author | Dave Olson <olson@cumulusnetworks.com> | 2018-02-27 19:07:33 -0800 |
---|---|---|
committer | Dave Olson <olson@cumulusnetworks.com> | 2018-04-02 12:22:31 -0700 |
commit | 55011d779684c0e34a60768ede7967c36f2753ff (patch) | |
tree | 2d24bc865a04ebfa1a4236dc64be9d782c2967dd /config.sub | |
parent | 96df95a2e72bf260bdc294e77276452229e13cf1 (diff) | |
download | libpam-radius-auth-55011d779684c0e34a60768ede7967c36f2753ff.tar.gz libpam-radius-auth-55011d779684c0e34a60768ede7967c36f2753ff.zip |
Add limited support for privileges (VSA shell:priv-lvl=15)
Ticket: CM-19457
Reviewed By:
Testing Done:
As with the tacplus client, we'll support priv-lvl=15 as a privileged
user, able to run config commands and sudo (when used with
libnss-mapuser).
Added new code to decode VSA attributes, and search for
shell:priv-lvl=#. A new config item is added "priv-lvl" in the
configuration file to specify the minimum value to be considered
privileged. The default is 15.
Writing mapping session file in the plugin now, because it needs to
be present for the final getpw* calls from ssh, login, etc.
Dropped the homedir in the mapfile; we're not ready to get it via NSS when
we write the mapfile, and it wasn't ever used.
Also added same pam condition as tacplus, don't invoke pam_radius_auth
unless uid > 1000, to avoid overhead on system users and cumulus
account, although that won't help as much as with tacplus, given the
mappings.
Also added copyrights to the pam header file.
Fixed a bunch of issues, which meant some significant restructuring.
src_ip (as noted in some comments) really should have been in the
server struct. Having done that, we don't need to open both v4 and
v6 sockets, we only open the one we need after moving host2server()
call into the initialization code.
Only parse the pam_radius_auth.conf config file once (unless the
PAM line specifies a different config file from previous pam mode,
or the config file has changed).
As part of that, do all the host name resolution up front, and
store ip_acct for accounting port, as well as the previous ip
for auth port.
While doing that, set it up so initialization and the config file
parsing are only done once in the common case. If the config file
is specified on the pam command line, and it's different, then we'll
re-open and re-initialize.
That also means we normally only open the socket and bind once.
Cleanup is now done via registering a pam_set_data() handler for
the server list. Since the _pam_end() call may happen late, also
ensure that all the sockets are marked close on exec.
Fixed some white space and line length issues. Really should have
been a separate commit, but...
Document how port for accounting is derived, and changed it to use
radacct if a named port was specified that isn't "radius" while
warning about it.
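The VSA decoding the message describes, as an added example that is not the pam_radius_auth code from this commit: it walks a RADIUS attribute list, pulls `shell:priv-lvl=#` out of a vendor-specific attribute with every length checked first, and compares the level to the configured minimum (the new `priv-lvl` item, default 15). It assumes the Cisco vendor ID 9 / cisco-avpair (sub-type 1) encoding, which the commit does not name, and the sample attribute bytes are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define RADIUS_ATTR_VSA 26
#define VENDOR_CISCO    9   /* assumption: Cisco vendor ID carrying cisco-avpair */
#define CISCO_AVPAIR    1   /* assumption: cisco-avpair vendor sub-type */
#define PRIV_PFX        "shell:priv-lvl="
/* Walk a RADIUS attribute list (type, length, value ...) and return the shell:priv-lvl
 * value carried in a Cisco AV-pair VSA, or -1 if absent or malformed. */
static int find_priv_lvl(const uint8_t *attrs, size_t len)
{
    size_t off = 0;
    while (off + 2 <= len) {
        uint8_t type = attrs[off], alen = attrs[off + 1];
        if (alen < 2 || off + alen > len)       /* bad length: stop, never overread */
            return -1;
        if (type == RADIUS_ATTR_VSA && alen >= 8) {
            const uint8_t *v = attrs + off + 2;  /* vendor-id(4), vendor-type, vendor-len */
            uint32_t vendor = ((uint32_t)v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
            uint8_t vtype = v[4], vlen = v[5];
            /* the vendor sub-attribute must fit inside the enclosing VSA */
            if (vendor == VENDOR_CISCO && vtype == CISCO_AVPAIR && vlen >= 2 && vlen <= alen - 6) {
                char buf[256], *end;
                size_t slen = vlen - 2;
                memcpy(buf, v + 6, slen);         /* copy so the string is NUL-terminated */
                buf[slen] = '\0';
                if (strncmp(buf, PRIV_PFX, strlen(PRIV_PFX)) == 0) {
                    long lvl = strtol(buf + strlen(PRIV_PFX), &end, 10);
                    /* whole suffix must be a number in the 0..15 privilege range */
                    if (end != buf + strlen(PRIV_PFX) && *end == '\0' && lvl >= 0 && lvl <= 15)
                        return (int)lvl;
                }
            }
        }
        off += alen;
    }
    return -1;
}
/* Privileged iff a level was decoded and it reaches the configured minimum (priv-lvl, default 15). */
static int is_privileged(const uint8_t *attrs, size_t len, int min_lvl)
{
    int lvl = find_priv_lvl(attrs, len);
    return lvl >= 0 && lvl >= min_lvl;
}
/* Constructed sample Access-Accept attributes: User-Name "bob", then the VSA. */
static const uint8_t sample_attrs[] = {
    1, 5, 'b', 'o', 'b',
    26, 25, 0, 0, 0, 9, 1, 19,
    's','h','e','l','l',':','p','r','i','v','-','l','v','l','=','1','5'
};
```

A truncated buffer (for instance only the first 20 bytes of `sample_attrs`) yields -1 rather than a read past the end, which is the case a PAM module parsing untrusted server replies has to get right.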
Diffstat (limited to 'config.sub')
0 files changed, 0 insertions, 0 deletions