1 files changed, 141 insertions, 37 deletions

diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl
index 1f71434b..ad33412a 100755
--- a/scripts/system/vyatta_update_login.pl
+++ b/scripts/system/vyatta_update_login.pl
@@ -57,18 +57,48 @@ my %level_map = (
     'operator' => [ 'quaggavty', 'operator',  'adm', 'dip', ],
 );
 
+# Construct a map from existing users to group membership
+# Use space seperated format
+my %group_map;
+while (my ($name, undef, undef, $members) = getgrent()) {
+    foreach my $user (split / /,$members) {
+	my $g = $group_map{$user};
+	if ($g) {
+	    my @l = split / /, $g;
+	    push @l, $name;
+	    $group_map{$user} = join(' ', sort @l);
+	} else {
+	    $group_map{$user} = $name;
+	}
+
+    }
+}
+
 # we have some users
 for my $user (@user_keys) {
     if ( $users{$user} eq 'deleted' ) {
-        system("sudo userdel -r '$user'");
-        die "userdel failed\n" if ( $? >> 8 );
+        system("sudo userdel -r '$user'") == 0
+	    or die "userdel failed: $?\n"
     }
     elsif ( $users{$user} eq 'added' || $users{$user} eq 'changed' ) {
         $uconfig->setLevel("system login user $user");
+        my $pwd  = $uconfig->returnValue('authentication encrypted-password');
+	$pwd or die "Encrypted password not in configuration for $user";
+
+        my $level  = $uconfig->returnValue('level');
+	$level or die "Level not defined for $user";
 
-        # See if this is a modification of existing account
-        my (undef, undef, $uid,  undef,  undef,
-            undef, undef, undef, $shell, undef) = getpwnam($user);
+	# map level to group membership
+        my @groups = @{$level_map{$level}};
+	# add any additional groups from configuration
+        push( @groups, $uconfig->returnValues('group') );
+
+        my $fname = $uconfig->returnValue('full-name');
+        my $home = $uconfig->returnValue('home-directory');
+
+        # Read existing settings
+        my (undef, $opwd, $uid,  $gid, undef, $comment, 
+	    undef, $dir, $shell, undef) = getpwnam($user);
 
         my $cmd;
 	# not found in existing passwd, must be new
@@ -77,48 +107,124 @@ for my $user (@user_keys) {
 	    #  and make home directory (-m)
             #  and with default group of 100 (users)
             $cmd = 'useradd -s /bin/vbash -m -N';
-        }
-	# TODO Add checks for attempts to put system users
- 	# in configuration file 
+        } else {
+	    # If no part of password or group file changed
+	    # then there is nothing to do here.
+	    next if ( $opwd eq $pwd &&
+		      (!$fname || $fname eq $comment) &&
+		      (!$home  || $home eq $dir)  &&
+		      join(' ',  sort @groups) eq $group_map{$user} );
 
-	# TODO Check if nothing changed and just skip
-        else {
             $cmd = "usermod";
         }
 
-        my $pwd   = $uconfig->returnValue('authentication encrypted-password');
-        $pwd or die 'encrypted password not set';
         $cmd .= " -p '$pwd'";
-
-        my $fname = $uconfig->returnValue('full-name');
         $cmd .= " -c \"$fname\"" if ( defined $fname );
-
-        my $home = $uconfig->returnValue('home-directory');
         $cmd .= " -d \"$home\"" if ( defined $home );
+        $cmd .= ' -G ' . join( ',', @groups );
+        system("sudo $cmd $user") == 0
+	    or die "sudo $cmd $user failed: $?";
+    }
+}
 
-	# map level to group membership
-        my $level  = $uconfig->returnValue('level');
-        my $gref   = $level_map{$level};
-        my @groups = @{$gref};
+## setup tacacs+ server info
+# add tacacs to PAM file
+sub add_tacacs {
+    my $param_string = shift;
+    my $pam = shift;
 
-	# add any additional groups from configuration
-        push( @groups, $uconfig->returnValues('group') );
+    my $cmd =
+        'sudo sh -c "'
+      . 'sed -i \'s/^\('
+      . "$pam"
+      . '\trequired\tpam_unix\.so.*\)$/'
+      . "$pam"
+      . '\tsufficient\tpam_tacplus.so\t'
+      . "$param_string # Vyatta"
+      . '\n\1/\' '
+      . "/etc/pam.d/common-$pam\"";
 
