[TACACS+] Add Bash TACACS+ plugin for per-command authorization. #8715
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
a94028c to db26d95
# Conflicts: # src/tacacs/pam/Makefile
From: liuh-80 <58683130+liuh-80@users.noreply.github.com> | ||
Date: Tue, 12 Oct 2021 10:09:10 +0800 | ||
Subject: [PATCH 3/4] Extract tacacs support functions into library. | ||
Subject: [PATCH] Extract tacacs support functions into library. |
There are some code bugs in this patch file:
- When parsing nss_tacplus.conf, it can't get the TACACS server passkey, because the file format is a little different from the upstream file format.
- It does not release the tacacs server data before loading the tacacs config file.
For the code change in this file, please check this PR: https://github.com/liuh-80/pam_tacplus/pull/4/files
1 comment about code position is fixed in this patch file.
The other comments about the debug code change have been replied to; it's necessary for debug.
According to discussion, update the patch and this code to only support debug, which is the upstream project behavior.
Discussed offline: we will not use pam_tacplus function to parse nss_tacplus config in future. Then we will abandon this patch.
Fix libtacsupport.so can't parse tacplus_nss.conf issue and not reset server list before parse config file issue.

##### Work item tracking
- Microsoft ADO **(number only)**: 24433713

#### Why I did it
1. Fix libtacsupport.so can't parse tacplus_nss.conf correctly issue:
   - Support debug=on setting.
   - Support put server address and secret in same row.
2. Fix the parse_config_file method not reset server list before parse config file issue.

#### How I did it
Fix libtacsupport.so can't parse tacplus_nss.conf issue and not reset server list before parse config file issue.

#### How to verify it
UT with CUnit cover all code in this plugin.
Also pass all current UT.

#### Which release branch to backport (provide reason below if selected)
N/A

#### Tested branch (Please provide the tested image version)
Extract tacacs support functions into library, this will share TACACS config file parse code with other project. Also fix memory leak issue in parse config code.
- [ ] SONiC.202012-15723.312602-e230e2d3e

#### Description for the changelog
Fix libtacsupport.so can't parse tacplus_nss.conf issue and not reset server list before parse config file issue.
This pull request adds a bash plugin for TACACS+ per-command authorization
Why I did it
Support debug=on setting.
Support put server address and secret in same row.
How I did it
The bash plugin will be called before every user command, and check user command with remote TACACS+ server for per-command authorization.
How to verify it
UT with CUnit cover all code in this plugin.
Also pass all current UT.
Which release branch to backport (provide reason below if selected)
N/A
Description for the changelog
Add Bash TACACS+ plugin.
A picture of a cute animal (not mandatory but encouraged)
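
The parser behaviour described above (a `debug=on` setting, server address and secret on the same row, and resetting the server list before each parse), as an added C example that is not code from this PR or from pam_tacplus. The `server=ADDR,secret=KEY` row layout, the struct names and the `parse_config` signature are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical types for this example, not the libtacsupport structures. */
#define MAX_SERVERS 8
struct tac_server { char addr[64]; char secret[64]; };
struct tac_config { int debug; int count; struct tac_server srv[MAX_SERVERS]; };

/* Constructed sample input in the assumed tacplus_nss.conf layout. */
static const char SAMPLE_A[] = "# constructed sample\ndebug=on\n"
    "server=192.0.2.10:49,secret=key-a,timeout=5\n"
    "server=192.0.2.11:49,secret=key-b\n";
static const char SAMPLE_B[] = "server=192.0.2.20:49,secret=key-c\n";

/* Load cfg from config text; returns the number of servers loaded. */
int parse_config(const char *text, struct tac_config *cfg)
{
    /* Reset first, so a reload never keeps servers or secrets from the previous file. */
    memset(cfg, 0, sizeof(*cfg));
    for (const char *line = text; *line; ) {
        const char *p = line + strspn(line, " \t");
        if (strncmp(p, "debug=on", 8) == 0 && strchr("\r\n", p[8])) {
            cfg->debug = 1;
        } else if (strncmp(p, "server=", 7) == 0 && cfg->count < MAX_SERVERS) {
            struct tac_server *s = &cfg->srv[cfg->count];
            /* Address and secret sit on one row: server=ADDR,secret=KEY[,...] */
            if (sscanf(p, "server=%63[^,\r\n],secret=%63[^,\r\n]", s->addr, s->secret) >= 1)
                cfg->count++;
        }
        line += strcspn(line, "\n");   /* advance to the end of this line */
        if (*line == '\n')
            line++;
    }
    return cfg->count;
}

int main(void)
{
    struct tac_config cfg;
    int first = parse_config(SAMPLE_A, &cfg);
    int second = parse_config(SAMPLE_B, &cfg);
    printf("first load: %d servers, reload: %d servers, debug=%d\n", first, second, cfg.debug);
    return 0;
}
```

Without the `memset` at the top of `parse_config`, the second load would leave the servers and secrets from the first file in the list.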