Add support for mgmt vrf

When management vrf is enabled and vrf is present in the tacacs config, if we are unable to reach any configured tacacs server, try setting vrf context on the socket. Previously libnss-tacplus worked only with ssh@mgmt, now works with normal ssh in mgmt vrf Setting via the socket (rather than vrf context) is required so we don't set the VRF context for arbitrary processes that do uid or username lookups.
rtbrick · May 23, 2017 · 52aa2d4 · 52aa2d4
1 parent 490882d
commit 52aa2d4
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 5 deletions.
diff --git a/debian/changelog b/debian/changelog
@@ -9,8 +9,9 @@ libnss-tacplus (1.0.2) unstable; urgency=low
     libraries can connect to a TACACS+ server without being tacacs aware.
   * Improved debugging messages.
   * Minor corrections to Copyright and licensing
+  * Added vrf config variable, so NSS lookups work correctly$
 
- -- Dave Olson <[email protected]>  Tue, 29 Nov 2016 16:55:16 -0800
+ -- Dave Olson <[email protected]>  Tue, 07 Mar 2017 12:58:03 -0800
 
 libnss-tacplus (1.0.2-1) unstable; urgency=low
 

diff --git a/debian/control b/debian/control
@@ -1,14 +1,17 @@
 Source: libnss-tacplus
 Priority: optional
 Maintainer: Dave Olson <[email protected]>
-Build-Depends: debhelper (>= 9), autotools-dev, libtac-dev, libtacplus-map-dev, libaudit-dev, autoconf, libpam-tacplus-dev, dpkg-dev (>= 1.16.1)
+Build-Depends: debhelper (>= 9), autotools-dev, libtac-dev (>= 1.4.1~),
+    libtacplus-map-dev, libaudit-dev, autoconf, libpam-tacplus-dev,
+    dpkg-dev (>= 1.16.1), git
 Section: libs
 Standards-Version: 3.9.6
 Homepage: http://www.cumulusnetworks.com
 
 Package: libnss-tacplus
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, libtac2, libtacplus-map1, libaudit1
+Depends: ${shlibs:Depends}, ${misc:Depends}, libtac2 (>= 1.4.1~),
+    libtacplus-map1, libaudit1
 Description: NSS module for TACACS+ authentication without local passwd entry
 	Performs getpwname and getpwuid lookups via NSS for users logged in via
 	tacacs authentication, and mapping done with libtacplus_map
diff --git a/nss_tacplus.c b/nss_tacplus.c
@@ -67,6 +67,7 @@ static tacplus_server_t tac_srv[TAC_PLUS_MAXSERVERS];
 static int tac_srv_no, tac_key_no;
 static char tac_service[] = "shell";
 static char tac_protocol[] = "ssh";
+static char vrfname[64];
 static char *exclude_users;
 static uid_t min_uid = ~0U; /*  largest possible */
 static int debug;
@@ -157,6 +158,8 @@ static int nss_tacplus_config(int *errnop, const char *cfile, int top)
             if (valid > (lbuf+8))
                 min_uid = (uid_t)uid;
         }
+        else if(!strncmp(lbuf, "vrf=", 4))
+            strncpy(vrfname, lbuf + 4, sizeof(vrfname));
         else if(!strncmp(lbuf, "server=", 7)) {
             if(tac_srv_no < TAC_PLUS_MAXSERVERS) {
                 struct addrinfo hints, *servers, *server;
@@ -454,7 +457,8 @@ connect_tacacs(struct tac_attrib **attr, int srvr)
     if(!*tac_service) /* reported at config file processing */
         return -1;
 
-    fd = tac_connect_single(tac_srv[srvr].addr, tac_srv[srvr].key, NULL);
+    fd = tac_connect_single(tac_srv[srvr].addr, tac_srv[srvr].key, NULL,
+        vrfname[0]?vrfname:NULL);
     if(fd >= 0) {
         *attr = NULL; /* so tac_add_attr() allocates memory */
         tac_add_attrib(attr, "service", tac_service);
@@ -505,7 +509,6 @@ lookup_tacacs_user(struct pwbuf *pb)
                 return 2;
         }
     }
-
     for(srvr=0; srvr < tac_srv_no && !done; srvr++) {
         arep.msg = NULL;
         arep.attr = NULL;