author | Robert Bays <rbays@cartagena.vyatta.com> | 2008-11-12 17:43:53 -0800 |
---|---|---|
committer | Robert Bays <rbays@cartagena.vyatta.com> | 2008-11-12 17:43:53 -0800 |
commit | 0d632760079f1b7ad9e18079f9c0c4aed06466c7 (patch) | |
tree | fcdf7b6190f7bd21b0c4631aac76d79e2338a720 | |
parent | 336ac34391efd20648ef710b953fa94d0551f299 (diff) | |
download | vyatta-cfg-system-0d632760079f1b7ad9e18079f9c0c4aed06466c7.tar.gz vyatta-cfg-system-0d632760079f1b7ad9e18079f9c0c4aed06466c7.zip |
add basic tacacs+ support
-rw-r--r-- | debian/control | 3 | ||||
-rwxr-xr-x | scripts/system/vyatta_update_login.pl | 99 | ||||
-rw-r--r-- | templates/system/login/tacacs-plus/acct-all/node.def | 1 | ||||
-rw-r--r-- | templates/system/login/tacacs-plus/debug/node.def | 1 | ||||
-rw-r--r-- | templates/system/login/tacacs-plus/first-hit/node.def | 1 | ||||
-rw-r--r-- | templates/system/login/tacacs-plus/no-encrypt/node.def | 1 | ||||
-rw-r--r-- | templates/system/login/tacacs-plus/node.def | 3 | ||||
-rw-r--r-- | templates/system/login/tacacs-plus/protocol/node.def | 2 | ||||
-rw-r--r-- | templates/system/login/tacacs-plus/secret/node.def | 2 | ||||
-rw-r--r-- | templates/system/login/tacacs-plus/server/node.def | 3 | ||||
-rw-r--r-- | templates/system/login/tacacs-plus/service/node.def | 2 |
11 files changed, 117 insertions, 1 deletions
diff --git a/debian/control b/debian/control
index b8128287..8b05318a 100644
--- a/debian/control
+++ b/debian/control
@@ -39,7 +39,8 @@ Depends: sed (>= 4.1.5),
 dnsmasq,
 mdadm,
 ddclient,
- libio-socket-ssl-perl
+ libio-socket-ssl-perl,
+ pam-tacplus
 Pre-Depends: bash-completion
 Suggests: util-linux (>= 2.13-5),
 net-tools,
diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl
index 1f71434b..a5611f6b 100755
--- a/scripts/system/vyatta_update_login.pl
+++ b/scripts/system/vyatta_update_login.pl
@@ -120,6 +120,105 @@ for my $user (@user_keys) { } } +## setup tacacs+ server info +# add tacacs to PAM file +sub add_tacacs { + my $param_string = shift; + my $pam = shift; + + my $cmd = + 'sudo sh -c "' + . 'sed -i \'s/^\(' + . "$pam" + . '\trequired\tpam_unix\.so.*\)$/' + . "$pam" + . '\tsufficient\tpam_tacplus.so\t' + . "$param_string # Vyatta" + . '\n\1/\' ' + . "/etc/pam.d/common-$pam\""; + + system($cmd); + return 0 if ( $? >> 8 ); + return 1; +} + +# remove tacacs from PAM files +sub remove_tacacs { + my $cmd = + 'sudo sh -c "' + . 'sed -i \'/\(.*pam_tacplus.*# Vyatta\)/ D\' ' + . '/etc/pam.d/common-auth ' + . '/etc/pam.d/common-account ' + . '/etc/pam.d/common-session "'; + + system($cmd); + return 0 if ($? >> 8); + return 1; +} + +# main tacacs +# There is a race confition in here betwen radius and tacacs currently. +# Also should probably add a chack to see if we ned to actually reconfig +# PAM rather than jusy doing it each commit. +# Finally, service and protocol will need to be removed. They are just +# in there for troubleshootig purposes right now. +# +my $tconfig = new VyattaConfig; +if ($tconfig->isDeleted("system login tacacs-plus")) { remove_tacacs; } +$tconfig->setLevel("system login tacacs-plus"); +my @tacacs_params = $tconfig->listNodes(); + +if ( scalar(@tacacs_params) > 0 ) { + remove_tacacs; + my ($acctall, $debug, $firsthit, $noencrypt); + if ( $tconfig->exists("acct-all") ) { $acctall = 1; } + if ( $tconfig->exists("debug") ) { $debug = 1; } + if ( $tconfig->exists("first-hit") ) { $firsthit = 1; } + if ( $tconfig->exists("no-encrypt") ) { $noencrypt = 1; } + my $protocol = $tconfig->returnValue("protocol"); + my $secret = $tconfig->returnValue("secret"); + my $server = $tconfig->returnValue("server"); + my $service = $tconfig->returnValue("service"); + + if ( $server ne '' && $secret ne '') { + my ($authstr, $accountstr, $sessionstr, $ip); + my @servers = split /\s/, $server; + + ## 3 common options + # encrypt this session + if (! 
$noencrypt ) { $authstr = "encrypt "; } + # single secret + $authstr .= "secret=$secret "; + # and debug + if ($debug) { $authstr .= "debug "; } + + ## now they get specific + $accountstr = $sessionstr = $authstr; + + # can be multiple servers for auth and session + foreach $ip (@servers) { + $authstr .= "server=$ip "; + $sessionstr .= "server=$ip "; + } + + # first hit for auth + if ($firsthit) { $authstr .= "firsthit "; } + + # acctall for session + if ($acctall) { $sessionstr .= "acctall "; } + + # service and protocol for account and session + if ($service) { $accountstr .= "service=$service "; $sessionstr .= "service=$service "; } + if ($protocol) { $accountstr .= "protocol=$protocol "; $sessionstr .= "protocol=$protocol "; } + + add_tacacs("$authstr", "auth"); + add_tacacs("$accountstr", "account"); + add_tacacs("$sessionstr", "session"); + } + else { exit 1; } +} +## end tacacs + my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf'; my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers'; my $PAM_RAD_END = '# END Vyatta Radius servers'; diff --git a/templates/system/login/tacacs-plus/acct-all/node.def b/templates/system/login/tacacs-plus/acct-all/node.def new file mode 100644 index 00000000..22522f17 --- /dev/null +++ b/templates/system/login/tacacs-plus/acct-all/node.def @@ -0,0 +1 @@ +help: Send TACACS+ accounting requests to all servers diff --git a/templates/system/login/tacacs-plus/debug/node.def b/templates/system/login/tacacs-plus/debug/node.def new file mode 100644 index 00000000..10aa10b1 --- /dev/null +++ b/templates/system/login/tacacs-plus/debug/node.def @@ -0,0 +1 @@ +help: Enable TACACS+ debugging diff --git a/templates/system/login/tacacs-plus/first-hit/node.def b/templates/system/login/tacacs-plus/first-hit/node.def new file mode 100644 index 00000000..18f2fdf6 --- /dev/null +++ b/templates/system/login/tacacs-plus/first-hit/node.def @@ -0,0 +1 @@ +help: Set TACACS+ to try multiple servers if a negative auth is returned 
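Review bot: `add_tacacs` splices `$param_string` — which carries `secret=$secret`, `service=$service` and `protocol=$protocol`, all declared as free-form `type: txt` nodes in this commit — into a `sudo sh -c "sed -i '…'"` string, so a value containing `/`, `&`, `\`, a quote or a newline breaks the sed substitution or the shell quoting, and the command runs as root. Handing the sed expression to list-form `system()` removes the shell layer, and rejecting those characters before the call keeps the substitution well-formed; `remove_tacacs` has no variable input but uses the same `sh -c` wrapper and can be simplified the same way. The secret also ends up verbatim in `/etc/pam.d/common-auth`, `common-account` and `common-session`, which are ordinarily world-readable, whereas the radius code that follows keeps its servers in the dedicated `$PAM_RAD_CFG` file — a comment such as `# NOTE: secret is written verbatim into /etc/pam.d/common-*; check their mode` would at least record this. Minor: `new VyattaConfig` is indirect-object syntax (`VyattaConfig->new`), and `$server` is fetched with `returnValue` although `server/node.def` is `multi:`, so only one address may ever reach `@servers` — confirm against `returnValues`. The script's main body continues past the hunk.
```perl
sub add_tacacs {
    my ( $param_string, $pam ) = @_;

    # secret/service/protocol are free-form; these characters would end the
    # sed s/// expression or be interpreted by it (& = matched text).
    return 0 if $param_string =~ m{[/&\\'"\n]};

    my $expr = 's/^\(' . $pam . '\trequired\tpam_unix\.so.*\)$/'
             . $pam . '\tsufficient\tpam_tacplus.so\t'
             . $param_string . ' # Vyatta\n\1/';

    # list form: no shell, so no second layer of quoting to escape
    system( 'sudo', 'sed', '-i', $expr, "/etc/pam.d/common-$pam" );
    return 0 if ( $? >> 8 );
    return 1;
}
```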
diff --git a/templates/system/login/tacacs-plus/no-encrypt/node.def b/templates/system/login/tacacs-plus/no-encrypt/node.def
new file mode 100644
index 00000000..7aa90dfb
--- /dev/null
+++ b/templates/system/login/tacacs-plus/no-encrypt/node.def
@@ -0,0 +1 @@
+help: Set TACACS+ to not encrypt communications
diff --git a/templates/system/login/tacacs-plus/node.def b/templates/system/login/tacacs-plus/node.def
new file mode 100644
index 00000000..d8eab559
--- /dev/null
+++ b/templates/system/login/tacacs-plus/node.def
@@ -0,0 +1,3 @@
+help: Set TACACS+ server authentication
+commit:expression: $VAR(server) != "" && $VAR(secret) != ""
+ ; "One server and a secret must be specified for TACACS+"
diff --git a/templates/system/login/tacacs-plus/protocol/node.def b/templates/system/login/tacacs-plus/protocol/node.def
new file mode 100644
index 00000000..6a5c739d
--- /dev/null
+++ b/templates/system/login/tacacs-plus/protocol/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set TACACS+ protocol for authentication and accounting
diff --git a/templates/system/login/tacacs-plus/secret/node.def b/templates/system/login/tacacs-plus/secret/node.def
new file mode 100644
index 00000000..0f673ae2
--- /dev/null
+++ b/templates/system/login/tacacs-plus/secret/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set TACACS+ secret
diff --git a/templates/system/login/tacacs-plus/server/node.def b/templates/system/login/tacacs-plus/server/node.def
new file mode 100644
index 00000000..dc1b1e94
--- /dev/null
+++ b/templates/system/login/tacacs-plus/server/node.def
@@ -0,0 +1,3 @@
+multi:
+type: ipv4
+help: Set TACACS+ server IP addresses
diff --git a/templates/system/login/tacacs-plus/service/node.def b/templates/system/login/tacacs-plus/service/node.def
new file mode 100644
index 00000000..10d1729b
--- /dev/null
+++ b/templates/system/login/tacacs-plus/service/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set TACACS+ service for authentication and accounting |