[hostcfgd] Default value of fallthrough for authentication set to be False. #2746
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ipaddress has backport to python2.7
…tility. BTW, ipaddress deprecates ipaddr and ipaddress has python2 backport
Signed-off-by: Renuka Manavalan <remanava@microsoft.com>
Sync with upstream
This implies that by default, if TACACS is configured properly and it reported auth_err, then don't try fail through to traditional unix authentication through /etc/passwd. If this failthrough is intended, make it explicit through "sudo config aaa authentication failthrough enable" Removed an unused variable "aaa.fallback" Tested manually. Note the presence of 'auth_err=die' in all cases except when failthrough is explicitly enabled. admin@str-s6000-acs-13:~$ sudo config aaa authentication failthrough default; date Wed Apr 3 23:05:18 UTC 2019 admin@str-s6000-acs-13:~$ ls -lrt /etc/pam.d/common-auth-sonic ; grep 123 /etc/pam.d/common-auth-sonic -rw-r--r-- 1 root root 1316 Apr 3 23:05 /etc/pam.d/common-auth-sonic auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass admin@str-s6000-acs-13:~$ sudo config aaa authentication failthrough enable; date ; h4 "AAA|authentication" Wed Apr 3 23:06:37 UTC 2019 admin@str-s6000-acs-13:~$ ls -lrt /etc/pam.d/common-auth-sonic ; grep 123 /etc/pam.d/common-auth-sonic -rw-r--r-- 1 root root 1294 Apr 3 23:06 /etc/pam.d/common-auth-sonic auth [success=done new_authtok_reqd=done default=ignore] pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass auth [success=done new_authtok_reqd=done default=ignore] pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass admin@str-s6000-acs-13:~$ sudo config aaa authentication failthrough disable; date ; h4 "AAA|authentication" Wed Apr 3 23:07:09 UTC 2019 admin@str-s6000-acs-13:~$ ls -lrt /etc/pam.d/common-auth-sonic ; grep 123 /etc/pam.d/common-auth-sonic -rw-r--r-- 1 root root 1321 Apr 3 23:07 /etc/pam.d/common-auth-sonic auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass
|
@renukamanavalan: Please format description using markdown (enclose code/output blocks in triple-backticks (```)) |
renukamanavalan
added
Request for 201811 Branch 
and removed
Included in 201811 Branch
labels
lguohan
reviewed
Apr 4, 2019
| @@ -44,8 +44,6 @@ class AaaCfg(object): | |||
| def __init__(self): | |||
| self.auth_default = { | |||
| 'login': 'local', | |||
| 'failthrough': True, | |||
| 'fallback': True | |||
There was a problem hiding this comment.
why change fallback as well? is fallback same as failthrough?
There was a problem hiding this comment.
No.
fallback is an unused variable. Just house cleaning.
lguohan
approved these changes
Apr 5, 2019
Kalimuthu-Velappan
pushed a commit
to Kalimuthu-Velappan/sonic-buildimage
that referenced
this pull request
Sep 12, 2019
…lse. (sonic-net#507) Reference: Pull request sonic-net#2746
Kalimuthu-Velappan
pushed a commit
to Kalimuthu-Velappan/sonic-buildimage
that referenced
this pull request
Sep 12, 2019
* In sync with our latest change, where we default failthrough to be False. Reference: Pull request sonic-net#2746 * Loading minigraph, flushes DB, which is not sent as updates to hostcfgd. So stop hostcfgd before load and restart after load, to be able to act in sync with updated CONFIG-DB.
8 tasks
StormLiangMS
added a commit
that referenced
this pull request
Mar 30, 2023
Why I did it 832ef9c4 - Fix bug in GCU vlanintf_validator ([Bcm SAI] ugprade Broadcom SAI to version 3.3.5.4m-1 #2765) (5 minutes ago) [jingwenxie] 53f611b7 - Revert "Convert IPv6 addresses to lowercase in apply-patch (Add Pegatron project to branch 201807 #2299)" (Add note for running out of disk space in /var/lib/docker to README.md #2758) (20 hours ago) [jingwenxie] 79a21cef - Revert frr route check ([mlnx] fix url inconsistency in fw.mk #2761) (8 minutes ago) [StormLiangMS] 824680ed - Resolved rc!=0 problem by replacing fgrep with awk. Added ipv4 filtering to get only v4 peers in case of show ip bgp neighbors (Improve eeprom access reliability #2756) (30 hours ago) [saurabh17g] 10f31ea6 - Revert "Replace pickle by json (Add autoneg to 7170-Q59S20 #2636)" ([hostcfgd] Default value of fallthrough for authentication set to be False. #2746) (7 days ago) [Mai Bui] 05fa7513 - Fix the show interface counters throwing exception on device with no external interfaces ([docker-platform-monitor]: Add smartmontools 6.6-1 #2703) (11 days ago) [abdosi] f27dea0c - [route_check] remove check-frr_patch mock ([minigraph]: Mark both ERSPAN and ERSPANv6 as mirror ACL tables #2732) (11 days ago) [Stepan Blyshchak] 2d95529d - Revert "Update load minigraph to load backend acl (mlnx msn2010: default config_db.json generation with sonic-cfggen is not working #2236)" (swss stretch update broke restore_neighbors.py for neigh service #2735) (12 days ago) [Neetha John] c869c970 - (master) Update the ref guide to reflect the vlan brief output ([teamd] update teamd docker to stretch and fix teamd_init failure #2731) (2 weeks ago) [Vivek] 76457141 - Fix fast-reboot DB migration ([teamd]: update teamd docker to stretch #2734) (2 weeks ago) [Aryeh Feigin] f7f783bc - Enhance the logic to wait for all buffer tables to be removed in _clear_qos ([sfputil] Not able to read out values of voltage/temp/power on some cables #2720) (2 weeks ago) [Stephen Sun] e6179afa - Remove timer from FAST_REBOOT STATE_DB entry and use finalizer (Rollback kernel submodule update. #2621) (3 weeks ago) [Aryeh Feigin] ff688323 - [route_check] fix IPv6 address handling ([docker pmon] install fancontrol & sensord #2722) (3 weeks ago) [Stepan Blyshchak] 7a604c51 - update fast-reboot ([201811][sairedis][swss] advance sub module head of sairedis and swss #2728) (3 weeks ago) [jhli-cisco] 9f83ace9 - [GCU] Add vlanintf-validator (Revert "[device/celestica] blacklist gpio_ich kernel module on haliburton" #2697) (3 weeks ago) [jingwenxie] 338d1c05 - Check SONiC dependencies before installation. ([sonic-slave]: Add iproute2 dependencies in stretch docker #2716) (3 weeks ago) [Liu Shilong] 64d2efd2 - Improve show acl commands ([sonic-utilities] update submodule #2667) (3 weeks ago) [bingwang-ms] 2ef5b31e - [GCU] Add PFC_WD RDMA validator ([sub module] advance sonic-utilities sub module for 201811 branch #2619) (3 weeks ago) [isabelmsft] c7aa8416 - [show][muxcable] increase timeout for displaying HW_STATUS (Fixing get_transceiver_change_event #2712) (3 weeks ago) [vdahiya12] 2fc2b826 - YANG validation for ConfigDB Updates: MIRROR_SESSION use case ([mellanox] Update SDK to 4.3.0132 #2430) (3 weeks ago) [isabelmsft] e16bdaae - Fix non-zero status exit on non secure boot system ([service] add warmboot finializer service #2715) (3 weeks ago) [kellyyeh] 90d70152 - [route_check] implement a check for FRR routes not marked offloaded (Feature to run an option platform specific script on the first boot #2531) (3 weeks ago) [Stepan Blyshchak] c2bc150a - [warm/fast-reboot] Backup logs from tmpfs to disk during fast/warm shutdown ([swss]: update swss docker to stretch #2714) (3 weeks ago) [Vaibhav Hemant Dixit] a015834d - [db_migrator] Add missing attribute 'weight' to route entries in APPL DB ([device/celestica] blacklist gpio_ich kernel module on seastone #2691) (4 weeks ago) [Vaibhav Hemant Dixit] cd519aac - [ci] Fix pipeline issue caused by sonic-slave-* change. ([201803] Modify Debian apt repos to reflect changes made by maintainers #2709) (4 weeks ago) [Liu Shilong] 2680e6f3 - [dhcp_relay] Fix dhcp_relay restart error while add/del vlan ([thrift] add a patch to revert THRIFT-3650 #2688) (4 weeks ago) [Yaqiang Zhu] How I did it How to verify it
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
- What I did
Fixed a default value of fallthrough for authentication to be False. Dropped an unused variable.
- How I did it
- How to verify it
Tested manually. Note the presence of 'auth_err=die' in all cases except when failthrough is explicitly enabled.
admin@str-s6000-acs-13:
$ sudo config aaa authentication failthrough default; date$ ls -lrt /etc/pam.d/common-auth-sonic ; grep 123 /etc/pam.d/common-auth-sonicWed Apr 3 23:05:18 UTC 2019
admin@str-s6000-acs-13:
-rw-r--r-- 1 root root 1316 Apr 3 23:05 /etc/pam.d/common-auth-sonic
auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass
auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass
admin@str-s6000-acs-13:
$ sudo config aaa authentication failthrough enable; date ; h4 "AAA|authentication"$ ls -lrt /etc/pam.d/common-auth-sonic ; grep 123 /etc/pam.d/common-auth-sonicWed Apr 3 23:06:37 UTC 2019
admin@str-s6000-acs-13:
-rw-r--r-- 1 root root 1294 Apr 3 23:06 /etc/pam.d/common-auth-sonic
auth [success=done new_authtok_reqd=done default=ignore] pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass
auth [success=done new_authtok_reqd=done default=ignore] pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass
admin@str-s6000-acs-13:
$ sudo config aaa authentication failthrough disable; date ; h4 "AAA|authentication"$ ls -lrt /etc/pam.d/common-auth-sonic ; grep 123 /etc/pam.d/common-auth-sonicWed Apr 3 23:07:09 UTC 2019
admin@str-s6000-acs-13:
-rw-r--r-- 1 root root 1321 Apr 3 23:07 /etc/pam.d/common-auth-sonic
auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass
auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)