[tacacs]: skip accessing tacacs servers for local non-tacacs users #2843
lguohan merged 2 commits into sonic-net:master from
Conversation
This helps use the legacy passwd file for user info and go to tacacs only if not found. This means, we never contact tacacs for local users like "admin". This isolates local users from any issues with tacacs servers. W/o this fix, the sudo commands by local users could take <count of servers> * <tacacs timeout> seconds, if the tacacs servers are unreachable.
looks like #2163 changed this deliberately.
without #2163, if the user is already in the passwd file, nss will not even communicate with tacacs. This is to address the scenario of a user permission change.
There does not seem to be a detailed explanation of the bug in PR #2163. In short: say a TACACS user is logged in, and then his credentials are removed from the TACACS servers. It would not affect his current session, but he can't create any more new sessions. So this restricts the nss access to only getting user info and nothing more. Hence compat first and TACACS next should not affect the level of security in any way. Later, when we move on to controlling authorizations, I believe this still would not have an impact, as its effect is restricted to getpwnam, getpwent and related functions, with the passwd file as the only source of info.
the scenario is that a user changes from ro to rw. If we put compat first, will the user privilege get updated after he changed from ro to rw on the tacacs side?
Revert the order of 'compat tacplus' to original 'tacplus compat' as tacplus access is required for all tacacs users, who also get created locally.
I have this question: why do you choose to compare the gecos? Why not compare the group name of the tacacs user? It is going to be either remote_user or remote_user_su.
The strings "remote_user" & "remote_user_su" are not names of groups, but are used to set the pw_gecos (full name) of the user. The read-only users (privilege level = 1) get the gid "100", which is
…2843)
* Switch the nss look up order as "compat" followed by "tacplus". This helps use the legacy passwd file for user info and go to tacacs only if not found. This means, we never contact tacacs for local users like "admin". This isolates local users from any issues with tacacs servers. W/o this fix, the sudo commands by local users could take <count of servers> * <tacacs timeout> seconds, if the tacacs servers are unreachable.
* Skip tacacs server access for local non-tacacs users. Revert the order of 'compat tacplus' to original 'tacplus compat' as tacplus access is required for all tacacs users, who also get created locally.
This helps use the legacy passwd file for user info and go to tacacs only if not found.
This means, we never contact tacacs for local users like "admin".
This isolates local users from any issues with tacacs servers.
W/o this fix, the sudo commands by local users could take <count of servers> * <tacacs timeout> seconds, if the tacacs servers are unreachable.
- What I did
Switched order of user lookup to "compat" first, followed by "tacplus".
- How I did it
- How to verify it
Configure properly for tacacs+ login, with the exception of the server IP, where you put an unreachable/non-existing one.
Log in as admin and try "time sudo ls".
This would take roughly <count of servers> * <tacacs timeout -- which defaults to 5> seconds.
With this fix, "sudo" will work fine.
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)
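As an added example (not code from sonic-buildimage or libnss-tacplus), the following Python models the lookup decision the thread settles on, where a gecos of "remote_user" or "remote_user_su" marks a tacacs-created user, together with the <count of servers> * <tacacs timeout> delay the verification steps measure; the passwd entries, the server count and the "unknown" user are constructed.

```python
# Added model of the post-fix libnss_tacplus decision from PR #2843 (not the
# project's code).  A name already in the local passwd file whose gecos is
# neither "remote_user" nor "remote_user_su" is a local non-tacacs user and is
# answered locally; any other lookup may block for
# <count of servers> * <tacacs timeout> seconds when the servers are down.

TACACS_GECOS = {"remote_user", "remote_user_su"}  # gecos values named in the thread
DEFAULT_TIMEOUT = 5  # seconds; the default quoted in the verification steps


def parse_passwd(text):
    """Parse passwd(5)-style lines into {name: (uid, gid, gecos)}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, _home, _shell = line.split(":", 6)
        entries[name] = (int(uid), int(gid), gecos)
    return entries


def is_local_non_tacacs(name, passwd):
    """True when the name is in the local passwd file and was not created
    by the tacacs NSS module (i.e. its gecos is not a remote_user marker)."""
    entry = passwd.get(name)
    return entry is not None and entry[2] not in TACACS_GECOS


def worst_case_delay(name, passwd, servers, timeout=DEFAULT_TIMEOUT, skip_local=True):
    """Seconds a lookup may block with every server unreachable.
    skip_local=False models the pre-fix behaviour (servers tried first)."""
    if skip_local and is_local_non_tacacs(name, passwd):
        return 0
    return servers * timeout


# Constructed sample passwd: local admin plus two tacacs-created users
# (read-only users get gid 100, as the thread notes).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:admin,,,:/home/admin:/bin/bash
ro_user:x:1001:100:remote_user:/home/ro_user:/bin/bash
rw_user:x:1002:1000:remote_user_su:/home/rw_user:/bin/bash
"""

if __name__ == "__main__":
    pw = parse_passwd(SAMPLE_PASSWD)
    for user in ("admin", "ro_user", "rw_user", "unknown"):
        before = worst_case_delay(user, pw, servers=3, skip_local=False)
        after = worst_case_delay(user, pw, servers=3)
        print(f"{user:8} before fix: {before:2}s  after fix: {after:2}s")
```

Running it shows the local admin dropping from 15 s to 0 s with three unreachable servers, while the two tacacs-created users and the unknown name still wait the full servers * timeout.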