path: root/src/pam-configs/tacplus-optional
author    zsdc <taras@vyos.io>  2023-09-19 21:03:51 +0300
committer zsdc <taras@vyos.io>  2023-09-19 21:03:51 +0300
commit    784fb7dc2ccc63789ed85d803e3ae41eef0e0253 (patch)
tree      39406e6df65ca07b431ac41605a47ce6c786186f /src/pam-configs/tacplus-optional
parent    1c804685d05ad639bcb1a9ebce68a7a14268500f (diff)
pam: T5577: Improved PAM configs for RADIUS and TACACS+
After source analysis, we found the following possible return statuses for PAM modules:

1. pam_tacplus

   Auth:
   - PAM_AUTH_ERR
   - PAM_AUTHINFO_UNAVAIL
   - PAM_AUTHTOK_ERR
   - PAM_BUF_ERR
   - PAM_CRED_INSUFFICIENT
   - PAM_PERM_DENIED
   - PAM_SUCCESS
   - PAM_USER_UNKNOWN

   Account:
   - PAM_AUTH_ERR
   - PAM_AUTHINFO_UNAVAIL
   - PAM_PERM_DENIED
   - PAM_SUCCESS
   - PAM_USER_UNKNOWN

   Session:
   - PAM_AUTHINFO_UNAVAIL
   - PAM_SESSION_ERR
   - PAM_SUCCESS
   - PAM_USER_UNKNOWN

2. pam_radius_auth

   Auth:
   - PAM_ABORT
   - PAM_AUTH_ERR
   - PAM_AUTHINFO_UNAVAIL
   - PAM_AUTHTOK_ERR
   - PAM_BAD_ITEM
   - PAM_BUF_ERR
   - PAM_CONV_AGAIN
   - PAM_CONV_ERR
   - PAM_IGNORE
   - PAM_NO_MODULE_DATA
   - PAM_PERM_DENIED
   - PAM_SUCCESS
   - PAM_SYSTEM_ERR
   - PAM_USER_UNKNOWN

   Account:
   - PAM_SUCCESS

   Session:
   - PAM_ABORT
   - PAM_AUTHINFO_UNAVAIL
   - PAM_BAD_ITEM
   - PAM_BUF_ERR
   - PAM_CONV_AGAIN
   - PAM_CONV_ERR
   - PAM_IGNORE
   - PAM_NO_MODULE_DATA
   - PAM_PERM_DENIED
   - PAM_SUCCESS
   - PAM_SYSTEM_ERR
   - PAM_USER_UNKNOWN

PAM configurations were replaced with tuned versions to take this into account.
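As an added example (not code from the vyos-1x commit or its author), the script below cross-checks the pam-auth-update control fields from the diff on this page against the return-status lists in the commit message. It goes one step beyond the commit: it also flags control entries that name a status the module never returns (no-op mappings) and non-success statuses that end up on the ignore action. The status sets and the four control lines are copied from this page; the helper names (`parse_control`, `classify`, `fail_open`) and the `PAM_TACPLUS_RETURNS` table are constructed here.

```python
# Added example (not part of the vyos-1x commit): check a pam.conf(5)-style
# bracketed control field "[value1=action1 value2=action2 ...]" against the
# set of statuses a module can actually return.
import re

# Return statuses for pam_tacplus as listed in the commit message (constructed
# from that list; lower-cased and without the PAM_ prefix, which is how
# pam.conf(5) spells them inside a control field).
PAM_TACPLUS_RETURNS = {
    "auth": {"auth_err", "authinfo_unavail", "authtok_err", "buf_err",
             "cred_insufficient", "perm_denied", "success", "user_unknown"},
    "account": {"auth_err", "authinfo_unavail", "perm_denied", "success",
                "user_unknown"},
    "session": {"authinfo_unavail", "session_err", "success", "user_unknown"},
}

# Control lines copied from the diff on this page (old = removed, new = added).
OLD_ACCOUNT = ("[default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] "
               "pam_tacplus.so include=/etc/tacplus_servers login=login")
NEW_ACCOUNT = ("[default=ignore success=end auth_err=bad perm_denied=bad user_unknown=bad] "
               "pam_tacplus.so include=/etc/tacplus_servers login=login")
OLD_SESSION = ("[default=ignore success=ok perm_denied=bad auth_err=bad] "
               "pam_tacplus.so include=/etc/tacplus_servers login=login")
NEW_SESSION = ("[default=ignore success=ok session_err=bad user_unknown=bad] "
               "pam_tacplus.so include=/etc/tacplus_servers login=login")

CONTROL_RE = re.compile(r"^\s*\[(?P<ctrl>[^\]]+)\]\s+(?P<module>\S+)")


def parse_control(line):
    """Split a bracketed control line into (module, {status: action})."""
    m = CONTROL_RE.match(line)
    if not m:
        raise ValueError(f"not a bracketed control line: {line!r}")
    actions = {}
    for token in m.group("ctrl").split():
        status, _, action = token.partition("=")
        if not action:
            raise ValueError(f"malformed token {token!r} in {line!r}")
        actions[status.lower()] = action
    return m.group("module"), actions


def classify(line, possible):
    """Return (explicit, defaulted, dead).

    explicit:  possible statuses that have their own value=action entry
    defaulted: possible statuses that fall to default= (pam.conf(5): when no
               default= is given, unlisted return codes act as 'bad')
    dead:      mapped statuses the module cannot return, i.e. no-op entries
    """
    _, actions = parse_control(line)
    default = actions.get("default", "bad")
    explicit = {s: actions[s] for s in sorted(possible) if s in actions}
    defaulted = {s: default for s in sorted(possible) if s not in actions}
    dead = {s for s in actions if s != "default" and s not in possible}
    return explicit, defaulted, dead


def fail_open(line, possible):
    """Non-success statuses the module can return that end up on 'ignore',
    i.e. a failure of this module that does not affect the stack result."""
    explicit, defaulted, _ = classify(line, possible)
    merged = {**explicit, **defaulted}
    return {s for s, act in merged.items() if s != "success" and act == "ignore"}


if __name__ == "__main__":
    for label, line, kind in (("old account", OLD_ACCOUNT, "account"),
                              ("new account", NEW_ACCOUNT, "account"),
                              ("old session", OLD_SESSION, "session"),
                              ("new session", NEW_SESSION, "session")):
        possible = PAM_TACPLUS_RETURNS[kind]
        explicit, defaulted, dead = classify(line, possible)
        print(f"{label}: explicit={explicit} defaulted={defaulted} dead={sorted(dead)}")
        print(f"  non-success statuses ignored: {sorted(fail_open(line, possible))}")
```

Running it shows what the diff changes: the old session line mapped perm_denied and auth_err, which pam_tacplus never returns from a session call, while session_err and user_unknown fell to ignore; the new line maps exactly the listed statuses. In both the old and new account and session lines, authinfo_unavail (server unreachable) still lands on the default ignore action, which is the one status worth a deliberate decision for this profile.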
Diffstat (limited to 'src/pam-configs/tacplus-optional')
-rw-r--r--  src/pam-configs/tacplus-optional  8
1 files changed, 3 insertions, 5 deletions
diff --git a/src/pam-configs/tacplus-optional b/src/pam-configs/tacplus-optional
index deed537d3..095c3a164 100644
--- a/src/pam-configs/tacplus-optional
+++ b/src/pam-configs/tacplus-optional
@@ -3,17 +3,15 @@ Default: no
Priority: 576
Auth-Type: Primary
-Auth-Initial:
- [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login
Auth:
- [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login use_first_pass
+ [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login
Account-Type: Primary
Account:
[default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
- [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
+ [default=ignore success=end auth_err=bad perm_denied=bad user_unknown=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
Session-Type: Additional
Session:
[default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
- [default=ignore success=ok perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
+ [default=ignore success=ok session_err=bad user_unknown=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
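Review bot: In both the new Account line and the new Session line, PAM_AUTHINFO_UNAVAIL, which the commit message lists as a possible return from pam_tacplus for account and session, is left on `default=ignore`, so for a user in the tacacs group an unreachable TACACS+ server skips the account and session checks rather than failing them; if that fail-open is the intended meaning of the "optional" profile, state it in the commit message, otherwise map it explicitly, e.g. `[default=ignore success=end auth_err=bad perm_denied=bad user_unknown=bad authinfo_unavail=bad]`. Separately, removing the Auth-Initial block and dropping `use_first_pass` from the Auth line means pam_tacplus prompts for the password itself even when it is not the first module in the stack; `try_first_pass` (if this pam_tacplus build accepts it) would reuse a password an earlier module already collected and prompt only when none is available.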