TACACS: Don't send sshd's bad password to AAA

[renukamanavalan]

[cherry-pick PR #9123 ]

Why I did it

When sshd realizes that this login can't succeed due to internal device state
or configuration, instead of failing right there, it proceeds to prompt for
password, so as the user does not get any clue on where is the failure point.

Yet to ensure that this login does not proceed, sshd replaces user provided password
with a specific pattern of characters matching length of user provided password.
This pattern is "<BS><LF><CR><DEL>INCORRECT", which is bound to fail.

If user provided length is smaller/equal, the substring of pattern is overwritten.
If user provided length is greater, the pattern is repeated until length is exhausted.

But if the PAM-tacacs plugin would send this password to AAA, the user could get
locked out by AAA, for providing incorrect value.

How I did it

Hence this fix, matches obtained password against the pattern. If match, fail just before
reaching AAA server.

How to verify it

1. Make sure tacacs is properly configured.
2. Try logging in as, say "user-A"; ensure it succeeds
3. Pick another user, say user-B and ensure this user has not logged into this device before (look into /etc/passed & folders under /home)
4. Disable monit service (as that could fix the issue using disk_check.py)
5. Start TCP dump for all TACACS servers.
6. Simulate Read-only disk
7. Try logging in using user-B.
8. Verify it fails, after 3 attempts
9. Stop tcp dump.
10. TCP dump should show "authentication" for user-A only

Which release branch to backport (provide reason below if selected)

• 201811
• 201911
• 202006
• 202012
• 202106

Description for the changelog

A picture of a cute animal (not mandatory but encouraged)

[lguohan]

better to keep the same description as the original pr

[qiluo-msft]

Keep it as 0010 as the master commit? Then later if we decide to backport more patches, others will be easier.

[renukamanavalan]

Not really. As master has diverged well with 3 patches, this patch had to be manually re-created. The contents of 0010 & 0007 are different but for the same purpose. Similarly, in future, if we would need any patch from master it has to be re-created manually. The title of the patch would indicate the patch purpose, which is same in both master & here.

[qiluo-msft]

Sorry for misleading. Is it possible to keep original file name ../0010-handle-bad-password-set-by-sshd.patch? I am okay if the file content changes.

[renukamanavalan]

I got your point.
The number is just meant for sequence of application. So here, this patch has to be applied after 0006, hence 0007.