + +Everyone is permitted to copy and distribute verbatim copies +of this license document, but changing it is not allowed. + +Preamble + +The licenses for most software are designed to take away your freedom to share and +change it. By contrast, the GNU General Public License is intended to guarantee your +freedom to share and change free software--to make sure the software is free for all +its users. This General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to using it. +(Some other Free Software Foundation software is covered by the GNU Lesser General +Public License instead.) You can apply it to your programs, too. + +When we speak of free software, we are referring to freedom, not price. Our General +Public Licenses are designed to make sure that you have the freedom to distribute +copies of free software (and charge for this service if you wish), that you receive +source code or can get it if you want it, that you can change the software or use +pieces of it in new free programs; and that you know you can do these things. + +To protect your rights, we need to make restrictions that forbid anyone to deny you +these rights or to ask you to surrender the rights. These restrictions translate to +certain responsibilities for you if you distribute copies of the software, or if you +modify it. + +For example, if you distribute copies of such a program, whether gratis or for a +fee, you must give the recipients all the rights that you have. You must make sure +that they, too, receive or can get the source code. And you must show them these +terms so they know their rights. + +We protect your rights with two steps: (1) copyright the software, and (2) offer you +this license which gives you legal permission to copy, distribute and/or modify the +software. + +Also, for each author's protection and ours, we want to make certain that everyone +understands that there is no warranty for this free software. If the software is +modified by someone else and passed on, we want its recipients to know that what +they have is not the original, so that any problems introduced by others will not +reflect on the original authors' reputations. + +Finally, any free program is threatened constantly by software patents. We wish to +avoid the danger that redistributors of a free program will individually obtain +patent licenses, in effect making the program proprietary. To prevent this, we have +made it clear that any patent must be licensed for everyone's free use or not +licensed at all. + +The precise terms and conditions for copying, distribution and modification follow. + +TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + +0. This License applies to any program or other work which contains a notice placed +by the copyright holder saying it may be distributed under the terms of this General +Public License. The "Program", below, refers to any such program or work, and a +"work based on the Program" means either the Program or any derivative work under +copyright law: that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another language. +(Hereinafter, translation is included without limitation in the term +"modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not covered by this +License; they are outside its scope. The act of running the Program is not +restricted, and the output from the Program is covered only if its contents +constitute a work based on the Program (independent of having been made by running +the Program). Whether that is true depends on what the Program does. + +1. You may copy and distribute verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and appropriately publish +on each copy an appropriate copyright notice and disclaimer of warranty; keep intact +all the notices that refer to this License and to the absence of any warranty; and +give any other recipients of the Program a copy of this License along with the +Program. + +You may charge a fee for the physical act of transferring a copy, and you may at +your option offer warranty protection in exchange for a fee. + +2. You may modify your copy or copies of the Program or any portion of it, thus +forming a work based on the Program, and copy and distribute such modifications or +work under the terms of Section 1 above, provided that you also meet all of these +conditions: + + a) You must cause the modified files to carry prominent notices stating that you + changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in whole or in + part contains or is derived from the Program or any part thereof, to be licensed + as a whole at no charge to all third parties under the terms of this License. + + c) If the modified program normally reads commands interactively when run, you + must cause it, when started running for such interactive use in the most + ordinary way, to print or display an announcement including an appropriate + copyright notice and a notice that there is no warranty (or else, saying that + you provide a warranty) and that users may redistribute the program under these + conditions, and telling the user how to view a copy of this License. (Exception: + if the Program itself is interactive but does not normally print such an + announcement, your work based on the Program is not required to print an + announcement.) + +These requirements apply to the modified work as a whole. If identifiable sections +of that work are not derived from the Program, and can be reasonably considered +independent and separate works in themselves, then this License, and its terms, do +not apply to those sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based on the +Program, the distribution of the whole must be on the terms of this License, whose +permissions for other licensees extend to the entire whole, and thus to each and +every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest your rights to +work written entirely by you; rather, the intent is to exercise the right to control +the distribution of derivative or collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program with the +Program (or with a work based on the Program) on a volume of a storage or +distribution medium does not bring the other work under the scope of this License. + +3. You may copy and distribute the Program (or a work based on it, under Section 2) +in object code or executable form under the terms of Sections 1 and 2 above provided +that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable source code, + which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. - -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. If, as a consequence of a court judgment or allegation of patent + b) Accompany it with a written offer, valid for at least three years, to give + any third party, for a charge no more than your cost of physically performing + source distribution, a complete machine-readable copy of the corresponding + source code, to be distributed under the terms of Sections 1 and 2 above on a + medium customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer to distribute + corresponding source code. (This alternative is allowed only for noncommercial + distribution and only if you received the program in object code or executable + form with such an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for making +modifications to it. For an executable work, complete source code means all the +source code for all modules it contains, plus any associated interface definition +files, plus the scripts used to control compilation and installation of the +executable. However, as a special exception, the source code distributed need not +include anything that is normally distributed (in