Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SONiC design doc: TACACS+ improvement #813

Merged
merged 19 commits into from
Oct 21, 2021
Merged

Add SONiC design doc: TACACS+ improvement #813

Changes from 2 commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
89fef3e
Add TACACS+ protocol requirement document.
liuh-80 Jul 9, 2021
5e3fc17
Improve document.
liuh-80 Jul 9, 2021
d1805c6
Update document according to PR comments.
liuh-80 Jul 13, 2021
f3c8020
Improve document.
liuh-80 Jul 15, 2021
bf1e468
Update requirement document, remove some authorization limitation bec…
liuh-80 Jul 20, 2021
e060412
Save document change.
liuh-80 Jul 27, 2021
8ce6293
Improve design document.
liuh-80 Jul 28, 2021
39e1376
Update design document.
liuh-80 Jul 29, 2021
ecc6f3e
Fix section numbers.
liuh-80 Jul 29, 2021
ef48e3d
Improve document.
liuh-80 Jul 29, 2021
241e35d
Update document according to EOS AAA behavior.
liuh-80 Aug 4, 2021
dc8e5e0
Improve document.
liuh-80 Aug 6, 2021
e06e901
Fix typo
liuh-80 Aug 18, 2021
e8da9bc
Improve document according to review feedback.
liuh-80 Aug 19, 2021
4cf0581
Improve document according to community review.
liuh-80 Sep 22, 2021
1bec8fc
Improve document according review comments.
liuh-80 Sep 22, 2021
4d1660c
Fix PR comments.
liuh-80 Sep 22, 2021
15bd52c
Update design document.
liuh-80 Oct 12, 2021
92ea017
Add comments for AAA table 'login' attribute name issue.
liuh-80 Oct 19, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
178 changes: 178 additions & 0 deletions doc/aaa/TACACS+ Requirement.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,178 @@
# SONiC TACACS+ Protocol Requirement

# Table of Contents
- [Table of Contents](#table-of-contents)
- [About this Manual](#about-this-manual)
- [1 Functional Requirements](#1-functional-requirement)
* [1.1 Authentication](#11-authentication)
* [1.2 Authorization](#12-authorization)
* [1.3 Accounting](#13-accounting)
* [1.4 User script](#14-user-script)
* [1.5 Docker support](#15-docker-support)
* [1.6 Multiple TACACS server](#16-multiple-tacas-server)
- [2 Configuration and Management Requirements](#2-configuration-and-management-requirements)
* [2.1 SONiC CLI](#21-sonic-cli)
* [2.2 Config DB](#22-config-db)
* [2.3 Counter](#23-counter)
* [2.4 System log](#24-system-log)
- [3 Limitation](#limitation)
* [3.1 Command size](#31-command-size)
* [3.2 Server count](#32-server-count)

# About this Manual
This document provides a detailed description on the requirement of TACACS+ protocol support.

# 1 Functional Requirement
## 1.1 Authentication
- Authentication when user login to SONiC host.


## 1.2 Authorization
- Authorization when:
- User login to SONiC host.
- User run command on SONiC host.
- User can only run commands in whitelist.
liuh-80 marked this conversation as resolved.
Show resolved Hide resolved
- For recursive command/script, only the top level command have authorization.

- Only command in whitelist visible to user:
- Whitelist is per host, all user share same whitelist to simplify design.
- Different privilege level have different permission to run these command.
- All commands in sudoers will add to the whitelist. and sudoers config file still need for RO users, this is because when remote TACACS server not accessible from SONiC, we need use local group permission for failover.

- Disable user behavior in shell:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why rbash is a must for command authorization?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason is because for command authorization, we create a symbol link for every command we want enable authorization.
Without rbash user can run any command, include those command we not create symbol link.
Then they can bypass the authorization very easy.

Copy link
Contributor

@qiluo-msft qiluo-msft Jul 9, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Disable

Disable for RO users are understandable. Is it possible to keep RW users capability at the same time of AAA? #Closed

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In that case, we need consider some other solution. I will check other solution in POC and update this document.

Copy link
Contributor Author

@liuh-80 liuh-80 Jul 15, 2021
edited by qiluo-msft
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I check some other solution and they are based on shell function hook, those solution have a common limitation: user can bypass restriction by ingest new shell hook.

Then after check the rbash restriction, I think we have 2 solution:

  1. Patch bash to allow redirection in restrict mode, and accept most other restriction because those are necessary for use tacplus-auth: those restriction we accept will make both RO/RW user can't access commands not in our white list, and make user can't switch to other shell.

  2. Patch bash, so bash can do Authorization before execute any user command.
    With this solution, there is no any restriction in router machine side, in TACACS server side we just need disable user switch to other shell.

I will try a POC for solution 2, it's seems will be a minor change.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The POC for solution 2 is ready, which will authorize any user 'disk' command, so if solution 2 is acceptable, will update the document.

For 'disk' command, in bash, if a command is a file stored in disk, it's a disk command. built-in command and bash function are not disk command, executable file and script are disk command.

- Changing directories with the cd builtin.
- User still can access files in other folder, and use 'ls' command to list content in other folder, for example:
```
test@testhost:~$ ls -l /etc/
total 880
drwxr-xr-x 3 test test 4096 Aug 22 2020 NetworkManager
drwxr-xr-x 7 test test 4096 Aug 22 2020 X11
drwxr-xr-x 3 test test 4096 Aug 22 2020 acpi
```
- Setting or unsetting the values of the SHELL, PATH, HISTFILE, ENV, or BASH_ENV variables.

