[TACACS+]: Add support for TACACS+ Authentication #1019

Merged (5 commits), Dec 7, 2017
9 changes: 9 additions & 0 deletions files/build_templates/sonic_debian_extension.j2
@@ -91,6 +91,11 @@ sudo cp -f $IMAGE_CONFIGS/bash/bash.bashrc $FILESYSTEM_ROOT/etc/
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/sonic-device-data_*.deb || \
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f

# Install pam-tacplus and nss-tacplus
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/libtac2_*.deb
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/libpam-tacplus_*.deb
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/libnss-tacplus_*.deb

# Copy crontabs
sudo cp -f $IMAGE_CONFIGS/cron.d/* $FILESYSTEM_ROOT/etc/cron.d/

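Review bot: the three `dpkg --root=$FILESYSTEM_ROOT -i` calls for libtac2, libpam-tacplus and libnss-tacplus have no `|| ... apt-get -y install -f` fallback, unlike the sonic-device-data line directly above them, so any unsatisfied dependency leaves the package unpacked but unconfigured, and the libtac2-before-libpam-tacplus ordering is hand-maintained rather than resolved by dpkg. Either add the same fallback used for sonic-device-data, or install all three debs in a single invocation (`sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/libtac2_*.deb target/debs/libpam-tacplus_*.deb target/debs/libnss-tacplus_*.deb`) so dpkg orders them itself.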
@@ -122,6 +127,10 @@ sudo cp $IMAGE_CONFIGS/interfaces/*.j2 $FILESYSTEM_ROOT/usr/share/sonic/template
# Copy initial interfaces configuration file, will be overwritten on first boot
sudo cp $IMAGE_CONFIGS/interfaces/init_interfaces $FILESYSTEM_ROOT/etc/network

# Copy hostcfgd files
sudo cp $IMAGE_CONFIGS/hostcfgd/hostcfgd.service $FILESYSTEM_ROOT/etc/systemd/system/
sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable hostcfgd.service

# Copy updategraph script and service file
sudo cp $IMAGE_CONFIGS/updategraph/updategraph.service $FILESYSTEM_ROOT/etc/systemd/system/
sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable updategraph.service
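Review bot: `systemctl enable hostcfgd.service` is run here, but nothing in this diff ships the `/usr/local/bin/hostcfgd` binary the unit starts (the discussion says it arrives via a separate sonic-utilities PR), so an image built against an older sonic-utilities wheel boots with an enabled, permanently failing unit and no process enforcing the TACACS+ configuration. Make that dependency explicit, for example by requiring the matching sonic-utilities version in the same change, or by guarding the copy/enable on the binary being present in $FILESYSTEM_ROOT.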
11 changes: 11 additions & 0 deletions files/image_config/hostcfgd/hostcfgd.service
@@ -0,0 +1,11 @@
[Unit]
Description=Host config enforcer daemon
Requires=database.service
After=database.service

[Service]
Type=simple
ExecStart=/usr/local/bin/hostcfgd
Collaborator comment:

Where is this hostcfgd, and what is the usage of this hostcfgd? I cannot find this file in the PR. I suggest having a separate PR for hostcfgd.

Author comment:

hostcfgd has been created as another PR in sonic-utilities: sonic-net/sonic-utilities#125


[Install]
WantedBy=multi-user.target
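Review bot: the [Service] section has no `Restart=` directive, so if a daemon described as a "config enforcer" exits on an error (a transient database problem shortly after `database.service` comes up, for instance) systemd leaves it dead and host authentication settings silently stop tracking the DB; since it is `Type=simple`, add `Restart=always` together with a `RestartSec=`. There is also no `User=`, so it runs as root; that is presumably required to rewrite PAM and NSS files, but it should be stated in a comment in the unit.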
19 changes: 19 additions & 0 deletions rules/tacacs.mk
@@ -0,0 +1,19 @@
# libpam-tacplus packages

PAM_TACPLUS_VERSION = 1.4.1-1

export PAM_TACPLUS_VERSION

LIBPAM_TACPLUS = libpam-tacplus_$(PAM_TACPLUS_VERSION)_amd64.deb
$(LIBPAM_TACPLUS)_SRC_PATH = $(SRC_PATH)/tacacs
SONIC_MAKE_DEBS += $(LIBPAM_TACPLUS)

LIBTAC2 = libtac2_$(PAM_TACPLUS_VERSION)_amd64.deb
$(eval $(call add_derived_package,$(LIBPAM_TACPLUS),$(LIBTAC2)))

LIBTAC_DEV = libtac-dev_$(PAM_TACPLUS_VERSION)_amd64.deb
$(eval $(call add_derived_package,$(LIBPAM_TACPLUS),$(LIBTAC_DEV)))

LIBNSS_TACPLUS = libnss-tacplus_$(PAM_TACPLUS_VERSION)_amd64.deb
$(LIBNSS_TACPLUS)_RDEPENDS += $(LIBTAC2)
$(eval $(call add_derived_package,$(LIBPAM_TACPLUS),$(LIBNSS_TACPLUS)))
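Review bot: only `$(LIBNSS_TACPLUS)_RDEPENDS += $(LIBTAC2)` is declared, while `$(LIBPAM_TACPLUS)_RDEPENDS` is never set even though pam_tacplus links against libtac just as the NSS module does, so the build system has no record of the libtac2 -> libpam-tacplus runtime dependency and install order must be hand-maintained wherever these debs are installed; add `$(LIBPAM_TACPLUS)_RDEPENDS += $(LIBTAC2)`. Also, `libtac-dev` is derived here but nothing in this PR consumes it; if it exists only to build libnss-tacplus, it is a build dependency rather than a package the image needs, and the `1.4.1-1` pin should be documented as the upstream version the patch in src/tacacs was written against.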
2 changes: 1 addition & 1 deletion slave.mk
@@ -380,7 +380,7 @@ $(DOCKER_LOAD_TARGETS) : $(TARGET_PATH)/%.gz-load : .platform docker-start $$(TA
###############################################################################

# targets for building installers with base image
$(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : .platform onie-image.conf $$(addprefix $(DEBS_PATH)/,$$($$*_DEPENDS)) $$(addprefix $(DEBS_PATH)/,$$($$*_INSTALLS)) $$(addprefix $(FILES_PATH)/,$$($$*_FILES)) $(addprefix $(DEBS_PATH)/,$(INITRAMFS_TOOLS) $(LINUX_KERNEL) $(IGB_DRIVER) $(SONIC_DEVICE_DATA)) $$(addprefix $(TARGET_PATH)/,$$($$*_DOCKERS)) $$(addprefix $(PYTHON_WHEELS_PATH)/,$(SONIC_CONFIG_ENGINE)) $$(addprefix $(PYTHON_WHEELS_PATH)/,$(SONIC_UTILITIES))
$(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : .platform onie-image.conf $$(addprefix $(DEBS_PATH)/,$$($$*_DEPENDS)) $$(addprefix $(DEBS_PATH)/,$$($$*_INSTALLS)) $$(addprefix $(FILES_PATH)/,$$($$*_FILES)) $(addprefix $(DEBS_PATH)/,$(INITRAMFS_TOOLS) $(LINUX_KERNEL) $(IGB_DRIVER) $(SONIC_DEVICE_DATA) $(LIBPAM_TACPLUS)) $$(addprefix $(TARGET_PATH)/,$$($$*_DOCKERS)) $$(addprefix $(PYTHON_WHEELS_PATH)/,$(SONIC_CONFIG_ENGINE)) $$(addprefix $(PYTHON_WHEELS_PATH)/,$(SONIC_UTILITIES))
$(HEADER)
# Pass initramfs and linux kernel explicitly. They are used for all platforms
export initramfs_tools="$(DEBS_PATH)/$(INITRAMFS_TOOLS)"
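Review bot: only `$(LIBPAM_TACPLUS)` is added to the installer prerequisites, yet the template installs libtac2 and libnss-tacplus as well; they come out of the same derived-package build so this happens to work, but the dependency list now understates what the installer consumes. List all three (`$(LIBPAM_TACPLUS) $(LIBTAC2) $(LIBNSS_TACPLUS)`), or better, route host packages through the existing per-installer `$$($$*_INSTALLS)` mechanism instead of growing this already very long literal line.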
51 changes: 51 additions & 0 deletions src/tacacs/0001-Don-t-enable-pam-tacplus-by-default.patch
@@ -0,0 +1,51 @@
From 80c1d3c1810bf283bbe12fc927de24e48afc2991 Mon Sep 17 00:00:00 2001
From: Liuqu <chenchen.qcc@alibaba-inc.com>
Collaborator comment:

I suggest not patching libpam-tacplus this way; instead, we can disable pam-tacplus by default in our image. The idea is to minimize the change to the original package as much as possible.

Author comment:

Add some scripts to disable pam-tacplus after installing libpam-tacplus?

Date: Sat, 30 Sep 2017 02:24:36 -0700
Subject: [PATCH 1/2] Don't enable pam-tacplus by default

---
debian/libpam-tacplus.postinst | 2 +-
debian/libtac2-bin.install | 2 +-
debian/tacplus | 4 ----
3 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/debian/libpam-tacplus.postinst b/debian/libpam-tacplus.postinst
index 7e37590..b008b7a 100644
--- a/debian/libpam-tacplus.postinst
+++ b/debian/libpam-tacplus.postinst
@@ -2,6 +2,6 @@

set -e

-pam-auth-update --package
+#pam-auth-update --package

#DEBHELPER#
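Review bot: commenting out `pam-auth-update --package` stops the shipped profile from ever being registered, but the patch leaves no record of which component is then responsible for switching TACACS+ on, and the package's removal path (presumably a `pam-auth-update --package --remove` in prerm, not part of this hunk) is left asymmetric. Per the reviewer's suggestion, keeping the package unmodified and disabling it at image-build time (for example `pam-auth-update --package --remove tacplus` in the build template, or having hostcfgd own the PAM configuration) keeps the delta against upstream at zero; if the patch stays, the commit message should name the component that now enables the module.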
diff --git a/debian/libtac2-bin.install b/debian/libtac2-bin.install
index 236670a..1df36c6 100644
--- a/debian/libtac2-bin.install
+++ b/debian/libtac2-bin.install
@@ -1 +1 @@
-usr/sbin
+usr/bin/*
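Review bot: changing `usr/sbin` to `usr/bin/*` in libtac2-bin.install relocates the libtac2-bin binaries and has nothing to do with the patch subject "Don't enable pam-tacplus by default"; split it into its own patch (or express it through the bindir/sbindir build flags) so each patch in src/tacacs carries one reviewable change and the reason for the path move is recorded.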
diff --git a/debian/tacplus b/debian/tacplus
index 5296cf6..985395e 100644
--- a/debian/tacplus
+++ b/debian/tacplus
@@ -3,13 +3,9 @@ Default: yes
Priority: 257
Auth-Type: Primary
Auth:
- sufficient pam_tacplus.so
Account-Type: Primary
Account:
- sufficient pam_tacplus.so
Password-Type: Primary
Password:
- sufficient pam_tacplus.so
Session-Type: Additional
Session:
- optional pam_tacplus.so
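Review bot: this hunk removes every module line from the `Auth:`, `Account:`, `Password:` and `Session:` sections while keeping `Default: yes` and `Priority: 257`, leaving an enabled profile that contributes no modules; any later `pam-auth-update --package` run from another package's postinst will silently merge this empty profile. If the intent is "installed but not enabled", change `Default: yes` to `Default: no` and keep the `sufficient pam_tacplus.so` lines, so the profile can be turned on with `pam-auth-update --enable tacplus` once TACACS+ servers are configured. Note also that `sufficient` as the sole Auth entry means an unreachable TACACS+ server falls through to the next profile (local accounts), which is the usual intended fallback but should be stated explicitly.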
--
2.7.4