either source or binary form) with +the major components (compiler, kernel, and so on) of the operating system on which +the executable runs, unless that component itself accompanies the executable. + +If distribution of executable or object code is made by offering access to copy from +a designated place, then offering equivalent access to copy the source code from the +same place counts as distribution of the source code, even though third parties are +not compelled to copy the source along with the object code. + +4. You may not copy, modify, sublicense, or distribute the Program except as +expressly provided under this License. Any attempt otherwise to copy, +modify, sublicense or distribute the Program is void, and will automatically +terminate your rights under this License. However, parties who have received +copies, or rights, from you under this License will not have their licenses +terminated so long as such parties remain in full compliance. + +5. You are not required to accept this License, since you have not signed +it. However, nothing else grants you permission to modify or distribute the +Program or its derivative works. These actions are prohibited by law if you +do not accept this License. Therefore, by modifying or distributing the +Program (or any work based on the Program), you indicate your acceptance of +this License to do so, and all its terms and conditions for copying, +distributing or modifying the Program or works based on it. + +6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the original +licensor to copy, distribute or modify the Program subject to these terms +and conditions. You may not impose any further restrictions on the +recipients' exercise of the rights granted herein. You are not responsible +for enforcing compliance by third parties to this License. + +7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to +excuse you from the conditions of this License. If you cannot distribute so +as to satisfy simultaneously your obligations under this License and any +other pertinent obligations, then as a consequence you may not distribute +the Program at all. For example, if a patent license would not permit +royalty-free redistribution of the Program by all those who receive copies +directly or indirectly through you, then the only way you could satisfy both +it and this License would be to refrain entirely from distribution of the +Program. + +If any portion of this section is held invalid or unenforceable under any +particular circumstance, the balance of the section is intended to apply and +the section as a whole is intended to apply in other circumstances. + +It is not the purpose of this section to induce you to infringe any patents +or other property right claims or to contest validity of any such claims; +this section has the sole purpose of protecting the integrity of the free +software distribution system, which is implemented by public license +practices. Many people have made generous contributions to the wide range of +software distributed through that system in reliance on consistent +application of that system; it is up to the author/donor to decide if he or +she is willing to distribute software through any other system and a +licensee cannot impose that choice. + +This section is intended to make thoroughly clear what is believed to be a +consequence of the rest of this License. + +8. If the distribution and/or use of the Program is restricted in certain +countries either by patents or by copyrighted interfaces, the original +copyright holder who places the Program under this License may add an +explicit geographical distribution limitation excluding those countries, so +that distribution is permitted only in or among countries not thus excluded. +In such case, this License incorporates the limitation as if written in the +body of this License. + +9. The Free Software Foundation may publish revised and/or new versions of +the General Public License from time to time. Such new versions will be +similar in spirit to the present version, but may differ in detail to address new problems or concerns. -Each version is given a distinguishing version number. If the Program +Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of +Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. +10. If you wish to incorporate parts of the Program into other free programs +whose distribution conditions are different, write to the author to ask for +permission. For software which is copyrighted by the Free Software +Foundation, write to the Free Software Foundation; we sometimes make +exceptions for this. Our decision will be guided by the two goals of +preserving the free status of all derivatives of our free software and of +promoting the sharing and reuse of software generally. - NO WARRANTY +NO WARRANTY - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR +THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO +THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM +PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR +CORRECTION. - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO +LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR +THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - - Appendix: How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) 19yy - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - -Also add information on how to contact you by electronic and paper mail. - -If the program is interactive, make it output a short notice like this -when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) 19yy name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, the commands you use may -be called something other than `show w' and `show c'; they could even be -mouse-clicks or menu items--whatever suits your program. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the program, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the program - `Gnomovision' (which makes passes at compilers) written by James Hacker. - - , 1 April 1989 - Ty Coon, President of Vice - -This General Public License does not permit incorporating your program into -proprietary programs. If your program is a subroutine library, you may -consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Library General -Public License instead of this License. - diff --git a/debian/copyright b/debian/copyright index 0cca9f3..48bfa52 100644 --- a/debian/copyright +++ b/debian/copyright @@ -3,8 +3,9 @@ Upstream-Name: libnss-tacplus Source: http://www.cumulusnetworks.com Files: * -Copyright: 2010 Pawel Krawczyk and Jeroen Nijhof , - 2015, 2016 Cumulus Networks, Inc. +Copyright: 2015, 2016 Cumulus Networks, Inc.. All rights reserved., + 2010 Pawel Krawczyk and Jeroen Nijhof + License: GPL-2+ This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/nss_tacplus.c b/nss_tacplus.c index 9359942..4d48c97 100644 --- a/nss_tacplus.c +++ b/nss_tacplus.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014, 2015, 2016 Cumulus Networks, Inc + * Copyright (C) 2014, 2015, 2016 Cumulus Networks, Inc. All rights reserved. * Author: Dave Olson * * This program is free software; you can redistribute it and/or modify diff --git a/nss_tacplus.h b/nss_tacplus.h index 57c985f..72a1fb1 100644 --- a/nss_tacplus.h +++ b/nss_tacplus.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014, 2015, 2016 Cumulus Networks, Inc + * Copyright (C) 2014, 2015, 2016 Cumulus Networks, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by -- cgit v1.2.3 From 6d7873c35aa6d738e9b9f4abb30e66b50e7652b5 Mon Sep 17 00:00:00 2001 From: Dave Olson Date: Wed, 26 Oct 2016 13:19:58 -0700 Subject: Fixed a LOG_DEBUG message to be protected by if (debug) --- nss_tacplus.