From 1c804685d05ad639bcb1a9ebce68a7a14268500f Mon Sep 17 00:00:00 2001 From: zsdc Date: Wed, 13 Sep 2023 13:16:20 +0300 Subject: TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+ In CLI we can choose authentication logic: - `mandatory` - if TACACS+ answered with `REJECT`, authentication must be stopped and access denied immediately. - `optional` (default) - if TACACS+ answers with `REJECT`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if TACACS+ clearly answered that access should be denied (no user in TACACS+ database, wrong password, etc.). If TACACS+ is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode. --- debian/vyos-1x.postinst | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'debian/vyos-1x.postinst') diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst index a3c308e5f..860319edf 100644 --- a/debian/vyos-1x.postinst +++ b/debian/vyos-1x.postinst @@ -48,6 +48,11 @@ if grep -q '^tacacs' /etc/passwd; then fi fi +# Remove TACACS+ PAM default profile +if [[ -e /usr/share/pam-configs/tacplus ]]; then + rm /usr/share/pam-configs/tacplus +fi + # Add TACACS system users required for TACACS based system authentication if ! grep -q '^tacacs' /etc/passwd; then # Add the tacacs group and all 16 possible tacacs privilege-level users to @@ -66,7 +71,6 @@ if ! grep -q '^tacacs' /etc/passwd; then adduser --quiet tacacs${level} adm adduser --quiet tacacs${level} dip adduser --quiet tacacs${level} users - adduser --quiet tacacs${level} aaa if [ $level -lt 15 ]; then adduser --quiet tacacs${level} vyattaop adduser --quiet tacacs${level} operator -- cgit v1.2.3