From 2a023b878471500bd78962ca94d9174a328ce5c9 Mon Sep 17 00:00:00 2001
From: zsdc <taras@vyos.io>
Date: Wed, 13 Sep 2023 12:41:04 +0300
Subject: RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUS

In CLI we can choose authentication logic:

  - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must
  be stopped and access denied immediately.
  - `optional` (default) - if RADIUS answers with `Access-Reject`,
  authentication continues using the next module.

In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
---
 debian/vyos-1x.preinst | 1 -
 1 file changed, 1 deletion(-)

(limited to 'debian/vyos-1x.preinst')

diff --git a/debian/vyos-1x.preinst b/debian/vyos-1x.preinst
index 12866cd55..df99661b1 100644
--- a/debian/vyos-1x.preinst
+++ b/debian/vyos-1x.preinst
@@ -2,7 +2,6 @@ dpkg-divert --package vyos-1x --add --no-rename /etc/securetty
 dpkg-divert --package vyos-1x --add --no-rename /etc/security/capability.conf
 dpkg-divert --package vyos-1x --add --no-rename /lib/systemd/system/lcdproc.service
 dpkg-divert --package vyos-1x --add --no-rename /etc/logrotate.d/conntrackd
-dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/radius
 dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/tacplus
 dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.conf
 dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.bashrc
-- 
cgit v1.2.3


From 5d712700d6b8db43e36ad5f2a9f8792203bb12d0 Mon Sep 17 00:00:00 2001
From: zsdc <taras@vyos.io>
Date: Wed, 13 Sep 2023 13:16:20 +0300
Subject: TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+

In CLI we can choose authentication logic:

  - `mandatory` - if TACACS+ answered with `REJECT`, authentication must be
  stopped and access denied immediately.
  - `optional` (default) - if TACACS+ answers with `REJECT`, authentication
  continues using the next module.

In `mandatory` mode authentication will be stopped only if TACACS+ clearly
answered that access should be denied (no user in TACACS+ database, wrong
password, etc.). If TACACS+ is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
---
 debian/vyos-1x.postinst                   |  6 +++++-
 debian/vyos-1x.preinst                    |  1 -
 interface-definitions/system-login.xml.in | 20 ++++++++++++++++++++
 src/conf_mode/system-login.py             | 11 +++++++----
 src/pam-configs/tacplus                   | 17 -----------------
 src/pam-configs/tacplus-mandatory         | 19 +++++++++++++++++++
 src/pam-configs/tacplus-optional          | 19 +++++++++++++++++++
 7 files changed, 70 insertions(+), 23 deletions(-)
 delete mode 100644 src/pam-configs/tacplus
 create mode 100644 src/pam-configs/tacplus-mandatory
 create mode 100644 src/pam-configs/tacplus-optional

(limited to 'debian/vyos-1x.preinst')

diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 837fcf995..22b50ce2a 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -48,6 +48,11 @@ if grep -q '^tacacs' /etc/passwd; then
     fi
 fi
 