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nss_tacplus.c b/nss_tacplus.c index 4d48c97..b82613e 100644 --- a/nss_tacplus.c +++ b/nss_tacplus.c @@ -506,7 +506,8 @@ lookup_tacacs_user(struct pwbuf *pb) user = strtok(list, ","); list = NULL; while (user && !strcmp(user, pb->name)) { - syslog(LOG_DEBUG, "%s: check user=(%s)", nssname, user); + if(debug) + syslog(LOG_DEBUG, "%s: check user=(%s)", nssname, user); if ((islocal = lookup_local(user, 0))) { if (debug) syslog(LOG_DEBUG, "%s: exclude_users match (%s)," -- cgit v1.2.3 From f38818cdcec8f1f4b0ded6d74d49835d10d3e24e Mon Sep 17 00:00:00 2001 From: Dave Olson Date: Wed, 26 Oct 2016 14:51:53 -0700 Subject: Fixed trailing line whitespace issues --- debian/copyright | 1 - nss_tacplus.c | 29 ++++++++++++++--------------- nss_tacplus.h | 2 +- 3 files changed, 15 insertions(+), 17 deletions(-) diff --git a/debian/copyright b/debian/copyright index 48bfa52..6d103c9 100644 --- a/debian/copyright +++ b/debian/copyright @@ -5,7 +5,6 @@ Source: http://www.cumulusnetworks.com Files: * Copyright: 2015, 2016 Cumulus Networks, Inc.. All rights reserved., 2010 Pawel Krawczyk and Jeroen Nijhof - License: GPL-2+ This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/nss_tacplus.c b/nss_tacplus.c index b82613e..4c62a82 100644 --- a/nss_tacplus.c +++ b/nss_tacplus.c @@ -1,7 +1,7 @@ /* * Copyright (C) 2014, 2015, 2016 Cumulus Networks, Inc. All rights reserved. * Author: Dave Olson - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or @@ -85,7 +85,7 @@ static int nss_tacplus_config(int *errnop, const char *cfile, int top) *errnop = errno; if(!conf_parsed && debug) /* debug because privileges may not allow */ syslog(LOG_DEBUG, "%s: can't open config file %s: %m", - nssname, cfile); + nssname, cfile); goto err; } @@ -101,7 +101,7 @@ static int nss_tacplus_config(int *errnop, const char *cfile, int top) if(lbuf[8]) /* else treat as empty config, ignoring errors */ (void)nss_tacplus_config(errnop, &lbuf[8], top+1); } - else if(!strncmp(lbuf, "debug=", 6)) + else if(!strncmp(lbuf, "debug=", 6)) debug = strtoul(lbuf+6, NULL, 0); /* * This next group is here to prevent a warning in the @@ -123,7 +123,7 @@ static int nss_tacplus_config(int *errnop, const char *cfile, int top) } } else if(!strncmp(lbuf, "exclude_users=", 14)) { - /* + /* * Don't lookup users in this comma-separated list for both * robustness and performnce. Typically root and other commonly * used local users. If set, we also look up the uids @@ -228,7 +228,7 @@ pwcopy(char *buf, size_t len, struct passwd *srcpw, struct passwd *destpw, if(!usename) usename = srcpw->pw_name; - needlen = usename ? strlen(usename) + 1 : 1 + + needlen = usename ? strlen(usename) + 1 : 1 + srcpw->pw_dir ? strlen(srcpw->pw_dir) + 1 : 1 + srcpw->pw_gecos ? strlen(srcpw->pw_gecos) + 1 : 1 + srcpw->pw_shell ? strlen(srcpw->pw_shell) + 1 : 1 + @@ -396,7 +396,7 @@ find_pw_user(const char *logname, const char *tacuser, struct pwbuf *pb) * We could optimize this for programs that do lots of lookups by leaving * the passwd file open and rewinding, but it doesn't seem worthwhile. */ -static bool +static bool lookup_local(char *name, uid_t uid) { FILE *pwfile; @@ -504,7 +504,7 @@ lookup_tacacs_user(struct pwbuf *pb) if (list) { bool islocal = 0; user = strtok(list, ","); - list = NULL; + list = NULL; while (user && !strcmp(user, pb->name)) { if(debug) syslog(LOG_DEBUG, "%s: check user=(%s)", nssname, user); @@ -555,7 +555,7 @@ lookup_tacacs_user(struct pwbuf *pb) tac_ntop(tac_srv[srvr].addr->ai_addr), ret, pb->name); } - tac_free_attrib(&attr); + tac_free_attrib(&attr); close(tac_fd); if(ret < 0) continue; @@ -565,7 +565,7 @@ lookup_tacacs_user(struct pwbuf *pb) ret = got_tacacs_user(arep.attr, pb); if(debug) syslog(LOG_DEBUG, "%s: TACACS+ server %s successful for user %s." - " local lookup %s", nssname, + " local lookup %s", nssname, tac_ntop(tac_srv[srvr].addr->ai_addr), pb->name, ret?"OK":"no match"); done = 1; /* break out of loop after arep cleanup */ @@ -574,7 +574,7 @@ lookup_tacacs_user(struct pwbuf *pb) ret = 1; /* in case last server */ if(debug) syslog(LOG_DEBUG, "%s: TACACS+ server %s replies user %s" - " invalid (%d)", nssname, + " invalid (%d)", nssname, tac_ntop(tac_srv[srvr].addr->ai_addr), pb->name, arep.status); } @@ -583,7 +583,7 @@ lookup_tacacs_user(struct pwbuf *pb) if(arep.attr) /* free returned attributes */ tac_free_attrib(&arep.attr); } - + return ret < 0? 1 : ret; } @@ -601,14 +601,14 @@ lookup_mapped_uid(struct pwbuf *pb, uid_t uid, uid_t auid, int session) } /* - * This is an NSS entry point. + * This is an NSS entry point. * We implement getpwnam(), because we remap from the tacacs login * to the local tacacs0 ... tacacs15 users for all other info, and so * the normal order of "passwd tacplus" (possibly with ldap or anything * else prior to tacplus) will mean we only get used when there isn't * a local user to be found. * - * We try the lookup to the tacacs server first. If we can't make a + * We try the lookup to the tacacs server first. If we can't make a * connection to the server for some reason, we also try looking up * the account name via the mapping file, primarily to handle cases * where we aren't running with privileges to read the tacacs configuration @@ -657,14 +657,13 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw, char *mapname = lookup_mapname(name, -1, -1, NULL); if(mapname != name && !find_pw_user(name, mapname, &pbuf)) status = NSS_STATUS_SUCCESS; - } } return status; } /* - * This is an NSS entry point. + * This is an NSS entry point. * We implement getpwuid(), for anything that wants to get the original * login name from the uid. * If it matches an entry in the map, we use that data to replace diff --git a/nss_tacplus.h b/nss_tacplus.h index 72a1fb1..25e73e7 100644 --- a/nss_tacplus.h +++ b/nss_tacplus.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2014, 2015, 2016 Cumulus Networks, Inc. All rights reserved. - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or -- cgit v1.2.3 From b2cad0cf995560ea689be75d149e0fa030e2fe35 Mon Sep 17 00:00:00 2001 From: Dave Olson Date: Mon, 31 Oct 2016 13:04:42 -0700 Subject: Fixed copyright punctuation error --- debian/copyright | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/copyright b/debian/copyright index 6d103c9..9b1b34a 100644 --- a/debian/copyright +++ b/debian/copyright @@ -3,7 +3,7 @@ Upstream-Name: libnss-tacplus Source: http://www.cumulusnetworks.com Files: * -Copyright: 2015, 2016 Cumulus Networks, Inc.. All rights reserved., +Copyright: 2015, 2016 Cumulus Networks, Inc. All rights reserved., 2010 Pawel Krawczyk and Jeroen Nijhof License: GPL-2+ This package is free software; you can redistribute it and/or modify -- cgit v1.2.3 From 8409b03ca1a70d2f42e4c4119ff547be595c002e Mon Sep 17 00:00:00 2001 From: Dave Olson Date: Fri, 18 Nov 2016 10:09:16 -0800 Subject: corrected the FSF zipcode --- COPYING | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/COPYING b/COPYING index a6e2fea..18f56e4 100644 --- a/COPYING +++ b/COPYING @@ -3,7 +3,7 @@ GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. -51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA +51 Franklin Street, Fifth Floor, Boston, MA 02110-1355, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. -- cgit v1.2.3 From c445659773c3a257b49b123c442a53bd79a1b212 Mon Sep 17 00:00:00 2001 From: Dave Olson Date: Fri, 18 Nov 2016 15:24:43 -0800 Subject: Handle case of secret parameter listed after multiple servers Fixed this case: server=a.b.c.d server=b.d.e.f secret=stuff libpam-tacplus handled, but my code didn't. --- nss_tacplus.