TACACSPLUS_PASSKEY_ENCRYPTION support Part - II #81
Conversation
nmoray
changed the title
nmoray
changed the title
code cleanup Added syslogs Removed debug prints Fixed AUT issues Fixed build issues Fixed build issues fixed build issues Added a check for passkey before appending into server configs Fixed build issues
…-host-services into tacacs_pass_encrypt
|
@nmoray Thanks |
scripts/hostcfgd
Outdated
| if server['passkey'] is not None: | ||
| config_db = ConfigDBConnector() | ||
| config_db.connect() | ||
| output, errs = decrypt_passkey(server['passkey']) |
There was a problem hiding this comment.
What will happen when OS upgrade from old version which not support this feature? the passkey not encrypt in old version, decrypt will failed here, code here need identify this.
#closed
another solution is add code to DB migrator, but that script is very complex.
There was a problem hiding this comment.
Yeah, you are right. Decrypt will fail if someone has either manually added the passkey in config_db or the device has old config where encrypted passkey was absent. So is it fine to add a check if the given server['passkey'] is the same as the one present in common-auth-sonic file (in plaintext). If so, skip decrypt_passkey() API and directly write the passkey in the same file in plaintext format only. Is it okay?
There was a problem hiding this comment.
I noticed in the HLD: A DB migration script will be added for users to migrate existing config_db to convert tacacs passkey plaintext to encrypted.
So please also create the DB migration script PR.
There was a problem hiding this comment.
@liuh-80 As I mentioned in the HLD PR, we can achieve the backward compatibility without DB migration by simply following the logic stated above. Please share your thoughts on the same.
There was a problem hiding this comment.
I think it's OK, please update code and HLD according to this design change.
|
Reviewers, if you are ok with this PR, please help to approve it. Thanks. |
What I did
Added a support of TACACS passkey encryption feature.
Ref. : HLD
This PR comprises the decryption logic.
How I did it
Implemented the feature by following HLD
How to verify it
`1. Configured TACACS passkey:
root@sonic:/# config tacacs passkey
Verified whether passkey is encrypted:
root@sonic:/# show runningconfiguration all | grep passkey
"passkey": "U2FsdGVkX19kFwDeP3IhgqbLJeed3pXtazJ73FtmD3I="
Verified /etc/pam.d/common-auth-sonic file to validate if the passkey is decrypted correctly [Referred while ssh'ing into the device]
root@sonic:~# cat /etc/pam.d/common-auth-sonic | grep secret
auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=:49 secret=<pass_in_plaintext> login=login timeout=5 try_first_pass
auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=:49 secret=<pass_in_plaintext> login=login timeout=5 try_first_pass
Verified passkey is hidden in show tacacs output
root@sonic:~# show tacacs
TACPLUS global auth_type pap (default)
TACPLUS global timeout 5 (default)
TACPLUS global passkey configured Yes
Verified user able to login into device with TACACS credentials`
PR#3027