1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
|
#!/usr/bin/perl
# **** License ****
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# This code was originally developed by Vyatta, Inc.
# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc.
# All Rights Reserved.
#
# **** End License ****
use strict;
use warnings;
use lib "/opt/vyatta/share/perl5";
use Vyatta::Config;
## setup tacacs+ server info
# add tacacs to PAM file
sub add_tacacs {
my $param_string = shift;
my $pam = shift;
my $cmd =
'sudo sh -c "'
. 'sed -i \'s/^\(' . "$pam"
. '\trequired\tpam_unix\.so.*\)$/' . "$pam"
. '\tsufficient\tpam_tacplus.so\t'
. "$param_string # Vyatta"
. '\n\1/\' '
. "/etc/pam.d/common-$pam\"";
system($cmd);
return 0 if ( $? >> 8 );
return 1;
}
# remove tacacs from PAM files
sub remove_tacacs {
my $cmd =
'sudo sh -c "'
. 'sed -i \'/\(.*pam_tacplus.*# Vyatta\)/ D\' '
. '/etc/pam.d/common-auth '
. '/etc/pam.d/common-account '
. '/etc/pam.d/common-session "';
system($cmd);
return 0 if ( $? >> 8 );
return 1;
}
# main tacacs
# There is a race condition in here betwen radius and tacacs currently.
# Also should probably add a chack to see if we ned to actually reconfig
# PAM rather than jusy doing it each commit.
# Finally, service and protocol will need to be removed. They are just
# in there for troubleshootig purposes right now.
#
my $tconfig = new Vyatta::Config;
if ( $tconfig->isDeleted("system login tacacs-plus") ) { remove_tacacs; }
$tconfig->setLevel("system login tacacs-plus");
my @tacacs_params = $tconfig->listNodes();
if ( scalar(@tacacs_params) > 0 ) {
remove_tacacs;
my ( $acctall, $debug, $firsthit, $noencrypt );
if ( $tconfig->exists("acct-all") ) { $acctall = 1; }
if ( $tconfig->exists("debug") ) { $debug = 1; }
if ( $tconfig->exists("first-hit") ) { $firsthit = 1; }
if ( $tconfig->exists("no-encrypt") ) { $noencrypt = 1; }
my $protocol = $tconfig->returnValue("protocol");
my $secret = $tconfig->returnValue("secret");
my $server = $tconfig->returnValue("server");
my $service = $tconfig->returnValue("service");
if ( $server ne '' && $secret ne '' ) {
my ( $authstr, $accountstr, $sessionstr, $ip );
my @servers = split /\s/, $server;
## 3 common options
# encrypt this session
if ( !$noencrypt ) { $authstr = "encrypt "; }
# single secret
$authstr .= "secret=$secret ";
# and debug
if ($debug) { $authstr .= "debug "; }
## now they get specific
$accountstr = $sessionstr = $authstr;
# can be multiple servers for auth and session
foreach my $ip (@servers) {
$authstr .= "server=$ip ";
$sessionstr .= "server=$ip ";
}
# first hit for auth
if ($firsthit) { $authstr .= "firsthit "; }
# acctall for session
if ($acctall) { $sessionstr .= "acctall "; }
# service and protocol for account and session
if ($service) {
$accountstr .= "service=$service ";
$sessionstr .= "service=$service ";
}
if ($protocol) {
$accountstr .= "protocol=$protocol ";
$sessionstr .= "protocol=$protocol ";
}
add_tacacs( "$authstr", "auth" );
add_tacacs( "$accountstr", "account" );
add_tacacs( "$sessionstr", "session" );
}
else { exit 1; }
}
exit 0;
|
