author | Christian Breunig <christian@breunig.cc> | 2024-12-15 09:33:28 +0100 |
committer | Christian Breunig <christian@breunig.cc> | 2024-12-15 11:03:26 +0100 |
commit | a1332024816b66174a96559b0be94dc9452a5ad8 (patch) | |
tree | b71ba89f0bc5708daffdd5d1f884491481c7dccc /src | |
parent | eecf5daea2c24505f1b9112580577211e383cb89 (diff) | |
tacacs: T6613: dynamically build exclude_users list to avoid TACACS traffic
There is no need to send local base OS accounts like root or daemon to the
tacacs server. This will only make the CLI experience sluggish.
Build up a dynamic list of user accounts to exclude from TACACS lookup.
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/system_login.py | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py
index 439fa645b..d3a969d9b 100755
--- a/src/conf_mode/system_login.py
+++ b/src/conf_mode/system_login.py
@@ -58,20 +58,21 @@ MAX_RADIUS_TIMEOUT: int = 50
 MAX_RADIUS_COUNT: int = 8
 # Maximum number of supported TACACS servers
 MAX_TACACS_COUNT: int = 8
-
+# Minimum USER id for TACACS users
+MIN_TACACS_UID = 900
 # List of local user accounts that must be preserved
 SYSTEM_USER_SKIP_LIST: list = ['radius_user', 'radius_priv_user', 'tacacs0', 'tacacs1', 'tacacs2', 'tacacs3', 'tacacs4', 'tacacs5', 'tacacs6', 'tacacs7', 'tacacs8', 'tacacs9', 'tacacs10',' tacacs11', 'tacacs12', 'tacacs13', 'tacacs14', 'tacacs15']
 
-def get_local_users():
+def get_local_users(min_uid=MIN_USER_UID, max_uid=MAX_USER_UID):
     """Return list of dynamically allocated users (see Debian Policy Manual)"""
     local_users = []
     for s_user in getpwall():
-        if getpwnam(s_user.pw_name).pw_uid < MIN_USER_UID:
+        if getpwnam(s_user.pw_name).pw_uid < min_uid:
             continue
-        if getpwnam(s_user.pw_name).pw_uid > MAX_USER_UID:
+        if getpwnam(s_user.pw_name).pw_uid > max_uid:
             continue
         if s_user.pw_name in SYSTEM_USER_SKIP_LIST:
             continue
@@ -119,6 +120,12 @@ def get_config(config=None):
     rm_users = [tmp for tmp in all_users if tmp not in cli_users]
     if rm_users: login.update({'rm_users' : rm_users})
 
+    # Build TACACS user mapping
+    if 'tacacs' in login:
+        login['exclude_users'] = get_local_users(min_uid=0,
+                                                 max_uid=MIN_TACACS_UID) + cli_users
+        login['tacacs_min_uid'] = MIN_TACACS_UID
+
     return login
 
 def verify(login): |
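Review bot: The two rewritten comparisons in get_local_users still call getpwnam(s_user.pw_name) to fetch a uid that the getpwall() entry already carries, so each account costs two extra NSS lookups; binding `uid = s_user.pw_uid` once per iteration and testing `if uid < min_uid or uid > max_uid: continue` removes them without changing the result. This matters more after this commit because get_config now also calls the function with min_uid=0, which visits every account in the passwd database, and where an NSS module consults a remote backend those lookups are presumably traffic of the kind the commit sets out to avoid (this depends on the nsswitch configuration, which is not visible here). The new constant also lacks the annotation its neighbours carry: `MIN_TACACS_UID: int = 900`. The body of get_local_users continues below the hunk.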
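Review bot: get_local_users treats max_uid as inclusive (it skips only `pw_uid > max_uid`), so the call with max_uid=MIN_TACACS_UID puts an account with uid exactly 900 into exclude_users while the same value is passed to the template as tacacs_min_uid; whether uid 900 belongs to the local or to the TACACS range should be decided once, e.g. `max_uid=MIN_TACACS_UID - 1` if 900 is the first TACACS uid, and stated next to the constant. Note also that names in SYSTEM_USER_SKIP_LIST (radius_user, radius_priv_user, the tacacsN accounts) are never returned by get_local_users, so they are absent from exclude_users whatever their uid; if that is intended, a comment such as `# SYSTEM_USER_SKIP_LIST accounts are not listed here; they are expected to be covered by tacacs_min_uid` would save the next reader a lookup. The pre-existing `' tacacs11'` entry in that list carries a leading space and therefore never matches an account name. get_config starts above the hunk.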