Skip to content

TACACSPLUS_PASSKEY_ENCRYPTION support Part - II #81

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 19 commits into from
Closed

TACACSPLUS_PASSKEY_ENCRYPTION support Part - II #81

Show file tree
Hide file tree
Changes from 15 commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
8b909b8
TACACSPLUS_PASSKEY_ENCRYPTION support
nmoray Oct 25, 2023
48e7d1d
code cleanup
nmoray Oct 25, 2023
c877edb
Added syslogs
nmoray Oct 25, 2023
b37ddcd
Removed debug prints
nmoray Oct 25, 2023
945f4f2
Fixed AUT issues
nmoray Oct 25, 2023
5b61c0c
Fixed build issues
nmoray Oct 26, 2023
7cb53e6
Fixed build issues
nmoray Oct 26, 2023
43641de
fixed build issues
nmoray Oct 26, 2023
66b57b5
Added a check for passkey before appending into server configs
nmoray Oct 26, 2023
c6c8e0a
Fixed build issues
nmoray Oct 26, 2023
977a268
TACACSPLUS_PASSKEY_ENCRYPTION support
nmoray Oct 25, 2023
a7d01d6
Merge branch 'tacacs_pass_encrypt' of https://github.com/nmoray/sonic…
nmoray Oct 26, 2023
0a1b098
Fixed AUT issue
nmoray Oct 27, 2023
7b14786
Fixed build issues
nmoray Oct 27, 2023
911e2c0
Addressed comments
nmoray Oct 30, 2023
bb5e5ee
Incorporated security cipher class into the existing implemenatation
nmoray Nov 24, 2023
d745364
Added a logic to remove the cipher pass file file encryption is disabled
nmoray Feb 1, 2024
1d85eb6
Updated class name
nmoray Apr 12, 2024
9285df1
Merge branch 'master' into tacacs_pass_encrypt
nmoray Apr 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 41 additions & 0 deletions scripts/hostcfgd
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,7 @@ LIMITS_CONF = "/etc/security/limits.conf"
TACPLUS_SERVER_PASSKEY_DEFAULT = ""
TACPLUS_SERVER_TIMEOUT_DEFAULT = "5"
TACPLUS_SERVER_AUTH_TYPE_DEFAULT = "pap"
TACACS_SECRET_SALT = "2e6593364d369fba925092e0c1c51466c276faa127f20d18cc5ed8ae52bedbcd"

# RADIUS
RADIUS_SERVER_AUTH_PORT_DEFAULT = "1812"
Expand All @@ -76,6 +77,38 @@ CFG_DB = "CONFIG_DB"
STATE_DB = "STATE_DB"


def get_salt():
file_path = "/etc/shadow"
target_username = "admin" + ":"
salt = TACACS_SECRET_SALT

# Read the file and search for the "admin" username
try:
with open(file_path, 'r') as file:
for line in file:
if target_username in line:
# Format: username:$id$salt$hashed
parts = line.split('$')
if len(parts) == 4:
salt = parts[2]
break

except FileNotFoundError:
syslog.syslog(syslog.LOG_ERR, "File not found: {}".format(file_path))
except Exception as e:
syslog.syslog(syslog.LOG_ERR, "output: {}".format(str(e)))
return salt

def decrypt_passkey(secret):
salt = get_salt()
cmd = "echo " + format(secret) + " | openssl enc -aes-128-cbc -a -d -salt -pbkdf2 -pass pass:" + salt
proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
output, errs = proc.communicate()

if not errs:
output = output.decode('utf-8')
return output, errs

def signal_handler(sig, frame):
if sig == signal.SIGHUP:
syslog.syslog(syslog.LOG_INFO, "HostCfgd: signal 'SIGHUP' is caught and ignoring..")
Expand Down Expand Up @@ -500,6 +533,14 @@ class AaaCfg(object):
server = tacplus_global.copy()
server['ip'] = addr
server.update(self.tacplus_servers[addr])
if server['passkey'] is not None:
config_db = ConfigDBConnector()
config_db.connect()
output, errs = decrypt_passkey(server['passkey'])
Copy link
Contributor

@liuh-80 liuh-80 Nov 1, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What will happen when OS upgrade from old version which not support this feature? the passkey not encrypt in old version, decrypt will failed here, code here need identify this.
#closed

another solution is add code to DB migrator, but that script is very complex.

Copy link
Author

@nmoray nmoray Nov 1, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, you are right. Decrypt will fail if someone has either manually added the passkey in config_db or the device has old config where encrypted passkey was absent. So is it fine to add a check if the given server['passkey'] is the same as the one present in common-auth-sonic file (in plaintext). If so, skip decrypt_passkey() API and directly write the passkey in the same file in plaintext format only. Is it okay?

