[TACACS+]: Add configDB enforcer for TACACS+#1214
Conversation
* hostcfgd - configDB enforcer for TACACS+; listens to configDB to modify the PAM configuration for authentication on the host
* Add a service script for hostcfgd

Signed-off-by: Chenchen Qi <[email protected]>
```python
contents += line
line = f.readline()
contents += dbg + servers
with open(NSS_TACPLUS_CONF, 'w') as f:
```
Once you change the conf file, how do you make the conf effective? Do you need to reload anything?

If tacplus is enabled for passwd in nsswitch.conf, the conf is loaded by the nss-tacplus plugin each time the function getpwnam() is called. It doesn't need to be reloaded.
files/image_config/hostcfgd/hostcfgd

```python
os.system("sed -i -e '/^@include/s/common-auth-sonic$/common-auth/' /etc/pam.d/login")

# Set tacacs+ server in nss-tacplus conf
def modify_nss_conf(self):
```
It is very difficult to know what the actual conf file generated looks like; it is better to design a template and use the jinja2 library in Python to generate the conf file. You can refer to the code in sonic-cfggen.

I have changed it to a jinja2 template.
files/image_config/hostcfgd/hostcfgd

```python
with open(PAM_AUTH_FILE, "w") as f:
    f.write(AUTH_FILE_HEADER + auth_file_body + AUTH_FILE_FOOTER)

# Modify common-auth include file in /etc/pam.d/type and sshd
```
/etc/pam.d/type -> /etc/pam.d/login
files/image_config/hostcfgd/hostcfgd

```python
self.aaacfg.load(aaa, tacacs_global, tacacs_server)

def aaa_handler(self, key, data):
    syslog.syslog(syslog.LOG_INFO, 'value for {} changed to {}'.format(key, data))
```
This is debug level -> LOG_DEBUG
files/image_config/hostcfgd/hostcfgd

```python
self.aaacfg.aaa_update(key, data)

def tacacs_server_handler(self, key, data):
    syslog.syslog(syslog.LOG_INFO, 'value for {} changed to {}'.format(key, data))
```
files/image_config/hostcfgd/hostcfgd

```python
# Make sure root always authenticates locally, not via TACACS+
pam_modules = self.tacplus_servers + [AAA_LOCAL]
auth_file_body += "auth\t[success=%d new_authtok_reqd=done default=ignore]\t" % (len(pam_modules)-1)
auth_file_body += "pam_succeed_if.so user = root debug\n"
```
root is not allowed to log in by default; there is also no debug account, only admin is enabled.

This configuration is used to ensure that an administrator user can always log in via local authentication if TACACS+ authentication hangs or another error occurs. But it's not correct to use root. The 'debug' means output debug log, not a debug account.

I have removed this logic because it looks like an impossible scenario.
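The two threads above (the reviewer's request to generate the PAM file from a template, and the `success=N` jump that was meant to route one account past the TACACS+ servers to local authentication) both come down to how PAM's `[success=N default=ignore]` control field is computed from the position of a module in the chain. The following is an added example, not hostcfgd's or the SONiC project's code: it renders a `common-auth` stack for an ordered list of TACACS+ servers with `pam_unix.so` as the last resort, using plain string formatting instead of the jinja2 template the reviewer recommended so that it runs with no extra packages, and then walks the rendered stack with a deliberately simplified model of PAM's control flow to show where each jump lands. Server addresses, secrets and the `walk_stack` helper are constructed for the example.

```python
"""Generate and walk a PAM ``common-auth`` stack for TACACS+ with local fallback.

Added example; not code from hostcfgd or the SONiC project.  It renders the kind
of file the review thread discusses (TACACS+ servers tried in order, pam_unix.so
as last resort) with plain string formatting rather than the jinja2 template the
reviewer recommended, so it runs with no extra packages.  Server addresses and
secrets are constructed samples; ``walk_stack`` is a deliberately simplified
model of PAM's control flow, enough to show where ``success=N`` jumps land.
"""
from typing import Iterable, List

# Local password check used as the last module in the chain.
LOCAL_AUTH_MODULE = "pam_unix.so nullok try_first_pass"


def tacplus_module(server: dict) -> str:
    """Render one pam_tacplus.so module spec from a server dict (sample values)."""
    return ("pam_tacplus.so server={addr}:{port} secret={secret} "
            "login={login} timeout={timeout} try_first_pass").format(**server)


def render_common_auth(tacplus_servers: List[dict],
                       local_only_users: Iterable[str] = ()) -> str:
    """Return the text of common-auth.

    Each module line uses the PAM control ``[success=N default=ignore]``: when the
    module succeeds PAM skips the next N lines; any other result falls through to
    the next line.  N is chosen so that success skips the remaining modules and
    pam_deny.so, landing on pam_permit.so, while a dead or rejecting TACACS+
    server falls through to the next server and finally to the local password.
    """
    modules = [tacplus_module(s) for s in tacplus_servers] + [LOCAL_AUTH_MODULE]
    lines = ["# common-auth generated by the example: TACACS+ first, local fallback"]
    for user in local_only_users:
        # Jump over every TACACS+ line straight to the local module: the
        # pam_succeed_if construct from the review thread (hostcfgd later dropped it).
        lines.append("auth\t[success=%d new_authtok_reqd=done default=ignore]\t"
                     "pam_succeed_if.so user = %s" % (len(modules) - 1, user))
    for idx, module in enumerate(modules):
        skip = len(modules) - idx  # remaining modules (len - idx - 1) plus pam_deny.so
        lines.append("auth\t[success=%d default=ignore]\t%s" % (skip, module))
    lines.append("auth\trequisite\t\t\tpam_deny.so")
    lines.append("auth\trequired\t\t\tpam_permit.so")
    return "\n".join(lines) + "\n"


def walk_stack(common_auth: str, outcomes: List[bool]) -> str:
    """Simplified PAM walk over a rendered stack.

    ``outcomes[k]`` says whether the k-th ``[success=N ...]`` line returned
    success (a missing entry counts as failure, e.g. an unreachable server).
    Returns ``"permitted via <module>"`` or ``"denied"``.
    """
    lines = [l for l in common_auth.splitlines() if l.startswith("auth\t")]
    i = k = 0
    via = None
    while i < len(lines):
        fields = lines[i].split("\t")
        control = fields[1]
        if control.startswith("[success="):
            skip = int(control[len("[success="):].split()[0])
            ok = k < len(outcomes) and outcomes[k]
            k += 1
            if ok:
                via = fields[2]
                i += skip + 1   # success=N: skip the next N lines
            else:
                i += 1          # default=ignore: try the next line
            continue
        if "pam_deny.so" in lines[i]:
            return "denied"     # requisite failure ends the stack
        if "pam_permit.so" in lines[i]:
            return "permitted via %s" % via
        i += 1
    return "denied"


# Constructed sample servers; secrets are placeholders, not real shared keys.
SAMPLE_SERVERS = [
    {"addr": "192.0.2.10", "port": 49, "secret": "SAMPLE_SECRET_1", "login": "pap", "timeout": 5},
    {"addr": "192.0.2.11", "port": 49, "secret": "SAMPLE_SECRET_2", "login": "pap", "timeout": 5},
]

if __name__ == "__main__":
    cfg = render_common_auth(SAMPLE_SERVERS)
    print(cfg)
    print(walk_stack(cfg, [False, True]))          # second server answers
    print(walk_stack(cfg, [False, False, True]))   # both servers down, local password
    print(walk_stack(cfg, [False, False, False]))  # everything rejects
```

The skip count for the `pam_succeed_if.so` line is `len(modules) - 1`, exactly the value in the snippet under review: it jumps over every TACACS+ server line and lands on the local module, so that user never waits on a hung server. The walk also makes the failure mode visible: with no server reachable and the local password rejected, the stack reaches `pam_deny.so` and the login is refused rather than silently accepted.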
* Generate common-auth-sonic and tacplus_nss.conf from a jinja2 template

Signed-off-by: Chenchen Qi <[email protected]>
- What I did
- How I did it
- How to verify it
- Description for the changelog
  Add configDB enforcer for TACACS+
- A picture of a cute animal (not mandatory but encouraged)
