From 5181ab60bb6d936505967d6667adc12c5ecb9b64 Mon Sep 17 00:00:00 2001 From: zsdc Date: Wed, 13 Sep 2023 12:41:04 +0300 Subject: RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUS In CLI we can choose authentication logic: - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately. - `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode. --- .../include/radius-server-ipv4-ipv6.xml.i | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'interface-definitions') diff --git a/interface-definitions/include/radius-server-ipv4-ipv6.xml.i b/interface-definitions/include/radius-server-ipv4-ipv6.xml.i index efd418bb2..a0cdcd7c3 100644 --- a/interface-definitions/include/radius-server-ipv4-ipv6.xml.i +++ b/interface-definitions/include/radius-server-ipv4-ipv6.xml.i @@ -46,6 +46,26 @@ + + + Security mode for RADIUS authentication + + mandatory optional + + + mandatory + Deny access immediately if RADIUS answers with Access-Reject + + + optional + Pass to the next authentication method if RADIUS answers with Access-Reject + + + (mandatory|optional) + + + optional + -- cgit v1.2.3 From 1c804685d05ad639bcb1a9ebce68a7a14268500f Mon Sep 17 00:00:00 2001 From: zsdc Date: Wed, 13 Sep 2023 13:16:20 +0300 Subject: TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+ In CLI we can choose authentication logic: - `mandatory` - if TACACS+ answered with `REJECT`, authentication must be stopped and access denied immediately. - `optional` (default) - if TACACS+ answers with `REJECT`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if TACACS+ clearly answered that access should be denied (no user in TACACS+ database, wrong password, etc.). If TACACS+ is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode. --- debian/vyos-1x.postinst | 6 +++++- debian/vyos-1x.preinst | 1 - interface-definitions/system-login.xml.in | 20 ++++++++++++++++++++ src/conf_mode/system-login.py | 11 +++++++---- src/pam-configs/tacplus | 17 ----------------- src/pam-configs/tacplus-mandatory | 19 +++++++++++++++++++ src/pam-configs/tacplus-optional | 19 +++++++++++++++++++ 7 files changed, 70 insertions(+), 23 deletions(-) delete mode 100644 src/pam-configs/tacplus create mode 100644 src/pam-configs/tacplus-mandatory create mode 100644 src/pam-configs/tacplus-optional (limited to 'interface-definitions') diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst index a3c308e5f..860319edf 100644 --- a/debian/vyos-1x.postinst +++ b/debian/vyos-1x.postinst @@ -48,6 +48,11 @@ if grep -q '^tacacs' /etc/passwd; then fi fi +# Remove TACACS+ PAM default profile +if [[ -e /usr/share/pam-configs/tacplus ]]; then + rm /usr/share/pam-configs/tacplus +fi + # Add TACACS system users required for TACACS based system authentication if ! grep -q '^tacacs' /etc/passwd; then # Add the tacacs group and all 16 possible tacacs privilege-level users to @@ -66,7 +71,6 @@ if ! grep -q '^tacacs' /etc/passwd; then adduser --quiet tacacs${level} adm adduser --quiet tacacs${level} dip adduser --quiet tacacs${level} users - adduser --quiet tacacs${level} aaa if [ $level -lt 15 ]; then adduser --quiet tacacs${level} vyattaop adduser --quiet tacacs${level} operator diff --git a/debian/vyos-1x.preinst b/debian/vyos-1x.preinst index 75fa5e7f1..861c5ec88 100644 --- a/debian/vyos-1x.preinst +++ b/debian/vyos-1x.preinst @@ -2,7 +2,6 @@ dpkg-divert --package vyos-1x --add --no-rename /etc/securetty dpkg-divert --package vyos-1x --add --no-rename /etc/security/capability.conf dpkg-divert --package vyos-1x --add --no-rename /lib/systemd/system/lcdproc.service dpkg-divert --package vyos-1x --add --no-rename /etc/logrotate.d/conntrackd -dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/tacplus dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.conf dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.bashrc dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.profile diff --git a/interface-definitions/system-login.xml.in b/interface-definitions/system-login.xml.in index 71db8b1d6..30fea91b0 100644 --- a/interface-definitions/system-login.xml.in +++ b/interface-definitions/system-login.xml.in @@ -259,6 +259,26 @@ + + + Security mode for TACACS+ authentication + + mandatory optional + + + mandatory + Deny access immediately if TACACS+ answers with REJECT + + + optional + Pass to the next authentication method if TACACS+ answers with REJECT + + + (mandatory|optional) + + + optional + #include #include diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index be5ff2d4c..87a269499 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -389,11 +389,14 @@ def apply(login): pam_profile = 'radius-optional' cmd(f'pam-auth-update --enable {pam_profile}') - # Enable/Disable TACACS in PAM configuration - pam_cmd = '--remove' + # Enable/disable TACACS+ in PAM configuration + cmd('pam-auth-update --disable tacplus-mandatory tacplus-optional') if 'tacacs' in login: - pam_cmd = '--enable' - cmd(f'pam-auth-update --package {pam_cmd} tacplus') + if login['tacacs'].get('security_mode', '') == 'mandatory': + pam_profile = 'tacplus-mandatory' + else: + pam_profile = 'tacplus-optional' + cmd(f'pam-auth-update --enable {pam_profile}') return None diff --git a/src/pam-configs/tacplus b/src/pam-configs/tacplus deleted file mode 100644 index 66a1eaa4c..000000000 --- a/src/pam-configs/tacplus +++ /dev/null @@ -1,17 +0,0 @@ -Name: TACACS+ authentication -Default: no -Priority: 257 -Auth-Type: Primary -Auth: - [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet - [authinfo_unavail=ignore success=end auth_err=bad default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login - -Account-Type: Primary -Account: - [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet - [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login - -Session-Type: Additional -Session: - [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet - [authinfo_unavail=ignore success=ok default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login diff --git a/src/pam-configs/tacplus-mandatory b/src/pam-configs/tacplus-mandatory new file mode 100644 index 000000000..92da02327 --- /dev/null +++ b/src/pam-configs/tacplus-mandatory @@ -0,0 +1,19 @@ +Name: TACACS+ authentication (mandatory mode) +Default: no +Priority: 576 + +Auth-Type: Primary +Auth-Initial: + [default=ignore success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login +Auth: + [default=ignore success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login use_first_pass + +Account-Type: Primary +Account: + [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet + [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login + +Session-Type: Additional +Session: + [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet + [default=ignore success=ok perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login diff --git a/src/pam-configs/tacplus-optional b/src/pam-configs/tacplus-optional new file mode 100644 index 000000000..deed537d3 --- /dev/null +++ b/src/pam-configs/tacplus-optional @@ -0,0 +1,19 @@ +Name: TACACS+ authentication (optional mode) +Default: no +Priority: 576 + +Auth-Type: Primary +Auth-Initial: + [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login +Auth: + [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login use_first_pass + +Account-Type: Primary +Account: + [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet + [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login + +Session-Type: Additional +Session: + [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet + [default=ignore success=ok perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login -- cgit v1.2.3