Common Authentication Template fix #16593
Conversation
…en only tacacs+ is configured for login authentication Root-Cause: Authentication of tacacs and tacacs,local was being handled in the same way in the template file common-auth-sonic.j2 What i did:Seperated the condition such that tacacs+,local is handled differently from tacacs+ configuration
|
|
|
@qiluo-msft to review |
| @@ -22,11 +22,16 @@ auth [success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not | |||
| auth [success=1 default=ignore] pam_tacplus.so server={{ last_server.ip }}:{{ last_server.tcp_port }} secret={{ last_server.passkey }} login={{ last_server.auth_type }} timeout={{ last_server.timeout }} {% if last_server.vrf %} vrf={{ last_server.vrf }} {% endif %} {{ 'source_ip=%s' % src_ip if src_ip }} try_first_pass | |||
|
|
|||
| {% endif %} | |||
| {% elif auth['login'] == 'tacacs+' or auth['login'] == 'tacacs+,local' %} | |||
| {% elif auth['login'] == 'tacacs+' %} | |||
| {% for server in servers %} | |||
There was a problem hiding this comment.
The TACACS sever loop code are same.
2 place changed:
For TACACS+ only scenario, following line removed:
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
For TACACS+, LOCAL scenario, following line added:
auth [success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_unix.so nullok try_first_pass
I will verify this again
There was a problem hiding this comment.
The TACACS authorization code be there for long time, and in practice local user can't login when TACACS+ only enabled and remote server reachable.
So, need reproduce and verify this issue.
|
/azpw run Azure.sonic-buildimage |
|
Commenter does not have sufficient privileges for PR 16593 in repo sonic-net/sonic-buildimage |
|
@Vignesh1405 , I can't reproduce the issue in description with following steps:
Can you share me how to produce the issue you trying to fix? Also, SONiC has following feature: When authentication set to 'tacacs+' and TACACS server not reachable, local user can login to device with local authorization. |
Issue Description: Local authentication succeeds (admin user) even when only tacacs+ is configured for login authentication Root-Cause: Authentication of Tacacs and tacacs,local was being handled in the same way in the template file common-auth-sonic.j2
What i did: Separated the condition such that tacacs+,local is handled differently from tacacs+ configuration
Why I did it
Local authentication succeeds (admin user) even when only TACACS+ is configured for login authentication
How I did it
Separated the condition such that tacacs+,local is handled differently from tacacs+ configuration
How to verify it
Configure aaa authentication login as tacacs+. open a new ssh session, and try to login using local user credentials. The authentication should not succeed.
Description for the changelog
Separated the condition such that tacacs+,local is handled differently from tacacs+ configuration in common-auth-sonic.j2 file.