diff options
| author | Christian Breunig <christian@breunig.cc> | 2024-12-16 19:51:17 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-12-16 19:51:17 +0100 |
| commit | 86b528863585e62fd398d05aa1a2e1a64dae0e45 (patch) | |
| tree | 9d182af90526a7611a19ebdc4c5cf87047d80434 | |
| parent | 4e5c65dd40fb34e501b9345f98a4541d12e70b16 (diff) | |
| parent | a1332024816b66174a96559b0be94dc9452a5ad8 (diff) | |
| download | vyos-1x-86b528863585e62fd398d05aa1a2e1a64dae0e45.tar.gz vyos-1x-86b528863585e62fd398d05aa1a2e1a64dae0e45.zip | |
Merge pull request #4238 from c-po/T6613-tacacs
tacacs: T6613: dynamically build exclude_users list to avoid TACACS traffic
| -rw-r--r-- | data/templates/login/tacplus_nss.conf.j2 | 5 | ||||
| -rwxr-xr-x | src/conf_mode/system_login.py | 15 |
2 files changed, 13 insertions, 7 deletions
diff --git a/data/templates/login/tacplus_nss.conf.j2 b/data/templates/login/tacplus_nss.conf.j2 index 2a30b1710..1c5402233 100644 --- a/data/templates/login/tacplus_nss.conf.j2 +++ b/data/templates/login/tacplus_nss.conf.j2 @@ -21,7 +21,7 @@ # Cumulus Linux ships with it set to 1001, so we never lookup our standard # local users, including the cumulus uid of 1000. Should not be greater # than the local tacacs{0..15} uids -min_uid=900 +min_uid={{ tacacs_min_uid }} # This is a comma separated list of usernames that are never sent to # a tacacs server, they cause an early not found return. @@ -30,7 +30,7 @@ min_uid=900 # that during pathname completion, bash can do an NSS lookup on "*" # To avoid server round trip delays, or worse, unreachable server delays # on filename completion, we include "*" in the exclusion list. -exclude_users=root,telegraf,radvd,strongswan,tftp,conservr,frr,ocserv,pdns,_chrony,_lldpd,sshd,openvpn,radius_user,radius_priv_user,*{{ ',' + user | join(',') if user is vyos_defined }} +exclude_users=*{{ ',' + exclude_users | join(',') if exclude_users is vyos_defined }} # The include keyword allows centralizing the tacacs+ server information # including the IP address and shared secret @@ -71,4 +71,3 @@ source_ip={{ tacacs.source_address }} # as in tacplus_servers, since tacplus_servers should not be readable # by users other than root. timeout={{ tacacs.timeout }} - diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py index 439fa645b..d3a969d9b 100755 --- a/src/conf_mode/system_login.py +++ b/src/conf_mode/system_login.py @@ -58,20 +58,21 @@ MAX_RADIUS_TIMEOUT: int = 50 MAX_RADIUS_COUNT: int = 8 # Maximum number of supported TACACS servers MAX_TACACS_COUNT: int = 8 - +# Minimum USER id for TACACS users +MIN_TACACS_UID = 900 # List of local user accounts that must be preserved SYSTEM_USER_SKIP_LIST: list = ['radius_user', 'radius_priv_user', 'tacacs0', 'tacacs1', 'tacacs2', 'tacacs3', 'tacacs4', 'tacacs5', 'tacacs6', 'tacacs7', 'tacacs8', 'tacacs9', 'tacacs10',' tacacs11', 'tacacs12', 'tacacs13', 'tacacs14', 'tacacs15'] -def get_local_users(): +def get_local_users(min_uid=MIN_USER_UID, max_uid=MAX_USER_UID): """Return list of dynamically allocated users (see Debian Policy Manual)""" local_users = [] for s_user in getpwall(): - if getpwnam(s_user.pw_name).pw_uid < MIN_USER_UID: + if getpwnam(s_user.pw_name).pw_uid < min_uid: continue - if getpwnam(s_user.pw_name).pw_uid > MAX_USER_UID: + if getpwnam(s_user.pw_name).pw_uid > max_uid: continue if s_user.pw_name in SYSTEM_USER_SKIP_LIST: continue @@ -119,6 +120,12 @@ def get_config(config=None): rm_users = [tmp for tmp in all_users if tmp not in cli_users] if rm_users: login.update({'rm_users' : rm_users}) + # Build TACACS user mapping + if 'tacacs' in login: + login['exclude_users'] = get_local_users(min_uid=0, + max_uid=MIN_TACACS_UID) + cli_users + login['tacacs_min_uid'] = MIN_TACACS_UID + return login def verify(login): |