
Add GNMI client cert cname check support. (#18709) #1414

Closed
FengPan-Frank wants to merge 411 commits into Azure:202412 from FengPan-Frank:telemetry_cert_cherrypick

Conversation

@FengPan-Frank
Contributor

Add GNMI client cert cname list to yang model.

Allow gnmi service authentication client cert by cname.

Add GNMI client cert cname list to yang model.

Pass all UT.

Add GNMI client cert cname list to yang model.


sonic-build and others added 30 commits September 20, 2022 23:01
jon-nokia and others added 21 commits August 31, 2023 13:53
[radius]: Use execl instead of popen in RADIUS NSS code to fix vulnerability. (#15512)

Why I did it
#15284 fixes a case of a shell escape exploit for TACACS+. This applies to RADIUS as well. RADIUS creates an unconfirmed user locally on the switch while attempting authentication. popen() is used to execute useradd, usermod and userdel commands. This exposes a vulnerability where a tactically designed username (which could contain explicit Linux commands) can lead to those commands getting executed as root.

An example of such a username could be "asd";echo>remoteRCE2;#". This leads to remoteRCE2 getting created in "/".

How I did it
All calls to popen() used to execute useradd, usermod and userdel are replaced with fork()/execl().

How to verify it
Prior to the fix, the following is the behavior:

```
[s@i vm] ssh "asd";echo>remoteRCE2;#"@1.1.1.1
asd";echo>remoteRCE2;#@1.1.1.1's password:
Permission denied, please try again.
```

On the SONiC switch:

```
root@sonic:/# ls
accton_as7816_monitor.log home lib64 remoteRCE2 sys
bin host libx32 root tmp
boot initrd.img media run usr
cache.tgz initrd.img.old mnt sbin var
dev lib opt sonic vmlinuz
etc lib32 proc srv vmlinuz.old
root@sonic:/# ls -l
```

With the fix:

```
[s@i vm] ssh "asd";echo>remoteRCE2;#"@1.1.1.1
asd";echo>remoteRCE2;#@1.1.1.1's password:
Permission denied, please try again.

root@sonic:/# ls
accton_as7816_monitor.log etc lib mnt sbin usr
bin home lib32 opt sonic var
boot host lib64 proc srv vmlinuz
cache.tgz initrd.img libx32 root sys vmlinuz.old
dev initrd.img.old media run tmp
```

Verified that RADIUS authentication works as expected for valid users as well.
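The popen()-to-fork()/exec() change described in the commit message above, as an added C example that is not the SONiC RADIUS NSS code: the username is handed to exec as a single argv element, so the `;`, `>` and quote characters in a name like the one shown are data rather than shell syntax, and an allow-list check sits in front of the exec. The allow-list policy, the function names and the use of /bin/true as a stand-in for useradd are assumptions made for this example.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Conservative account-name policy (an assumption, not the SONiC rule):
 * ASCII letters, digits, '_', '-', '.', 1..32 bytes, no leading '-' so
 * useradd cannot read the name as an option. Worth keeping even with
 * no shell in the path. */
int username_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 32 || name[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Run prog with argv directly. No /bin/sh is involved, so ';', '>' and
 * '"' inside an argument are data, never syntax; popen("useradd NAME")
 * would hand the same string to sh -c. Returns the child's exit status,
 * 127 if exec failed, -1 on fork/wait failure. */
int run_without_shell(const char *prog, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(prog, argv); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Mirrors the useradd call: validate, then pass the name as one argv
 * element. prog is a parameter so the flow can be tried with a harmless
 * stand-in such as /bin/true instead of the real useradd. */
int add_user_safely(const char *prog, const char *name)
{
    if (!username_is_safe(name))
        return -2;                      /* refused before any exec */
    char *argv[] = { "useradd", "-m", (char *)name, NULL };
    return run_without_shell(prog, argv);
}
```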
Replace char* and C string functions with C++ strings.
[ssg]: Use C++ strings for text handling (#18596)
This pr is auto merged as it contains a mandatory file and is opened for more than 10 days.
@qiluo-msft qiluo-msft requested a review from liuh-80 July 30, 2025 00:19
@qiluo-msft
Member

Is it a straightforward (clean) cherry-pick of 18709?

@FengPan-Frank FengPan-Frank changed the base branch from master to 202412 July 30, 2025 00:26
@FengPan-Frank FengPan-Frank requested a review from lguohan as a code owner July 30, 2025 00:26
@FengPan-Frank FengPan-Frank marked this pull request as draft July 30, 2025 00:28
@FengPan-Frank
Contributor Author

> Is it a straightforward (clean) cherry-pick of 18709?

#1416, use this instead.

rameshraghupathy pushed a commit to rameshraghupathy/sonic-buildimage-msft that referenced this pull request Dec 10, 2025
…tically (#19911)

#### Why I did it
src/sonic-sairedis
```
* 45ff42c3 - (HEAD -> master, origin/master, origin/HEAD) run VS tests in parallel (Azure#1414) (3 hours ago) [Lawrence Lee]
```