Diffstat (limited to 'scripts/system/vyatta_update_tacacs.pl')
-rwxr-xr-x | scripts/system/vyatta_update_tacacs.pl | 129 |
1 files changed, 129 insertions, 0 deletions
diff --git a/scripts/system/vyatta_update_tacacs.pl b/scripts/system/vyatta_update_tacacs.pl
new file mode 100755
index 00000000..c4684efe
--- /dev/null
+++ b/scripts/system/vyatta_update_tacacs.pl
@@ -0,0 +1,129 @@
+#!/usr/bin/perl
+
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc.
+# All Rights Reserved.
+#
+# **** End License ****
+
+use strict;
+use warnings;
+
+use lib "/opt/vyatta/share/perl5";
+use Vyatta::Config;
+
+## setup tacacs+ server info
+# add tacacs to PAM file
+sub add_tacacs {
+ my $param_string = shift;
+ my $pam = shift;
+
+ my $cmd =
+ 'sudo sh -c "'
+ . 'sed -i \'s/^\(' . "$pam"
+ . '\trequired\tpam_unix\.so.*\)$/' . "$pam"
+ . '\tsufficient\tpam_tacplus.so\t'
+ . "$param_string # Vyatta"
+ . '\n\1/\' '
+ . "/etc/pam.d/common-$pam\"";
+
+ system($cmd);
+ return 0 if ( $? >> 8 );
+ return 1;
+}
+
+# remove tacacs from PAM files
+sub remove_tacacs {
+ my $cmd =
+ 'sudo sh -c "'
+ . 'sed -i \'/\(.*pam_tacplus.*# Vyatta\)/ D\' '
+ . '/etc/pam.d/common-auth '
+ . '/etc/pam.d/common-account '
+ . '/etc/pam.d/common-session "';
+
+ system($cmd);
+ return 0 if ( $? >> 8 );
+ return 1;
+}
+
+# main tacacs
+# There is a race condition in here betwen radius and tacacs currently.
+# Also should probably add a chack to see if we ned to actually reconfig
+# PAM rather than jusy doing it each commit.
+# Finally, service and protocol will need to be removed. They are just
+# in there for troubleshootig purposes right now.
+#
+my $tconfig = new Vyatta::Config;
+if ( $tconfig->isDeleted("system login tacacs-plus") ) { remove_tacacs; }
+$tconfig->setLevel("system login tacacs-plus");
+my @tacacs_params = $tconfig->listNodes();
+
+if ( scalar(@tacacs_params) > 0 ) {
+ remove_tacacs;
+ my ( $acctall, $debug, $firsthit, $noencrypt );
+ if ( $tconfig->exists("acct-all") ) { $acctall = 1; }
+ if ( $tconfig->exists("debug") ) { $debug = 1; }
+ if ( $tconfig->exists("first-hit") ) { $firsthit = 1; }
+ if ( $tconfig->exists("no-encrypt") ) { $noencrypt = 1; }
+ my $protocol = $tconfig->returnValue("protocol");
+ my $secret = $tconfig->returnValue("secret");
+ my $server = $tconfig->returnValue("server");
+ my $service = $tconfig->returnValue("service");
+
+ if ( $server ne '' && $secret ne '' ) {
+ my ( $authstr, $accountstr, $sessionstr, $ip );
+ my @servers = split /\s/, $server;
+
+ ## 3 common options
+ # encrypt this session
+ if ( !$noencrypt ) { $authstr = "encrypt "; }
+
+ # single secret
+ $authstr .= "secret=$secret ";
+
+ # and debug
+ if ($debug) { $authstr .= "debug "; }
+
+ ## now they get specific
+ $accountstr = $sessionstr = $authstr;
+
+ # can be multiple servers for auth and session
+ foreach my $ip (@servers) {
+ $authstr .= "server=$ip ";
+ $sessionstr .= "server=$ip ";
+ }
+
+ # first hit for auth
+ if ($firsthit) { $authstr .= "firsthit "; }
+
+ # acctall for session
+ if ($acctall) { $sessionstr .= "acctall "; }
+
+ # service and protocol for account and session
+ if ($service) {
+ $accountstr .= "service=$service ";
+ $sessionstr .= "service=$service ";
+ }
+ if ($protocol) {
+ $accountstr .= "protocol=$protocol ";
+ $sessionstr .= "protocol=$protocol ";
+ }
+
+ add_tacacs( "$authstr", "auth" );
+ add_tacacs( "$accountstr", "account" );
+ add_tacacs( "$sessionstr", "session" );
+ }
+ else { exit 1; }
+}
+
+exit 0; |
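Review bot: `$secret`, `$server`, `$service` and `$protocol` are read from the configuration and interpolated unescaped, via `$param_string` in add_tacacs, into a sed expression that is itself run through `sudo sh -c`, so a value containing `/`, `'`, `"`, `&`, `\`, `$` or a backtick breaks the quoting and whatever follows it runs with the privileges sudo grants the script. Right after `my @servers = split /\s/, $server;` reject anything outside a safe character set, e.g. `exit 1 if grep { defined($_) && !m{\A[\w.\-]*\z}ms } $secret, $service, $protocol, @servers;` — `quotemeta` alone is not sufficient here because the string passes through both sh and sed quoting layers. The secret is also visible in the process list for the duration of the sed call; performing the PAM edit without a shell would avoid that as well as the quoting problem. Separately, the return values of the three `add_tacacs` calls are discarded, so a failed sed still ends in `exit 0`, and `split /\s+/` rather than `/\s/` would avoid empty `server=` entries when the server list contains repeated whitespace.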