[TACACS+]: Add TACACS+ Authentication#746
Closed
liuqu wants to merge 9 commits intosonic-net:masterfrom
Closed
Conversation
added 4 commits
June 23, 2017 00:25
Summary: * Add pam-tacplus module * Add nss-tacplus module * Add TACACS+ make rules and install script * Add TACACS+ build dependence packages * Add remote_user and remote_user_su * Add AAA configuration file
lguohan
reviewed
Jun 24, 2017
.gitmodules
Outdated
| url = https://github.com/edge-core/sonic-platform-modules-accton.git | ||
| [submodule "src/tacacs/sonic-pam-tacplus"] | ||
| path = src/tacacs/sonic-pam-tacplus | ||
| url = https://github.com/liuqu/sonic-pam-tacplus.git |
Collaborator
There was a problem hiding this comment.
I can see only one patch is made. It is better maintian it as a patch, like what we did for libteam.
Can you follow that as an example?
https://github.com/Azure/sonic-buildimage/tree/master/src/libteam
ttps://github.com/liuqu/sonic-pam-tacplus/commit/6aab5b6cafb65763e297f99e889418677528cd35
lguohan
reviewed
Jun 24, 2017
.gitmodules
Outdated
| url = https://github.com/liuqu/sonic-pam-tacplus.git | ||
| [submodule "src/tacacs/sonic-nss-tacplus"] | ||
| path = src/tacacs/sonic-nss-tacplus | ||
| url = https://github.com/liuqu/sonic-nss-tacplus.git |
Collaborator
There was a problem hiding this comment.
can you maintain this as a patch?
Author
There was a problem hiding this comment.
This is a NSS plugin for TACACS+. Do you mean to maintain it as a patch for pam-tacplus?
Author
There was a problem hiding this comment.
I will think about how to change it as a patch to make.
Collaborator
There was a problem hiding this comment.
Take https://github.com/Azure/sonic-buildimage/tree/master/src/initramfs-tools as an example. The patching method is recommended if your changes is small.
lguohan
reviewed
Jun 24, 2017
build_debian.sh
Outdated
| ## Create password for the default user | ||
| echo $USERNAME:$PASSWORD_ENCRYPTED | sudo LANG=C chroot $FILESYSTEM_ROOT chpasswd -e | ||
|
|
||
| ## Create remote user |
Collaborator
There was a problem hiding this comment.
can you explain why we need this remote user?
Author
There was a problem hiding this comment.
It's used for user role map. If an authenticated user only exists in TACACS+ server database, not exists in local, it can't get passwd info without user role map. So I create remote user for TACACS+ user.
Collaborator
There was a problem hiding this comment.
- It is confusing for all other users not using TACACS+.
- Do we need to install rbash on SONiC host?
- The username, uid, gid are hard-coded. Are they wellknown in TACACS+?
Author
There was a problem hiding this comment.
Thanks for your review.
- You're right. I will integrate the users' creation for TACACS+ Authentication into TACACS+ command. When the user enable TACACS+ by command, the remote users will be created.
- We don't need to install rbash. It's used for limit the TACACS+ user who only have show privilege. We will replace it with the CLI shell.
- The nss plugin for TACACS+ provides the getpwnam_r() entry point. It parses the privilege level of TACACS+ user by connecting with TACACS+ server, and maps to the pre-added user. If a use's priv-level is 15, the nss plugin will return the passwd info of remote_user_su in /etc/passwd.
qiluo-msft
reviewed
Jul 1, 2017
| sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/sonic-device-data_*.deb || \ | ||
| sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f | ||
|
|
||
| # Install pam-tacplus |
Collaborator
There was a problem hiding this comment.
Is it possible to capsulate the TACACS+ functionality into a docker container like docker-vas? It is not an easy job but technically feasible.
Author
There was a problem hiding this comment.
The pam_tacplus is only a dynamic library for Linux PAM module, and nss-tacplus is a dynamic library for Linux NSS module. I think there's no need to capsulate them into a docker container.
added 4 commits
July 26, 2017 11:54
* Delete sonic-nss-tacplus and sonic-pam-tacplus submodule * The nss-tacplus plugin is applied as patch for pam-tacplus * Create remote user in aaa_config when TACACS+ enable, not default in build image * Remove TACACS+ default config file, load default config by aaa config
* Modify the default user mapping policy, create local user for each TACACS+ user. * Add configuration to change the default gid, group and shell of the local user to be created.
