Index: /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/README.md
===================================================================
--- /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/README.md	(nonexistent)
+++ /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/README.md	(working copy)
@@ -0,0 +1,6 @@
+# libnss-ato
+
+A [libnss-ato](https://github.com/donapieppo/libnss-ato) package
+with patching (to compile on CentOS 7).
+
+The commit number of libnss-ato is `4a29c8410cdac590a210dab2dec41d5f4b40d282`.
Index: /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/avx.patch
===================================================================
--- /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/avx.patch	(nonexistent)
+++ /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/avx.patch	(working copy)
@@ -0,0 +1,25 @@
+diff --git a/Makefile b/Makefile
+index 147e0c4..df950d9 100644
+--- a/Makefile
++++ b/Makefile
+@@ -7,6 +7,8 @@ INSTALL = /usr/bin/install
+ INSTALL_PROGRAM = ${INSTALL}
+ INSTALL_DATA = ${INSTALL} -m 644
+ DESTDIR = ""
++CFLAGS = -std=c99
++LDFLAGS = -lc
+ 
+ prefix = "/usr"
+ exec_prefix = ${prefix}
+diff --git a/libnss_ato.c b/libnss_ato.c
+index f2f1c38..ec8dc09 100644
+--- a/libnss_ato.c
++++ b/libnss_ato.c
+@@ -21,6 +21,7 @@
+  *
+  */
+ 
++#define _SVID_SOURCE
+ #include <nss.h>
+ #include <pwd.h>
+ #include <shadow.h>
Index: /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato-0.2.1.tar.gz
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream

Property changes on: 3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato-0.2.1.tar.gz
___________________________________________________________________
Added: svn:mime-type
## -0,0 +1 ##
+application/octet-stream
\ No newline at end of property
Index: /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato.conf
===================================================================
--- /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato.conf	(nonexistent)
+++ /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato.conf	(working copy)
@@ -0,0 +1,9 @@
+array:x:1006:1000::/home/array:/ca/bin/ca_shell
+
+# Only the first line of this file is parsed.
+# All next lines are comments.
+# You can not set multiple user accounts with this
+# nss module. Use the format as in the standard /etc/passwd.
+# For security reasons: don't use UID or GID under 500,
+# won't work, and in the password field we return
+# always an 'x', regardless what you wrote there...
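Review bot: The shipped first line maps every otherwise-unknown user name to `array` (UID 1006, GID 1000, shell `/ca/bin/ca_shell`), but nothing in this change creates that account, and `exauth_on` in `src/backend/sys_cmd.c` later overwrites the file with the `radius` user it adds. The comment block should say that this line is a placeholder, for example `# Placeholder: rewritten by the CLI when external authentication is enabled.` It is also worth stating here that once `ato` is listed in nsswitch.conf every name lookup succeeds, so code that uses `getpwnam()` as an existence check will no longer reject unknown names.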
Index: /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SPECS/libnss-ato.spec
===================================================================
--- /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SPECS/libnss-ato.spec	(nonexistent)
+++ /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SPECS/libnss-ato.spec	(working copy)
@@ -0,0 +1,51 @@
+Name: libnss-ato
+Summary: The libnss_ato module is a set of C library extensions which allows to map every nss request for unknown user to a single predefined user.
+Version: 0.2.1
+Release: 1
+Source: %{name}-%{version}.tar.gz
+Vendor: donapieppo
+License: GPL
+ExclusiveOS: linux
+Group: System Environment/Kernel
+Provides: %{name}
+URL: https://github.com/donapieppo/libnss-ato
+BuildRoot: %{_tmppath}/%{name}-%{version}-root
+# do not generate debugging packages by default - newer versions of rpmbuild
+# may instead need:
+#%define debug_package %{nil}
+%debug_package %{nil}
+Requires: kernel, fileutils, findutils, gawk, bash
+
+Patch999001: avx.patch
+ 
+####
+%description
+The libnss_ato module is a set of C library extensions which allows to map every nss request for unknown user to a single predefined user.
+
+%prep
+%setup
+%patch999001 -p1
+
+%build
+make clean
+make
+
+%install
+echo %{BuildRoot}
+
+install -dDm 0755 %{buildroot}/lib/
+install -dDm 0755 %{buildroot}/etc/
+
+install -Dm 644 libnss_ato.so.2 %{buildroot}/lib/libnss_ato-2.3.6.so
+ln -fs libnss_ato-2.3.6.so %{buildroot}/lib/libnss_ato.so.2
+install -Dm 644 libnss-ato.conf %{buildroot}/etc/libnss-ato.conf
+
+%clean
+rm -rf %{buildroot}
+
+%files
+/lib/libnss_ato.so.2
+/lib/libnss_ato-2.3.6.so
+/etc/libnss-ato.conf
+
+%post
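Review bot: `/etc/libnss-ato.conf` is listed in `%files` as a plain file, yet `exauth_on` in `src/backend/sys_cmd.c` rewrites it at runtime, so a package upgrade or reinstall would silently restore the shipped `array` mapping while `ato` may still be active in nsswitch.conf. Marking it `%config(noreplace) /etc/libnss-ato.conf` keeps the live mapping. The same applies to the two `/etc/pam.d/array-common-*.pam` entries added to `%files` in `avx_cli.spec`, which `exauth_on` and `exauth_off` also rewrite. The trailing `%post` is empty and can be dropped.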
Index: /branches/rel_avx_2_7_2/3rdpartyappliance/centos-openssh/SOURCES/sshd.pam
===================================================================
--- /branches/rel_avx_2_7_2/3rdpartyappliance/centos-openssh/SOURCES/sshd.pam	(revision 8849)
+++ /branches/rel_avx_2_7_2/3rdpartyappliance/centos-openssh/SOURCES/sshd.pam	(working copy)
@@ -1,11 +1,11 @@
 #%PAM-1.0
 auth	   required	pam_sepermit.so
-auth       substack     password-auth
+auth       substack     array-common-auth.pam
 auth       include      postlogin
 # Used with polkit to reauthorize users in remote sessions
 -auth      optional     pam_reauthorize.so prepare
 account    required     pam_nologin.so
-account    include      password-auth
+account    substack     array-common-acct.pam
 password   include      password-auth
 # pam_selinux.so close should be the first session rule
 session    required     pam_selinux.so close
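Review bot: On the new `account    substack     array-common-acct.pam` line, the account decision for SSH now rests on a file that `exauth_on` rewrites to put `pam_radius_auth.so` first with `[success=done default=ignore]`. As far as I know that module's account hook returns success without checking anything, in which case `pam_unix.so` is never consulted and expiry or lock state on local accounts stops being enforced while external authentication is on; this should be confirmed against the pam_radius build that ships. If so, the generated account stack should let `pam_unix.so` run, e.g. `account [success=ok default=ignore] pam_radius_auth.so`, and be tested with a RADIUS-only user. The `auth` line also drops whatever else `password-auth` did for SSH logins while `password` still includes it, which deserves a comment explaining the split.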
Index: /branches/rel_avx_2_7_2/avx_cli.spec
===================================================================
--- /branches/rel_avx_2_7_2/avx_cli.spec	(revision 8849)
+++ /branches/rel_avx_2_7_2/avx_cli.spec	(working copy)
@@ -205,6 +205,8 @@
 install -Dm 0644 conf/bonding/ifcfg-bond16 %{buildroot}/etc/sysconfig/network-scripts/ifcfg-bond16
 install -Dm 0600 conf/system/securetty %{buildroot}/ca/conf/system/securetty
 install -Dm 0644 conf/system/login %{buildroot}/ca/conf/system/login
+install -Dm 0644 conf/system/array-common-auth.pam %{buildroot}/etc/pam.d/array-common-auth.pam
+install -Dm 0644 conf/system/array-common-acct.pam %{buildroot}/etc/pam.d/array-common-acct.pam
 install -Dm 0644 conf/bonding/ifcfg-template %{buildroot}/ca/conf/bonding/ifcfg-template
 install -Dm 0644 conf/bonding/avxbond.info %{buildroot}/ca/conf/bonding/avxbond.info
 install -Dm 0644 conf/bonding/avxbond.info %{buildroot}/ca/conf/bonding/avxbond.info.sample
@@ -366,6 +368,8 @@
 %attr (644,root,root)/ca/conf/system/group
 %attr (600,root,root)/ca/conf/system/securetty
 %attr (644,root,root)/ca/conf/system/login
+%attr (644,root,root)/etc/pam.d/array-common-auth.pam
+%attr (644,root,root)/etc/pam.d/array-common-acct.pam
 %attr (644,root,root)/ca/conf/system/avxdpdk.info.3600
 %attr (644,root,root)/ca/conf/system/avxdpdk.info.7600
 %attr (644,root,root)/ca/conf/system/avxdpdk.info.7601
Index: /branches/rel_avx_2_7_2/conf/system/array-common-acct.pam
===================================================================
--- /branches/rel_avx_2_7_2/conf/system/array-common-acct.pam	(nonexistent)
+++ /branches/rel_avx_2_7_2/conf/system/array-common-acct.pam	(working copy)
@@ -0,0 +1 @@
+account [success=done default=bad] pam_unix.so
Index: /branches/rel_avx_2_7_2/conf/system/array-common-auth.pam
===================================================================
--- /branches/rel_avx_2_7_2/conf/system/array-common-auth.pam	(nonexistent)
+++ /branches/rel_avx_2_7_2/conf/system/array-common-auth.pam	(working copy)
@@ -0,0 +1 @@
+auth    [success=done default=bad] pam_unix.so
Index: /branches/rel_avx_2_7_2/src/backend/sys_cmd.c
===================================================================
--- /branches/rel_avx_2_7_2/src/backend/sys_cmd.c	(revision 8849)
+++ /branches/rel_avx_2_7_2/src/backend/sys_cmd.c	(working copy)
@@ -28,6 +28,7 @@
 #include <sys/sysctl.h>
 #include <sys/param.h>
 #include <sys/utsname.h>
+#include <grp.h>
 #include <ctype.h>
 #include <fcntl.h>
 #include <libgen.h>
@@ -40,6 +41,7 @@
 #include <time.h>
 #include <unistd.h>
 #include <inttypes.h>
+#include <stdint.h>
 #include <poll.h>
 #include <sys/ioctl.h>
 #include <termios.h>
@@ -49,6 +51,7 @@
 #include <syslog.h>
 #include <sys/prctl.h>
 #include <pty.h>
+#include <pwd.h>
 
 #include <json-c/json.h>
 
@@ -57,6 +60,9 @@
 #include <libxml/xpath.h>
 #include <libxml/xpathInternals.h>
 
+#include <openssl/aes.h>
+#include <openssl/evp.h>
+
 #include <feactl/avx_ul.h>
 #include <feactl/apv_feactl.h>
 #include <vtch/vtch.h>
@@ -7017,3 +7023,427 @@
 }
 
 #undef AVX_IF_DESC_CMD_LENGTH
+
+#define AVX_NSS_CONF "/etc/nsswitch.conf"
+#define _AVX_EXAUTH_STR_LEN 64
+
+/* The PAM stacks with
+ * RADIUS authentication enabled appear like the following:
+ *
+ *     <type> [success=done default=ignore] pam_radius_auth.so
+ *     <type> [success=done default=bad] pam_unix.so
+ *
+ * With this setting, PAM will run the following flow:
+ *     1. First check RADIUS users.
+ *         - If user is met in RADIUS, return to the application
+ *           (done by "success=done").
+ *         - If not, go to the next step (done by "default=ignore").
+ *     2. Check UNIX users.
+ *         - It user is met in UNIX, return to the application.
+ *         - If not, abort the whole PAM authentication
+ *           (done by "default=bad").
+ *
+ * As a counterpart, the PAM stacks with RADIUS authentication
+ * disabled appear like the following:
+ *
+ *     <type> [success=done default=bad] pam_unix.so
+ */
+
+#define _AVX_PAM_FIRST_PASS "[success=done default=ignore]"
+#define _AVX_PAM_LAST_PASS "[success=done default=bad]"
+#define _AVX_PAM_USE_RADIUS "pam_radius_auth.so"
+#define _AVX_PAM_USE_UNIX "pam_unix.so"
+
+#define _AVX_WRITE_PAM_CONF(conf, type, BODY)                                  \
+    do {                                                                       \
+        FILE *fp = fopen(conf, "w");                                           \
+        if (!fp) {                                                             \
+            printf("Cannot open %s PAM conf\n", type);                         \
+            goto fail;                                                         \
+        }                                                                      \
+        BODY fclose(fp);                                                       \
+    } while (0)
+
+#define _AVX_WRITE_PASS(type, ctrl, mod)                                       \
+    fprintf(fp, "%s %s %s", type, ctrl, mod)
+
+#define AUTH_PAM "/etc/pam.d/array-common-auth.pam"
+#define ACCT_PAM "/etc/pam.d/array-common-acct.pam"
+static char *__MAPPED_USER = "radius";
+static char *__MAPPED_GRP = "config";
+
+int exauth_on() {
+	_AVX_WRITE_PAM_CONF(
+        AUTH_PAM, "auth",
+        _AVX_WRITE_PASS("auth", _AVX_PAM_FIRST_PASS, _AVX_PAM_USE_RADIUS);
+        fprintf(fp, "\n");
+        _AVX_WRITE_PASS("auth", _AVX_PAM_LAST_PASS, _AVX_PAM_USE_UNIX);
+        fprintf(fp, "\n"););
+
+    _AVX_WRITE_PAM_CONF(
+        ACCT_PAM, "account",
+        _AVX_WRITE_PASS("account", _AVX_PAM_FIRST_PASS, _AVX_PAM_USE_RADIUS);
+        fprintf(fp, "\n");
+        _AVX_WRITE_PASS("account", _AVX_PAM_LAST_PASS, _AVX_PAM_USE_UNIX);
+        fprintf(fp, "\n"););
+
+    /* Add RADIUS mapped user */
+    pid_t pid;
+    int pstat = -1;
+    if(!(pid = fork())) {
+            execl("/usr/sbin/adduser", "adduser", "-s", CA_SHELL,
+                "-g", __MAPPED_GRP, "-d", "/home/radius", "-m", __MAPPED_USER, NULL);
+            _exit(1);
+    }
+    if(pid == -1) {
+        printf("Cannot add RADIUS mapped user\n");
+        return -1;
+    }
+    waitpid(pid, &pstat, 0);
+
+    /* Add RADIUS mapped user configuration */
+    FILE *fp = fopen("/etc/libnss-ato.conf", "w");
+    if(!fp) {
+        printf("Cannot open mapping configuration\n");
+        if(!(pid = fork())) {
+            execl("/usr/sbin/userdel", "userdel", "-f", "-r", __MAPPED_USER, NULL);
+            _exit(1);
+        }
+        if(pid == -1)
+            return -2;
+        waitpid(pid, &pstat, 0);
+        return -1;
+    }
+    /* Get RADIUS mapped user information */
+    struct passwd *pw = getpwnam(__MAPPED_USER);
+    fprintf(fp, "%s:x:%d:%d::%s:%s\n",
+            pw->pw_name, pw->pw_uid, pw->pw_gid,
+            pw->pw_dir, pw->pw_shell);
+    fclose(fp);
+
+    /* Activate NSS of RADIUS users */
+    system("sed -i '/^passwd:/s/$/ ato/' " AVX_NSS_CONF);
+    system("sed -i '/^shadow:/s/$/ ato/' " AVX_NSS_CONF);
+    
+    sleep(1);
+
+    return 0;
+
+fail:
+    return -1;
+}
+
+int exauth_off() {
+    _AVX_WRITE_PAM_CONF(
+        AUTH_PAM, "auth",
+        _AVX_WRITE_PASS("auth", _AVX_PAM_LAST_PASS, _AVX_PAM_USE_UNIX);
+        fprintf(fp, "\n"););
+
+    _AVX_WRITE_PAM_CONF(
+        ACCT_PAM, "account",
+        _AVX_WRITE_PASS("account", _AVX_PAM_LAST_PASS, _AVX_PAM_USE_UNIX);
+        fprintf(fp, "\n"););
+
+    /* Deactivate NSS of RADIUS user */
+    system("sed -i '/^passwd:/s/ ato//g' " AVX_NSS_CONF);
+    system("sed -i '/^shadow:/s/ ato//g' " AVX_NSS_CONF);
+
+    /* Delete RADIUS mapped user */
+    pid_t pid;
+    int pstat = -1;
+    if(!(pid = fork())) {
+        execl("/usr/sbin/userdel", "userdel", "-f", "-r", __MAPPED_USER, NULL);
+        _exit(1);
+    }
+    if(pid == -1) {
+        printf("Cannot delete RADIUS mapped user\n");
+        goto fail;
+    }
+    waitpid(pid, &pstat, 0);
+
+    sleep(1);
+
+    return 0;
+
+fail:
+    return -1;
+}
+
+
+#define _AVX_AES_BLOCK_SZ 16
+#define _AVX_ENCRYPTED_SECRET_LEN 129
+
+/***********************************************************************
+* This func is for changing server secret from plaintext to ciphertext
+* via AES128 encrypt and base64 encode
+*
+* This function is originated from APV rel_apv_10_7 branch revision 38549.
+*
+* secret_in: server secret in plaintext, max length is _AVX_ENCRYPTED_SECRET_LEN
+* secret_out: server secret in ciphertext, this is looger than secret_in
+*             but shorter than 2 times of _AVX_ENCRYPTED_SECRET_LEN
+*
+************************************************************************/
+
+static int
+encrypt_secret(const unsigned char *secret_in, unsigned char *secret_out)
+{
+        AES_KEY aes_key;
+        unsigned char key[_AVX_AES_BLOCK_SZ];
+        unsigned char iv[_AVX_AES_BLOCK_SZ];
+        unsigned char seed_key[11] = "ARRAYCLICK";
+        unsigned char seed_iv[12] = "ARRAYISBEST";
+        unsigned char temp[2 * _AVX_ENCRYPTED_SECRET_LEN];
+        int len;
+        int i;
+
+        memcpy(temp, secret_in, _AVX_ENCRYPTED_SECRET_LEN);
+        len = strlen((char *)temp) + 1;
+
+        if (len % _AVX_AES_BLOCK_SZ != 0) {
+			len = (len / _AVX_AES_BLOCK_SZ + 1) * _AVX_AES_BLOCK_SZ;
+        }
+
+        for (i = 0; i < _AVX_AES_BLOCK_SZ; i++) {
+                key[i] = seed_key[i % sizeof(seed_key)];
+        }
+
+        for (i = 0; i < _AVX_AES_BLOCK_SZ; i++) {
+                iv[i] = seed_iv[i % sizeof(seed_iv)];
+        }
+
+        if (AES_set_encrypt_key(key, 128, &aes_key) < 0) {
+                return -1;
+        }
+
+        AES_cbc_encrypt(secret_in, temp, len, &aes_key, iv, AES_ENCRYPT);
+
+        EVP_EncodeBlock(secret_out, temp, len);
+
+        return 0;
+}
+
+/***********************************************************************
+* This func is for changing server secret from ciphertext to plaintext
+* via base64 decode and AES128 decrypt
+*
+* This function is originated from APV rel_apv_10_7 branch revision 38549.
+*
+* secret_in: server secret in ciphertext, max length is 4/3 times of
+*            _AVX_ENCRYPTED_SECRET_LEN
+* secret_out: server secret in plaintext, this is shorter than _AVX_ENCRYPTED_SECRET_LEN
+*
+************************************************************************/
+
+static int
+decrypt_secret(const unsigned char *secret_in, unsigned char *secret_out)
+{
+        AES_KEY aes_key;
+        unsigned char key[_AVX_AES_BLOCK_SZ];
+        unsigned char iv[_AVX_AES_BLOCK_SZ];
+        unsigned char seed_key[11] = "ARRAYCLICK";
+        unsigned char seed_iv[12] = "ARRAYISBEST";
+        unsigned char temp[2 * _AVX_ENCRYPTED_SECRET_LEN];
+        int len;
+        int i;
+
+        memcpy(temp, secret_in, 2 * _AVX_ENCRYPTED_SECRET_LEN);
+        temp[2 * _AVX_ENCRYPTED_SECRET_LEN - 1] = '\0';
+        len = strlen((char *)temp);
+
+		if (len > (_AVX_ENCRYPTED_SECRET_LEN / 3 * 4)) {
+                return -1;
+        }
+
+        if (len < 24) {
+                /* encrypted secret is 16 Byte at least, after base64 it is 24 */
+                return -1;
+        }
+
+        len = EVP_DecodeBlock(temp, secret_in, len);
+
+        if (len == -1) {
+                return -1;
+        }
+
+        len -= len % _AVX_AES_BLOCK_SZ;
+
+        for (i = 0; i < _AVX_AES_BLOCK_SZ; i++) {
+                key[i] = seed_key[i % sizeof(seed_key)];
+        }
+
+        for (i = 0; i < _AVX_AES_BLOCK_SZ; i++) {
+                iv[i] = seed_iv[i % sizeof(seed_iv)];
+        }
+
+		if (AES_set_decrypt_key(key, 128, &aes_key) < 0) {
+                return -1;
+        }
+
+        AES_cbc_encrypt(temp, secret_out, len, &aes_key, iv, AES_DECRYPT);
+
+        return 0;
+}
+
+#define AVX_RADIUS_CONF "/etc/pam_radius.conf"
+
+const char *AVX_EXAUTH_ENCRYPTED_FLAG = "ENCRYPTED";
+const int RADIUS_TIMEOUT = 3;
+
+int set_radius_server(
+    char *host,
+    uint16_t port,
+    char *secret,
+    char *encrypted_flag
+) {
+    FILE *fp = fopen(AVX_RADIUS_CONF, "w");
+    if(!fp) {
+        printf("Cannot open RADIUS server config\n");
+        return -1;
+    }
+
+    int encrypt_enabled = strncmp(encrypted_flag, AVX_EXAUTH_ENCRYPTED_FLAG, strlen(AVX_EXAUTH_ENCRYPTED_FLAG));
+    unsigned char d[_AVX_EXAUTH_STR_LEN];
+    if(encrypt_enabled == 0)
+        decrypt_secret((unsigned char *)secret, d);
+
+    fprintf(fp, "%s:%d %s %d\n", host, port, encrypt_enabled == 0 ? d : secret, RADIUS_TIMEOUT);
+
+    fclose(fp);
+
+    sleep(1);
+
+    return 0;
+}
+
+int unset_radius_server() {
+    system("rm -rf " AVX_RADIUS_CONF);
+
+    sleep(1);
+
+    return 0;
+}
+
+#define _AVX_EXAUTH_PREFIX "admin aaa"
+#define _AVX_EXAUTH_BUF_LEN 1024
+#define _AVX_EXAUTH_STAT _AVX_EXAUTH_PREFIX " %s\n"
+#define _AVX_EXAUTH_PORT_LEN 6
+
+/* TO-DO: let port number output be an integer */
+#define _AVX_EXAUTH_PROPS_BASE \
+    _AVX_EXAUTH_PREFIX " server es01 \"%s\" %s \"%s\""
+#define _AVX_EXAUTH_PROPS _AVX_EXAUTH_PROPS_BASE "\n"
+#define _AVX_EXAUTH_PROPS_ENCRYPTED \
+    _AVX_EXAUTH_PROPS_BASE " \"%s\"\n"
+
+/* TO-DO: let port number output be an integer */
+#define _AVX_EXAUTH_GET_PROPS(host, port, secret) \
+	do { \
+        FILE *fp = fopen(AVX_RADIUS_CONF, "r"); \
+        char *p; \
+        char ip_port_str[_AVX_EXAUTH_STR_LEN]; \
+		char buf[1024]; \
+        int timeout; \
+        while(!feof(fp) && (fgets(buf, sizeof(buf), fp) != NULL && (!ferror(fp)))) { \
+			p = buf; \
+	        if(sscanf(p, "%s %s %d", ip_port_str, secret, &timeout) < 2) { \
+	            printf("error\n"); \
+	            goto fail; \
+	        } \
+ \
+			/* Get IP:PORT pair with IPv4 format */	 \
+	        char *colon = strchr(ip_port_str, ':'); \
+	        if(!colon) { \
+	            printf("IP:PORT invalid\n"); \
+	            goto fail; \
+	        } \
+	 \
+	        strncpy(host, ip_port_str, colon - ip_port_str); \
+	        host[colon - ip_port_str] = '\0'; \
+	        strncpy(port, colon + 1, _AVX_EXAUTH_PORT_LEN); \
+		}  \
+        fclose(fp); \
+	} while(0)
+
+/* Count the lines in array-common-auth.pam 
+ * to check whether external authentication is on or off
+ * (i.e., one for off, two for on). */
+#define AVX_CNT_PAM_LINE(line_cnt) \
+	do { \
+	    FILE *fp; \
+		char ret[1035]; \
+	    fp = popen("wc -l < " AUTH_PAM, "r"); \
+	    if(!fp) { \
+	        printf("Failed to run cmd\n"); \
+	        goto fail; \
+	    } \
+	    while(fgets(ret, sizeof(ret), fp) != NULL) \
+	        line_cnt = atoi(ret); \
+		pclose(fp); \
+	} while(0)
+
+char *write_exauth_conf(void) {
+    char *save_exauth;
+    save_exauth = (char *)malloc(sizeof(char) * _AVX_EXAUTH_BUF_LEN);
+    if(!save_exauth) {
+        printf("System error occurred.\n");
+        goto fail;
+    }
+    bzero(save_exauth, _AVX_EXAUTH_BUF_LEN);
+
+    char host[_AVX_EXAUTH_STR_LEN];
+    char port[_AVX_EXAUTH_PORT_LEN];
+    char secret[_AVX_EXAUTH_STR_LEN];
+    int conf_existed = access(AVX_RADIUS_CONF, F_OK) == 0;
+	if(conf_existed)
+		_AVX_EXAUTH_GET_PROPS(host, port, secret); 
+   
+    unsigned char e[_AVX_ENCRYPTED_SECRET_LEN];
+    encrypt_secret((unsigned char *)secret, e);
+
+	int line_cnt = 0;
+	AVX_CNT_PAM_LINE(line_cnt);	
+
+	int len = 0;
+    int ret;
+#define _(fmt, ...) \
+	do { \
+	    ret = sprintf(save_exauth + len, fmt, __VA_ARGS__); \
+    	len += ret; \
+	} while(0)
+
+    _(_AVX_EXAUTH_STAT, line_cnt > 1 ? "on" : "off");
+	if(conf_existed)
+    	_(_AVX_EXAUTH_PROPS_ENCRYPTED, host, port, e, AVX_EXAUTH_ENCRYPTED_FLAG);
+#undef _
+
+    return save_exauth;
+
+fail:
+    return NULL;
+}
+
+int show_exauth_all(void) {
+    char host[_AVX_EXAUTH_STR_LEN];
+	char port[_AVX_EXAUTH_PORT_LEN];
+    char secret[_AVX_EXAUTH_STR_LEN];
+
+	int line_cnt = 0;
+	AVX_CNT_PAM_LINE(line_cnt);	
+
+    /* Show status of external authentication,
+     * i.e., the line in array-common-auth.pam. */
+    printf(_AVX_EXAUTH_STAT, line_cnt > 1 ? "on" : "off");
+
+    if(access(AVX_RADIUS_CONF, F_OK) == 0) {
+        /* Get RADIUS server attributes */
+        _AVX_EXAUTH_GET_PROPS(host, port, secret);
+
+        printf(_AVX_EXAUTH_PROPS, host, port, "*****");
+    }
+
+    return 0;
+
+fail:
+    return -1;
+}
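Review bot: `set_radius_server` lets a CLI-supplied value overflow the stack: `decrypt_secret` accepts up to 172 base64 characters and writes as many as 128 decrypted bytes into `d`, which is only `_AVX_EXAUTH_STR_LEN` (64) bytes, and its return value is ignored, so a rejected input leaves `d` uninitialised and it is still written to the config with `%s`. `decrypt_secret` also begins with `memcpy(temp, secret_in, 2 * _AVX_ENCRYPTED_SECRET_LEN)`, which reads 258 bytes however short the caller's string is, and `encrypt_secret` does the same with 129 bytes from the 64-byte `secret` in `write_exauth_conf`. The same unbounded-copy pattern is in `_AVX_EXAUTH_GET_PROPS`, where `sscanf(p, "%s %s %d", ...)` fills 64-byte buffers from a 1024-byte line and `fp` is used without a NULL check. Separately, the key and IV are derived from constants in the source, so the `ENCRYPTED` form in a saved configuration is obfuscation rather than protection and the header comments should say so. The sketch below sizes the buffer for the worst case, fails closed on a bad secret before the config file is truncated, and measures the input instead of copying a fixed length.

```c
/* in set_radius_server(), before AVX_RADIUS_CONF is opened */
    /* decrypt_secret() can write up to 128 bytes; one more keeps a NUL */
    unsigned char d[_AVX_ENCRYPTED_SECRET_LEN] = {0};
    int encrypt_enabled = strncmp(encrypted_flag, AVX_EXAUTH_ENCRYPTED_FLAG,
                                  strlen(AVX_EXAUTH_ENCRYPTED_FLAG));
    if(encrypt_enabled == 0 &&
       decrypt_secret((unsigned char *)secret, d) != 0) {
        printf("Invalid encrypted secret\n");
        return -1;
    }
    /* … unchanged: fopen of AVX_RADIUS_CONF, fprintf, fclose, sleep … */

/* in decrypt_secret(), replacing the fixed-size memcpy and strlen */
    size_t in_len = strnlen((const char *)secret_in,
                            2 * _AVX_ENCRYPTED_SECRET_LEN);
    if (in_len > (_AVX_ENCRYPTED_SECRET_LEN / 3 * 4) || in_len < 24) {
        return -1;
    }
    len = EVP_DecodeBlock(temp, secret_in, (int)in_len);
    /* … unchanged: length rounding, key/IV setup, AES_cbc_encrypt … */
```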
Index: /branches/rel_avx_2_7_2/src/backend/sys_tool.h
===================================================================
--- /branches/rel_avx_2_7_2/src/backend/sys_tool.h	(revision 8849)
+++ /branches/rel_avx_2_7_2/src/backend/sys_tool.h	(working copy)
@@ -72,6 +72,10 @@
 extern char* write_system_interactive(void);
 extern char* write_if_shutdown(void);
 extern char* write_if_description(void);
+extern char* write_exauth_conf(void);
+
+extern int show_exauth_all(void);
+
 extern int clear_nameserver(char *ip);
 extern int clear_iphost(void);
 extern int ui_clear_supportip(void);
Index: /branches/rel_avx_2_7_2/src/backend/sys_tool.c
===================================================================
--- /branches/rel_avx_2_7_2/src/backend/sys_tool.c	(revision 8849)
+++ /branches/rel_avx_2_7_2/src/backend/sys_tool.c	(working copy)
@@ -358,6 +358,11 @@
         CMD_NORMAL | CMD_ARRAYOS | CMD_GLOBAL,
         "#interface description"
     },
+    {
+        write_exauth_conf,
+        CMD_NORMAL | CMD_ARRAYOS | CMD_GLOBAL,
+        "#admin aaa configuration"
+    },
     /*last entry is empty*/
     {
         NULL,
Index: /branches/rel_avx_2_7_2/src/generator/commands.pm
===================================================================
--- /branches/rel_avx_2_7_2/src/generator/commands.pm	(revision 8849)
+++ /branches/rel_avx_2_7_2/src/generator/commands.pm	(working copy)
@@ -7239,6 +7239,151 @@
             optional => "NO",
         }, ],
     },
+    {
+        obj_type => "MENU",
+        name => "admin",
+        parent_menu => ".",
+        uniq_name => "root_admin",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+        user_level => "CLI_LEVEL_CONFIG",
+        help_string => "Administration configuration",
+    },
+    {
+        obj_type => "MENU",
+        name => "aaa",
+        parent_menu => "root_admin",
+        uniq_name => "root_admin_aaa",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+        user_level => "CLI_LEVEL_CONFIG",
+        help_string => "External authentication configuration",
+    },
+    {
+        obj_type => "MENU",
+        name => "server",
+        parent_menu => "root_admin_aaa",
+        uniq_name => "root_admin_server_aaa",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+        user_level => "CLI_LEVEL_CONFIG",
+        help_string => "External authentication server configuration",
+    },
+    {
+        obj_type => "ITEM",
+        name => "es01",
+        menu => "root_admin_server_aaa",
+        help_string => "Configure external RADIUS authentication server",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL|CMD_SPECIAL_LOG",
+        user_level => "CLI_LEVEL_CONFIG",
+        function_name => "set_radius_server",
+        function_args => [
+            {
+                type => "STRING",
+                help_string => "Host name or ip address",
+                optional => "NO",
+            },
+            {
+                type => "U16",
+                help_string => "Port",
+                optional => "NO",
+            },
+            {
+                type => "STRING",
+                help_string => "Secret",
+                optional => "YES",
+                default_value => "\"\"",
+            },
+            {
+                type => "STRING",
+                help_string => "",
+                optional => "YES",
+                default_value => "\"\"",
+            },
+        ],
+    },
+    {
+        obj_type => "MENU",
+        name => "admin",
+        parent_menu => "root_no",
+        uniq_name => "root_no_admin",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+        user_level => "CLI_LEVEL_CONFIG",
+        help_string => "Delete administration configurations",
+    },
+	{
+        obj_type => "MENU",
+        name => "aaa",
+        parent_menu => "root_no_admin",
+        uniq_name => "root_no_admin_aaa_server",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+        user_level => "CLI_LEVEL_ENABLE",
+        help_string => "Delete external authentication configurations",
+    },
+    {
+        obj_type => "MENU",
+        name => "server",
+        parent_menu => "root_no_admin_aaa_server",
+        uniq_name => "root_no_admin_aaa",
+        help_string => "Delete external authentication server",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+        user_level => "CLI_LEVEL_CONFIG",
+    },
+	{
+        obj_type => "ITEM",
+        name => "es01",
+        menu => "root_no_admin_aaa",
+        help_string => "Delete external RADIUS authentication server",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL|CMD_SPECIAL_LOG",
+        user_level => "CLI_LEVEL_CONFIG",
+        function_name => "unset_radius_server",
+        function_args => [],
+    },
+    {
+        obj_type => "ITEM",
+        name => "on",
+        menu => "root_admin_aaa",
+        help_string => "Turn on external authentication",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+        user_level => "CLI_LEVEL_CONFIG",
+        function_name => "exauth_on",
+        function_args => [],
+    },
+    {
+        obj_type => "ITEM",
+        name => "off",
+        menu => "root_admin_aaa",
+        help_string => "Turn off external authentication",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+        user_level => "CLI_LEVEL_CONFIG",
+        function_name => "exauth_off",
+        function_args => [],
+    },
+    {
+        obj_type => "MENU",
+        name => "admin",
+        parent_menu => "root_show",
+        uniq_name => "root_show_admin",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+        user_level => "CLI_LEVEL_ENABLE",
+        help_string => "Display administration configurations",
+    },
+    {
+        obj_type => "MENU",
+        name => "aaa",
+        parent_menu => "root_show_admin",
+        uniq_name => "root_show_admin_aaa",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+        user_level => "CLI_LEVEL_ENABLE",
+        help_string => "Display external authentication configurations",
+    },
+    {
+        obj_type => "ITEM",
+        name => "all",
+        menu => "root_show_admin_aaa",
+        help_string => "Display all external authentication configurations",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+        user_level => "CLI_LEVEL_ENABLE",
+        function_name => "show_exauth_all",
+        function_args => [],
+    },
 );
 
 # This method is required to expost the command table to the caller.
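Review bot: In the `no admin aaa` branch the `uniq_name` values look swapped and one level is inconsistent: the `aaa` menu is named `root_no_admin_aaa_server` with `user_level => "CLI_LEVEL_ENABLE"`, while the `server` menu under it is `root_no_admin_aaa` at `CLI_LEVEL_CONFIG`, as are its parent `root_no_admin` and the `es01` item. Naming them `root_no_admin_aaa` and `root_no_admin_aaa_server` respectively (updating `parent_menu` and `menu` to match) and using `CLI_LEVEL_CONFIG` throughout would mirror the positive `admin aaa` tree. The fourth `es01` argument has an empty `help_string`; since `set_radius_server` compares it with `ENCRYPTED`, something like `help_string => "ENCRYPTED if the secret is in saved (encoded) form"` would tell the operator what it is for. The command table itself starts outside this hunk.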
Index: /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/DESCRIPTION.rst
===================================================================
--- /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/DESCRIPTION.rst	(nonexistent)
+++ /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/DESCRIPTION.rst	(working copy)
@@ -0,0 +1,49 @@
+python-pam
+==========
+
+Python pam module supporting py3 (and py2)
+
+Commandline example:
+
+```
+[david@Scott python-pam]$ python pam.py
+Username: david
+Password: 
+0 Success
+
+[david@Scott python-pam]$ python2 pam.py
+Username: david
+Password: 
+0 Success
+```
+
+Inline examples:
+```
+[david@Scott python-pam]$ python
+Python 3.4.1 (default, May 19 2014, 17:23:49)
+[GCC 4.9.0 20140507 (prerelease)] on linux
+Type "help", "copyright", "credits" or "license" for more information.
+>>> import pam
+>>> p = pam.pam()
+>>> p.authenticate('david', 'correctpassword')
+True
+>>> p.authenticate('david', 'badpassword')
+False
+>>> p.authenticate('david', 'correctpassword', service='login')
+True
+>>> p.authenticate('david', 'correctpassword', service='unknownservice')
+False
+>>> p.authenticate('david', 'correctpassword', service='login', resetcreds=True)
+True
+>>> p.authenticate('david', 'correctpassword', encoding='latin-1')
+True
+>>> print('{} {}'.format(p.code, p.reason))
+0 Success
+>>> p.authenticate('david', 'badpassword')
+False
+>>> print('{} {}'.format(p.code, p.reason))
+7 Authentication failure
+>>>
+```
+
+
Index: /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/INSTALLER
===================================================================
--- /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/INSTALLER	(nonexistent)
+++ /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/INSTALLER	(working copy)
@@ -0,0 +1 @@
+pip
Index: /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/METADATA
===================================================================
--- /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/METADATA	(nonexistent)
+++ /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/METADATA	(working copy)
@@ -0,0 +1,76 @@
+Metadata-Version: 2.0
+Name: python-pam
+Version: 1.8.4
+Summary: Python PAM module using ctypes, py3/py2
+Home-page: https://github.com/FirefighterBlu3/python-pam
+Author: David Ford
+Author-email: david@blue-labs.org
+Maintainer: David Ford
+Maintainer-email: david@blue-labs.org
+License: License :: OSI Approved :: MIT License
+Download-URL: https://github.com/FirefighterBlu3/python-pam
+Platform: i686
+Platform: x86_64
+Classifier: Development Status :: 6 - Mature
+Classifier: Environment :: Plugins
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Information Technology
+Classifier: Intended Audience :: System Administrators
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: POSIX
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Programming Language :: Python
+Classifier: Programming Language :: Python :: 2
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Security
+Classifier: Topic :: System :: Systems Administration :: Authentication/Directory
+
+python-pam
+==========
+
+Python pam module supporting py3 (and py2)
+
+Commandline example:
+
+```
+[david@Scott python-pam]$ python pam.py
+Username: david
+Password: 
+0 Success
+
+[david@Scott python-pam]$ python2 pam.py
+Username: david
+Password: 
+0 Success
+```
+
+Inline examples:
+```
+[david@Scott python-pam]$ python
+Python 3.4.1 (default, May 19 2014, 17:23:49)
+[GCC 4.9.0 20140507 (prerelease)] on linux
+Type "help", "copyright", "credits" or "license" for more information.
+>>> import pam
+>>> p = pam.pam()
+>>> p.authenticate('david', 'correctpassword')
+True
+>>> p.authenticate('david', 'badpassword')
+False
+>>> p.authenticate('david', 'correctpassword', service='login')
+True
+>>> p.authenticate('david', 'correctpassword', service='unknownservice')
+False
+>>> p.authenticate('david', 'correctpassword', service='login', resetcreds=True)
+True
+>>> p.authenticate('david', 'correctpassword', encoding='latin-1')
+True
+>>> print('{} {}'.format(p.code, p.reason))
+0 Success
+>>> p.authenticate('david', 'badpassword')
+False
+>>> print('{} {}'.format(p.code, p.reason))
+7 Authentication failure
+>>>
+```
+
+
Index: /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/RECORD
===================================================================
--- /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/RECORD	(nonexistent)
+++ /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/RECORD	(working copy)
@@ -0,0 +1,9 @@
+pam.py,sha256=9OckkGbj6VMenr5Zko0sfQZVZxPlZzrsdKSVlRfCmrw,7556
+pam.pyc,,
+python_pam-1.8.4.dist-info/DESCRIPTION.rst,sha256=ZzlAiDBuUC_95APCmp0_eRYDnsl9NhuXjcgx4fFUz1g,1090
+python_pam-1.8.4.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4
+python_pam-1.8.4.dist-info/METADATA,sha256=o6bjHQd0CpDejv5ZiM656GmHfr7i6skyjgZQdt3-n6M,2127
+python_pam-1.8.4.dist-info/RECORD,,
+python_pam-1.8.4.dist-info/WHEEL,sha256=kdsN-5OJAZIiHN-iO4Rhl82KyS0bDWf4uBwMbkNafr8,110
+python_pam-1.8.4.dist-info/metadata.json,sha256=AOmZ9XHKc0EGVu6BkIS36svGBCdgP5mXJo2R4_kzoD4,1151
+python_pam-1.8.4.dist-info/top_level.txt,sha256=0EOjbyc3hQyzjhn6iyMgsEseqA66Xz0p27iBN7G7W1w,4
Index: /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/WHEEL
===================================================================
--- /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/WHEEL	(nonexistent)
+++ /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/WHEEL	(working copy)
@@ -0,0 +1,6 @@
+Wheel-Version: 1.0
+Generator: bdist_wheel (0.30.0)
+Root-Is-Purelib: true
+Tag: py2-none-any
+Tag: py3-none-any
+
Index: /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/metadata.json
===================================================================
--- /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/metadata.json	(nonexistent)
+++ /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/metadata.json	(working copy)
@@ -0,0 +1 @@
+{"classifiers": ["Development Status :: 6 - Mature", "Environment :: Plugins", "Intended Audience :: Developers", "Intended Audience :: Information Technology", "Intended Audience :: System Administrators", "License :: OSI Approved :: MIT License", "Operating System :: POSIX", "Operating System :: POSIX :: Linux", "Programming Language :: Python", "Programming Language :: Python :: 2", "Programming Language :: Python :: 3", "Topic :: Security", "Topic :: System :: Systems Administration :: Authentication/Directory"], "download_url": "https://github.com/FirefighterBlu3/python-pam", "extensions": {"python.details": {"contacts": [{"email": "david@blue-labs.org", "name": "David Ford", "role": "author"}, {"email": "david@blue-labs.org", "name": "David Ford", "role": "maintainer"}], "document_names": {"description": "DESCRIPTION.rst"}, "project_urls": {"Home": "https://github.com/FirefighterBlu3/python-pam"}}}, "generator": "bdist_wheel (0.30.0)", "license": "License :: OSI Approved :: MIT License", "metadata_version": "2.0", "name": "python-pam", "platform": "i686", "summary": "Python PAM module using ctypes, py3/py2", "version": "1.8.4"}
\ No newline at end of file
Index: /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/top_level.txt
===================================================================
--- /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/top_level.txt	(nonexistent)
+++ /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/top_level.txt	(working copy)
@@ -0,0 +1 @@
+pam
Index: /branches/rel_avx_2_7_2/update/avxsystem.ks
===================================================================
--- /branches/rel_avx_2_7_2/update/avxsystem.ks	(revision 8849)
+++ /branches/rel_avx_2_7_2/update/avxsystem.ks	(working copy)
@@ -510,6 +510,8 @@
 intel_auxiliary-1.0.1-1.x86_64
 qat-4.15.0-0.x86_64
 bc-1.06.95-13.el7.x86_64
+pam_radius-1.4.0-4.el7.x86_64
+libnss-ato-0.2-1.x86_64
 %end
 
 %post --nochroot --interpreter ../tools/image-minimizer
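Review bot: The two entries added before `%end` change how the appliance authenticates and resolves accounts, and nothing in the list records that. libnss-ato resolves any user name not found locally to one configured local account, so with pam_radius in the PAM stack every identity the RADIUS server accepts would presumably log in with that account's uid, groups and shell. I would add a comment above the two lines, such as `# pam_radius + libnss-ato: RADIUS-only users map to the account in libnss-ato.conf; keep it unprivileged`, and confirm that the shipped libnss-ato.conf names a non-root account with a restricted shell (its contents are not visible in this part of the commit). Separately, the entry is pinned as `libnss-ato-0.2-1.x86_64` while the tarball added in this commit is `libnss-ato-0.2.1.tar.gz`. If the spec builds version 0.2.1 the name will not match, so the NVR should be checked against the spec file.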