-        $cmd .= ' -G ' . join( ',', @groups );
+    system($cmd);
+    return 0 if ( $? >> 8 );
+    return 1;
+}
 
-        system("sudo $cmd $user");
-        if ( $? == -1 ) {
-            die "failed to exec $cmd";
-        }
-        elsif ( $? & 127 ) {
-            die "$cmd died with signal" . ( $? & 127 );
-        }
-        elsif ( $? != 0 ) {
-            my $reason = $reasons{ $? >> 8 };
-            die "$cmd failed: $reason\n";
-        }
+# remove tacacs from PAM files
+sub remove_tacacs {
+    my $cmd =
+        'sudo sh -c "'
+      . 'sed -i \'/\(.*pam_tacplus.*# Vyatta\)/ D\' '
+      . '/etc/pam.d/common-auth '
+      . '/etc/pam.d/common-account '
+      . '/etc/pam.d/common-session "';
+
+    system($cmd);
+    return 0 if ($? >> 8);
+    return 1;
+}
+
+# main tacacs
+# There is a race confition in here betwen radius and tacacs currently.
+# Also should probably add a chack to see if we ned to actually reconfig 
+# PAM rather than jusy doing it each commit.
+# Finally, service and protocol will need to be removed.  They are just 
+# in there for troubleshootig purposes right now.
+#
+my $tconfig = new VyattaConfig;
+if ($tconfig->isDeleted("system login tacacs-plus")) { remove_tacacs; }
+$tconfig->setLevel("system login tacacs-plus");
+my @tacacs_params = $tconfig->listNodes();
+
+if ( scalar(@tacacs_params) > 0 ) {
+    remove_tacacs;
+    my ($acctall, $debug, $firsthit, $noencrypt);
+    if ( $tconfig->exists("acct-all") ) { $acctall = 1; }
+    if ( $tconfig->exists("debug") ) { $debug = 1; }
+    if ( $tconfig->exists("first-hit") ) { $firsthit = 1; }
+    if ( $tconfig->exists("no-encrypt") ) { $noencrypt = 1; }
+    my $protocol = $tconfig->returnValue("protocol");
+    my $secret = $tconfig->returnValue("secret");
+    my $server = $tconfig->returnValue("server");
+    my $service = $tconfig->returnValue("service");
+
+    if ( $server ne '' && $secret ne '') {
+      my ($authstr, $accountstr, $sessionstr, $ip);
+      my @servers = split /\s/, $server;
+
+      ## 3 common options
+      # encrypt this session
+      if (! $noencrypt ) { $authstr = "encrypt "; }
+      # single secret
+      $authstr .= "secret=$secret ";
+      # and debug
+      if ($debug) { $authstr .= "debug "; }
+
+      ## now they get specific
+      $accountstr = $sessionstr = $authstr;
+
+      # can be multiple servers for auth and session
+      foreach $ip (@servers) {
+        $authstr    .= "server=$ip ";
+        $sessionstr .= "server=$ip ";
+      }
+
+      # first hit for auth
+      if ($firsthit) { $authstr .= "firsthit "; }
+
+      # acctall for session
+      if ($acctall) { $sessionstr .= "acctall "; }
+
+      # service and protocol for account and session
+      if ($service)  { $accountstr .= "service=$service "; $sessionstr .= "service=$service "; }
+      if ($protocol) { $accountstr .= "protocol=$protocol "; $sessionstr .= "protocol=$protocol "; }
+
+      add_tacacs("$authstr", "auth");
+      add_tacacs("$accountstr", "account");
+      add_tacacs("$sessionstr", "session");
     }
+    else { exit 1; }
 }
+## end tacacs
 
 my $PAM_RAD_CFG   = '/etc/pam_radius_auth.conf';
 my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers';
@@ -214,11 +320,9 @@ if ($all_deleted) {
 
     # all radius servers deleted
     exit 1 if ( !remove_pam_radius() );
-}
-else {
+} else {
     exit 1 if ( !add_radius_servers($server_str) );
     exit 1 if ( !add_pam_radius() );
 }
 
 exit 0;
-