rtbrick/libnss-tacplus

libnss_tacplus v1.0.1
June 22, 2016

This NSS module has one and only one purpose.  It allows getpwnam lookups for
TACACS+ users that log in without any local account on the system (they are
mapped to the local users tacacs0..15), when authenticated with pam_tacplus.
libnss_tacplus is not useful by itself.  libnss_tacplus uses libtacplus-map
to look up mappings, and libtac to communicate with TACACS+ servers.

libnss_tacplus provides only the getpwnam_r entry point, and uses
the libtac authenticate and accounting functions.

Normal use is to have tacplus as the last lookup method
for "passwd" in /etc/nsswitch.conf, although it will work
in any position:
    passwd: compat tacplus

The above edit is made for debian packages via postinst at installation.

If the username is found, and is also found in the local password
file (via fgetpwent()), the local user passwd structure is returned
(that is, the plugin is basically a NOP).

Otherwise, the plugin asks the TACACS+ server if the user is known, and then
asks for attributes, so it can determine the user's privilege level.

If the username is not found, a mapped lookup is performed using the
libtacplus_map.so exported functions. The lookup is done by the one or two
digit privilege level (0 by default) to "tacacs", and looking that name up
in the local password file; that is, privilege level 15 looks for local user
"tacacs15".   If found, the password structure is filled in with the
information for that user, *except* that pw_name is filled in with the
original (login) name.

This code is based on the pam_tacplus plugin, written by
Pawel Krawczyk <[email protected]> and Jeroen Nijhof
<[email protected]>, as well as others.   It is based
on pam_tacplus version 1.3.9.  It uses the libtac
as found in pam_tacplus.  A few minor changes have been made,
and libtac is built as a static archive library.

This library requires that the libpam_tacplus headers and shared libraries
be built and installed (my modified version, not the stock version) to
build, and to function.

All exchanges with the server use the TACACS+ protocol [1], designed by
Cisco Systems.  This is a remote AAA protocol, supported by most Cisco hardware.

Configuration options:
~~~~~~~~~~~~~~~~~~~~~~

Recognized options in the configuration file are the same as the command line
arguments for libpam_tacplus, but not all pam_tacplus options are supported.

Option              Description
---------------     ----------------------------------
debug               output debugging information via
                    syslog(3); note, that the debugging
                    is heavy, including passwords!

secret=STRING       can be specified more than once;
                    secret key used to encrypt/decrypt
                    packets sent/received from the server

server=HOSTNAME     can be specified more than once;
server=IP_ADDR      adds a TACACS+ server to the servers
                    list
                    default is 5 seconds

login=STRING        TACACS+ authentication service,
                    this can be "pap", "chap" or "login"
                    at the moment. Default is pap.

service             TACACS+ service for authorization
                    and accounting

protocol            TACACS+ protocol for authorization
                    and accounting

min_uid             the minimum uid to look up via tacacs.
                    Setting this to 0 means uid 0 (root) is never looked up,
                    good for robustness and performance.
                    Should not be greater than the local tacacs{0..15} uids.

exclude_users       This is a comma separated list of usernames that are never
                    looked up via tacacs.  Should include system users such as
                    root.


The service and protocol items are described in detail in the TACACS+ draft [1].
They are required by the server, but it will work if they don't match the
real service authorized :)

See tacplus_nss.conf for an example configuration file.

See the libpam_tacplus README for more information on the tacacs
protocol, server_lists, etc.

On first call, we parse the configuration file (we only try once,
unless it can't be opened, in which case we'll keep trying on
every call).   We then try to connect to a tacacs server.

After connecting we ask if the user is known (we send an authorization
request to the server).  This function sends an encrypted packet to the
TACACS+ server.  The packet contains the username to verify.  The TACACS+
server replies with either a positive or negative response.  If the response
is negative, the whole thing is over ;)

If the server responds that the user is valid (no authentication
exchange is done), we parse the returned attributes (if any)
looking for the privilege level (any string starting with "priv",
case independent), and then parse out the privilege level, and
construct the "tacacs##" username.
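The mapped lookup described above and in the earlier "tacacs##" paragraph (privilege level parsed from any attribute starting with "priv", case independent, then a local fgetpwent() lookup of tacacsNN that keeps the original login name), as an added C example that is not part of libnss_tacplus itself.  The passwd data is constructed in memory and read with fmemopen(), and the function names tacplus_priv_level and tacplus_fill_passwd are hypothetical.

```c
#define _GNU_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for /etc/passwd: a real local user plus "tacacs15". */
static const char LOCAL_PASSWD[] =
    "bob:x:1000:1000:Bob:/home/bob:/bin/bash\n"
    "tacacs15:x:1115:1115:TACACS+ priv 15:/home/tacacs15:/bin/sh\n";

/* Privilege level from the first authorization attribute whose name starts
 * with "priv" (case independent); 0 when none is present or it is not 0..15. */
int tacplus_priv_level(const char *const *attrs, int nattrs)
{
    for (int i = 0; i < nattrs; i++) {
        const char *sep = strpbrk(attrs[i], "=*");   /* attr=value, attr*value */
        if (strncasecmp(attrs[i], "priv", 4) != 0 || sep == NULL) continue;
        long lvl = strtol(sep + 1, NULL, 10);
        if (lvl >= 0 && lvl <= 15) return (int)lvl;  /* one or two digits */
    }
    return 0;
}

/* Mapped lookup: find "tacacsNN" with fgetpwent() and copy it into *out/buf,
 * except that pw_name becomes the original login name.  0 on success, -1 if
 * the mapping user is missing or buf is too small. */
int tacplus_fill_passwd(const char *login, int priv, struct passwd *out,
                        char *buf, size_t buflen)
{
    char mapped[16], *cur = buf, *end = buf + buflen;
    snprintf(mapped, sizeof mapped, "tacacs%d", priv);
    FILE *f = fmemopen((void *)LOCAL_PASSWD, sizeof LOCAL_PASSWD - 1, "r");
    if (f == NULL) return -1;
    struct passwd *pw = fgetpwent(f);
    while (pw != NULL && strcmp(pw->pw_name, mapped) != 0) pw = fgetpwent(f);
    int rc = pw ? 0 : -1;
    if (pw != NULL) {
        out->pw_uid = pw->pw_uid; out->pw_gid = pw->pw_gid;
        const char *src[] = { login, pw->pw_passwd, pw->pw_gecos, pw->pw_dir, pw->pw_shell };
        char **dst[] = { &out->pw_name, &out->pw_passwd, &out->pw_gecos, &out->pw_dir, &out->pw_shell };
        for (int i = 0; i < 5 && rc == 0; i++) {   /* copy strings into buf */
            size_t n = strlen(src[i]) + 1;
            if ((size_t)(end - cur) < n) rc = -1; /* a real module returns ERANGE */
            else { *dst[i] = memcpy(cur, src[i], n); cur += n; }
        }
    }
    fclose(f);
    return rc;
}
```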

At this time, we make a new connection to the tacacs server on
every getpwnam_r().   Ideally, that would not be done, but it
appears that the linux tacplus server, at least, closes the
connection at its end after the exchange, so subsequent requests
get SIGPIPE.


Limitations:
~~~~~~~~~~~~

This libnss_tacplus plugin has only been compiled and tested on
debian wheezy and jessie at this writing.  The FreeBSD NSS interface
is somewhat different, and will require porting.

This plugin has only been tested with the unmodified linux tacacs+
server so far (using the debian wheezy package).

References:
~~~~~~~~~~~

TACACS+
1. ftp://ftpeng.cisco.com/pub/tacplus/tac_plus.rfc.1.76.txt
2. ftp://ftpeng.cisco.com/pub/tacplus/tac_plus.3.0.12.alpha.tar.Z

NSS plugin (glibc)
3. http://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html

Author:
~~~~~~~

Dave Olson <[email protected]>