From 1c804685d05ad639bcb1a9ebce68a7a14268500f Mon Sep 17 00:00:00 2001 From: zsdc Date: Wed, 13 Sep 2023 13:16:20 +0300 Subject: TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+ In CLI we can choose authentication logic: - `mandatory` - if TACACS+ answered with `REJECT`, authentication must be stopped and access denied immediately. - `optional` (default) - if TACACS+ answers with `REJECT`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if TACACS+ clearly answered that access should be denied (no user in TACACS+ database, wrong password, etc.). If TACACS+ is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode. --- debian/vyos-1x.postinst | 6 +++++- debian/vyos-1x.preinst | 1 - interface-definitions/system-login.xml.in | 20 ++++++++++++++++++++ src/conf_mode/system-login.py | 11 +++++++---- src/pam-configs/tacplus | 17 ----------------- src/pam-configs/tacplus-mandatory | 19 +++++++++++++++++++ src/pam-configs/tacplus-optional | 19 +++++++++++++++++++ 7 files changed, 70 insertions(+), 23 deletions(-) delete mode 100644 src/pam-configs/tacplus create mode 100644 src/pam-configs/tacplus-mandatory create mode 100644 src/pam-configs/tacplus-optional diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst index a3c308e5f..860319edf 100644 --- a/debian/vyos-1x.postinst +++ b/debian/vyos-1x.postinst @@ -48,6 +48,11 @@ if grep -q '^tacacs' /etc/passwd; then fi fi +# Remove TACACS+ PAM default profile +if [[ -e /usr/share/pam-configs/tacplus ]]; then + rm /usr/share/pam-configs/tacplus +fi + # Add TACACS system users required for TACACS based system authentication if ! grep -q '^tacacs' /etc/passwd; then # Add the tacacs group and all 16 possible tacacs privilege-level users to @@ -66,7 +71,6 @@ if ! grep -q '^tacacs' /etc/passwd; then adduser --quiet tacacs${level} adm adduser --quiet tacacs${level} dip adduser --quiet tacacs${level} users - adduser --quiet tacacs${level} aaa if [ $level -lt 15 ]; then adduser --quiet tacacs${level} vyattaop adduser --quiet tacacs${level} operator diff --git a/debian/vyos-1x.preinst b/debian/vyos-1x.preinst index 75fa5e7f1..861c5ec88 100644 --- a/debian/vyos-1x.preinst +++ b/debian/vyos-1x.preinst @@ -2,7 +2,6 @@ dpkg-divert --package vyos-1x --add --no-rename /etc/securetty dpkg-divert --package vyos-1x --add --no-rename /etc/security/capability.conf dpkg-divert --package vyos-1x --add --no-rename /lib/systemd/system/lcdproc.service dpkg-divert --package vyos-1x --add --no-rename /etc/logrotate.d/conntrackd -dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/tacplus dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.conf dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.bashrc dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.profile diff --git a/interface-definitions/system-login.xml.in b/interface-definitions/system-login.xml.in index 71db8b1d6..30fea91b0 100644 --- a/interface-definitions/system-login.xml.in +++ b/interface-definitions/system-login.xml.in @@ -259,6 +259,26 @@ + + + Security mode for TACACS+ authentication + + mandatory optional + + + mandatory + Deny access immediately if TACACS+ answers with REJECT + + + optional + Pass to the next authentication method if TACACS+ answers with REJECT + + + (mandatory|optional) + + + optional + #include #include diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index be5ff2d4c..87a269499 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -389,11 +389,14 @@ def apply(login): pam_profile = 'radius-optional' cmd(f'pam-auth-update --enable {pam_profile}') - # Enable/Disable TACACS in PAM configuration - pam_cmd = '--remove' + # Enable/disable TACACS+ in PAM configuration + cmd('pam-auth-update --disable tacplus-mandatory tacplus-optional') if 'tacacs' in login: - pam_cmd = '--enable' - cmd(f'pam-auth-update --package {pam_cmd} tacplus') + if login['tacacs'].get('security_mode', '') == 'mandatory': + pam_profile = 'tacplus-mandatory' + else: + pam_profile = 'tacplus-optional' + cmd(f'pam-auth-update --enable {pam_profile}') return None diff --git a/src/pam-configs/tacplus b/src/pam-configs/tacplus deleted file mode 100644 index 66a1eaa4c..000000000 --- a/src/pam-configs/tacplus +++ /dev/null @@ -1,17 +0,0 @@ -Name: TACACS+ authentication -Default: no -Priority: 257 -Auth-Type: Primary -Auth: - [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet - [authinfo_unavail=ignore success=end auth_err=bad default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login - -Account-Type: Primary -Account: - [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet - [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login - -Session-Type: Additional -Session: - [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet - [authinfo_unavail=ignore success=ok default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login diff --git a/src/pam-configs/tacplus-mandatory b/src/pam-configs/tacplus-mandatory new file mode 100644 index 000000000..92da02327 --- /dev/null +++ b/src/pam-configs/tacplus-mandatory @@ -0,0 +1,19 @@ +Name: TACACS+ authentication (mandatory mode) +Default: no +Priority: 576 + +Auth-Type: Primary +Auth-Initial: + [default=ignore success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login +Auth: + [default=ignore success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login use_first_pass + +Account-Type: Primary +Account: + [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet + [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login + +Session-Type: Additional +Session: + [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet + [default=ignore success=ok perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login diff --git a/src/pam-configs/tacplus-optional b/src/pam-configs/tacplus-optional new file mode 100644 index 000000000..deed537d3 --- /dev/null +++ b/src/pam-configs/tacplus-optional @@ -0,0 +1,19 @@ +Name: TACACS+ authentication (optional mode) +Default: no +Priority: 576 + +Auth-Type: Primary +Auth-Initial: + [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login +Auth: + [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login use_first_pass + +Account-Type: Primary +Account: + [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet + [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login + +Session-Type: Additional +Session: + [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet + [default=ignore success=ok perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login -- cgit v1.2.3