TACACS: Don't send sshd's bad password to AAA #9123
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ce state or configuration, instead of failing right there, it proceeds to prompt for password, so as the user does not get any clue on where is the failure point. To ensure that this login does not proceed, it replaces user provided password with a specific pattern of characters matching length of user provided password. This pattern is "<BS><LF><CR>>DEL>INCORRECT", which is bound to fail. If user provided length is smaller/equal, the substring of pattern is overwritten. If user profided length is greater, the pattern is repeated until length is exhausted. But if the PAM-tacacs plugin would send this password to AAA, the user could get locked out by AAA, for providing incorrect value. Hence this fix, matches obtained password against the pattern. If match, fail before attempting with AAA server.
liuh-80
previously approved these changes
Nov 4, 2021
liuh-80
reviewed
Nov 4, 2021
liuh-80
approved these changes
Nov 11, 2021
|
This commit could not be cleanly cherry-picked to 202012. Please submit another PR. |
renukamanavalan
added a commit
to renukamanavalan/sonic-buildimage
that referenced
this pull request
Nov 17, 2021
Don't send sshd created bad password to AAA
5 tasks
renukamanavalan
added a commit
that referenced
this pull request
Nov 20, 2021
[cherry-pick PR #9123 ] Why I did it When sshd realizes that this login can't succeed due to internal device state or configuration, instead of failing right there, it proceeds to prompt for password, so as the user does not get any clue on where is the failure point. Yet to ensure that this login does not proceed, sshd replaces user provided password with a specific pattern of characters matching length of user provided password. This pattern is "<BS><LF><CR><DEL>INCORRECT", which is bound to fail. If user provided length is smaller/equal, the substring of pattern is overwritten. If user provided length is greater, the pattern is repeated until length is exhausted. But if the PAM-tacacs plugin would send this password to AAA, the user could get locked out by AAA, for providing incorrect value. How I did it Hence this fix, matches obtained password against the pattern. If match, fail just before reaching AAA server. How to verify it Make sure tacacs is properly configured. Try logging in as, say "user-A"; ensure it succeeds Pick another user, say user-B and ensure this user has not logged into this device before (look into /etc/passed & folders under /home) Disable monit service (as that could fix the issue using disk_check.py) Start TCP dump for all TACACS servers. Simulate Read-only disk Try logging in using user-B. Verify it fails, after 3 attempts Stop tcp dump. TCP dump should show "authentication" for user-A only
renukamanavalan
added a commit
to renukamanavalan/sonic-buildimage
that referenced
this pull request
Feb 17, 2022
Identify the bad password set by sshd and fail auth before sending to AAA server, and hence avoid possible user lock out by AAA For more details, please refer the parent/original PR sonic-net#9123
6 tasks
renukamanavalan
added a commit
to renukamanavalan/sonic-buildimage
that referenced
this pull request
Feb 19, 2022
Identify the bad password set by sshd and fail auth before sending to AAA server, and hence avoid possible user lock out by AAA. For more details, please refer the parent/original PR sonic-net#9123
6 tasks
renukamanavalan
added a commit
that referenced
this pull request
Feb 19, 2022
Why I did it sshd overrides user password with a bad one, when pre-auth fails. Refer PR #9123 for more details How I did it Manual cherry pick of PR #9123 How to verify it Pick a user alias that has not logged into the switch yet Add this alias to /etc/tacplus_user Attempt to login as that user Look for the error message in /var/log/syslog e.g. "Feb 18 19:16:41.592191 sonic ERR sshd[5233]: auth fail: Password incorrect. user: user_xyz"
abdosi
pushed a commit
that referenced
this pull request
Feb 24, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why I did it
When sshd realizes that this login can't succeed due to internal device state
or configuration, instead of failing right there, it proceeds to prompt for
password, so as the user does not get any clue on where is the failure point.
Yet to ensure that this login does not proceed, sshd replaces user provided password
with a specific pattern of characters matching length of user provided password.
This pattern is
"<BS><LF><CR><DEL>INCORRECT", which is bound to fail.If user provided length is smaller/equal, the substring of pattern is overwritten.
If user provided length is greater, the pattern is repeated until length is exhausted.
But if the PAM-tacacs plugin would send this password to AAA, the user could get
locked out by AAA, for providing incorrect value.
How I did it
Hence this fix, matches obtained password against the pattern. If match, fail just before
reaching AAA server.
How to verify it
Which release branch to backport (provide reason below if selected)
Description for the changelog
A picture of a cute animal (not mandatory but encouraged)