diff options
| author | Christian Breunig <christian@breunig.cc> | 2024-12-15 09:33:28 +0100 |
|---|---|---|
| committer | Christian Breunig <christian@breunig.cc> | 2024-12-15 11:03:26 +0100 |
| commit | a1332024816b66174a96559b0be94dc9452a5ad8 (patch) | |
| tree | b71ba89f0bc5708daffdd5d1f884491481c7dccc | |
| parent | eecf5daea2c24505f1b9112580577211e383cb89 (diff) | |
| download | vyos-1x-a1332024816b66174a96559b0be94dc9452a5ad8.tar.gz vyos-1x-a1332024816b66174a96559b0be94dc9452a5ad8.zip | |
tacacs: T6613: dynamically build exclude_users list to avoid TACACS traffic
There is no need to send local base OS accounts like root or daemon to the
tacacs server. This will only make the CLI experience sluggish.
Build up a dynamic list of user accounts to exclude from TACACS lookup.
| -rw-r--r-- | data/templates/login/tacplus_nss.conf.j2 | 5 | ||||
| -rwxr-xr-x | src/conf_mode/system_login.py | 15 |
2 files changed, 13 insertions, 7 deletions
diff --git a/data/templates/login/tacplus_nss.conf.j2 b/data/templates/login/tacplus_nss.conf.j2 index 2a30b1710..1c5402233 100644 --- a/data/templates/login/tacplus_nss.conf.j2 +++ b/data/templates/login/tacplus_nss.conf.j2 @@ -21,7 +21,7 @@ # Cumulus Linux ships with it set to 1001, so we never lookup our standard # local users, including the cumulus uid of 1000. Should not be greater # than the local tacacs{0..15} uids -min_uid=900 +min_uid={{ tacacs_min_uid }} # This is a comma separated list of usernames that are never sent to # a tacacs server, they cause an early not found return. @@ -30,7 +30,7 @@ min_uid=900 # that during pathname completion, bash can do an NSS lookup on "*" # To avoid server round trip delays, or worse, unreachable server delays # on filename completion, we include "*" in the exclusion list. -exclude_users=root,telegraf,radvd,strongswan,tftp,conservr,frr,ocserv,pdns,_chrony,_lldpd,sshd,openvpn,radius_user,radius_priv_user,*{{ ',' + user | join(',') if user is vyos_defined }} +exclude_users=*{{ ',' + exclude_users | join(',') if exclude_users is vyos_defined }} # The include keyword allows centralizing the tacacs+ server information # including the IP address and shared secret @@ -71,4 +71,3 @@ source_ip={{ tacacs.source_address }} # as in tacplus_servers, since tacplus_servers should not be readable # by users other than root. timeout={{ tacacs.timeout }} - diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py index 439fa645b..d3a969d9b 100755 --- a/src/conf_mode/system_login.py +++ b/src/conf_mode/system_login.py @@ -58,20 +58,21 @@ MAX_RADIUS_TIMEOUT: int = 50 MAX_RADIUS_COUNT: int = 8 # Maximum number of supported TACACS servers MAX_TACACS_COUNT: int = 8 - +# Minimum USER id for TACACS users +MIN_TACACS_UID = 900 # List of local user accounts that must be preserved SYSTEM_USER_SKIP_LIST: list = ['radius_user', 'radius_priv_user', 'tacacs0', 'tacacs1', 'tacacs2', 'tacacs3', 'tacacs4', 'tacacs5', 'tacacs6', 'tacacs7', 'tacacs8', 'tacacs9', 'tacacs10',' tacacs11', 'tacacs12', 'tacacs13', 'tacacs14', 'tacacs15'] -def get_local_users(): +def get_local_users(min_uid=MIN_USER_UID, max_uid=MAX_USER_UID): """Return list of dynamically allocated users (see Debian Policy Manual)""" local_users = [] for s_user in getpwall(): - if getpwnam(s_user.pw_name).pw_uid < MIN_USER_UID: + if getpwnam(s_user.pw_name).pw_uid < min_uid: continue - if getpwnam(s_user.pw_name).pw_uid > MAX_USER_UID: + if getpwnam(s_user.pw_name).pw_uid > max_uid: continue if s_user.pw_name in SYSTEM_USER_SKIP_LIST: continue @@ -119,6 +120,12 @@ def get_config(config=None): rm_users = [tmp for tmp in all_users if tmp not in cli_users] if rm_users: login.update({'rm_users' : rm_users}) + # Build TACACS user mapping + if 'tacacs' in login: + login['exclude_users'] = get_local_users(min_uid=0, + max_uid=MIN_TACACS_UID) + cli_users + login['tacacs_min_uid'] = MIN_TACACS_UID + return login def verify(login): |