Copy link
Contributor

@liuh-80 liuh-80 Nov 2, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed in the HLD: A DB migration script will be added for users to migrate existing config_db to convert tacacs passkey plaintext to encrypted.

So please also create the DB migration script PR.

Copy link
Author

@nmoray nmoray Nov 2, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@liuh-80 As I mentioned in the HLD PR, we can achieve the backward compatibility without DB migration by simply following the logic stated above. Please share your thoughts on the same.

Copy link
Contributor

@liuh-80 liuh-80 Nov 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's OK, please update code and HLD according to this design change.

if not errs:
server['passkey'] = output
else:
syslog.syslog(syslog.LOG_ERR, "{}: decrypt_passkey failed.".format(addr))
servers_conf.append(server)
servers_conf = sorted(servers_conf, key=lambda t: int(t['priority']), reverse=True)

Expand Down
24 changes: 12 additions & 12 deletions tests/hostcfgd/test_tacacs_vectors.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@
"global": {
"auth_type": "chap",
"timeout": 5,
"passkey": "dellsonic",
"passkey": "U2FsdGVkX1+hVtCDFDHckKVtuZsap88euNyLxGToWCw=",
"src_intf": "Ethernet0"
}
},
Expand All @@ -56,15 +56,15 @@
"tcp_port": 50,
"timeout": 10,
"auth_type": "chap",
"passkey": "dellsonic",
"passkey": "U2FsdGVkX1+hVtCDFDHckKVtuZsap88euNyLxGToWCw=",
"vrf": "default"
},
"192.168.1.2" : {
"priority": 2,
"tcp_port": 51,
"timeout": 15,
"auth_type": "pap",
"passkey": "dellsonic1",
"passkey": "U2FsdGVkX1/JWY/fktTzRyZbuUg79+BnvEn1jPupNCM=",
"vrf": "mgmt"
}
},
Expand Down Expand Up @@ -108,7 +108,7 @@
"global": {
"auth_type": "chap",
"timeout": 5,
"passkey": "dellsonic",
"passkey": "U2FsdGVkX1+hVtCDFDHckKVtuZsap88euNyLxGToWCw=",
"src_intf": "Ethernet0"
}
},
Expand All @@ -118,15 +118,15 @@
"tcp_port": 50,
"timeout": 10,
"auth_type": "chap",
"passkey": "dellsonic",
"passkey": "U2FsdGVkX1+hVtCDFDHckKVtuZsap88euNyLxGToWCw=",
"vrf": "default"
},
"192.168.1.2" : {
"priority": 2,
"tcp_port": 51,
"timeout": 15,
"auth_type": "pap",
"passkey": "dellsonic1",
"passkey": "U2FsdGVkX1/JWY/fktTzRyZbuUg79+BnvEn1jPupNCM=",
"vrf": "mgmt"
}
},
Expand Down Expand Up @@ -170,7 +170,7 @@
"global": {
"auth_type": "chap",
"timeout": 5,
"passkey": "dellsonic",
"passkey": "U2FsdGVkX1+hVtCDFDHckKVtuZsap88euNyLxGToWCw=",
"src_intf": "Ethernet0"
}
},
Expand All @@ -180,15 +180,15 @@
"tcp_port": 50,
"timeout": 10,
"auth_type": "chap",
"passkey": "dellsonic",
"passkey": "U2FsdGVkX1+hVtCDFDHckKVtuZsap88euNyLxGToWCw=",
"vrf": "default"
},
"192.168.1.2" : {
"priority": 2,
"tcp_port": 51,
"timeout": 15,
"auth_type": "pap",
"passkey": "dellsonic1",
"passkey": "U2FsdGVkX1/JWY/fktTzRyZbuUg79+BnvEn1jPupNCM=",
"vrf": "mgmt"
}
},
Expand Down Expand Up @@ -232,7 +232,7 @@
"global": {
"auth_type": "chap",
"timeout": 5,
"passkey": "dellsonic",
"passkey": "U2FsdGVkX1+hVtCDFDHckKVtuZsap88euNyLxGToWCw=",
"src_intf": "Ethernet0"
}
},
Expand All @@ -242,15 +242,15 @@
"tcp_port": 50,
"timeout": 10,
"auth_type": "chap",
"passkey": "dellsonic",
"passkey": "U2FsdGVkX1+hVtCDFDHckKVtuZsap88euNyLxGToWCw=",
"vrf": "default"
},
"192.168.1.2" : {
"priority": 2,
"tcp_port": 51,
"timeout": 15,
"auth_type": "pap",
"passkey": "dellsonic1",
"passkey": "U2FsdGVkX1/JWY/fktTzRyZbuUg79+BnvEn1jPupNCM=",
"vrf": "mgmt"
}
},
Expand Down