0203d7f to
c5765f9
Compare
* Delete build dependence 'autoconf-archive'
lguohan
pushed a commit
that referenced
this pull request
Dec 3, 2019
3 tasks
lguohan
pushed a commit
to Sabareesh-Kumar-Anandan/sonic-buildimage
that referenced
this pull request
Dec 19, 2020
[vs] Skip MACsec clean up if /sbin/ip is not accessible (sonic-net#750) Configure enable -Wcast-align=strict when supported by compiler (sonic-net#749) [syncd] Translate depreacated attr enum values to new ones (sonic-net#746) [sairedis]vs SAI support for voq neighbor (sonic-net#725) Signed-off-by: Sabareesh Kumar Anandan <sanandan@marvell.com>
lguohan
pushed a commit
that referenced
this pull request
Dec 19, 2020
[vs] Add workaround for clean up macsec ports (#752) [logfile]: Add handling of Sairedis rec filename (#747) Update README.md [meta] Fix stat_mode enums to sai_bulk_op_error_mode_t (#753) [syncd][tests] Add syncd deprecated attribute value test (#751) [vs] Skip MACsec clean up if /sbin/ip is not accessible (#750) Configure enable -Wcast-align=strict when supported by compiler (#749) [syncd] Translate depreacated attr enum values to new ones (#746) [sairedis]vs SAI support for voq neighbor (#725) [syncd] Translate removed RIDs in fdb notification (#734) [syncd] Move syncd classes to syncd namespace (#742) [vs] Use /sbin/ip absolute path for ip command in MACsecManager (#744) [saidiscovery] Update saidiscovery to use VendorSai object and metadata (#736) Remove Winline warning since it depends on external headers (#741) [meta] Enable strict cast-align warning (#738) [vs] Use meta class instead info when using unittests (#740) [vs] Support flush entry type all on virtual switch (#735) [vslib]: Add MACsec state to state base (#722) [README.md] Update installation steps (#730) Switch Capability support (#728) [vs] Fail switch create when warm boot requested and no warm boot state (#739) Dynamic Port breakout fix the crash, port down event processing after<80> (#727) Code clean (#721) Signed-off-by: Sabareesh Kumar Anandan <sanandan@marvell.com>
stepanblyschak
pushed a commit
to stepanblyschak/sonic-buildimage
that referenced
this pull request
May 10, 2021
AidanCopeland
pushed a commit
to Metaswitch/sonic-buildimage
that referenced
this pull request
Apr 14, 2022
…#746) If attribute is enum, and we are loading some older SAI values it may happen that we get deprecated/ignored value string and we need to update it to current one to not cause attribute compare confusion since they are compared by string value. This fixes issues when warm shutdown on 201811 branch, and warm boot on master branch.
Junchao-Mellanox
pushed a commit
to Junchao-Mellanox/sonic-buildimage
that referenced
this pull request
Mar 7, 2025
…tomatically (sonic-net#746) #### Why I did it src/sonic-linux-kernel ``` * ef476a4 - (HEAD -> 202412, origin/HEAD, origin/202412) [code sync] Merge code from sonic-net/sonic-linux-kernel:202411 to 202412 (#23) (26 seconds ago) [mssonicbld] ``` #### How I did it #### How to verify it #### Description for the changelog
mssonicbld
added a commit
that referenced
this pull request
Feb 13, 2026
…D automatically (#25434) #### Why I did it src/sonic-platform-daemons ``` * bba725e - (HEAD -> master, origin/master, origin/HEAD) Add .github/copilot-instructions.md for AI-assisted development (#746) (28 hours ago) [rustiqly] * a04598b - Remove the SFP thermal data retrieval in thermalctld (#739) (2 days ago) [judyjoseph] ``` #### How I did it #### How to verify it #### Description for the changelog
FengPan-Frank
pushed a commit
to FengPan-Frank/sonic-buildimage
that referenced
this pull request
Mar 6, 2026
…D automatically (sonic-net#25434) #### Why I did it src/sonic-platform-daemons ``` * bba725e - (HEAD -> master, origin/master, origin/HEAD) Add .github/copilot-instructions.md for AI-assisted development (sonic-net#746) (28 hours ago) [rustiqly] * a04598b - Remove the SFP thermal data retrieval in thermalctld (sonic-net#739) (2 days ago) [judyjoseph] ``` #### How I did it #### How to verify it #### Description for the changelog Signed-off-by: Feng Pan <fenpan@microsoft.com>
dprital
pushed a commit
that referenced
this pull request
Mar 19, 2026
…D automatically (#25434) #### Why I did it src/sonic-platform-daemons ``` * bba725e - (HEAD -> master, origin/master, origin/HEAD) Add .github/copilot-instructions.md for AI-assisted development (#746) (28 hours ago) [rustiqly] * a04598b - Remove the SFP thermal data retrieval in thermalctld (#739) (2 days ago) [judyjoseph] ``` #### How I did it #### How to verify it #### Description for the changelog Signed-off-by: dprital <drorp@nvidia.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Liuqu chenchen.qcc@alibaba-inc.com