[TACACS+]: Add support to specify source address for TACACS+ #4610

Changes from 9 commits
Commits
18 commits
872ac28
Added support to allow/deny packets matching source IP/destination IP
venkatmahalingam May 14, 2020
bceff9f
Added support to allow/deny packets matching source IP/destination IP…
venkatmahalingam May 14, 2020
2410e97
Merge branch 'master' of https://github.com/venkatmahalingam/sonic-bu…
venkatmahalingam May 14, 2020
44ac39f
[TACACS+]: Add support to specify source address for TACACS+
venkatmahalingam May 16, 2020
c01a656
[TACACS+]: Add support to specify source address for TACACS+
venkatmahalingam May 16, 2020
41d67ce
Merge branch 'tacacs+_src_ip_support' of https://github.com/venkatmah…
venkatmahalingam May 16, 2020
c7948c0
Reverted the changes not applicable for this pull request
venkatmahalingam May 16, 2020
b748481
Addressed the comment
venkatmahalingam Jun 16, 2020
86bc6d6
Initialised the source address to NULL after free.
venkatmahalingam Jun 16, 2020
6ebd74a
# This is a combination of 5 commits.
venkatmahalingam May 16, 2020
743ff25
Merge branch 'tacacs+_src_ip_support' of https://github.com/venkatmah…
venkatmahalingam Jun 22, 2020
c3c8ee5
Comment addressed.
venkatmahalingam Jun 22, 2020
ea24aff
[TACACS+]: Add support to specify source address for TACACS+
venkatmahalingam Jun 23, 2020
3ff5291
Merge branch 'tacacs+_src_ip_support' of https://github.com/venkatmah…
venkatmahalingam Jun 23, 2020
8833852
Addressed the review comments.
venkatmahalingam Jun 30, 2020
25584e8
Addressed the review comments.
venkatmahalingam Jun 30, 2020
3d4530a
Merge branch 'tacacs+_src_ip_support' of https://github.com/venkatmah…
venkatmahalingam Jul 2, 2020
43771d6
Tested TACACS+ authentication with IPv6 source address.
venkatmahalingam Jul 6, 2020
6 changes: 3 additions & 3 deletions files/image_config/hostcfgd/common-auth-sonic.j2
Expand Up @@ -15,16 +15,16 @@ auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
{% elif auth['login'] == 'local,tacacs+' %}
auth [success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_unix.so nullok try_first_pass
{% for server in servers | sub(0, -1) %}
auth [success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_tacplus.so server={{ server.ip }}:{{ server.tcp_port }} secret={{ server.passkey }} login={{ server.auth_type }} timeout={{ server.timeout }} {% if server.vrf %} vrf={{ server.vrf }} {% endif %} try_first_pass
auth [success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_tacplus.so server={{ server.ip }}:{{ server.tcp_port }} secret={{ server.passkey }} login={{ server.auth_type }} timeout={{ server.timeout }} {% if server.vrf %} vrf={{ server.vrf }} {% endif %} {{ 'source_ip=%s' % src_ip if src_ip }} try_first_pass
{% endfor %}
{% if servers | count %}
{% set last_server = servers | last %}
auth [success=1 default=ignore] pam_tacplus.so server={{ last_server.ip }}:{{ last_server.tcp_port }} secret={{ last_server.passkey }} login={{ last_server.auth_type }} timeout={{ last_server.timeout }} {% if last_server.vrf %} vrf={{ last_server.vrf }} {% endif %} try_first_pass
auth [success=1 default=ignore] pam_tacplus.so server={{ last_server.ip }}:{{ last_server.tcp_port }} secret={{ last_server.passkey }} login={{ last_server.auth_type }} timeout={{ last_server.timeout }} {% if last_server.vrf %} vrf={{ last_server.vrf }} {% endif %} {{ 'source_ip=%s' % src_ip if src_ip }} try_first_pass

{% endif %}
{% elif auth['login'] == 'tacacs+' or auth['login'] == 'tacacs+,local' %}
{% for server in servers %}
auth [success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_tacplus.so server={{ server.ip }}:{{ server.tcp_port }} secret={{ server.passkey }} login={{ server.auth_type }} timeout={{ server.timeout }} {%if server.vrf %} vrf={{ server.vrf }} {% endif %} try_first_pass
auth [success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_tacplus.so server={{ server.ip }}:{{ server.tcp_port }} secret={{ server.passkey }} login={{ server.auth_type }} timeout={{ server.timeout }} {%if server.vrf %} vrf={{ server.vrf }} {% endif %} {{ 'source_ip=%s' % src_ip if src_ip }} try_first_pass
{% endfor %}
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass

8 changes: 6 additions & 2 deletions files/image_config/hostcfgd/hostcfgd
Expand Up @@ -178,6 +178,10 @@ class AaaCfg(object):
auth.update(self.auth)
tacplus_global = self.tacplus_global_default.copy()
tacplus_global.update(self.tacplus_global)
if 'src_ip' in tacplus_global:
src_ip = tacplus_global['src_ip']
else:
src_ip = None

servers_conf = []
if self.tacplus_servers:
Expand All @@ -192,7 +196,7 @@ class AaaCfg(object):
env = jinja2.Environment(loader=jinja2.FileSystemLoader('/'), trim_blocks=True)
env.filters['sub'] = sub
template = env.get_template(template_file)
pam_conf = template.render(auth=auth, servers=servers_conf)
pam_conf = template.render(auth=auth, src_ip=src_ip, servers=servers_conf)
with open(PAM_AUTH_CONF, 'w') as f:
f.write(pam_conf)

Expand All @@ -215,7 +219,7 @@ class AaaCfg(object):
# Set tacacs+ server in nss-tacplus conf
template_file = os.path.abspath(NSS_TACPLUS_CONF_TEMPLATE)
template = env.get_template(template_file)
nss_tacplus_conf = template.render(debug=self.debug, servers=servers_conf)
nss_tacplus_conf = template.render(debug=self.debug, src_ip=src_ip, servers=servers_conf)
with open(NSS_TACPLUS_CONF, 'w') as f:
f.write(nss_tacplus_conf)

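Review bot: `src_ip` is read from `tacplus_global` and rendered verbatim into the whitespace-delimited pam_tacplus option line and into tacplus_nss.conf with no check that it is an address, so a value containing spaces or a newline turns into extra module arguments or extra config lines; validate before rendering, e.g. `ipaddress.ip_address(src_ip)` in a try/except that logs the bad value and falls back to `None` (this needs `import ipaddress`, which is outside the visible hunk — confirm it is not already there). The four-line lookup at the top of the first hunk can also be the single `src_ip = tacplus_global.get('src_ip')`. The enclosing method starts and ends outside the hunks.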
7 changes: 7 additions & 0 deletions files/image_config/hostcfgd/tacplus_nss.conf.j2
Expand Up @@ -7,6 +7,13 @@
debug=on
{% endif %}

# src_ip - set source address of TACACS+ protocol packets
# Default: None (auto source ip address)
# src_ip=2.2.2.2
{% if src_ip %}
src_ip={{ src_ip }}
{% endif %}

# server - set ip address, tcp port, secret string and timeout for TACACS+ servers
# Default: None (no TACACS+ server)
# server=1.1.1.1:49,secret=test,timeout=3
72 changes: 72 additions & 0 deletions src/tacacs/nss/0007-Add-support-for-TACACS-source-address.patch
@@ -0,0 +1,72 @@
From e01ec7cbc302269953a4a9cdc2031a34a042b6de Mon Sep 17 00:00:00 2001
From: Venkatesan Mahalingam <venkatesan_mahalinga@dell.com>
Date: Tue, 16 Jun 2020 09:52:13 -0700
Subject: [PATCH] Add support for TACACS+ source address.

Signed-off-by: Venkatesan Mahalingam <venkatesan_mahalinga@dell.com>
---
nss_tacplus.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/nss_tacplus.c b/nss_tacplus.c
index 7feeda6..735736e 100644
--- a/nss_tacplus.c
+++ b/nss_tacplus.c
@@ -73,6 +73,7 @@ typedef struct {
static tacplus_server_t tac_srv[TAC_PLUS_MAXSERVERS];
static int tac_srv_no;
static useradd_info_t useradd_grp_list[MAX_TACACS_USER_PRIV + 1];
+static struct addrinfo *source_addr;

static char *tac_service = "shell";
static char *tac_protocol = "ssh";
@@ -247,6 +248,9 @@ static int parse_config(const char *file)
return NSS_STATUS_UNAVAIL;
}

+ if(source_addr)
+ freeaddrinfo(source_addr);
+ source_addr = NULL;
debug = false;
tac_srv_no = 0;
while(fgets(buf, sizeof buf, fp)) {
@@ -262,6 +266,18 @@ static int parse_config(const char *file)
else if(!strncmp(buf, "user_priv=", 10)) {
parse_user_priv(buf);
}
+ else if(!strncmp(buf, "src_ip=", 7)) {
+ struct addrinfo hints;
+ char *ip = buf + 7;
+
+ memset(&hints, 0, sizeof hints);
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_socktype = SOCK_STREAM;
+
+ if(0 != getaddrinfo(ip, NULL, &hints, &source_addr))
+ syslog(LOG_ERR, "%s: error setting the source ip information",
+ nssname);
+ }
else if(!strncmp(buf, "server=", 7)) {
if(TAC_PLUS_MAXSERVERS <= tac_srv_no) {
syslog(LOG_ERR, "%s: tac server num is more than %d",
@@ -282,6 +298,8 @@ static int parse_config(const char *file)
nssname, n, tac_ntop(tac_srv[n].addr->ai_addr),
tac_srv[n].key[0], tac_srv[n].timeout);
}
+ syslog(LOG_DEBUG, "%s: src_ip=%s", nssname, NULL == source_addr
+ ? "NULL" : tac_ntop(source_addr->ai_addr));
syslog(LOG_DEBUG, "%s: many_to_one %s", nssname, 1 == many_to_one
? "enable" : "disable");
for(n = MIN_TACACS_USER_PRIV; n <= MAX_TACACS_USER_PRIV; n++) {
@@ -675,7 +693,7 @@ connect_tacacs(struct tac_attrib **attr, int srvr)
if(!*tac_service) /* reported at config file processing */
return -1;

- fd = tac_connect_single(tac_srv[srvr].addr, tac_srv[srvr].key, NULL,
+ fd = tac_connect_single(tac_srv[srvr].addr, tac_srv[srvr].key, source_addr,
tac_srv[srvr].timeout, vrfname[0] ? vrfname : NULL);
if(fd >= 0) {
*attr = NULL; /* so tac_add_attr() allocates memory */
--
2.7.4
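Review bot: In the new `src_ip=` branch of `parse_config`, `getaddrinfo` resolves straight into the global `source_addr`, so a second `src_ip=` line in the file overwrites the first result without `freeaddrinfo`, and on failure the global is left in whatever state the resolver put it in rather than the NULL it was reset to above. Resolve into a local, swap the global only on success, and log the offending string with `gai_strerror` instead of the generic message; setting `AI_NUMERICHOST` also keeps an NSS module from blocking on a DNS lookup during a user lookup, so drop that flag only if hostnames are intended to be accepted here. Whether `buf` still carries the trailing newline from `fgets` at this point depends on code outside the hunk; if it does, `ip` needs trimming before resolution or every value will fail. `parse_config` starts and ends outside the visible hunks.
```c
    else if(!strncmp(buf, "src_ip=", 7)) {
        struct addrinfo hints, *res = NULL;
        char *ip = buf + 7;
        int rc;

        memset(&hints, 0, sizeof hints);
        hints.ai_family = AF_UNSPEC;
        hints.ai_socktype = SOCK_STREAM;
        hints.ai_flags = AI_NUMERICHOST; /* literal address only; no DNS from inside an NSS module */

        rc = getaddrinfo(ip, NULL, &hints, &res);
        if(rc != 0) {
            syslog(LOG_ERR, "%s: invalid src_ip '%s': %s", nssname, ip, gai_strerror(rc));
        } else {
            if(source_addr)
                freeaddrinfo(source_addr); /* a repeated src_ip= line replaces the earlier one */
            source_addr = res;
        }
    }
    /* … unchanged: server= parsing … */
```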

1 change: 1 addition & 0 deletions src/tacacs/nss/Makefile
Expand Up @@ -24,6 +24,7 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
git $(GIT_APPLY) ../0004-Skip-accessing-tacacs-servers-for-local-non-tacacs-u.patch
git $(GIT_APPLY) ../0005-libnss-Modify-parsing-of-IP-addr-and-port-number-str.patch
git $(GIT_APPLY) ../0006-fix-compiling-warning-about-token-dereference.patch
git $(GIT_APPLY) ../0007-Add-support-for-TACACS-source-address.patch

dpkg-buildpackage -rfakeroot -b -us -uc
popd
124 changes: 124 additions & 0 deletions src/tacacs/pam/0006-Add-support-for-source-ip-address.patch
@@ -0,0 +1,124 @@
From a481a4192aefa72467dfffa36caf85fbd3a30ab1 Mon Sep 17 00:00:00 2001
From: Venkatesan Mahalingam <venkatesan_mahalinga@dell.com>
Date: Sat, 2 May 2020 14:21:24 -0700
Subject: [PATCH] Add support for source ip address

---
pam_tacplus.c | 8 ++++----
support.c | 31 +++++++++++++++++++++++++++++++
support.h | 1 +
3 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/pam_tacplus.c b/pam_tacplus.c
index 38e2a70..ec8ea27 100644
--- a/pam_tacplus.c
+++ b/pam_tacplus.c
@@ -177,7 +177,7 @@ int _pam_account(pam_handle_t *pamh, int argc, const char **argv,

status = PAM_SESSION_ERR;
for(srv_i = 0; srv_i < tac_srv_no; srv_i++) {
- tac_fd = tac_connect_single(tac_srv[srv_i].addr, tac_srv[srv_i].key, NULL, tac_timeout, __vrfname);
+ tac_fd = tac_connect_single(tac_srv[srv_i].addr, tac_srv[srv_i].key, tac_source_addr, tac_timeout, __vrfname);
if (tac_fd < 0) {
_pam_log(LOG_WARNING, "%s: error sending %s (fd)",
__FUNCTION__, typemsg);
@@ -276,7 +276,7 @@ int pam_sm_authenticate (pam_handle_t * pamh, int flags,
if (ctrl & PAM_TAC_DEBUG)
syslog(LOG_DEBUG, "%s: trying srv %d", __FUNCTION__, srv_i );

- tac_fd = tac_connect_single(tac_srv[srv_i].addr, tac_srv[srv_i].key, NULL, tac_timeout, __vrfname);
+ tac_fd = tac_connect_single(tac_srv[srv_i].addr, tac_srv[srv_i].key, tac_source_addr, tac_timeout, __vrfname);
if (tac_fd < 0) {
_pam_log(LOG_ERR, "%s: connection to srv %d failed", __FUNCTION__, srv_i);
continue;
@@ -579,7 +579,7 @@ int pam_sm_acct_mgmt (pam_handle_t * pamh, int flags,
if(tac_protocol[0] != '\0')
tac_add_attrib(&attr, "protocol", tac_protocol);

- tac_fd = tac_connect_single(active_server.addr, active_server.key, NULL, tac_timeout, __vrfname);
+ tac_fd = tac_connect_single(active_server.addr, active_server.key, tac_source_addr, tac_timeout, __vrfname);
if(tac_fd < 0) {
_pam_log (LOG_ERR, "TACACS+ server unavailable");
if(arep.msg != NULL)
@@ -762,7 +762,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
if (ctrl & PAM_TAC_DEBUG)
syslog(LOG_DEBUG, "%s: trying srv %d", __FUNCTION__, srv_i );

- tac_fd = tac_connect_single(tac_srv[srv_i].addr, tac_srv[srv_i].key, NULL, tac_timeout, __vrfname);
+ tac_fd = tac_connect_single(tac_srv[srv_i].addr, tac_srv[srv_i].key, tac_source_addr, tac_timeout, __vrfname);
if (tac_fd < 0) {
_pam_log(LOG_ERR, "connection failed srv %d: %m", srv_i);
continue;
diff --git a/support.c b/support.c
index 7c00618..96c24c3 100644
--- a/support.c
+++ b/support.c
@@ -37,6 +37,8 @@ char tac_service[64];
char tac_protocol[64];
char tac_prompt[64];
char *__vrfname=NULL;
+char tac_source_ip[64];
+struct addrinfo *tac_source_addr = NULL;

void _pam_log(int err, const char *format,...) {
char msg[256];
@@ -274,6 +276,10 @@ int _pam_parse (int argc, const char **argv) {
}
} else if(!strncmp(*argv, "vrf=", 4)) {
__vrfname = strdup(*argv + 4);
+ } else if (!strncmp (*argv, "source_ip=", strlen("source_ip="))) {
+ /* source ip for the packets */
+ strncpy (tac_source_ip, *argv + strlen("source_ip="), sizeof(tac_source_ip));
+ set_source_ip (tac_source_ip, &tac_source_addr);
} else {
_pam_log (LOG_WARNING, "unrecognized option: %s", *argv);
}
@@ -292,8 +298,33 @@ int _pam_parse (int argc, const char **argv) {
_pam_log(LOG_DEBUG, "tac_protocol='%s'", tac_protocol);
_pam_log(LOG_DEBUG, "tac_prompt='%s'", tac_prompt);
_pam_log(LOG_DEBUG, "tac_login='%s'", tac_login);
+ _pam_log(LOG_DEBUG, "tac_source_ip='%s'", tac_source_ip);
}

return ctrl;
} /* _pam_parse */

+/* set source ip address for the outgoing tacacs packets */
+void set_source_ip(const char *tac_source_ip,
+ struct addrinfo **source_address) {
+
+ struct addrinfo hints;
+ int rv;
+
+ /* check if source address is configured */
+ if (*tac_source_ip == 0)
+ return;
+
+ /* set the source ip address for the tacacs packets */
+ if (tac_source_ip != NULL) {
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_socktype = SOCK_STREAM;
+ if ((rv = getaddrinfo(tac_source_ip, NULL, &hints,
+ source_address)) != 0) {
+ _pam_log(LOG_ERR, "error setting the source ip information");
+ } else {
+ _pam_log(LOG_DEBUG, "source ip is set");
+ }
+ }
+}
diff --git a/support.h b/support.h
index 9cbd040..09b8a85 100644
--- a/support.h
+++ b/support.h
@@ -37,6 +37,7 @@ extern int tac_srv_no;
extern char tac_service[64];
extern char tac_protocol[64];
extern char tac_prompt[64];
+extern struct addrinfo *tac_source_addr;

int _pam_parse (int, const char **);
unsigned long _resolve_name (char *);
--
2.7.4
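Review bot: The `strncpy` into `tac_source_ip` in the new `source_ip=` branch of `_pam_parse` does not NUL-terminate when the option value is 64 bytes or longer, and the buffer is then passed to `getaddrinfo` and `%s`-logged; `snprintf(tac_source_ip, sizeof tac_source_ip, "%s", *argv + strlen("source_ip="));` bounds and terminates it. `set_source_ip` is called from `_pam_parse` before its definition and support.h gains only the `extern`, so unless a prototype exists outside these hunks this is an implicit declaration — add `void set_source_ip(const char *, struct addrinfo **);` beside the new extern. Inside `set_source_ip` the NULL test comes after `*tac_source_ip` has already been dereferenced, and every call resolves into `*source_address` without freeing the previous result; if `_pam_parse` runs on each PAM entry point, as the rest of pam_tacplus suggests, that leaks an addrinfo per authentication, so resolve into a local and swap only on success (with `AI_NUMERICHOST` so a PAM module never blocks on DNS, unless hostnames are intended). `_pam_parse` starts outside the hunk.
```c
void set_source_ip(const char *tac_source_ip,
                   struct addrinfo **source_address) {
    struct addrinfo hints, *res = NULL;
    int rv;

    /* nothing configured: keep whatever was set before (NULL on first call) */
    if (tac_source_ip == NULL || *tac_source_ip == '\0')
        return;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST; /* literal address; never block a PAM call on DNS */

    rv = getaddrinfo(tac_source_ip, NULL, &hints, &res);
    if (rv != 0) {
        _pam_log(LOG_ERR, "invalid source_ip '%s': %s", tac_source_ip, gai_strerror(rv));
        return;
    }
    /* _pam_parse may run per PAM call: release the earlier result instead of leaking it */
    if (*source_address != NULL)
        freeaddrinfo(*source_address);
    *source_address = res;
    _pam_log(LOG_DEBUG, "source ip is set");
}
```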

1 change: 1 addition & 0 deletions src/tacacs/pam/Makefile
Expand Up @@ -19,6 +19,7 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
git apply ../0003-Obfuscate-key-before-printing-to-syslog.patch
git apply ../0004-management-vrf-support.patch
git apply ../0005-pam-Modify-parsing-of-IP-address-and-port-number-to-.patch
git apply ../0006-Add-support-for-source-ip-address.patch

dpkg-buildpackage -rfakeroot -b -us -uc
popd