TACACSPLUS_PASSKEY_ENCRYPTION support Part - II#81
TACACSPLUS_PASSKEY_ENCRYPTION support Part - II#81nmoray wants to merge 19 commits intosonic-net:masterfrom
Conversation
nmoray
changed the title
nmoray
changed the title
code cleanup Added syslogs Removed debug prints Fixed AUT issues Fixed build issues Fixed build issues fixed build issues Added a check for passkey before appending into server configs Fixed build issues
…-host-services into tacacs_pass_encrypt
|
@nmoray Thanks |
| if server['passkey'] is not None: | ||
| config_db = ConfigDBConnector() | ||
| config_db.connect() | ||
| output, errs = decrypt_passkey(server['passkey']) |
There was a problem hiding this comment.
What will happen when OS upgrade from old version which not support this feature? the passkey not encrypt in old version, decrypt will failed here, code here need identify this.
#closed
another solution is add code to DB migrator, but that script is very complex.
There was a problem hiding this comment.
Yeah, you are right. Decrypt will fail if someone has either manually added the passkey in config_db or the device has old config where encrypted passkey was absent. So is it fine to add a check if the given server['passkey'] is the same as the one present in common-auth-sonic file (in plaintext). If so, skip decrypt_passkey() API and directly write the passkey in the same file in plaintext format only. Is it okay?
There was a problem hiding this comment.
I noticed in the HLD: A DB migration script will be added for users to migrate existing config_db to convert tacacs passkey plaintext to encrypted.
So please also create the DB migration script PR.
There was a problem hiding this comment.
@liuh-80 As I mentioned in the HLD PR, we can achieve the backward compatibility without DB migration by simply following the logic stated above. Please share your thoughts on the same.
There was a problem hiding this comment.
I think it's OK, please update code and HLD according to this design change.
|
Reviewers, if you are ok with this PR, please help to approve it. Thanks. |
| server.update(self.tacplus_servers[addr]) | ||
| if 'key_encrypt' in server: | ||
| secure_cipher = master_key_mgr() | ||
| if server['key_encrypt'] == 'True': |
There was a problem hiding this comment.
this value depends on how 'key_encrypt' was set. It can also be 'true' instead of 'True' (it's actually more correct to use 'true'). there's an is_true() function you can use if you don't want to worry about which format you might get.
| syslog.syslog(syslog.LOG_ERR, "{}: decrypt_passkey failed.".format(addr)) | ||
| else: | ||
| # Delete the cipher_pass file if exist | ||
| secure_cipher.del_cipher_pass() |
There was a problem hiding this comment.
this will delete the whole file, probably not what we want. it should be enough just to remove the TACACS entry, or set the passkey to ""
|
Please resolve conflict, add testcases to coverage new code. |
Yeah sure @qiluo-msft. I will do it. But unless and until sonic-net/sonic-buildimage#17201 PR is merged, build won't be success for this PR. So if possible please help in merging the dependent PR fist. |
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
@anders-nexthop @qiluo-msft @madhupalu I have closed this PR due to several merge conflicts and created a new PR. |
7 participants
What I did
Added a support of TACACS passkey encryption feature.
Ref. : HLD
This PR comprises the decryption logic.
How I did it
Implemented the feature by following HLD
How to verify it
`1. Configured TACACS passkey:
root@sonic:/# config tacacs passkey
Verified whether passkey is encrypted:
root@sonic:/# show runningconfiguration all | grep passkey
"passkey": "U2FsdGVkX19kFwDeP3IhgqbLJeed3pXtazJ73FtmD3I="
Verified /etc/pam.d/common-auth-sonic file to validate if the passkey is decrypted correctly [Referred while ssh'ing into the device]
root@sonic:~# cat /etc/pam.d/common-auth-sonic | grep secret
auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=:49 secret=<pass_in_plaintext> login=login timeout=5 try_first_pass
auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=:49 secret=<pass_in_plaintext> login=login timeout=5 try_first_pass
Verified passkey is hidden in show tacacs output
root@sonic:~# show tacacs
TACPLUS global auth_type pap (default)
TACPLUS global timeout 5 (default)
TACPLUS global passkey configured Yes
Verified user able to login into device with TACACS credentials`
PR#3027