From 0d632760079f1b7ad9e18079f9c0c4aed06466c7 Mon Sep 17 00:00:00 2001 From: Robert Bays Date: Wed, 12 Nov 2008 17:43:53 -0800 Subject: add basic tacacs+ support --- scripts/system/vyatta_update_login.pl | 99 +++++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) (limited to 'scripts/system') diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl index 1f71434b..a5611f6b 100755 --- a/scripts/system/vyatta_update_login.pl +++ b/scripts/system/vyatta_update_login.pl @@ -120,6 +120,105 @@ for my $user (@user_keys) { } } +## setup tacacs+ server info +# add tacacs to PAM file +sub add_tacacs { + my $param_string = shift; + my $pam = shift; + + my $cmd = + 'sudo sh -c "' + . 'sed -i \'s/^\(' + . "$pam" + . '\trequired\tpam_unix\.so.*\)$/' + . "$pam" + . '\tsufficient\tpam_tacplus.so\t' + . "$param_string # Vyatta" + . '\n\1/\' ' + . "/etc/pam.d/common-$pam\""; + + system($cmd); + return 0 if ( $? >> 8 ); + return 1; +} + +# remove tacacs from PAM files +sub remove_tacacs { + my $cmd = + 'sudo sh -c "' + . 'sed -i \'/\(.*pam_tacplus.*# Vyatta\)/ D\' ' + . '/etc/pam.d/common-auth ' + . '/etc/pam.d/common-account ' + . '/etc/pam.d/common-session "'; + + system($cmd); + return 0 if ($? >> 8); + return 1; +} + +# main tacacs +# There is a race confition in here betwen radius and tacacs currently. +# Also should probably add a chack to see if we ned to actually reconfig +# PAM rather than jusy doing it each commit. +# Finally, service and protocol will need to be removed. They are just +# in there for troubleshootig purposes right now. +# +my $tconfig = new VyattaConfig; +if ($tconfig->isDeleted("system login tacacs-plus")) { remove_tacacs; } +$tconfig->setLevel("system login tacacs-plus"); +my @tacacs_params = $tconfig->listNodes(); + +if ( scalar(@tacacs_params) > 0 ) { + remove_tacacs; + my ($acctall, $debug, $firsthit, $noencrypt); + if ( $tconfig->exists("acct-all") ) { $acctall = 1; } + if ( $tconfig->exists("debug") ) { $debug = 1; } + if ( $tconfig->exists("first-hit") ) { $firsthit = 1; } + if ( $tconfig->exists("no-encrypt") ) { $noencrypt = 1; } + my $protocol = $tconfig->returnValue("protocol"); + my $secret = $tconfig->returnValue("secret"); + my $server = $tconfig->returnValue("server"); + my $service = $tconfig->returnValue("service"); + + if ( $server ne '' && $secret ne '') { + my ($authstr, $accountstr, $sessionstr, $ip); + my @servers = split /\s/, $server; + + ## 3 common options + # encrypt this session + if (! $noencrypt ) { $authstr = "encrypt "; } + # single secret + $authstr .= "secret=$secret "; + # and debug + if ($debug) { $authstr .= "debug "; } + + ## now they get specific + $accountstr = $sessionstr = $authstr; + + # can be multiple servers for auth and session + foreach $ip (@servers) { + $authstr .= "server=$ip "; + $sessionstr .= "server=$ip "; + } + + # first hit for auth + if ($firsthit) { $authstr .= "firsthit "; } + + # acctall for session + if ($acctall) { $sessionstr .= "acctall "; } + + # service and protocol for account and session + if ($service) { $accountstr .= "service=$service "; $sessionstr .= "service=$service "; } + if ($protocol) { $accountstr .= "protocol=$protocol "; $sessionstr .= "protocol=$protocol "; } + + add_tacacs("$authstr", "auth"); + add_tacacs("$accountstr", "account"); + add_tacacs("$sessionstr", "session"); + } + else { exit 1; } +} +## end tacacs + my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf'; my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers'; my $PAM_RAD_END = '# END Vyatta Radius servers'; -- cgit v1.2.3