Login through RADIUS is not working due to invalid shell

[saravanan-i]

Why I did it

RADIUS presumes that sonic launch shell (/usr/bin/sonic-launch-shell) is available by default to be authenticated users, which is not the case. This leads to failure in RADIUS authentication.

How I did it

Added valid bash shell (/bin/bash) in RADIUS nss code

How to verify it

Verification of remote RADIUS user with valid credentials is authenticated without any failure - PASS

Which release branch to backport (provide reason below if selected)

• 201811
• 201911
• 202006
• 202012
• 202106
• 202111
• 202205
• 202211

Description for the changelog

Fixed RADIUS user authentication issue due to invalid shell (sonic-launch-shell)
Resolves

This pull request resolves PR#11352 (#11352) under sonic-buildimage repository.

[DavidZagury]

Looks good to me. However, in the triage meeting where we first discussed this issue, we asked BRCM to check the reason it was first built with that shell.
I don't think we got a answer about that.

@zhangyanzhao did BRCM check that? can we conclude that the shell really is wrong and we can change it? if so, this PR should fix the issue.

[dharmaraj-gurusamy]

Looks good to me. @lguohan / @zhangyanzhao - Please review.

[liat-grozovik]

@lguohan @qiluo-msft would you please help to approve this fix? it is needed for 202211

[keboliu]

@qiluo-msft would you please help to review and approve?

[lguohan]

THIS PR also claims fix #11352

#14466

can we get clarification? which pr fix? which one to go?

[keboliu]

THIS PR also claims fix #11352

#14466

can we get clarification? which pr fix? which one to go?

@saravanan-i would you please clarify?

[saravanan-i]

THIS PR also claims fix #11352
#14466
can we get clarification? which pr fix? which one to go?

@saravanan-i would you please clarify?

This PR has corrected the invalid soft link ("sonic-launch-shell") to valid RADIUS login launch shell("/bin/bash"). Other authentication protocols like TACACS use this shell ("/bin/bash") in SoNIC. Link to TACACS code which use the shell ("/bin/bash") TACACS_Link_shell

[zhangyanzhao]

@adyeung can you please help to review this PR? Thanks.

[Yarden-Z]

To reduce the attack surface, maybe change the default group given here.
MPL = 0 user does not require docker, but maybe it does require the redis group or adm group.

[saravanan-i]

Hi @Yarden-Z . They were defined as per the existing RADIUS design document of SoNIC ( RADIUS_Design ). I haven't introduced them as part of this pull request. Can you please confirm if you have to change the same ?

[Yarden-Z]

I understand that these values were introduced in the HLD design.
But given this item - I think we can re-visit this.
From my perspective, a non-privileged user requires redis (potentially) and the default adm group.
If I understood your question

[qiluo-msft]

The readonly user should be in users group, and no docker group membership. #WontFix

[saravanan-i]

Hi @qiluo-msft. User groups were defined based on existing RADIUS design document of SoNiC RADIUS_Design. I haven't introduced them as part of this pull request. Can you please confirm if we have to modify the same ?