From ab9634da79286d2f04f40011331f2feee208e513 Mon Sep 17 00:00:00 2001
From: Dave Olson
Date: Thu, 23 Jun 2016 13:39:25 -0700
Subject: Provide getpwnam_r entry point to lookup mapped TACACS+ users Initial version with NSS lookups for tacacs users using mapping Works with modified libpam-tacplus to authenticate TACACS+ users without local passwd entries, mapping them to tacacs0..15 based on TACACS privilege level. When the /etc/tacplus_servers tacacs config file is mode 600 (normally the case since it has the server "secret" key), lookups will only work for tacacs users that are logged in, via the local mapping. For root, getpwnam lookups will work for any TACACS user known to the servers. Most syslog's enabled only if debug is set in the config file.
---
debian/README.source | 10 ++++++++++
debian/changelog | 8 ++++++++
debian/compat | 1 +
debian/control | 14 ++++++++++++++
debian/copyright | 22 ++++++++++++++++++++++
debian/libnss-tacplus.lintian-overrides | 8 ++++++++
debian/libnss-tacplus.postinst | 32 ++++++++++++++++++++++++++++++++
debian/libnss-tacplus.symbols | 3 +++
debian/lintian-overrides | 2 ++
debian/rules | 20 ++++++++++++++++++++
debian/source/format | 1 +
11 files changed, 121 insertions(+)
create mode 100644 debian/README.source
create mode 100644 debian/changelog
create mode 100644 debian/compat
create mode 100644 debian/control
create mode 100644 debian/copyright
create mode 100644 debian/libnss-tacplus.lintian-overrides
create mode 100644 debian/libnss-tacplus.postinst
create mode 100644 debian/libnss-tacplus.symbols
create mode 100644 debian/lintian-overrides
create mode 100755 debian/rules
create mode 100644 debian/source/format
(limited to 'debian')
diff --git a/debian/README.source b/debian/README.source
new file mode 100644
index 0000000..a509abf
--- /dev/null
+++ b/debian/README.source
@@ -0,0 +1,10 @@
+libnss-tacplus for Debian
+-------------------------
+Build this package with:
+$ debian/rules binary
+or
+$ DEB_BUILD_PROG_OPTS="-S" debian/rules arch-build
+
+
+ -- Dave Olson Tue, 3 Nov 2015 15:58:30 -0700
+
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..a9b433b
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,8 @@
+libnss-tacplus (1.0.1-1) unstable; urgency=low
+
+ * Initial version with NSS lookups for tacacs users using mapping
+ Works with modified libpam-tacplus to authenticate TACACS+ users
+ without local passwd entries, mapping them to tacacs0..15 based on
+ TACACS privilege level.
+
+ -- Dave Olson Thu, 23 Jun 2016 13:31:01 -0700
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..abad701
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,14 @@
+Source: libnss-tacplus
+Priority: optional
+Maintainer: devsupport
+Build-Depends: debhelper (>= 9), autotools-dev, libtac-dev, libtacplus-map-dev, libaudit-dev, autoconf, libpam-tacplus-dev, dpkg-dev (>= 1.16.1)
+Section: libs
+Standards-Version: 3.9.6
+Homepage: http://www.cumulusnetworks.com
+
+Package: libnss-tacplus
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libtac2, libtacplus-map1, libaudit1
+Description: NSS module for TACACS+ authentication without local passwd entry
+ Performs getpwname and getpwuid lookups via NSS for users logged in via
+ tacacs authentication, and mapping done with libtacplus_map
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..6c70b2e
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,22 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: libnss-tacplus
+Homepage: http://cumulusnetworks.com
+
+Files: *
+Copyright: 2015, 2016 Cumulus Networks, Inc
+License: GPL-2+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
diff --git a/debian/libnss-tacplus.lintian-overrides b/debian/libnss-tacplus.lintian-overrides
new file mode 100644
index 0000000..4ac1cba
--- /dev/null
+++ b/debian/libnss-tacplus.lintian-overrides
@@ -0,0 +1,8 @@
+libnss-tacplus binary package-name-doesnt-match-sonames libnss-tacplus2
+libnss-tacplus package-name-doesnt-match-sonames libnss-tacplus2
+libnss-tacplus source native-package-with-dash-version
+libnss-tacplus source diff-contains-git-control-dir .git
+libnss-tacplus source unsupported-source-format 3.0 (git)
+libnss-tacplus source changelog-should-mention-nmu
+libnss-tacplus source source-nmu-has-incorrect-version-number 1.0.1-1
+libnss-tacplus new-package-should-close-itp-bu
diff --git a/debian/libnss-tacplus.postinst b/debian/libnss-tacplus.postinst
new file mode 100644
index 0000000..9541608
--- /dev/null
+++ b/debian/libnss-tacplus.postinst
@@ -0,0 +1,32 @@
+#!/bin/sh
+# postinst script for libnss-tacplus
+#
+# see: dh_installdeb(1)
+
+set -e
+
+case "$1" in
+ configure)
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# Add tacplus to /etc/nsswitch.conf, since it's necessary
+# for this package, and won't break anything else. Do nothing
+# if tacplus is already present in the passwd line
+if [ -e "/etc/nsswitch.conf" ]; then
+ sed -i -e '/tacplus/b' \
+ -e '/^passwd/s/compat/tacplus &/' /etc/nsswitch.conf
+fi
+
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/libnss-tacplus.symbols b/debian/libnss-tacplus.symbols
new file mode 100644
index 0000000..2bf9b88
--- /dev/null
+++ b/debian/libnss-tacplus.symbols
@@ -0,0 +1,3 @@
+libnss_tacplus.so.2 libnss-tacplus #MINVER#
+ _nss_tacplus_getpwnam_r@Base 1.0.1
+ _nss_tacplus_getpwuid_r@Base 1.0.1
diff --git a/debian/lintian-overrides b/debian/lintian-overrides
new file mode 100644
index 0000000..c2a52cc
--- /dev/null
+++ b/debian/lintian-overrides
@@ -0,0 +1,2 @@
+libnss-tacplus binary package-name-doesnt-match-sonames libnss-tacplus2
+libnss-tacplus package-name-doesnt-match-sonames libnss-tacplus2
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..b37d726
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,20 @@
+#!/usr/bin/make -f
+# See debhelper(7) (uncomment to enable)
+# output every command that modifies files on the build system.
+DH_VERBOSE = 1
+
+# see EXAMPLES in dpkg-buildflags(1) and read /usr/share/dpkg/*
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/default.mk
+
+# see FEATURE AREAS in dpkg-buildflags(1)
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+# main packaging script based on dh7 syntax
+%:
+ dh $@ --with autotools-dev
+
+# this library installs into /lib, not /usr/lib; I don't see any other
+# way to do this, although there must be a way...
+override_dh_auto_configure:
+ dh_auto_configure -- --prefix=""
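Review bot: In debian/libnss-tacplus.postinst the sed edit of /etc/nsswitch.conf sits after the `case`, so it also runs for `abort-upgrade`, `abort-remove` and `abort-deconfigure`, and its address `/^passwd/` also matches a `passwd_compat:` line, which the substitution would rewrite to `passwd_tacplus compat:`. Moving the `if [ -e "/etc/nsswitch.conf" ]` block into the `configure)` arm and anchoring the address, `-e '/^passwd:/s/compat/tacplus &/'`, keeps the change to the intended line and action. When the passwd line has no `compat` entry the substitution silently does nothing and the module stays unconfigured, so a message on stderr for that case would help the administrator. Because `tacplus` is inserted ahead of `compat`, passwd lookups presumably reach the TACACS+ module before local files; it is worth confirming in the module code, which is outside this diff, that names of local accounts are not answered from the TACACS+ path.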
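Review bot: In debian/rules, `--prefix=""` in `override_dh_auto_configure` moves every prefix-derived directory to the filesystem root, not only the library directory, so anything the build installs besides the module (headers, man pages) would end up under `/include` or `/share`. Overriding only the library directory answers the question in the comment: `dh_auto_configure -- --libdir=/lib/$(DEB_HOST_MULTIARCH)`, where `DEB_HOST_MULTIARCH` is already provided by the included `/usr/share/dpkg/default.mk` (use `--libdir=/lib` if a non-multiarch path is intended). The comment above `DH_VERBOSE = 1` still says "uncomment to enable" although the assignment is active; either comment the line out or update the comment.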
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..af745b3
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (git)
-- cgit v1.2.3