[hostcfgd] Default value of fallthrough for authentication set to be False. #2746

…ipaddress has backport to python2.7

…tility. BTW, ipaddress deprecates ipaddr and ipaddress has python2 backport

Signed-off-by: Renuka Manavalan <remanava@microsoft.com>

Sync with upstream

This implies that by default, if TACACS is configured properly and it reported auth_err, then don't try fail through to traditional unix authentication through /etc/passwd. If this failthrough is intended, make it explicit through "sudo config aaa authentication failthrough enable" Removed an unused variable "aaa.fallback" Tested manually. Note the presence of 'auth_err=die' in all cases except when failthrough is explicitly enabled. admin@str-s6000-acs-13:~$ sudo config aaa authentication failthrough default; date Wed Apr 3 23:05:18 UTC 2019 admin@str-s6000-acs-13:~$ ls -lrt /etc/pam.d/common-auth-sonic ; grep 123 /etc/pam.d/common-auth-sonic -rw-r--r-- 1 root root 1316 Apr 3 23:05 /etc/pam.d/common-auth-sonic auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass admin@str-s6000-acs-13:~$ sudo config aaa authentication failthrough enable; date ; h4 "AAA|authentication" Wed Apr 3 23:06:37 UTC 2019 admin@str-s6000-acs-13:~$ ls -lrt /etc/pam.d/common-auth-sonic ; grep 123 /etc/pam.d/common-auth-sonic -rw-r--r-- 1 root root 1294 Apr 3 23:06 /etc/pam.d/common-auth-sonic auth [success=done new_authtok_reqd=done default=ignore] pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass auth [success=done new_authtok_reqd=done default=ignore] pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass admin@str-s6000-acs-13:~$ sudo config aaa authentication failthrough disable; date ; h4 "AAA|authentication" Wed Apr 3 23:07:09 UTC 2019 admin@str-s6000-acs-13:~$ ls -lrt /etc/pam.d/common-auth-sonic ; grep 123 /etc/pam.d/common-auth-sonic -rw-r--r-- 1 root root 1321 Apr 3 23:07 /etc/pam.d/common-auth-sonic auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[hostcfgd] Default value of fallthrough for authentication set to be False. #2746

[hostcfgd] Default value of fallthrough for authentication set to be False. #2746

Commits on Mar 15, 2019

Commits on Apr 1, 2019

Commits on Apr 3, 2019