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/nss_tacplus.c b/nss_tacplus.c index 4c62a82..5b0766a 100644 --- a/nss_tacplus.c +++ b/nss_tacplus.c @@ -113,6 +113,7 @@ static int nss_tacplus_config(int *errnop, const char *cfile, int top) !strncmp(lbuf, "login=", 6)) ; else if(!strncmp(lbuf, "secret=", 7)) { + int i; /* no need to complain if too many on this one */ if(tac_key_no < TAC_PLUS_MAXSERVERS) { if((tac_srv[tac_key_no].key = strdup(lbuf+7))) @@ -121,6 +122,13 @@ static int nss_tacplus_config(int *errnop, const char *cfile, int top) syslog(LOG_ERR, "%s: unable to copy server secret %s", nssname, lbuf+7); } + /* handle case where 'secret=' was given after a 'server=' + * parameter, fill in the current secret */ + for(i = tac_srv_no-1; i >= 0; i--) { + if (tac_srv[i].key) + continue; + tac_srv[i].key = strdup(lbuf+7); + } } else if(!strncmp(lbuf, "exclude_users=", 14)) { /* -- cgit v1.2.3 From 7b7527f564fc74b11b1aa30f1460dedbc1886183 Mon Sep 17 00:00:00 2001 From: Dave Olson Date: Wed, 23 Nov 2016 15:44:14 -0800 Subject: Missed handling a secret/server ordering secret=key1 secret=key2 server=server1 server=server2 Should result in pairing server1/key1 server2/key2. That case didn't work --- nss_tacplus.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nss_tacplus.c b/nss_tacplus.c index 5b0766a..0119343 100644 --- a/nss_tacplus.c +++ b/nss_tacplus.c @@ -173,8 +173,8 @@ static int nss_tacplus_config(int *errnop, const char *cfile, int top) tac_srv_no < TAC_PLUS_MAXSERVERS; server = server->ai_next) { tac_srv[tac_srv_no].addr = server; - if(tac_key_no && tac_srv_no != (tac_key_no-1)) - /* use current key if set, and not the same index */ + /* use current key, if our index not yet set */ + if(tac_key_no && !tac_srv[tac_srv_no].key) tac_srv[tac_srv_no].key = tac_srv[tac_key_no-1].key; tac_srv_no++; } -- cgit v1.2.3 From 7527132991d6e18e10bf1238ed05c31e2d9f2309 Mon Sep 17 00:00:00 2001 From: Dave Olson Date: Mon, 21 Nov 2016 18:14:26 -0800 Subject: Allow timeout parameter to be set Ticket: CM-13688 Reviewed By: nobody Testing Done: installed, verify shorter timeouts I hadn't implemented timeout for any of the new packages I created. This implements it (and sets timeout=10 in /etc/tacplus_servers) For libnss, we want a shorter timeout, so set it to 5, following the include of tacplus_servers. --- nss_tacplus.c | 7 +++++++ tacplus_nss.conf | 10 ++++++++++ 2 files changed, 17 insertions(+) diff --git a/nss_tacplus.c b/nss_tacplus.c index 0119343..cdc2c47 100644 --- a/nss_tacplus.c +++ b/nss_tacplus.c @@ -103,6 +103,13 @@ static int nss_tacplus_config(int *errnop, const char *cfile, int top) } else if(!strncmp(lbuf, "debug=", 6)) debug = strtoul(lbuf+6, NULL, 0); + else if (!strncmp (lbuf, "timeout=", 8)) { + tac_timeout = (int)strtoul(lbuf+8, NULL, 0); + if (tac_timeout < 0) /* explict neg values disable poll() use */ + tac_timeout = 0; + else /* poll() only used if timeout is explictly set */ + tac_readtimeout_enable = 1; + } /* * This next group is here to prevent a warning in the * final "else" case. We don't need them, but if there diff --git a/tacplus_nss.conf b/tacplus_nss.conf index f5c5f33..50d639b 100644 --- a/tacplus_nss.conf +++ b/tacplus_nss.conf @@ -39,6 +39,16 @@ exclude_users=root,cumulus,quagga,ntp # including the IP address and shared secret include=/etc/tacplus_servers +# The connection timeout for an NSS library should be short, since it is +# invoked for many programs and daemons, and a failure is usually not +# catastrophic. Not set or set to a negative value disables use of poll(). +# This follows the include of tacplus_servers, so it can override any +# timeout value set in that file. +# It's important to have this set in this file, even if the same value +# as in tacplus_servers, since tacplus_servers should not be readable +# by users other than root. +timeout=5 + # The server IP address can be optionally followed by a ':' and a port # number (server=1.1.1.1:49). #secret=SECRET1 -- cgit v1.2.3 From 82319a93827de875b75bb1dfda9f9d995fd844f5 Mon Sep 17 00:00:00 2001 From: Dave Olson Date: Sat, 26 Nov 2016 16:02:10 -0800 Subject: Fixed bug in exclude handling. Added sshd and "*" to exclusion list It turns out that I broke the exclusion handling early on. It was only looking up the first entry in the list. In debugging this, it turns out that user sshd is also looked up quite frequently for ssh logins, so added it to the list, so that a round trip to the tacacs server isn't needed when logging in as a local user. There also isn't a need to look the exclusion list user up in the /etc/passwd file, just skip the tacacs lookup. Finally, it turns out that bash filename completion can lookup username "*" (a single asterisk). Add that to the exclusion list as well. The reason for these fixes is primarily for TACACS servers that are down or otherwise unreachable. With these fixes and additions, logging in over ssh with a username in the exclusion list is only slightly affected by unreachable TACACS servers. Finally, added a warning to not add TACACS+ secrets to the tacplus_nss.conf config file, since it is world readable. --- nss_tacplus.c | 43 ++++++------------------------------------- tacplus_nss.conf | 34 +++++++++++++++------------------- 2 files changed, 21 insertions(+), 56 deletions(-) diff --git a/nss_tacplus.c b/nss_tacplus.c index cdc2c47..75cbdb7 100644 --- a/nss_tacplus.c +++ b/nss_tacplus.c @@ -404,34 +404,6 @@ find_pw_user(const char *logname, const char *tacuser, struct pwbuf *pb) return ret; } -/* - * Similar to the functions above, but used for the exlusion list. - * to exclude explict users like root, or specific UIDs (if name == NULL) - * No warnings, since it's primarily for performance. - * We could optimize this for programs that do lots of lookups by leaving - * the passwd file open and rewinding, but it doesn't seem worthwhile. - */ -static bool -lookup_local(char *name, uid_t uid) -{ - FILE *pwfile; - struct passwd *ent; - bool ret = 0; - pwfile = fopen("/etc/passwd", "r"); - - if(!pwfile) - return 0; - - while(!ret && (ent = fgetpwent(pwfile))) { - if(!ent->pw_name) - continue; /* shouldn't happen */ - if((name && !strcmp(ent->pw_name, name)) || uid == ent->pw_uid) - ret = 1; - } - fclose(pwfile); - return ret; -} - /* * we got the user back. Go through the attributes, find their privilege * level, map to the local user, fill in the data, etc. @@ -517,19 +489,16 @@ lookup_tacacs_user(struct pwbuf *pb) char *user, *list; list = strdup(exclude_users); if (list) { + static const char *delim = ", \t\n"; bool islocal = 0; - user = strtok(list, ","); + user = strtok(list, delim); list = NULL; - while (user && !strcmp(user, pb->name)) { - if(debug) - syslog(LOG_DEBUG, "%s: check user=(%s)", nssname, user); - if ((islocal = lookup_local(user, 0))) { - if (debug) - syslog(LOG_DEBUG, "%s: exclude_users match (%s)," - " no lookup", nssname, user); + while (user) { + if(!strcmp(user, pb->name)) { + islocal = 1; break; } - user = strtok(list, ","); + user = strtok(NULL, delim); } free(list); if (islocal) diff --git a/tacplus_nss.conf b/tacplus_nss.conf index 50d639b..502a037 100644 --- a/tacplus_nss.conf +++ b/tacplus_nss.conf @@ -4,15 +4,7 @@ # where tacplus precede compat (or files), and depending on local policy can # follow or precede ldap, nis, etc. # passwd: tacplus compat -# The server keyword should follow the secret keyword, and may be -# given fewer times than the server keyword, if all servers have the same -# shared secret. -# is matched up with first secret line, etc. You can use any of the -# following orders, or most other orders you can think of. There must be at -# least as many secret lines as there are server lines. This file should be -# kept as