authorRobert Bays <rbays@cartagena.vyatta.com>2008-11-12 17:43:53 -0800
committerRobert Bays <rbays@cartagena.vyatta.com>2008-11-12 17:43:53 -0800
commit0d632760079f1b7ad9e18079f9c0c4aed06466c7 (patch)
treefcdf7b6190f7bd21b0c4631aac76d79e2338a720
parent336ac34391efd20648ef710b953fa94d0551f299 (diff)
downloadvyatta-cfg-system-0d632760079f1b7ad9e18079f9c0c4aed06466c7.tar.gz
vyatta-cfg-system-0d632760079f1b7ad9e18079f9c0c4aed06466c7.zip
add basic tacacs+ support
-rw-r--r--debian/control3
-rwxr-xr-xscripts/system/vyatta_update_login.pl99
-rw-r--r--templates/system/login/tacacs-plus/acct-all/node.def1
-rw-r--r--templates/system/login/tacacs-plus/debug/node.def1
-rw-r--r--templates/system/login/tacacs-plus/first-hit/node.def1
-rw-r--r--templates/system/login/tacacs-plus/no-encrypt/node.def1
-rw-r--r--templates/system/login/tacacs-plus/node.def3
-rw-r--r--templates/system/login/tacacs-plus/protocol/node.def2
-rw-r--r--templates/system/login/tacacs-plus/secret/node.def2
-rw-r--r--templates/system/login/tacacs-plus/server/node.def3
-rw-r--r--templates/system/login/tacacs-plus/service/node.def2
11 files changed, 117 insertions, 1 deletions
diff --git a/debian/control b/debian/control
index b8128287..8b05318a 100644
--- a/debian/control
+++ b/debian/control
@@ -39,7 +39,8 @@ Depends: sed (>= 4.1.5),
dnsmasq,
mdadm,
ddclient,
- libio-socket-ssl-perl
+ libio-socket-ssl-perl,
+ pam-tacplus
Pre-Depends: bash-completion
Suggests: util-linux (>= 2.13-5),
net-tools,
diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl
index 1f71434b..a5611f6b 100755
--- a/scripts/system/vyatta_update_login.pl
+++ b/scripts/system/vyatta_update_login.pl
@@ -120,6 +120,105 @@ for my $user (@user_keys) {
}
}
+## setup tacacs+ server info
+# add tacacs to PAM file
+sub add_tacacs {
+ my $param_string = shift;
+ my $pam = shift;
+
+ my $cmd =
+ 'sudo sh -c "'
+ . 'sed -i \'s/^\('
+ . "$pam"
+ . '\trequired\tpam_unix\.so.*\)$/'
+ . "$pam"
+ . '\tsufficient\tpam_tacplus.so\t'
+ . "$param_string # Vyatta"
+ . '\n\1/\' '
+ . "/etc/pam.d/common-$pam\"";
+
+ system($cmd);
+ return 0 if ( $? >> 8 );
+ return 1;
+}
+
+# remove tacacs from PAM files
+sub remove_tacacs {
+ my $cmd =
+ 'sudo sh -c "'
+ . 'sed -i \'/\(.*pam_tacplus.*# Vyatta\)/ D\' '
+ . '/etc/pam.d/common-auth '
+ . '/etc/pam.d/common-account '
+ . '/etc/pam.d/common-session "';
+
+ system($cmd);
+ return 0 if ($? >> 8);
+ return 1;
+}
+
+# main tacacs
+# There is a race confition in here betwen radius and tacacs currently.
+# Also should probably add a chack to see if we ned to actually reconfig
+# PAM rather than jusy doing it each commit.
+# Finally, service and protocol will need to be removed. They are just
+# in there for troubleshootig purposes right now.
+#
+my $tconfig = new VyattaConfig;
+if ($tconfig->isDeleted("system login tacacs-plus")) { remove_tacacs; }
+$tconfig->setLevel("system login tacacs-plus");
+my @tacacs_params = $tconfig->listNodes();
+
+if ( scalar(@tacacs_params) > 0 ) {
+ remove_tacacs;
+ my ($acctall, $debug, $firsthit, $noencrypt);
+ if ( $tconfig->exists("acct-all") ) { $acctall = 1; }
+ if ( $tconfig->exists("debug") ) { $debug = 1; }
+ if ( $tconfig->exists("first-hit") ) { $firsthit = 1; }
+ if ( $tconfig->exists("no-encrypt") ) { $noencrypt = 1; }
+ my $protocol = $tconfig->returnValue("protocol");
+ my $secret = $tconfig->returnValue("secret");
+ my $server = $tconfig->returnValue("server");
+ my $service = $tconfig->returnValue("service");
+
+ if ( $server ne '' && $secret ne '') {
+ my ($authstr, $accountstr, $sessionstr, $ip);
+ my @servers = split /\s/, $server;
+
+ ## 3 common options
+ # encrypt this session
+ if (! $noencrypt ) { $authstr = "encrypt "; }
+ # single secret
+ $authstr .= "secret=$secret ";
+ # and debug
+ if ($debug) { $authstr .= "debug "; }
+
+ ## now they get specific
+ $accountstr = $sessionstr = $authstr;
+
+ # can be multiple servers for auth and session
+ foreach $ip (@servers) {
+ $authstr .= "server=$ip ";
+ $sessionstr .= "server=$ip ";
+ }
+
+ # first hit for auth
+ if ($firsthit) { $authstr .= "firsthit "; }
+
+ # acctall for session
+ if ($acctall) { $sessionstr .= "acctall "; }
+
+ # service and protocol for account and session
+ if ($service) { $accountstr .= "service=$service "; $sessionstr .= "service=$service "; }
+ if ($protocol) { $accountstr .= "protocol=$protocol "; $sessionstr .= "protocol=$protocol "; }
+
+ add_tacacs("$authstr", "auth");
+ add_tacacs("$accountstr", "account");
+ add_tacacs("$sessionstr", "session");
+ }
+ else { exit 1; }
+}
+## end tacacs
+
my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf';
my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers';
my $PAM_RAD_END = '# END Vyatta Radius servers';
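Review bot: `$secret`, `$service` and `$protocol` are interpolated unescaped into the `sudo sh -c "…"` string and the sed `s///` replacement built in add_tacacs (the `secret=$secret` at the `$authstr .=` line and the `service=`/`protocol=` lines), so a value containing `"`, `$`, a backtick, `/` or `&` is either expanded by a root shell or corrupts the PAM line, and because the three `add_tacacs(...)` return values are discarded a failed sed leaves PAM half-configured with no error at commit. `sed -i` also exits 0 when its pattern never matched, so a common-auth that does not contain the exact tab-separated `auth\trequired\tpam_unix.so` line silently gets no pam_tacplus entry. I would validate the three values against an anchored safe character class before any command is built and make each add_tacacs failure fatal, as below; passing the arguments to system() in list form (no `sh -c`) would additionally remove the shell layer, though the sed expression would still need the validation. Note too that the secret ends up as a module argument in /etc/pam.d/common-*, which on Debian are presumably world-readable — worth confirming and stating in the section comment.
```perl
    if ( $server ne '' && $secret ne '') {
        # Reject anything the root "sh -c" or the sed s/// in add_tacacs would interpret.
        for my $val ( $secret, $service, $protocol ) {
            next if !defined $val || $val eq '';
            if ( $val !~ m{\A[A-Za-z0-9._:+=-]+\z} ) {
                print STDERR "TACACS+ secret/service/protocol contains unsupported characters\n";
                exit 1;
            }
        }
        # … unchanged: build $authstr / $accountstr / $sessionstr …
        add_tacacs("$authstr", "auth")       or exit 1;
        add_tacacs("$accountstr", "account") or exit 1;
        add_tacacs("$sessionstr", "session") or exit 1;
    }
```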
diff --git a/templates/system/login/tacacs-plus/acct-all/node.def b/templates/system/login/tacacs-plus/acct-all/node.def
new file mode 100644
index 00000000..22522f17
--- /dev/null
+++ b/templates/system/login/tacacs-plus/acct-all/node.def
@@ -0,0 +1 @@
+help: Send TACACS+ accounting requests to all servers
diff --git a/templates/system/login/tacacs-plus/debug/node.def b/templates/system/login/tacacs-plus/debug/node.def
new file mode 100644
index 00000000..10aa10b1
--- /dev/null
+++ b/templates/system/login/tacacs-plus/debug/node.def
@@ -0,0 +1 @@
+help: Enable TACACS+ debugging
diff --git a/templates/system/login/tacacs-plus/first-hit/node.def b/templates/system/login/tacacs-plus/first-hit/node.def
new file mode 100644
index 00000000..18f2fdf6
--- /dev/null
+++ b/templates/system/login/tacacs-plus/first-hit/node.def
@@ -0,0 +1 @@
+help: Set TACACS+ to try multiple servers if a negative auth is returned
diff --git a/templates/system/login/tacacs-plus/no-encrypt/node.def b/templates/system/login/tacacs-plus/no-encrypt/node.def
new file mode 100644
index 00000000..7aa90dfb
--- /dev/null
+++ b/templates/system/login/tacacs-plus/no-encrypt/node.def
@@ -0,0 +1 @@
+help: Set TACACS+ to not encrypt communications
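Review bot: The help text for `no-encrypt` does not tell the operator what is at stake: it drops the `encrypt` option from the pam_tacplus line, which disables TACACS+ body obfuscation so the user's password crosses the wire in clear text. I would make the help line say so, e.g. `help: Disable TACACS+ packet encryption (passwords are sent in clear text; troubleshooting only)`.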
diff --git a/templates/system/login/tacacs-plus/node.def b/templates/system/login/tacacs-plus/node.def
new file mode 100644
index 00000000..d8eab559
--- /dev/null
+++ b/templates/system/login/tacacs-plus/node.def
@@ -0,0 +1,3 @@
+help: Set TACACS+ server authentication
+commit:expression: $VAR(server) != "" && $VAR(secret) != ""
+ ; "One server and a secret must be specified for TACACS+"
diff --git a/templates/system/login/tacacs-plus/protocol/node.def b/templates/system/login/tacacs-plus/protocol/node.def
new file mode 100644
index 00000000..6a5c739d
--- /dev/null
+++ b/templates/system/login/tacacs-plus/protocol/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set TACACS+ protocol for authentication and accounting
diff --git a/templates/system/login/tacacs-plus/secret/node.def b/templates/system/login/tacacs-plus/secret/node.def
new file mode 100644
index 00000000..0f673ae2
--- /dev/null
+++ b/templates/system/login/tacacs-plus/secret/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set TACACS+ secret
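Review bot: `type: txt` with no syntax check means any string — including `"`, `$`, backticks and `/` — is accepted here and later handed by vyatta_update_login.pl to a `sudo sh -c` sed command, so the character set should be constrained at the template, where the value enters the system. If the template engine supports pattern checks (I believe `syntax:expression: pattern` does), add `syntax:expression: pattern $VAR(@) "^[A-Za-z0-9._:+=-]+$" ; "TACACS+ secret may only contain letters, digits and . _ : + = -"`. The help text could also note that the secret is written into the PAM configuration files.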
diff --git a/templates/system/login/tacacs-plus/server/node.def b/templates/system/login/tacacs-plus/server/node.def
new file mode 100644
index 00000000..dc1b1e94
--- /dev/null
+++ b/templates/system/login/tacacs-plus/server/node.def
@@ -0,0 +1,3 @@
+multi:
+type: ipv4
+help: Set TACACS+ server IP addresses
diff --git a/templates/system/login/tacacs-plus/service/node.def b/templates/system/login/tacacs-plus/service/node.def
new file mode 100644
index 00000000..10d1729b
--- /dev/null
+++ b/templates/system/login/tacacs-plus/service/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set TACACS+ service for authentication and accounting