diff options
| author | zsdc <taras@vyos.io> | 2023-09-13 13:16:20 +0300 |
|---|---|---|
| committer | zsdc <taras@vyos.io> | 2023-09-13 21:02:32 +0300 |
| commit | 1c804685d05ad639bcb1a9ebce68a7a14268500f (patch) | |
| tree | b42c8e4ec1e0fa06699966ff6b72ba8b9f3415dd | |
| parent | 5181ab60bb6d936505967d6667adc12c5ecb9b64 (diff) | |
| download | vyos-1x-1c804685d05ad639bcb1a9ebce68a7a14268500f.tar.gz vyos-1x-1c804685d05ad639bcb1a9ebce68a7a14268500f.zip | |
TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+
In CLI we can choose authentication logic:
- `mandatory` - if TACACS+ answered with `REJECT`, authentication must be
stopped and access denied immediately.
- `optional` (default) - if TACACS+ answers with `REJECT`, authentication
continues using the next module.
In `mandatory` mode authentication will be stopped only if TACACS+ clearly
answered that access should be denied (no user in TACACS+ database, wrong
password, etc.). If TACACS+ is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
| -rw-r--r-- | debian/vyos-1x.postinst | 6 | ||||
| -rw-r--r-- | debian/vyos-1x.preinst | 1 | ||||
| -rw-r--r-- | interface-definitions/system-login.xml.in | 20 | ||||
| -rwxr-xr-x | src/conf_mode/system-login.py | 11 | ||||
| -rw-r--r-- | src/pam-configs/tacplus | 17 | ||||
| -rw-r--r-- | src/pam-configs/tacplus-mandatory | 19 | ||||
| -rw-r--r-- | src/pam-configs/tacplus-optional | 19 |
7 files changed, 70 insertions, 23 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst index a3c308e5f..860319edf 100644 --- a/debian/vyos-1x.postinst +++ b/debian/vyos-1x.postinst @@ -48,6 +48,11 @@ if grep -q '^tacacs' /etc/passwd; then fi fi +# Remove TACACS+ PAM default profile +if [[ -e /usr/share/pam-configs/tacplus ]]; then + rm /usr/share/pam-configs/tacplus +fi + # Add TACACS system users required for TACACS based system authentication if ! grep -q '^tacacs' /etc/passwd; then # Add the tacacs group and all 16 possible tacacs privilege-level users to @@ -66,7 +71,6 @@ if ! grep -q '^tacacs' /etc/passwd; then adduser --quiet tacacs${level} adm adduser --quiet tacacs${level} dip adduser --quiet tacacs${level} users - adduser --quiet tacacs${level} aaa if [ $level -lt 15 ]; then adduser --quiet tacacs${level} vyattaop adduser --quiet tacacs${level} operator diff --git a/debian/vyos-1x.preinst b/debian/vyos-1x.preinst index 75fa5e7f1..861c5ec88 100644 --- a/debian/vyos-1x.preinst +++ b/debian/vyos-1x.preinst @@ -2,7 +2,6 @@ dpkg-divert --package vyos-1x --add --no-rename /etc/securetty dpkg-divert --package vyos-1x --add --no-rename /etc/security/capability.conf dpkg-divert --package vyos-1x --add --no-rename /lib/systemd/system/lcdproc.service dpkg-divert --package vyos-1x --add --no-rename /etc/logrotate.d/conntrackd -dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/tacplus dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.conf dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.bashrc dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.profile diff --git a/interface-definitions/system-login.xml.in b/interface-definitions/system-login.xml.in index 71db8b1d6..30fea91b0 100644 --- a/interface-definitions/system-login.xml.in +++ b/interface-definitions/system-login.xml.in @@ -259,6 +259,26 @@ </constraint> </properties> </leafNode> + <leafNode name="security-mode"> + <properties> + <help>Security mode for TACACS+ authentication</help> + <completionHelp> + <list>mandatory optional</list> + </completionHelp> + <valueHelp> + <format>mandatory</format> + <description>Deny access immediately if TACACS+ answers with REJECT</description> + </valueHelp> + <valueHelp> + <format>optional</format> + <description>Pass to the next authentication method if TACACS+ answers with REJECT</description> + </valueHelp> + <constraint> + <regex>(mandatory|optional)</regex> + </constraint> + </properties> + <defaultValue>optional</defaultValue> + </leafNode> #include <include/radius-timeout.xml.i> #include <include/interface/vrf.xml.i> </children> diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index be5ff2d4c..87a269499 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -389,11 +389,14 @@ def apply(login): pam_profile = 'radius-optional' cmd(f'pam-auth-update --enable {pam_profile}') - # Enable/Disable TACACS in PAM configuration - pam_cmd = '--remove' + # Enable/disable TACACS+ in PAM configuration + cmd('pam-auth-update --disable tacplus-mandatory tacplus-optional') if 'tacacs' in login: - pam_cmd = '--enable' - cmd(f'pam-auth-update --package {pam_cmd} tacplus') + if login['tacacs'].get('security_mode', '') == 'mandatory': + pam_profile = 'tacplus-mandatory' + else: + pam_profile = 'tacplus-optional' + cmd(f'pam-auth-update --enable {pam_profile}') return None diff --git a/src/pam-configs/tacplus b/src/pam-configs/tacplus deleted file mode 100644 index 66a1eaa4c..000000000 --- a/src/pam-configs/tacplus +++ /dev/null @@ -1,17 +0,0 @@ -Name: TACACS+ authentication -Default: no -Priority: 257 -Auth-Type: Primary -Auth: - [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet - [authinfo_unavail=ignore success=end auth_err=bad default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login - -Account-Type: Primary -Account: - [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet - [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login - -Session-Type: Additional -Session: - [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet - [authinfo_unavail=ignore success=ok default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login diff --git a/src/pam-configs/tacplus-mandatory b/src/pam-configs/tacplus-mandatory new file mode 100644 index 000000000..92da02327 --- /dev/null +++ b/src/pam-configs/tacplus-mandatory @@ -0,0 +1,19 @@ +Name: TACACS+ authentication (mandatory mode) +Default: no +Priority: 576 + +Auth-Type: Primary +Auth-Initial: + [default=ignore success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login +Auth: + [default=ignore success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login use_first_pass + +Account-Type: Primary +Account: + [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet + [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login + +Session-Type: Additional +Session: + [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet + [default=ignore success=ok perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login diff --git a/src/pam-configs/tacplus-optional b/src/pam-configs/tacplus-optional new file mode 100644 index 000000000..deed537d3 --- /dev/null +++ b/src/pam-configs/tacplus-optional @@ -0,0 +1,19 @@ +Name: TACACS+ authentication (optional mode) +Default: no +Priority: 576 + +Auth-Type: Primary +Auth-Initial: + [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login +Auth: + [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login use_first_pass + +Account-Type: Primary +Account: + [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet + [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login + +Session-Type: Additional +Session: + [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet + [default=ignore success=ok perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login |