permisions 644, owned by root, since it must be readable by arbitrary -# processes, even though the secret for the TACACS+ server is present as clear -# text. +# # Servers are tried in the order listed, and once a server # replies, no other servers are attempted in a given process instantiation # @@ -31,14 +23,25 @@ # than the local tacacs{0..15} uids min_uid=1001 -# This is a comma separated list of usernames that we never lookup via tacacs -# Cumulus Linux ships with our standard users in the list. -exclude_users=root,cumulus,quagga,ntp +# This is a comma separated list of usernames that are never sent to +# a tacacs server, they cause an early not found return. +# +# "*" is not a wild card. While it's not a legal username, it turns out +# that during pathname completion, bash can do an NSS lookup on "*" +# To avoid server round trip delays, or worse, unreachable server delays +# on filename completion, we include "*" in the exclusion list. +exclude_users=root,cumulus,quagga,sshd,ntp,* # The include keyword allows centralizing the tacacs+ server information # including the IP address and shared secret include=/etc/tacplus_servers +# The server IP address can be optionally followed by a ':' and a port +# number (server=1.1.1.1:49). It is strongly recommended that you NOT +# add secret keys to this file, because it is world readable. +#secret=SECRET1 +#server=1.1.1.1 + # The connection timeout for an NSS library should be short, since it is # invoked for many programs and daemons, and a failure is usually not # catastrophic. Not set or set to a negative value disables use of poll(). @@ -48,10 +51,3 @@ include=/etc/tacplus_servers # as in tacplus_servers, since tacplus_servers should not be readable # by users other than root. timeout=5 - -# The server IP address can be optionally followed by a ':' and a port -# number (server=1.1.1.1:49). -#secret=SECRET1 -#server=1.1.1.1 -#secret=SECRET2 -#server=1.1.1.2 -- cgit v1.2.3 From 490882de7069623f427663340b27c77b97fecd40 Mon Sep 17 00:00:00 2001 From: Dave Olson Date: Tue, 29 Nov 2016 17:01:03 -0800 Subject: Updated changelog --- debian/changelog | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/debian/changelog b/debian/changelog index d6199b2..ad8a1e1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,17 @@ +libnss-tacplus (1.0.2) unstable; urgency=low + * added config variable "timeout" to limit time attempting to + connect to non-responding TACACS server. + * added config variable "exclude_users" in /etc/tacplus_nss + to avoid looking up "local" user accounts via TACACS servers. This + improves overall system performance for local users, and avoids significant + delays when a TACACS server is unreachable. + * Fixed issues with ordering of multiple servers and secrets in config files. + libraries can connect to a TACACS+ server without being tacacs aware. + * Improved debugging messages. + * Minor corrections to Copyright and licensing + + -- Dave Olson Tue, 29 Nov 2016 16:55:16 -0800 + libnss-tacplus (1.0.2-1) unstable; urgency=low * Improve debugging on server connections, and always try all -- cgit v1.2.3 From 52aa2d434ed03f0a386eb3bb6a12cb83b0c005c6 Mon Sep 17 00:00:00 2001 From: Dave Olson Date: Tue, 7 Mar 2017 12:59:42 -0800 Subject: Add support for mgmt vrf When management vrf is enabled and vrf is present in the tacacs config, if we are unable to reach any configured tacacs server, try setting vrf context on the socket. Previously libnss-tacplus worked only with ssh@mgmt, now works with normal ssh in mgmt vrf Setting via the socket (rather than vrf context) is required so we don't set the VRF context for arbitrary processes that do uid or username lookups. --- debian/changelog | 3 ++- debian/control | 7 +++++-- nss_tacplus.c | 7 +++++-- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/debian/changelog b/debian/changelog index ad8a1e1..fefa524 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,8 +9,9 @@ libnss-tacplus (1.0.2) unstable; urgency=low libraries can connect to a TACACS+ server without being tacacs aware. * Improved debugging messages. * Minor corrections to Copyright and licensing + * Added vrf config variable, so NSS lookups work correctly$ - -- Dave Olson Tue, 29 Nov 2016 16:55:16 -0800 + -- Dave Olson Tue, 07 Mar 2017 12:58:03 -0800 libnss-tacplus (1.0.2-1) unstable; urgency=low diff --git a/debian/control b/debian/control index 3d95156..ea65d0b 100644 --- a/debian/control +++ b/debian/control @@ -1,14 +1,17 @@ Source: libnss-tacplus Priority: optional Maintainer: Dave Olson -Build-Depends: debhelper (>= 9), autotools-dev, libtac-dev, libtacplus-map-dev, libaudit-dev, autoconf, libpam-tacplus-dev, dpkg-dev (>= 1.16.1) +Build-Depends: debhelper (>= 9), autotools-dev, libtac-dev (>= 1.4.1~), + libtacplus-map-dev, libaudit-dev, autoconf, libpam-tacplus-dev, + dpkg-dev (>= 1.16.1), git Section: libs Standards-Version: 3.9.6 Homepage: http://www.cumulusnetworks.com Package: libnss-tacplus Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, libtac2, libtacplus-map1, libaudit1 +Depends: ${shlibs:Depends}, ${misc:Depends}, libtac2 (>= 1.4.1~), + libtacplus-map1, libaudit1 Description: NSS module for TACACS+ authentication without local passwd entry Performs getpwname and getpwuid lookups via NSS for users logged in via tacacs authentication, and mapping done with libtacplus_map diff --git a/nss_tacplus.c b/nss_tacplus.c index 75cbdb7..635327a 100644 --- a/nss_tacplus.c +++ b/nss_tacplus.c @@ -67,6 +67,7 @@ static tacplus_server_t tac_srv[TAC_PLUS_MAXSERVERS]; static int tac_srv_no, tac_key_no; static char tac_service[] = "shell"; static char tac_protocol[] = "ssh"; +static char vrfname[64]; static char *exclude_users; static uid_t min_uid = ~0U; /* largest possible */ static int debug; @@ -157,6 +158,8 @@ static int nss_tacplus_config(int *errnop, const char *cfile, int top) if (valid > (lbuf+8)) min_uid = (uid_t)uid; } + else if(!strncmp(lbuf, "vrf=", 4)) + strncpy(vrfname, lbuf + 4, sizeof(vrfname)); else if(!strncmp(lbuf, "server=", 7)) { if(tac_srv_no < TAC_PLUS_MAXSERVERS) { struct addrinfo hints, *servers, *server; @@ -454,7 +457,8 @@ connect_tacacs(struct tac_attrib **attr, int srvr) if(!*tac_service) /* reported at config file processing */ return -1; - fd = tac_connect_single(tac_srv[srvr].addr, tac_srv[srvr].key, NULL); + fd = tac_connect_single(tac_srv[srvr].addr, tac_srv[srvr].key, NULL, + vrfname[0]?vrfname:NULL); if(fd >= 0) { *attr = NULL; /* so tac_add_attr() allocates memory */ tac_add_attrib(attr, "service", tac_service); @@ -505,7 +509,6 @@ lookup_tacacs_user(struct pwbuf *pb) return 2; } } - for(srvr=0; srvr < tac_srv_no && !done; srvr++) { arep.msg = NULL; arep.attr = NULL; -- cgit v1.2.3 From 1e18c99eada15bb8efa0ecf0c6600d358f11b48e Mon Sep 17 00:00:00 2001 From: Dave Olson Date: Fri, 10 Mar 2017 10:23:19 -0800 Subject: Don't print debug servers list unless we do tacacs lookup Unlike most of the other tacacs client code, we run as part of many processes, and because of min_uid, and mapped user lookups, often don't actually make a tacacs connection. So don't log the debug message showing the servers, unless we are actually going to do the tacacs lookup. This significantly reduces noise messages in syslog from local user lookups. Only print 'uid N < min_uid' if debug > 1, since it can occur so frequently, and isn't as useful as some other debug messages. Also some minor cleanup while looking for possible incorrect closes. --- nss_tacplus.c | 56 +++++++++++++++++++++++++++++++++----------------------- 1 file changed, 33 insertions(+), 23 deletions(-) diff --git a/nss_tacplus.c b/nss_tacplus.c index 635327a..4fa652e 100644 --- a/nss_tacplus.c +++ b/nss_tacplus.c @@ -87,7 +87,7 @@ static int nss_tacplus_config(int *errnop, const char *cfile, int top) if(!conf_parsed && debug) /* debug because privileges may not allow */ syslog(LOG_DEBUG, "%s: can't open config file %s: %m", nssname, cfile); - goto err; + return 1; } while(fgets(lbuf, sizeof lbuf, conf)) { @@ -206,28 +206,36 @@ static int nss_tacplus_config(int *errnop, const char *cfile, int top) } fclose(conf); - if(top == 1) { - int n; - if(tac_srv_no == 0 && debug) - syslog(LOG_DEBUG, "%s:%s: no TACACS %s in config (or no perm)," - " giving up", - nssname, __FUNCTION__, tac_srv_no ? "service" : - (*tac_service ? "server" : "service and no server")); - - for(n = 0; debug && n < tac_srv_no; n++) - syslog(LOG_DEBUG, "%s: server[%d] { addr=%s, key='%s' }", nssname, - n, tac_srv[n].addr ? tac_ntop(tac_srv[n].addr->ai_addr) - : "unknown", tac_srv[n].key); - } return 0; - -err: - if(conf) - fclose(conf); - return 1; } +/* + * Separate function so we can print first time we try to connect, + * rather than during config. + * Don't print at config, because often the uid lookup is one we + * skip due to min_uid, so no reason to clutter the log. + */ +static void print_servers(void) +{ + static int printed = 0; + int n; + + if (printed || !debug) + return; + printed = 1; + + if(tac_srv_no == 0) + syslog(LOG_DEBUG, "%s:%s: no TACACS %s in config (or no perm)," + " giving up", + nssname, __FUNCTION__, tac_srv_no ? "service" : + (*tac_service ? "server" : "service and no server")); + + for(n = 0; n < tac_srv_no; n++) + syslog(LOG_DEBUG, "%s: server[%d] { addr=%s, key='%s' }", nssname, + n, tac_srv[n].addr ? tac_ntop(tac_srv[n].addr->ai_addr) + : "unknown", tac_srv[n].key); +} /* * copy a passwd structure and it's strings, using the provided buffer @@ -454,9 +462,6 @@ connect_tacacs(struct tac_attrib **attr, int srvr) { int fd; - if(!*tac_service) /* reported at config file processing */ - return -1; - fd = tac_connect_single(tac_srv[srvr].addr, tac_srv[srvr].key, NULL, vrfname[0]?vrfname:NULL); if(fd >= 0) { @@ -509,6 +514,11 @@ lookup_tacacs_user(struct pwbuf *pb) return 2; } } + + if(!*tac_service) /* reported at config file processing */ + return ret; + print_servers(); + for(srvr=0; srvr < tac_srv_no && !done; srvr++) { arep.msg = NULL; arep.attr = NULL; @@ -692,7 +702,7 @@ enum nss_status _nss_tacplus_getpwuid_r(uid_t uid, struct passwd *pw, conf_parsed = ret == 0 ? 2 : 1; if (min_uid != ~0U && uid < min_uid) { - if(debug) + if(debug > 1) syslog(LOG_DEBUG, "%s: uid %u < min_uid %u, don't lookup", nssname, uid, min_uid); return status; -- cgit v1.2.3 From f9f714b3b7b9f77c0165c0850bd816cac0d46292 Mon Sep 17 00:00:00 2001 From: Dave Olson Date: Thu, 30 Mar 2017 09:42:45 -0700 Subject: During login from ssh, send remote host IP address in AUTH request The hack is to run getpeername on fd 0, because during ssh connections, it is a socket from the remote host. This is a bit fragile... Normally fd 0 interactively will be a pty or tty, so getpeername() will fail. There may be some daemons where fd0 is a socket, and returns a local or some other remote IP address, and if so, it could lead to some confusion, but it shouldn't ever break anything. I ran with tshark watching the packet exchange, and verified that the remote address field is set for ssh sessions at the start of the ssh session, and not when run in other uses. The customer ran a 3.2.1 package with this change, and it resolved their issue. --- debian/changelog | 3 ++- nss_tacplus.c | 36 +++++++++++++++++++++++++++++++++++- 2 files changed, 37 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index fefa524..43d371e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,5 @@ libnss-tacplus (1.0.2) unstable; urgency=low * added config variable "timeout" to limit time attempting to - connect to non-responding TACACS server. * added config variable "exclude_users" in /etc/tacplus_nss to avoid looking up "local" user accounts via TACACS servers. This improves overall system performance for local users, and avoids significant @@ -10,6 +9,8 @@ libnss-tacplus (1.0.2) unstable; urgency=low * Improved debugging messages. * Minor corrections to Copyright and licensing * Added vrf config variable, so NSS lookups work correctly$ + * During login, send remote add IP address in AUTH request + connect to non-responding TACACS server. -- Dave Olson Tue, 07 Mar 2017 12:58:03 -0800 diff --git a/nss_tacplus.c b/nss_tacplus.c index 4fa652e..2d4f193 100644 --- a/nss_tacplus.c +++ b/nss_tacplus.c @@ -36,6 +36,7 @@ #include #include #include +#include #include #include @@ -67,12 +68,15 @@ static tacplus_server_t tac_srv[TAC_PLUS_MAXSERVERS]; static int tac_srv_no, tac_key_no; static char tac_service[] = "shell"; static char tac_protocol[] = "ssh"; +static char tac_rhost[INET6_ADDRSTRLEN]; static char vrfname[64]; static char *exclude_users; static uid_t min_uid = ~0U; /* largest possible */ static int debug; static int conf_parsed = 0; +static void get_remote_addr(void); + static int nss_tacplus_config(int *errnop, const char *cfile, int top) { FILE *conf; @@ -531,7 +535,7 @@ lookup_tacacs_user(struct pwbuf *pb) tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd); continue; } - ret = tac_author_send(tac_fd, pb->name, "", "", attr); + ret = tac_author_send(tac_fd, pb->name, "", tac_rhost, attr); if(ret < 0) { if(debug) syslog(LOG_WARNING, "%s: TACACS+ server %s send failed (%d) for" @@ -621,6 +625,8 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw, result = nss_tacplus_config(errnop, config_file, 1); conf_parsed = result == 0 ? 2 : 1; + get_remote_addr(); + if(result) { /* no config file, no servers, etc. */ /* this is a debug because privileges may not allow access */ if(debug) @@ -730,3 +736,31 @@ enum nss_status _nss_tacplus_getpwuid_r(uid_t uid, struct passwd *pw, status = NSS_STATUS_SUCCESS; return status; } + +static void get_remote_addr(void) +{ + struct sockaddr_storage addr; + socklen_t len = sizeof addr; + char ipstr[INET6_ADDRSTRLEN]; + + /* This is so we can fill in the rhost field when we talk to the + * TACACS+ server, when it's an ssh connection, so sites that refuse + * authorization unless from specific IP addresses will get that + * information. It's pretty much of a hack, but it works. + */ + if (getpeername(0, (struct sockaddr*)&addr, &len) == -1) + return; + + *ipstr = 0; + if (addr.ss_family == AF_INET) { + struct sockaddr_in *s = (struct sockaddr_in *)&addr; + inet_ntop(AF_INET, &s->sin_addr, ipstr, sizeof ipstr); + } else { + struct sockaddr_in6 *s = (struct sockaddr_in6 *)&addr; + inet_ntop(AF_INET6, &s->sin6_addr, ipstr, sizeof ipstr); + } + + snprintf(tac_rhost, sizeof tac_rhost, "%s", ipstr); + if(debug > 1 && tac_rhost[0]) + syslog(LOG_DEBUG, "%s: rhost=%s", nssname, tac_rhost); +} -- cgit v1.2.3 From dab6c3bb9feb10b67f08b18656fe24d1f7b01d2b Mon Sep 17 00:00:00 2001 From: Dave Olson Date: Fri, 12 May 2017 11:43:01 -0700 Subject: Track changes to config files, and reparse if any change This is done to handle the case where nss_tacplus.so is included in a long-lived daemon. It's desirable to have long-lived daemons reflect changes to the configuration, both to enable/disable debugging, and particularly if the server list or key changes. Clear all read config variables to defaults when re-parsing. This is complicated by nested configuration files via the include directive. At top level, we need to check all the previously used configuration files to see if any have changed. This also adds a limitation to no more than 8 deep include nesting. In practice, > 2 is going to be very rare, so it should be OK. Log a message when we re-initialize (without using debug qualifier). --- debian/changelog | 