From a1c3c06567c35f3b91c57b147ce07f2cad80aba2 Mon Sep 17 00:00:00 2001
From: Renuka Manavalan
Date: Fri, 15 Mar 2019 15:50:34 +0000
Subject: [PATCH 1/4] Install ipaddress python package that has deprecated current ipaddr. ipaddress has backport to python2.7
---
 build_debian.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/build_debian.sh b/build_debian.sh
index 98881b50946d..2d4574aa611f 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -356,6 +356,7 @@ set /files/etc/sysctl.conf/net.core.wmem_max 2097152
 ## docker-py is needed by Ansible docker module
 sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT easy_install pip
 sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT pip install 'docker-py==1.6.0'
+sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT pip install 'ipaddress'
 ## Note: keep pip installed for maintainance purpose
 
 ## Get gcc and python dev pkgs
From c701194355b1c63568bafb8d181c161616a1f024 Mon Sep 17 00:00:00 2001
From: Renuka Manavalan
Date: Fri, 15 Mar 2019 18:27:09 +0000
Subject: [PATCH 2/4] Install python ipaddress module as required by route_check.py sonic utility. BTW, ipaddress deprecates ipaddr and ipaddress has python2 backport
---
 files/build_templates/sonic_debian_extension.j2 | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2
index da7ad28b5462..bbca7b2d1b19 100644
--- a/files/build_templates/sonic_debian_extension.j2
+++ b/files/build_templates/sonic_debian_extension.j2
@@ -87,6 +87,9 @@ sudo cp {{redis_dump_load_py2_wheel_path}} $FILESYSTEM_ROOT/$REDIS_DUMP_LOAD_PY2
 sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT pip install $REDIS_DUMP_LOAD_PY2_WHEEL_NAME
 sudo rm -rf $FILESYSTEM_ROOT/$REDIS_DUMP_LOAD_PY2_WHEEL_NAME
 
+# Install Python module for ipaddress
+sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT pip install ipaddress
+
 # Install SwSS SDK Python 2 package
 SWSSSDK_PY2_WHEEL_NAME=$(basename {{swsssdk_py2_wheel_path}})
 sudo cp {{swsssdk_py2_wheel_path}} $FILESYSTEM_ROOT/$SWSSSDK_PY2_WHEEL_NAME
From 3906da01905f6a6586ce695d7dcb8f01c8e5ddad Mon Sep 17 00:00:00 2001
From: Renuka Manavalan
Date: Fri, 15 Mar 2019 22:00:22 +0000
Subject: [PATCH 3/4] Revert the old chaneg per review comments.
Signed-off-by: Renuka Manavalan
---
 build_debian.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/build_debian.sh b/build_debian.sh
index 2d4574aa611f..98881b50946d 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -356,7 +356,6 @@ set /files/etc/sysctl.conf/net.core.wmem_max 2097152
 ## docker-py is needed by Ansible docker module
 sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT easy_install pip
 sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT pip install 'docker-py==1.6.0'
-sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT pip install 'ipaddress'
 ## Note: keep pip installed for maintainance purpose
 
 ## Get gcc and python dev pkgs
From 6d7ecc426c284548b3610297826d2d739dbd874a Mon Sep 17 00:00:00 2001
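Review bot: The added `pip install ipaddress` carries no version pin, so every image build fetches whatever the index reachable through `$https_proxy` serves at that moment, which makes the rootfs non-reproducible and widens the build's supply-chain exposure; the neighbouring wheel installs in this template and the `'docker-py==1.6.0'` line in build_debian.sh pin exactly. Pin it, e.g. `pip install 'ipaddress==<pinned-version>'`, and consider pip's hash-checking mode (`--require-hashes` with a requirements file) so the artifact is verified against known hashes rather than trusted by name alone. The same unpinned form was added to build_debian.sh in PATCH 1/4, but PATCH 3/4 reverts that line, so this hunk is the only one left in effect.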
From: Renuka Manavalan Date: Wed, 3 Apr 2019 23:07:42 +0000 Subject: [PATCH 4/4] [hostcfgd] -- Fix the default for failthrough as false. This implies that by default, if TACACS is configured properly and it reported auth_err, then don't try fail through to traditional unix authentication through /etc/passwd. If this failthrough is intended, make it explicit through "sudo config aaa authentication failthrough enable" Removed an unused variable "aaa.fallback" Tested manually. Note the presence of 'auth_err=die' in all cases except when failthrough is explicitly enabled. admin@str-s6000-acs-13:~$ sudo config aaa authentication failthrough default; date Wed Apr 3 23:05:18 UTC 2019 admin@str-s6000-acs-13:~$ ls -lrt /etc/pam.d/common-auth-sonic ; grep 123 /etc/pam.d/common-auth-sonic -rw-r--r-- 1 root root 1316 Apr 3 23:05 /etc/pam.d/common-auth-sonic auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass admin@str-s6000-acs-13:~$ sudo config aaa authentication failthrough enable; date ; h4 "AAA|authentication" Wed Apr 3 23:06:37 UTC 2019 admin@str-s6000-acs-13:~$ ls -lrt /etc/pam.d/common-auth-sonic ; grep 123 /etc/pam.d/common-auth-sonic -rw-r--r-- 1 root root 1294 Apr 3 23:06 /etc/pam.d/common-auth-sonic auth [success=done new_authtok_reqd=done default=ignore] pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass auth [success=done new_authtok_reqd=done default=ignore] pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass admin@str-s6000-acs-13:~$ sudo config aaa authentication failthrough disable; date ; h4 "AAA|authentication" Wed Apr 3 23:07:09 UTC 2019 admin@str-s6000-acs-13:~$ ls -lrt /etc/pam.d/common-auth-sonic ; 
grep 123 /etc/pam.d/common-auth-sonic -rw-r--r-- 1 root root 1321 Apr 3 23:07 /etc/pam.d/common-auth-sonic auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.22:49 secret=testing123 login=login timeout=5 try_first_pass auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=100.127.20.21:49 secret=testing123 login=login timeout=5 try_first_pass
---
 files/image_config/hostcfgd/hostcfgd | 2 --
 1 file changed, 2 deletions(-)
diff --git a/files/image_config/hostcfgd/hostcfgd b/files/image_config/hostcfgd/hostcfgd
index 5daebe257260..ae51af5cc8e4 100755
--- a/files/image_config/hostcfgd/hostcfgd
+++ b/files/image_config/hostcfgd/hostcfgd
@@ -44,8 +44,6 @@ class AaaCfg(object):
 def __init__(self):
 self.auth_default = {
 'login': 'local',
- 'failthrough': True,
- 'fallback': True
 }
 self.tacplus_global_default = {
 'auth_type': TACPLUS_SERVER_AUTH_TYPE_DEFAULT,
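Review bot: The commit message says the default for failthrough becomes false, but the hunk removes the `'failthrough'` key from `auth_default` instead of setting it, so the effective default now lives wherever that dict is read (not in this hunk): a direct `self.auth_default['failthrough']` would raise KeyError, and a `.get()` silently yields whatever fallback each caller chooses. Keeping the key with an explicit value, `'failthrough': False,`, states the fail-closed behaviour (no fall-through to local /etc/passwd authentication when TACACS answers auth_err) at the one place where defaults are defined and keeps it from drifting with a consumer's default argument. `__init__` continues past the end of the hunk, so any other reader of `auth_default` inside it is not visible here.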