diff options
| -rw-r--r-- | data/templates/login/tacplus_nss.conf.j2 | 5 | ||||
| -rwxr-xr-x | src/conf_mode/system_login.py | 15 |
2 files changed, 13 insertions, 7 deletions
diff --git a/data/templates/login/tacplus_nss.conf.j2 b/data/templates/login/tacplus_nss.conf.j2 index 2a30b1710..1c5402233 100644 --- a/data/templates/login/tacplus_nss.conf.j2 +++ b/data/templates/login/tacplus_nss.conf.j2 @@ -21,7 +21,7 @@ # Cumulus Linux ships with it set to 1001, so we never lookup our standard # local users, including the cumulus uid of 1000. Should not be greater # than the local tacacs{0..15} uids -min_uid=900 +min_uid={{ tacacs_min_uid }} # This is a comma separated list of usernames that are never sent to # a tacacs server, they cause an early not found return. @@ -30,7 +30,7 @@ min_uid=900 # that during pathname completion, bash can do an NSS lookup on "*" # To avoid server round trip delays, or worse, unreachable server delays # on filename completion, we include "*" in the exclusion list. -exclude_users=root,telegraf,radvd,strongswan,tftp,conservr,frr,ocserv,pdns,_chrony,_lldpd,sshd,openvpn,radius_user,radius_priv_user,*{{ ',' + user | join(',') if user is vyos_defined }} +exclude_users=*{{ ',' + exclude_users | join(',') if exclude_users is vyos_defined }} # The include keyword allows centralizing the tacacs+ server information # including the IP address and shared secret @@ -71,4 +71,3 @@ source_ip={{ tacacs.source_address }} # as in tacplus_servers, since tacplus_servers should not be readable # by users other than root. timeout={{ tacacs.timeout }} - diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py index 439fa645b..d3a969d9b 100755 --- a/src/conf_mode/system_login.py +++ b/src/conf_mode/system_login.py @@ -58,20 +58,21 @@ MAX_RADIUS_TIMEOUT: int = 50 MAX_RADIUS_COUNT: int = 8 # Maximum number of supported TACACS servers MAX_TACACS_COUNT: int = 8 - +# Minimum USER id for TACACS users +MIN_TACACS_UID = 900 # List of local user accounts that must be preserved SYSTEM_USER_SKIP_LIST: list = ['radius_user', 'radius_priv_user', 'tacacs0', 'tacacs1', 'tacacs2', 'tacacs3', 'tacacs4', 'tacacs5', 'tacacs6', 'tacacs7', 'tacacs8', 'tacacs9', 'tacacs10',' tacacs11', 'tacacs12', 'tacacs13', 'tacacs14', 'tacacs15'] -def get_local_users(): +def get_local_users(min_uid=MIN_USER_UID, max_uid=MAX_USER_UID): """Return list of dynamically allocated users (see Debian Policy Manual)""" local_users = [] for s_user in getpwall(): - if getpwnam(s_user.pw_name).pw_uid < MIN_USER_UID: + if getpwnam(s_user.pw_name).pw_uid < min_uid: continue - if getpwnam(s_user.pw_name).pw_uid > MAX_USER_UID: + if getpwnam(s_user.pw_name).pw_uid > max_uid: continue if s_user.pw_name in SYSTEM_USER_SKIP_LIST: continue @@ -119,6 +120,12 @@ def get_config(config=None): rm_users = [tmp for tmp in all_users if tmp not in cli_users] if rm_users: login.update({'rm_users' : rm_users}) + # Build TACACS user mapping + if 'tacacs' in login: + login['exclude_users'] = get_local_users(min_uid=0, + max_uid=MIN_TACACS_UID) + cli_users + login['tacacs_min_uid'] = MIN_TACACS_UID + return login def verify(login): |