4 ++- debian/copyright | 5 ++-- nss_tacplus.c | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++----- 3 files changed, 80 insertions(+), 9 deletions(-) diff --git a/debian/changelog b/debian/changelog index 43d371e..cf33b24 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -libnss-tacplus (1.0.2) unstable; urgency=low +libnss-tacplus (1.0.3-1) unstable; urgency=low * added config variable "timeout" to limit time attempting to * added config variable "exclude_users" in /etc/tacplus_nss to avoid looking up "local" user accounts via TACACS servers. This @@ -11,6 +11,8 @@ libnss-tacplus (1.0.2) unstable; urgency=low * Added vrf config variable, so NSS lookups work correctly$ * During login, send remote add IP address in AUTH request connect to non-responding TACACS server. + * configuration files should automatically be reparsed + if they change, for long-lived programs and daemons that use NSS. -- Dave Olson Tue, 07 Mar 2017 12:58:03 -0800 diff --git a/debian/copyright b/debian/copyright index 9b1b34a..710851e 100644 --- a/debian/copyright +++ b/debian/copyright @@ -3,8 +3,9 @@ Upstream-Name: libnss-tacplus Source: http://www.cumulusnetworks.com Files: * -Copyright: 2015, 2016 Cumulus Networks, Inc. All rights reserved., - 2010 Pawel Krawczyk and Jeroen Nijhof +Copyright: 2015, 2016, 2017 Cumulus Networks, Inc. All rights reserved., + 2010 Pawel Krawczyk and + Jeroen Nijhof License: GPL-2+ This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/nss_tacplus.c b/nss_tacplus.c index 2d4f193..1cf99c5 100644 --- a/nss_tacplus.c +++ b/nss_tacplus.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2014, 2015, 2016 Cumulus Networks, Inc. All rights reserved. + * Copyright (C) 2014, 2015, 2016, 2017 Cumulus Networks, Inc. + * All rights reserved. * Author: Dave Olson * * This program is free software; you can redistribute it and/or modify @@ -37,6 +38,7 @@ #include #include #include +#include #include #include @@ -60,7 +62,7 @@ struct pwbuf { typedef struct { struct addrinfo *addr; - const char *key; + char *key; } tacplus_server_t; /* set from configuration file parsing */ @@ -77,14 +79,77 @@ static int conf_parsed = 0; static void get_remote_addr(void); +#define MAX_INCL 8 /* max config level nesting */ + +/* reset all config variables when we are going to re-parse */ +static void +reset_config(void) +{ + int i, nservers; + + /* reset the config variables that we use, freeing memory where needed */ + nservers = tac_srv_no; + tac_srv_no = 0; + tac_key_no = 0; + vrfname[0] = '\0'; + if(exclude_users[0]) + (void)free(exclude_users); + exclude_users = NULL; + debug = 0; + use_tachome = 0; + tac_timeout = 0; + min_uid = ~0U; + + for(i = 0; i < nservers; i++) { + if(tac_srv[i].key) { + free(tac_srv[i].key); + tac_srv[i].key = NULL; + } + tac_srv[i].addr = NULL; + } +} + static int nss_tacplus_config(int *errnop, const char *cfile, int top) { FILE *conf; char lbuf[256]; + static struct stat lastconf[MAX_INCL]; + static char *cfilelist[MAX_INCL]; + struct stat st, *lst; + + if(top > MAX_INCL) { + syslog(LOG_NOTICE, "%s: Config file include depth > %d, ignoring %s", + nssname, MAX_INCL, cfile); + return 1; + } - if(conf_parsed > 1) /* 1: we've tried and thrown errors, 2, OK */ - return 0; + lst = &lastconf[top-1]; + if(conf_parsed && top == 1) { + /* + * check to see if the config file(s) have changed since last time, + * in case we are part of a long-lived daemon. If any changed, + * reparse. If not, return the appropriate status (err or OK) + * This is somewhat complicated by the include file mechanism. + * When we have nested includes, we have to check all the config + * files we saw previously, not just the top level config file. + */ + int i; + for(i=0; i < MAX_INCL; i++) { + struct stat *cst; + cst = &lastconf[i]; + if(!cst->st_ino || !cfilelist[i]) /* end of files */ + return conf_parsed == 2 ? 0 : 1; + if (stat(cfilelist[i], &st) || st.st_ino != cst->st_ino || + st.st_mtime != cst->st_mtime || st.st_ctime != cst->st_ctime) + break; /* found removed or different file, so re-parse */ + } + reset_config(); + syslog(LOG_NOTICE, "%s: Configuration file(s) have changed, re-initializing", + nssname); + } + /* don't check for failures, we'll just skip, don't want to error out */ + cfilelist[top-1] = strdup(cfile); conf = fopen(cfile, "r"); if(conf == NULL) { *errnop = errno; @@ -93,6 +158,8 @@ static int nss_tacplus_config(int *errnop, const char *cfile, int top) nssname, cfile); return 1; } + if (fstat(fileno(conf), lst) != 0) + memset(lst, 0, sizeof *lst); /* avoid stale data, no warning */ while(fgets(lbuf, sizeof lbuf, conf)) { if(*lbuf == '#' || isspace(*lbuf)) @@ -101,9 +168,10 @@ static int nss_tacplus_config(int *errnop, const char *cfile, int top) if(!strncmp(lbuf, "include=", 8)) { /* * allow include files, useful for centralizing tacacs - * server IP address and secret. + * server IP address and secret. When running non-privileged, + * may not be able to read one or more config files. */ - if(lbuf[8]) /* else treat as empty config, ignoring errors */ + if(lbuf[8]) (void)nss_tacplus_config(errnop, &lbuf[8], top+1); } else if(!strncmp(lbuf, "debug=", 6)) -- cgit v1.2.3 From 1e79d33bc397c0a9f30512a624ce51153e981f89 Mon Sep 17 00:00:00 2001 From: Dave Olson Date: Fri, 19 May 2017 15:48:43 -0700 Subject: Fix attribute memory leak, clarified authorization message Fixed attribute memory leak, and also don't force the *attr to NULL as part of that, use the normal mechanisms. Added more info to authorization failure message, and made clearer. Only print "local lookup" part of message if debug > 1, since it's mostly useful for developers. --- nss_tacplus.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/nss_tacplus.c b/nss_tacplus.c index 1cf99c5..60a221f 100644 --- a/nss_tacplus.c +++ b/nss_tacplus.c @@ -537,7 +537,6 @@ connect_tacacs(struct tac_attrib **attr, int srvr) fd = tac_connect_single(tac_srv[srvr].addr, tac_srv[srvr].key, NULL, vrfname[0]?vrfname:NULL); if(fd >= 0) { - *attr = NULL; /* so tac_add_attr() allocates memory */ tac_add_attrib(attr, "service", tac_service); if(tac_protocol[0]) tac_add_attrib(attr, "protocol", tac_protocol); @@ -563,7 +562,7 @@ lookup_tacacs_user(struct pwbuf *pb) { struct areply arep; int ret = 1, done = 0; - struct tac_attrib *attr; + struct tac_attrib *attr = NULL; int tac_fd, srvr; if (exclude_users) { @@ -601,13 +600,14 @@ lookup_tacacs_user(struct pwbuf *pb) syslog(LOG_WARNING, "%s: failed to connect TACACS+ server %s," " ret=%d: %m", nssname, tac_srv[srvr].addr ? tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd); + tac_free_attrib(&attr); continue; } ret = tac_author_send(tac_fd, pb->name, "", tac_rhost, attr); if(ret < 0) { if(debug) - syslog(LOG_WARNING, "%s: TACACS+ server %s send failed (%d) for" - " user %s: %m", nssname, tac_srv[srvr].addr ? + syslog(LOG_WARNING, "%s: TACACS+ server %s authorization failed (%d) " + " user (%s)", nssname, tac_srv[srvr].addr ? tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", ret, pb->name); } @@ -632,11 +632,14 @@ lookup_tacacs_user(struct pwbuf *pb) if(arep.status == AUTHOR_STATUS_PASS_ADD || arep.status == AUTHOR_STATUS_PASS_REPL) { ret = got_tacacs_user(arep.attr, pb); - if(debug) + if(debug>1) syslog(LOG_DEBUG, "%s: TACACS+ server %s successful for user %s." " local lookup %s", nssname, tac_ntop(tac_srv[srvr].addr->ai_addr), pb->name, ret?"OK":"no match"); + else if(debug) + syslog(LOG_DEBUG, "%s: TACACS+ server %s successful for user %s", + nssname, tac_ntop(tac_srv[srvr].addr->ai_addr), pb->name); done = 1; /* break out of loop after arep cleanup */ } else { -- cgit v1.2.3 From 9b056a2a66ec7006d86121509ef1049c7f6f0725 Mon Sep 17 00:00:00 2001 