TACACS: Don't send sshd's bad password to AAA #9310
Conversation
Don't send sshd created bad password to AAA
|
better to keep the same description as the original pr |
renukamanavalan
changed the title
| @@ -20,6 +20,7 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% : | |||
| git apply ../0004-management-vrf-support.patch | |||
| git apply ../0005-pam-Modify-parsing-of-IP-address-and-port-number-to-.patch | |||
| git apply ../0006-Add-support-for-source-ip-address.patch | |||
| git apply ../0007-handle-bad-password-set-by-sshd.patch | |||
There was a problem hiding this comment.
Keep it as 0010 as the master commit? Then later if we decide to backport more patches, others will be easier.
There was a problem hiding this comment.
Not really. As master has diverged well with 3 patches, this patch had to be manually re-created. The contents of 0010 & 0007 are different but for the same purpose. Similarly, in future, if we would need any patch from master it has to be re-created manually. The title of the patch would indicate the patch purpose, which is same in both master & here.
There was a problem hiding this comment.
Sorry for misleading. Is it possible to keep original file name ../0010-handle-bad-password-set-by-sshd.patch? I am okay if the file content changes.
There was a problem hiding this comment.
I got your point.
The number is just meant for sequence of application. So here, this patch has to be applied after 0006, hence 0007.
[cherry-pick PR #9123 ]
Why I did it
When sshd realizes that this login can't succeed due to internal device state
or configuration, instead of failing right there, it proceeds to prompt for
password, so as the user does not get any clue on where is the failure point.
Yet to ensure that this login does not proceed, sshd replaces user provided password
with a specific pattern of characters matching length of user provided password.
This pattern is
"<BS><LF><CR><DEL>INCORRECT", which is bound to fail.If user provided length is smaller/equal, the substring of pattern is overwritten.
If user provided length is greater, the pattern is repeated until length is exhausted.
But if the PAM-tacacs plugin would send this password to AAA, the user could get
locked out by AAA, for providing incorrect value.
How I did it
Hence this fix, matches obtained password against the pattern. If match, fail just before
reaching AAA server.
How to verify it
Which release branch to backport (provide reason below if selected)
Description for the changelog
A picture of a cute animal (not mandatory but encouraged)