+# Remove TACACS+ PAM default profile
+if [[ -e /usr/share/pam-configs/tacplus ]]; then
+    rm /usr/share/pam-configs/tacplus
+fi
+
 # Add TACACS system users required for TACACS based system authentication
 if ! grep -q '^tacacs' /etc/passwd; then
     # Add the tacacs group and all 16 possible tacacs privilege-level users to
@@ -66,7 +71,6 @@ if ! grep -q '^tacacs' /etc/passwd; then
         adduser --quiet tacacs${level} adm
         adduser --quiet tacacs${level} dip
         adduser --quiet tacacs${level} users
-        adduser --quiet tacacs${level} aaa
         if [ $level -lt 15 ]; then
             adduser --quiet tacacs${level} vyattaop
             adduser --quiet tacacs${level} operator
diff --git a/debian/vyos-1x.preinst b/debian/vyos-1x.preinst
index df99661b1..fbfc85566 100644
--- a/debian/vyos-1x.preinst
+++ b/debian/vyos-1x.preinst
@@ -2,7 +2,6 @@ dpkg-divert --package vyos-1x --add --no-rename /etc/securetty
 dpkg-divert --package vyos-1x --add --no-rename /etc/security/capability.conf
 dpkg-divert --package vyos-1x --add --no-rename /lib/systemd/system/lcdproc.service
 dpkg-divert --package vyos-1x --add --no-rename /etc/logrotate.d/conntrackd
-dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/tacplus
 dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.conf
 dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.bashrc
 dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.profile
diff --git a/interface-definitions/system-login.xml.in b/interface-definitions/system-login.xml.in
index a0eda9045..be0145b4f 100644
--- a/interface-definitions/system-login.xml.in
+++ b/interface-definitions/system-login.xml.in
@@ -244,6 +244,26 @@
                   </leafNode>
                 </children>
               </tagNode>
+              <leafNode name="security-mode">
+                <properties>
+                  <help>Security mode for TACACS+ authentication</help>
+                  <completionHelp>
+                    <list>mandatory optional</list>
+                  </completionHelp>
+                  <valueHelp>
+                    <format>mandatory</format>
+                    <description>Deny access immediately if TACACS+ answers with REJECT</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>optional</format>
+                    <description>Pass to the next authentication method if TACACS+ answers with REJECT</description>
+                  </valueHelp>
+                  <constraint>
+                    <regex>(mandatory|optional)</regex>
+                  </constraint>
+                </properties>
+                <defaultValue>optional</defaultValue>
+              </leafNode>
               #include <include/source-address-ipv4.xml.i>
               #include <include/radius-timeout.xml.i>
               #include <include/interface/vrf.xml.i>
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index be5ff2d4c..87a269499 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -389,11 +389,14 @@ def apply(login):
             pam_profile = 'radius-optional'
         cmd(f'pam-auth-update --enable {pam_profile}')
 
-    # Enable/Disable TACACS in PAM configuration
-    pam_cmd = '--remove'
+    # Enable/disable TACACS+ in PAM configuration
+    cmd('pam-auth-update --disable tacplus-mandatory tacplus-optional')
     if 'tacacs' in login:
-        pam_cmd = '--enable'
-    cmd(f'pam-auth-update --package {pam_cmd} tacplus')
+        if login['tacacs'].get('security_mode', '') == 'mandatory':
+            pam_profile = 'tacplus-mandatory'
+        else:
+            pam_profile = 'tacplus-optional'
+        cmd(f'pam-auth-update --enable {pam_profile}')
 
     return None
 
diff --git a/src/pam-configs/tacplus b/src/pam-configs/tacplus
deleted file mode 100644
index 66a1eaa4c..000000000
--- a/src/pam-configs/tacplus
+++ /dev/null
@@ -1,17 +0,0 @@
-Name: TACACS+ authentication
-Default: no
-Priority: 257
-Auth-Type: Primary
-Auth:
-    [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
-    [authinfo_unavail=ignore success=end auth_err=bad default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login
-
-Account-Type: Primary
-Account:
-    [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
-    [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login
-
-Session-Type: Additional
-Session:
-    [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
-    [authinfo_unavail=ignore success=ok default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login
diff --git a/src/pam-configs/tacplus-mandatory b/src/pam-configs/tacplus-mandatory
new file mode 100644
index 000000000..92da02327
--- /dev/null
+++ b/src/pam-configs/tacplus-mandatory
@@ -0,0 +1,19 @@
+Name: TACACS+ authentication (mandatory mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth-Initial:
+    [default=ignore success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
+Auth:
+    [default=ignore success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login use_first_pass
+
+Account-Type: Primary
+Account:
+    [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
+    [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
+
+Session-Type: Additional
+Session:
+    [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
+    [default=ignore success=ok perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
diff --git a/src/pam-configs/tacplus-optional b/src/pam-configs/tacplus-optional
new file mode 100644
index 000000000..deed537d3
--- /dev/null
+++ b/src/pam-configs/tacplus-optional
@@ -0,0 +1,19 @@
+Name: TACACS+ authentication (optional mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth-Initial:
+    [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login
+Auth:
+    [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login use_first_pass
+
+Account-Type: Primary
+Account:
+    [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
+    [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
+
+Session-Type: Additional
+Session:
+    [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
+    [default=ignore success=ok perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
-- 
cgit v1.2.3