
Tacacs password encryption

Open sunhorus opened this issue 2 years ago • 0 comments

What I did

Add encryption feature used with TACACS+ server passkey configuration

Other PRs will be submitted to [sonic-host-services] and [sonic-buildimage] to complete the feature.

How I did it

By adding optional, backward-compatible passkey encryption flags to the configuration commands: [-e|--enc] [-x|--enckey]

How to verify it

All of the following output was captured after the modification. If a clear-text passkey is used, the files keep their normal "secret" tag instead of the "enc_secret" tag shown here.

show tacacs
TACPLUS_SERVER address 1.1.1.1
               is_key_encrypted True
               passkey U2FsdGVkX1+WN1bG7+CYdRv3/BtNyLI9pjj94S5IpLyDBUMjOwV6eKuc94HqTdJUhgMdUvUvDsCU4om1Uvcn63IBh5kpg1OzSe619204CTPQn0EU5fVLFrMYjq87De8g
               priority 1
               tcp_port 49
               Status UP

cat /etc/pam.d/common-auth-sonic
auth	[success=done new_authtok_reqd=done default=ignore auth_err=die]	pam_tacplus.so server=1.1.1.1:49 enc_secret=U2FsdGVkX1+WN1bG7+CYdRv3/BtNyLI9pjj94S5IpLyDBUMjOwV6eKuc94HqTdJUhgMdUvUvDsCU4om1Uvcn63IBh5kpg1OzSe619204CTPQn0EU5fVLFrMYjq87De8g login=pap timeout=5   try_first_pass
auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass

cat /etc/tacplus_nss.conf
server=10.1.1.59:49,enc_secret=U2FsdGVkX1+WN1bG7+CYdRv3/BtNyLI9pjj94S5IpLyDBUMjOwV6eKuc94HqTdJUhgMdUvUvDsCU4om1Uvcn63IBh5kpg1OzSe619204CTPQn0EU5fVLFrMYjq87De8g,timeout=5

Previous command output (if the output of a command-line utility has changed)

show tacacs
TACPLUS global auth_type pap (default)
TACPLUS global timeout 5 (default)
TACPLUS global passkey sonic

TACPLUS_SERVER address 1.1.1.1
               passkey sonic
               priority 1
               tcp_port 49
               Status UP

New command output (if the output of a command-line utility has changed)

show tacacs
TACPLUS global auth_type pap (default)
TACPLUS global timeout 5 (default)
TACPLUS global passkey U2FsdGVkX1/cBBcVuwwJk1TUYPZcUomFNKEfpSJStLg=
TACPLUS global is_key_encrypted True

TACPLUS_SERVER address 1.1.1.1
               is_key_encrypted True
               passkey U2FsdGVkX1+WN1bG7+CYdRv3/BtNyLI9pjj94S5IpLyDBUMjOwV6eKuc94HqTdJUhgMdUvUvDsCU4om1Uvcn63IBh5kpg1OzSe619204CTPQn0EU5fVLFrMYjq87De8g
               priority 1
               tcp_port 49
               Status UP

sunhorus, Nov 02 '23 14:11
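An added illustration (not code from sonic-utilities or from this PR) of the "secret" vs "enc_secret" rule described under "How to verify it": it renders the two config lines shown above, picking the tag from the `is_key_encrypted` flag, and audits generated lines for any remaining clear-text `secret=` entry. The server dictionaries, the `secret_tag`/`nss_line`/`pam_line` names and the pam_tacplus option ordering are assumptions modelled on the page's sample output; the second server's clear-text passkey is constructed.

```python
"""Render TACACS+ config lines and check which secret tag they carry."""
import re

# Constructed sample servers, modelled on the `show tacacs` output in the PR.
# The first passkey value is the encrypted global passkey shown on the page.
SERVERS = [
    {"address": "1.1.1.1", "tcp_port": 49,
     "passkey": "U2FsdGVkX1/cBBcVuwwJk1TUYPZcUomFNKEfpSJStLg=",
     "is_key_encrypted": True},
    {"address": "10.1.1.59", "tcp_port": 49,
     "passkey": "sonic",            # constructed clear-text key
     "is_key_encrypted": False},
]


def secret_tag(server):
    """Tag the generated files must carry: enc_secret for encrypted keys, else secret."""
    return "enc_secret" if server.get("is_key_encrypted") else "secret"


def nss_line(server, timeout=5):
    """One /etc/tacplus_nss.conf entry (layout follows the page's sample output)."""
    return (f"server={server['address']}:{server['tcp_port']},"
            f"{secret_tag(server)}={server['passkey']},timeout={timeout}")


def pam_line(server, timeout=5):
    """One pam_tacplus.so line for /etc/pam.d/common-auth-sonic (layout from the page)."""
    control = "[success=done new_authtok_reqd=done default=ignore auth_err=die]"
    return (f"auth\t{control}\tpam_tacplus.so "
            f"server={server['address']}:{server['tcp_port']} "
            f"{secret_tag(server)}={server['passkey']} "
            f"login=pap timeout={timeout}   try_first_pass")


# `secret=` not preceded by a letter or underscore, so `enc_secret=` is not matched.
CLEAR_TEXT = re.compile(r"(?<![A-Za-z_])secret=")


def clear_text_entries(lines):
    """Return the generated lines that still expose a clear-text passkey."""
    return [line for line in lines if CLEAR_TEXT.search(line)]


if __name__ == "__main__":
    rendered = [nss_line(s) for s in SERVERS] + [pam_line(s) for s in SERVERS]
    for line in rendered:
        print(line)
    print("clear-text entries:", len(clear_text_entries(rendered)))
```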