search

daveolson53 / libtacplus-map

mapping library to enable tacacs-authenticated users to login without a local (or ldap) password entry
GNU General Public License v2.0
0 stars 4 forks source link

sudo error #1

Closed idefixcert closed 1 year ago

idefixcert commented 4 years ago

I just try the following example

FROM       ubuntu:18.04
MAINTAINER Chris

RUN apt-get update

RUN apt-get update && \
    apt-get install -y software-properties-common wget less nano

RUN apt-get install -y dpdk openssh-server
RUN apt-get install -y sudo rsyslog

COPY deb/* deb/
RUN dpkg -i deb/libtacplus-map1_1.0.1-cl3u3_amd64.deb
RUN dpkg -i deb/libtac2_1.4.3-cl3u4_amd64.deb 
RUN dpkg -i deb/libnss-tacplus_1.0.4-cl3u3_amd64.deb 
RUN dpkg -i deb/libpam-tacplus_1.4.3-cl3u4_amd64.deb

COPY tacplus_servers /etc/tacplus_servers
COPY start.sh start.sh

#Permit Root user to login
RUN echo 'root:root' |chpasswd
RUN sed -ri 's/^#?PermitRootLogin\s+.*/PermitRootLogin yes/' /etc/ssh/sshd_config

EXPOSE 22

CMD    [ "start.sh"]

the start.sh file contains:

sudo service ssh start
sudo service rsyslog start
touch /var/log/auth.log
tail -f /var/log/auth.log

then I run these command:

docker build -t tacacs_client_image .   
docker run -it -P --network=tacacs --name tacacs_client tacacs_client_image

and also this to get the ssh port

docker port tacacs_client 22

if I login with ssh chris@localhost -p 32821 everything works as expected. The only thing which does not work is sudo less for example. Than I get: chris is not in the sudoers file. This incident will be reported. and in the log Feb 4 17:25:34 f74107dbf05f sudo: chris : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/tacacs15 ; USER=root ; COMMAND=/usr/bin/less

But the sudoers config looks good: tacacs15 ALL=(ALL:ALL) ALL

For me it looks like the request is made with user chris and not tacacs15. Also the prompt shows the username chris. echo $USER also. But pwdshows: /home/tacacs10.

Any help appreciated.

bacharya commented 4 years ago

Hi idefixcert,

I had a similar scenario and it worked perfectly fine.

Please check the groups of the mapped local user belong to:

tac_user@b508b319e119:~$ sudo id tacacs15
uid=1015(tac_user) gid=27(sudo) groups=27(sudo)

tac_user@b508b319e119:~$ groups
sudo
tac_user@b508b319e119:~$ pwd
/home/tacacs15
tac_user@b508b319e119:~$ sudo service --status-all
[sudo] password for tac_user: 
 [ - ]  cron
 [ - ]  dbus
 [ ? ]  dpdk
 [ ? ]  hwclock.sh
 [ - ]  procps
 [ + ]  rsyslog
 [ + ]  ssh
 [ - ]  unattended-upgrades
tac_user@b508b319e119:~$

In the above scenario I have a tacacs user(tac_user) with privilege15 and belongs to mapped user tacacs15.

knight-on-work commented 1 year ago

RUN dpkg -i deb/libtacplus-map1_1.0.1-cl3u3_amd64.deb

Hi idefixcert, mentioned deb packages will compatible with ubuntu 22.04 or not?

idefixcert commented 1 year ago

Not sure, I am not working actively on this project anymore, I think we can close the card.

daveolson53 commented 1 year ago

The sudo issue requires a patch that most people would be unlikely to accept. I think I posted it, but never tried to push it upstream.

I have not been involved with tacacs since late 2019, and do not plan to be involved in the future.