From: Dave Olson Date: Thu, 23 Mar 2017 22:42:24 -0700 Subject: Support using and returning per-tacacs user homedir Get setting from map on whether login was set up to use per-tacacs user homedir, rather than the homedir from the local tacacsN users. The mkhomedir_helper program is used in pam_tacplus to create home directory (like pam_mkhomedir.so) when user homedir is requested, but the home directory does not exist. The config file setting in this code is not used when using map and the user is found in map; we then use the setting from the map. When mapping doesn't exist, then use our own config setting. user_homedirs is ignored if shell is a restricted shell (as set up by tacplus-restrict) because we need to honor the per-command authorization setup in that case. Updated changelog Also fixed up the spelling of dev-support --- debian/changelog | 12 ++++++----- nss_tacplus.c | 65 ++++++++++++++++++++++++++++++++++++++++++++------------ 2 files changed, 58 insertions(+), 19 deletions(-) diff --git a/debian/changelog b/debian/changelog index cf33b24..6b20592 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,7 @@ libnss-tacplus (1.0.3-1) unstable; urgency=low - * added config variable "timeout" to limit time attempting to - * added config variable "exclude_users" in /etc/tacplus_nss + * Added config variable "timeout" to limit time attempting to + connect to non-responding TACACS server. + * Added config variable "exclude_users" in /etc/tacplus_nss to avoid looking up "local" user accounts via TACACS servers. This improves overall system performance for local users, and avoids significant delays when a TACACS server is unreachable. @@ -10,11 +11,12 @@ libnss-tacplus (1.0.3-1) unstable; urgency=low * Minor corrections to Copyright and licensing * Added vrf config variable, so NSS lookups work correctly$ * During login, send remote add IP address in AUTH request - connect to non-responding TACACS server. - * configuration files should automatically be reparsed + * Configuration files should automatically be reparsed if they change, for long-lived programs and daemons that use NSS. + * Added user_homedir config variable to allow per-user + home directories (unless per-command authorization is enabled) - -- Dave Olson Tue, 07 Mar 2017 12:58:03 -0800 + -- Dave Olson Thu, 23 Mar 2017 22:40:01 -0800 libnss-tacplus (1.0.2-1) unstable; urgency=low diff --git a/nss_tacplus.c b/nss_tacplus.c index 60a221f..201b329 100644 --- a/nss_tacplus.c +++ b/nss_tacplus.c @@ -75,6 +75,7 @@ static char vrfname[64]; static char *exclude_users; static uid_t min_uid = ~0U; /* largest possible */ static int debug; +uint16_t use_tachome; static int conf_parsed = 0; static void get_remote_addr(void); @@ -176,6 +177,8 @@ static int nss_tacplus_config(int *errnop, const char *cfile, int top) } else if(!strncmp(lbuf, "debug=", 6)) debug = strtoul(lbuf+6, NULL, 0); + else if (!strncmp (lbuf, "user_homedir=", 13)) + use_tachome = (uint16_t)strtoul(lbuf+13, NULL, 0); else if (!strncmp (lbuf, "timeout=", 8)) { tac_timeout = (int)strtoul(lbuf+8, NULL, 0); if (tac_timeout < 0) /* explict neg values disable poll() use */ @@ -319,12 +322,15 @@ static void print_servers(void) */ static int pwcopy(char *buf, size_t len, struct passwd *srcpw, struct passwd *destpw, - const char *usename) + const char *usename, uint16_t tachome) { - int needlen, cnt; + int needlen, cnt, origlen = len; + char *shell; - if(!usename) + if(!usename) { usename = srcpw->pw_name; + tachome = 0; /* early lookups; no tachome */ + } needlen = usename ? strlen(usename) + 1 : 1 + srcpw->pw_dir ? strlen(srcpw->pw_dir) + 1 : 1 + @@ -353,6 +359,14 @@ pwcopy(char *buf, size_t len, struct passwd *srcpw, struct passwd *destpw, len -= cnt; cnt = snprintf(buf, len, "%s", srcpw->pw_shell ? srcpw->pw_shell : ""); destpw->pw_shell = buf; + shell = strrchr(buf, '/'); + shell = shell ? shell+1 : buf; + if (tachome && *shell == 'r') { + tachome = 0; + if(debug > 1) + syslog(LOG_DEBUG, "%s tacacs login %s with user_homedir not allowed; " + "shell is %s", nssname, srcpw->pw_name, buf); + } cnt++; buf += cnt; len -= cnt; @@ -361,11 +375,28 @@ pwcopy(char *buf, size_t len, struct passwd *srcpw, struct passwd *destpw, cnt++; buf += cnt; len -= cnt; - cnt = snprintf(buf, len, "%s", srcpw->pw_dir ? srcpw->pw_dir : ""); + if (tachome && usename) { + char *slash, dbuf[strlen(srcpw->pw_dir) + strlen(usename)]; + snprintf(dbuf, sizeof dbuf, "%s", srcpw->pw_dir ? srcpw->pw_dir : ""); + slash = strrchr(dbuf, '/'); + if (slash) { + slash++; + snprintf(slash, sizeof dbuf - (slash-dbuf), "%s", usename); + } + cnt = snprintf(buf, len, "%s", dbuf); + } + else + cnt = snprintf(buf, len, "%s", srcpw->pw_dir ? srcpw->pw_dir : ""); destpw->pw_dir = buf; cnt++; buf += cnt; len -= cnt; + if(len < 0) { + if(debug) + syslog(LOG_DEBUG, "%s provided password buffer too small (%ld<%d)", + nssname, (long)origlen, origlen-(int)len); + return 1; + } return 0; } @@ -413,11 +444,11 @@ recheck: if(!ent->pw_name) continue; /* shouldn't happen */ if(!strcmp(ent->pw_name, pb->name)) { - retu = pwcopy(ubuf, sizeof(ubuf), ent, &upw, NULL); + retu = pwcopy(ubuf, sizeof(ubuf), ent, &upw, NULL, use_tachome); matches++; } else if(!strcmp(ent->pw_name, tacuser)) { - rett = pwcopy(tbuf, sizeof(tbuf), ent, &tpw, NULL); + rett = pwcopy(tbuf, sizeof(tbuf), ent, &tpw, NULL, use_tachome); matches++; } } @@ -433,9 +464,11 @@ recheck: syslog(LOG_DEBUG, "%s: local user not found at privilege=%u," " using %s", nssname, origpriv, tacuser); if(upw.pw_name && !retu) - ret = pwcopy(pb->buf, pb->buflen, &upw, pb->pw, pb->name); + ret = pwcopy(pb->buf, pb->buflen, &upw, pb->pw, pb->name, + use_tachome); else if(tpw.pw_name && !rett) - ret = pwcopy(pb->buf, pb->buflen, &tpw, pb->pw, pb->name); + ret = pwcopy(pb->buf, pb->buflen, &tpw, pb->pw, pb->name, + use_tachome); } if(ret) *pb->errnop = ERANGE; @@ -452,7 +485,8 @@ recheck: * returns 0 on success */ static int -find_pw_user(const char *logname, const char *tacuser, struct pwbuf *pb) +find_pw_user(const char *logname, const char *tacuser, struct pwbuf *pb, + uint16_t usetachome) { FILE *pwfile; struct passwd *ent; @@ -476,7 +510,7 @@ find_pw_user(const char *logname, const char *tacuser, struct pwbuf *pb) if(!ent->pw_name) continue; /* shouldn't happen */ if(!strcmp(ent->pw_name, tacuser)) { - ret = pwcopy(pb->buf, pb->buflen, ent, pb->pw, logname); + ret = pwcopy(pb->buf, pb->buflen, ent, pb->pw, logname, usetachome); break; } } @@ -663,12 +697,13 @@ static int lookup_mapped_uid(struct pwbuf *pb, uid_t uid, uid_t auid, int session) { char *loginname, mappedname[256]; + uint16_t flag; mappedname[0] = '\0'; loginname = lookup_mapuid(uid, auid, session, - mappedname, sizeof mappedname); + mappedname, sizeof mappedname, &flag); if(loginname) - return find_pw_user(loginname, mappedname, pb); + return find_pw_user(loginname, mappedname, pb, flag & MAP_USERHOMEDIR); return 1; } @@ -718,6 +753,7 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw, if(!lookup) status = NSS_STATUS_SUCCESS; else if(lookup == 1) { /* 2 means exclude_users match */ + uint16_t flag; /* * If we can't contact a tacacs server (either not configured, or * more likely, we aren't running as root and the config for the @@ -728,8 +764,9 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw, * common case of wanting to use the original login name by non-root * users. */ - char *mapname = lookup_mapname(name, -1, -1, NULL); - if(mapname != name && !find_pw_user(name, mapname, &pbuf)) + char *mapname = lookup_mapname(name, -1, -1, NULL, &flag); + if(mapname != name && !find_pw_user(name, mapname, &pbuf, + flag & MAP_USERHOMEDIR)) status = NSS_STATUS_SUCCESS; } } -- cgit v1.2.3