- Specifying command names containing slashes, for example:
```
test@testhost:~$ /etc/date
rbash: /etc/date: restricted: cannot specify `/' in command names

test@testhost:~$ date
Fri Jul 9 15:15:42 CST 2021
```

- Importing function definitions from the shell environment at startup.
liuh-80 marked this conversation as resolved.
Show resolved Hide resolved
- Parsing the value of SHELLOPTS from the shell environment at startup.
- Redirecting output using the ‘>’, ‘>|’, ‘<>’, ‘>&’, ‘&>’, and ‘>>’ redirection operators.
Copy link
Contributor

@qiluo-msft qiluo-msft Jul 9, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Redirecting

What are the alternatives for user to achieve similar goal? #Closed

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By patch bash, we can allow user use redirect, will remove this from document.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you have a link to the patch? I am wondering if redirect could be configurable. For example, RW users could use redirect as normal, but RO users are banned to use redirect.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a very simple code change, remove following code in redir.c line:836

#if defined (RESTRICTED_SHELL)
      if (restricted && (WRITE_REDIRECT (ri)))
{
  free (redirectee_word);
  return (RESTRICTED_REDIRECT);
}
#endif /* RESTRICTED_SHELL */

So for RW allow and RO disable, we can:

  1. create a variable isReadonlyUser

  2. When bash startup, check current user group and set this variable.

  3. If any behavior we want to disable for RO only we can change code like this:

    #if defined (RESTRICTED_SHELL)
    if (restricted && isReadonlyUser && (WRITE_REDIRECT (ri)))
    {
    free (redirectee_word);
    return (RESTRICTED_REDIRECT);
    }
    #endif /* RESTRICTED_SHELL */

- Builtin commands:

| **Command** | **Behavior** |
| -------- | -------------------------- |
| . | Specifying a filename containing a slash as an argument. |
| history | Specifying a filename containing a slash as an argument. |
| hash | Specifying a filename containing a slash as an argument to the -p option. |
| exec | Specifying a filename containing a slash as an argument to the -p option. |
| deleting/adding | Use the -f and -d options to the enable builtin. |
| enable | Using the 'enable' builtin command to enable disabled shell builtins. |
| command | Specifying the -p option to the 'command' builtin command. |
| set | Turning off restricted mode with ‘set +r’ or ‘set +o restricted’. |

- All these behavior disabled only for user input, command in script will not be affected, see here for more details: https://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html


- Supported Authorization types:
- EXEC: user session authorization support. this happen when user login.
- Command: user run command in shell.

- Failover:
- Authorization will happen before execute, if remote TACACS server not available, use local group based authorization as failover.


## 1.3 Accounting
liuh-80 marked this conversation as resolved.
Show resolved Hide resolved
- Accounting is the action of recording what a user is doing, and/or has done.

- Following event will be accounted:
- User login to SONiC host.
- User logout.
- User run command on host:
- Command start run.
- Command finish.
- For recursive command/script, only the top level command have Accounting.
- Failover:
- Use syslog as backup when remote TACACS not not accessible from SONiC.


## 1.4 User script
- Any script in whitelist can run with Authorization and Accounting.
- If user create a script, admin user can use config command add script to whitelist.
liuh-80 marked this conversation as resolved.
Show resolved Hide resolved
- To run user script, TACACS server side must allow user run script, for example:
```
1. Tacacs service allow RW user run any script named as 'user_script_*'
2. RW user create a new script on sonic host, script name is 'user_script_collect_information.sh'
3. Then user can add user_script_collect_information.sh to white list and run it.
```
## 1.5 Docker support
- Docker exec command will be covered by Authorization and Accounting.
- SONiC AAA can't cover any command user run inside a docker.

## 1.6 Multiple TACACS server
- Support config multiple TACACS server.
- When a server not available, will try next server as backup.
- When all server not accessible from SONiC, use native failover solution.

# 2 Configuration and Management Requirements
## 2.1 SONiC CLI
- Enable/Disable TACACS Authorization/Accounting command
```
config tacacs authorization enable
config tacacs authorization disable
config tacacs accounting enable
config tacacs accounting disable
```

- Whitelist management command
```
show tacacs whitelist
Config tacacs whitelist remove <command>
liuh-80 marked this conversation as resolved.
Show resolved Hide resolved
Config tacacs whitelist add <command>
```

- Counter command
```
show tacacs counter
clean tacacs counter
```

## 2.2 Config DB
- TACACS AAA are fully configable by config DB.

## 2.3 Counter
- Support AAA counter:
```
show tacacs counter

server1: 10.1.1.45
Messages sent: 24
Messages received: 20
Requests accepted: 14
Requests rejected: 8
Requests timeout: 2
Requests retransmitted: 1
Bad responses: 1
```

## 2.4 System log
- Generate system log when Authentication/Authorization/Accounting.
- When remote TACACS server not accessible from SONiC, use system log for accounting.


# 3 Limitation
## 3.1 Command size
- TACACS protocol limittation: command + parameter size should smaller than 240 byte. The longer than 240 bytes parts will be drop.
- This limitation is a protocol level, all TACACS implementation have this limittation, include CISCO, ARISTA and Cumulus.
- Both Authorization and Accounting have this limitation.
- When user user a command longer than 240 bytes, only commands within 240 bytes will send to TACACS server. which means Accounting may lost some user input. and Authorization check can only partly check user input.


## 3.2 Server count
- Max TACACS server count was hardcoded, default count is 8.