summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorzsdc <taras@vyos.io>2023-09-13 13:16:20 +0300
committerzsdc <taras@vyos.io>2023-11-20 18:46:24 +0200
commit5d712700d6b8db43e36ad5f2a9f8792203bb12d0 (patch)
tree57ca0315aaa64984a0bded43e22b3d0f53e3e2e1
parent2a023b878471500bd78962ca94d9174a328ce5c9 (diff)
downloadvyos-1x-5d712700d6b8db43e36ad5f2a9f8792203bb12d0.tar.gz
vyos-1x-5d712700d6b8db43e36ad5f2a9f8792203bb12d0.zip
TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+
In CLI we can choose authentication logic: - `mandatory` - if TACACS+ answered with `REJECT`, authentication must be stopped and access denied immediately. - `optional` (default) - if TACACS+ answers with `REJECT`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if TACACS+ clearly answered that access should be denied (no user in TACACS+ database, wrong password, etc.). If TACACS+ is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
-rw-r--r--debian/vyos-1x.postinst6
-rw-r--r--debian/vyos-1x.preinst1
-rw-r--r--interface-definitions/system-login.xml.in20
-rwxr-xr-xsrc/conf_mode/system-login.py11
-rw-r--r--src/pam-configs/tacplus17
-rw-r--r--src/pam-configs/tacplus-mandatory19
-rw-r--r--src/pam-configs/tacplus-optional19
7 files changed, 70 insertions, 23 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 837fcf995..22b50ce2a 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -48,6 +48,11 @@ if grep -q '^tacacs' /etc/passwd; then
fi
fi
+# Remove TACACS+ PAM default profile
+if [[ -e /usr/share/pam-configs/tacplus ]]; then
+ rm /usr/share/pam-configs/tacplus
+fi
+
# Add TACACS system users required for TACACS based system authentication
if ! grep -q '^tacacs' /etc/passwd; then
# Add the tacacs group and all 16 possible tacacs privilege-level users to
@@ -66,7 +71,6 @@ if ! grep -q '^tacacs' /etc/passwd; then
adduser --quiet tacacs${level} adm
adduser --quiet tacacs${level} dip
adduser --quiet tacacs${level} users
- adduser --quiet tacacs${level} aaa
if [ $level -lt 15 ]; then
adduser --quiet tacacs${level} vyattaop
adduser --quiet tacacs${level} operator
diff --git a/debian/vyos-1x.preinst b/debian/vyos-1x.preinst
index df99661b1..fbfc85566 100644
--- a/debian/vyos-1x.preinst
+++ b/debian/vyos-1x.preinst
@@ -2,7 +2,6 @@ dpkg-divert --package vyos-1x --add --no-rename /etc/securetty
dpkg-divert --package vyos-1x --add --no-rename /etc/security/capability.conf
dpkg-divert --package vyos-1x --add --no-rename /lib/systemd/system/lcdproc.service
dpkg-divert --package vyos-1x --add --no-rename /etc/logrotate.d/conntrackd
-dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/tacplus
dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.conf
dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.bashrc
dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.profile
diff --git a/interface-definitions/system-login.xml.in b/interface-definitions/system-login.xml.in
index a0eda9045..be0145b4f 100644
--- a/interface-definitions/system-login.xml.in
+++ b/interface-definitions/system-login.xml.in
@@ -244,6 +244,26 @@
</leafNode>
</children>
</tagNode>
+ <leafNode name="security-mode">
+ <properties>
+ <help>Security mode for TACACS+ authentication</help>
+ <completionHelp>
+ <list>mandatory optional</list>
+ </completionHelp>
+ <valueHelp>
+ <format>mandatory</format>
+ <description>Deny access immediately if TACACS+ answers with REJECT</description>
+ </valueHelp>
+ <valueHelp>
+ <format>optional</format>
+ <description>Pass to the next authentication method if TACACS+ answers with REJECT</description>
+ </valueHelp>
+ <constraint>
+ <regex>(mandatory|optional)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>optional</defaultValue>
+ </leafNode>
#include <include/source-address-ipv4.xml.i>
#include <include/radius-timeout.xml.i>
#include <include/interface/vrf.xml.i>
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index be5ff2d4c..87a269499 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -389,11 +389,14 @@ def apply(login):
pam_profile = 'radius-optional'
cmd(f'pam-auth-update --enable {pam_profile}')
- # Enable/Disable TACACS in PAM configuration
- pam_cmd = '--remove'
+ # Enable/disable TACACS+ in PAM configuration
+ cmd('pam-auth-update --disable tacplus-mandatory tacplus-optional')
if 'tacacs' in login:
- pam_cmd = '--enable'
- cmd(f'pam-auth-update --package {pam_cmd} tacplus')
+ if login['tacacs'].get('security_mode', '') == 'mandatory':
+ pam_profile = 'tacplus-mandatory'
+ else:
+ pam_profile = 'tacplus-optional'
+ cmd(f'pam-auth-update --enable {pam_profile}')
return None
diff --git a/src/pam-configs/tacplus b/src/pam-configs/tacplus
deleted file mode 100644
index 66a1eaa4c..000000000
--- a/src/pam-configs/tacplus
+++ /dev/null
@@ -1,17 +0,0 @@
-Name: TACACS+ authentication
-Default: no
-Priority: 257
-Auth-Type: Primary
-Auth:
- [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
- [authinfo_unavail=ignore success=end auth_err=bad default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login
-
-Account-Type: Primary
-Account:
- [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
- [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login
-
-Session-Type: Additional
-Session:
- [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
- [authinfo_unavail=ignore success=ok default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login
diff --git a/src/pam-configs/tacplus-mandatory b/src/pam-configs/tacplus-mandatory
new file mode 100644
index 000000000..92da02327
--- /dev/null
+++ b/src/pam-configs/tacplus-mandatory
@@ -0,0 +1,19 @@
+Name: TACACS+ authentication (mandatory mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth-Initial:
+ [default=ignore success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
+Auth:
+ [default=ignore success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login use_first_pass
+
+Account-Type: Primary
+Account:
+ [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
+ [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
+
+Session-Type: Additional
+Session:
+ [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
+ [default=ignore success=ok perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
diff --git a/src/pam-configs/tacplus-optional b/src/pam-configs/tacplus-optional
new file mode 100644
index 000000000..deed537d3
--- /dev/null
+++ b/src/pam-configs/tacplus-optional
@@ -0,0 +1,19 @@
+Name: TACACS+ authentication (optional mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth-Initial:
+ [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login
+Auth:
+ [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login use_first_pass
+
+Account-Type: Primary
+Account:
+ [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
+ [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
+
+Session-Type: Additional
+Session:
+ [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
+ [default=ignore success=ok perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login