RADIUS Management User Authentication Feature (#7284)
Why I did it
HLD: https://github.com/Azure/SONiC/blob/master/doc/aaa/radius_authentication.md
CLI: In a separate PR.

How I did it
How to verify it
UT: src/sonic-host-services/tests/hostcfgd/hostcfgd_radius_test.py
a-barboza authored Apr 24, 2021
1 parent 990b112 commit ec9101f
Showing 70 changed files with 11,309 additions and 19 deletions.
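--- a/files/build_templates/sonic_debian_extension.j2
+++ b/files/build_templates/sonic_debian_extension.j2
@@ -299,6 +299,16 @@ sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/libnss-tacplus_*.deb || \
 sudo LANG=C chroot $FILESYSTEM_ROOT pam-auth-update --remove tacplus
 sudo sed -i -e '/^passwd/s/ tacplus//' $FILESYSTEM_ROOT/etc/nsswitch.conf
 
+# Install pam-radius-auth and nss-radius
+sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/libpam-radius-auth_*.deb || \
+sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
+sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/libnss-radius_*.deb || \
+sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
+# Disable radius by default
+# radius does not have any profiles
+#sudo LANG=C chroot $FILESYSTEM_ROOT pam-auth-update --remove radius tacplus
+sudo sed -i -e '/^passwd/s/ radius//' $FILESYSTEM_ROOT/etc/nsswitch.conf
+
 # Install a custom version of kdump-tools (and its dependencies via 'apt-get -y install -f')
 if [[ $CONFIGURED_ARCH == amd64 ]]; then
 sudo DEBIAN_FRONTEND=noninteractive dpkg --root=$FILESYSTEM_ROOT -i $debs_path/kdump-tools_*.deb || \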
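Review bot: Nothing after the `sed` on the `passwd` line confirms that `radius` is actually gone from `$FILESYSTEM_ROOT/etc/nsswitch.conf`, so the "Disable radius by default" step can fail silently if the package's maintainer script writes the entry in a form `/ radius/` does not match (tab-separated, first on the line) or adds it to another database; what that script writes is not visible on this page. A check after the `sed`, such as `! grep -qw radius $FILESYSTEM_ROOT/etc/nsswitch.conf`, would make the shipped default explicit and fail the image build when it does not hold. The commented-out `pam-auth-update --remove radius tacplus` line should be deleted or replaced by a comment that says how the PAM stack is kept free of RADIUS by default, since "radius does not have any profiles" leaves that unstated.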
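--- a/rules/radius.dep
+++ b/rules/radius.dep
@@ -0,0 +1,13 @@
+
+SPATH := $($(LIBPAM_RADIUS)_SRC_PATH)
+DEP_FILES := $(SONIC_COMMON_FILES_LIST) rules/radius.mk rules/radius.dep
+DEP_FILES += $(SONIC_COMMON_BASE_FILES_LIST)
+DEP_FILES += $(shell git ls-files $(SPATH))
+
+$(LIBPAM_RADIUS)_CACHE_MODE := GIT_CONTENT_SHA
+$(LIBPAM_RADIUS)_DEP_FLAGS := $(SONIC_COMMON_FLAGS_LIST)
+$(LIBPAM_RADIUS)_DEP_FILES := $(DEP_FILES)
+
+$(LIBNSS_RADIUS)_CACHE_MODE := GIT_CONTENT_SHA
+$(LIBNSS_RADIUS)_DEP_FLAGS := $(SONIC_COMMON_FLAGS_LIST)
+$(LIBNSS_RADIUS)_DEP_FILES := $(DEP_FILES)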
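Review bot: `$(LIBNSS_RADIUS)_DEP_FILES` reuses `DEP_FILES`, which was built from `SPATH := $($(LIBPAM_RADIUS)_SRC_PATH)`, so the dependency list for libnss-radius covers the PAM sources and none of the files under the NSS source path. With `GIT_CONTENT_SHA` caching this presumably means an edit to the NSS module, a security fix included, can leave the package's hash unchanged and let a stale cached .deb into the image. Give the NSS package its own list, e.g. `$(LIBNSS_RADIUS)_DEP_FILES := $(SONIC_COMMON_FILES_LIST) rules/radius.mk rules/radius.dep $(SONIC_COMMON_BASE_FILES_LIST) $(shell git ls-files $($(LIBNSS_RADIUS)_SRC_PATH))`.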
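--- a/rules/radius.mk
+++ b/rules/radius.mk
@@ -0,0 +1,24 @@
+# libpam-radius-auth packages
+
+PAM_RADIUS_VERSION = 1.4.1-1
+
+export PAM_RADIUS_VERSION
+
+LIBPAM_RADIUS = libpam-radius-auth_$(PAM_RADIUS_VERSION)_amd64.deb
+$(LIBPAM_RADIUS)_SRC_PATH = $(SRC_PATH)/radius/pam
+SONIC_MAKE_DEBS += $(LIBPAM_RADIUS)
+
+SONIC_STRETCH_DEBS += $(LIBPAM_RADIUS)
+
+# libnss-radius packages
+
+NSS_RADIUS_VERSION = 1.0.1-1
+
+export NSS_RADIUS_VERSION
+
+LIBNSS_RADIUS = libnss-radius_$(NSS_RADIUS_VERSION)_amd64.deb
+$(LIBNSS_RADIUS)_SRC_PATH = $(SRC_PATH)/radius/nss
+SONIC_MAKE_DEBS += $(LIBNSS_RADIUS)
+
+SONIC_STRETCH_DEBS += $(LIBNSS_RADIUS)
+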
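Review bot: Both package names hard-code `_amd64.deb` (`LIBPAM_RADIUS` and `LIBNSS_RADIUS`), and `MAIN_TARGET` in src/radius/nss/Makefile does the same, so on any other architecture the build would wait for a file that dpkg-buildpackage never produces under that name. The image template touched by this commit tests `$CONFIGURED_ARCH`; if that variable is available to the rules files as well, use it here: `LIBPAM_RADIUS = libpam-radius-auth_$(PAM_RADIUS_VERSION)_$(CONFIGURED_ARCH).deb`, and the same for `LIBNSS_RADIUS` and `MAIN_TARGET`. The two version variables are plain constants and would read more predictably with `:=`.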
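--- a/slave.mk
+++ b/slave.mk
@@ -858,6 +858,8 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 $(IFUPDOWN2) \
 $(KDUMP_TOOLS) \
 $(NTP) \
+$(LIBPAM_RADIUS) \
+$(LIBNSS_RADIUS) \
 $(LIBPAM_TACPLUS) \
 $(LIBNSS_TACPLUS) \
 $(MONIT) \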
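--- a/src/radius/nss/Makefile
+++ b/src/radius/nss/Makefile
@@ -0,0 +1,23 @@
+.ONESHELL:
+SHELL = /bin/bash
+.SHELLFLAGS += -e
+
+MAIN_TARGET = libnss-radius_$(NSS_RADIUS_VERSION)_amd64.deb
+
+$(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
+pushd ./libnss-radius
+
+make clean
+-rm -rf debian
+-rm -rf patches
+cp -r ../debian .
+cp -r ../patches .
+
+# Apply patch (if any)
+
+dpkg-buildpackage -rfakeroot -b -us -uc
+popd
+
+mv $(DERIVED_TARGETS) $* $(DEST)/
+
+$(addprefix $(DEST)/, $(DERIVED_TARGETS)): $(DEST)/% : $(DEST)/$(MAIN_TARGET)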
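Review bot: The recipe copies `../patches` into the source tree and then reaches `# Apply patch (if any)` with no command under it, so nothing visible here applies what was copied; a fix dropped into `patches/` would be packaged as unpatched code without any build error. Either add the apply step and rely on the recipe's `-e` to stop the build when a patch does not apply, or drop `cp -r ../patches .` and the placeholder comment until patches exist. Separately, `make clean` should be `$(MAKE) clean` so the sub-make inherits `-n` and the jobserver.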
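--- a/src/radius/nss/debian/README.Debian
+++ b/src/radius/nss/debian/README.Debian
@@ -0,0 +1,5 @@
+libnss-radius for Debian
+
+The Debian version of the libnss-radius package.
+
+-- Arun Barboza <29963827+a-barboza@users.noreply.github.com> Tue, 24 Sep 2019 00:20:55 +0000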
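--- a/src/radius/nss/debian/changelog
+++ b/src/radius/nss/debian/changelog
@@ -0,0 +1,6 @@
+libnss-radius (1.0.1-1) unstable; urgency=low
+
+* Initial release. NSS lookups for RADIUS users with cached Management
+Privilege Level (MPL) attribute.
+
+-- Arun Barboza <29963827+a-barboza@users.noreply.github.com> Tue, 24 Sep 2019 00:20:55 +0000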
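--- a/src/radius/nss/debian/compat
+++ b/src/radius/nss/debian/compat
@@ -0,0 +1 @@
+9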
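--- a/src/radius/nss/debian/control
+++ b/src/radius/nss/debian/control
@@ -0,0 +1,17 @@
+Source: libnss-radius
+Section: libs
+Priority: optional
+Maintainer: Arun Barboza <29963827+a-barboza@users.noreply.github.com>
+Build-Depends: debhelper (>=9)
+Standards-Version: 3.9.6
+Homepage: http://www.broadcom.com
+
+Package: libnss-radius
+Section: libs
+Architecture: any
+Multi-Arch: same
+Pre-Depends: ${misc:Pre-Depends}
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: NSS module for RADIUS authentication absent local account.
+NSS lookups for RADIUS authenticated users using the Management Privilege
+Level (MPL) cached attribute.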
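--- a/src/radius/nss/debian/copyright
+++ b/src/radius/nss/debian/copyright
@@ -0,0 +1,21 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: libnss-radius
+Source: http://www.broadcom.com
+
+Files: *
+Copyright: 2019 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+License: Apache
+Copyright 2019 Broadcom. All rights reserved.
+The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+.
+http://www.apache.org/licenses/LICENSE-2.0
+.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.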
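--- a/src/radius/nss/debian/rules
+++ b/src/radius/nss/debian/rules
@@ -0,0 +1,15 @@
+#!/usr/bin/make -f
+# You must remove unused comment lines for the released package.
+#export DH_VERBOSE = 1
+#export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+#export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic
+#export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
+
+%:
+dh $@
+
+#override_dh_auto_install:
+# dh_auto_install -- prefix=/usr
+
+#override_dh_install:
+# dh_install --list-missing -X.pyc -X.pyo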
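Review bot: The hardening line is left commented out (`#export DEB_BUILD_MAINT_OPTIONS = hardening=+all`), so the package is built with dpkg's default flag set only. The control file describes this as an NSS module used for RADIUS-authenticated users, which means it is loaded into whatever processes perform account lookups, so the full set is worth enabling: `export DEB_BUILD_MAINT_OPTIONS = hardening=+all`. The remaining template comments, which the file's own second line says to remove, can be deleted in the same change.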
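--- a/src/radius/nss/debian/watch
+++ b/src/radius/nss/debian/watch
@@ -0,0 +1,2 @@
+# You must remove unused comment lines for the released package.
+version=3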
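--- a/src/radius/nss/libnss-radius/.gitignore
+++ b/src/radius/nss/libnss-radius/.gitignore
@@ -0,0 +1,6 @@
+cache_radius
+libnss_radius.so.2
+test_cache_radius
+test_nss_radius
+debian
+patches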
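--- a/src/radius/nss/libnss-radius/LICENSE
+++ b/src/radius/nss/libnss-radius/LICENSE
@@ -0,0 +1,14 @@
+Copyright 2019 Broadcom. All rights reserved.
+The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.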
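--- a/src/radius/nss/libnss-radius/Makefile
+++ b/src/radius/nss/libnss-radius/Makefile
@@ -0,0 +1,59 @@
+#######################################################################
+#
+# Copyright 2019 Broadcom. All rights reserved.
+# The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+#
+#######################################################################
+
+#
+# Makefile for libnss-radius
+#
+
+TARGETS = libnss_radius.so.2 cache_radius
+COMMON_INCLUDE = nss_radius_common.h
+COMMON_SOURCE = nss_radius_common.c
+LIBNSS_SOURCE = nss_radius.c $(COMMON_SOURCE)
+CACHE_SOURCE = cache_radius.c $(COMMON_SOURCE)
+
+# For now place the multiarch flag here
+# Eventually this needs to be move to the debian packaging
+#moduledir = $(prefix)/lib/x86_64-linux-gnu
+moduledir = $(prefix)/lib/$(DEB_HOST_MULTIARCH)
+
+
+all: $(TARGETS)
+
+libnss_radius.so.2: $(LIBNSS_SOURCE) $(COMMON_INCLUDE)
+$(CC) $(CFLAGS) $(LDFLAGS) -fPIC -Wall -shared -o libnss_radius.so.2 \
+-Wl,-soname,libnss_radius.so.2 -Wl,--version-script=libnss_radius_vs.txt $(LIBNSS_SOURCE)
+
+cache_radius: $(CACHE_SOURCE) $(COMMON_INCLUDE)
+$(CC) $(CFLAGS) $(LDFLAGS) -o cache_radius $(CACHE_SOURCE)
+
+clean:
+-rm -f $(TARGETS)
+-rm -f test_nss_radius test_cache_radius
+
+install: libnss_radius.so.2 cache_radius
+install -m 0644 -D libnss_radius.so.2 \
+$(DESTDIR)$(moduledir)/libnss_radius.so.2
+install -m 0755 -D cache_radius \
+$(DESTDIR)$(prefix)/usr/sbin/cache_radius
+install -m 0755 -d $(DESTDIR)$(prefix)/etc/pam_radius_auth.d/
+
+distclean: clean
+
+uninstall:
+-rm -f $(DESTDIR)$(moduledir)/libnss_radius.so.2
+-rm -f $(DESTDIR)$(prefix)/usr/sbin/cache_radius
+
+test: test_nss_radius.c $(LIBNSS_SOURCE) $(CACHE_SOURCE) \
+$(COMMON_SOURCE) $(COMMON_INCLUDE)
+$(CC) $(CFLAGS) $(LDFLAGS) -g -DTEST_RADIUS_NSS -o test_nss_radius \
+$(LIBNSS_SOURCE) test_nss_radius.c
+$(CC) $(CFLAGS) $(LDFLAGS) -g -DTEST_RADIUS_NSS -o test_cache_radius \
+$(CACHE_SOURCE)
+
+
+.PHONY: all install clean distclean uninstall test
+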
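Review bot: The compile commands for `libnss_radius.so.2`, `cache_radius` and `test` pass `$(CFLAGS) $(LDFLAGS)` but never `$(CPPFLAGS)`; Debian's build flags carry `-D_FORTIFY_SOURCE=2` in CPPFLAGS, so a package build of this module would drop it without any warning. Add the variable to each command, e.g. `$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o cache_radius $(CACHE_SOURCE)`. The `test` target is declared phony and only builds the two test binaries without running them, so a one-line comment above it saying how they are meant to be run would help.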