tacacs ipv6 support - Githubissues

h-lopez commented 7 months ago

this is interesting, throwing this into an issue to look at later.

relevant docs:

nvidia since it looks like we're using the cumulus tac_plus pkg

relevant files:

/etc/tacplus_nss.conf
/etc/tacplus_servers

vyos currently adds the servers+keys to both files which seems excessive, from the tacacs config template vyos ships with, we can just have tacplus_nss.conf read the server list from tacplus_servers, so uncommented that line

# The include keyword allows centralizing the tacacs+ server information
# including the IP address and shared secret
include=/etc/tacplus_servers

relevant section in tacplus_servers:

secret=[redacted]
server=[fd00:41:acab:21bb:be24:11ff:fe8a:471e]:49
#server=172.21.50.106:49

however, trying to actually use this config results in failure, tacacs fails to authenticate against the remote server

Apr 10 00:05:07 cr2-3656 sshd[100576]: nss_tacplus: Configuration file(s) have changed, re-initializing
Apr 10 00:05:07 cr2-3656 sshd[100576]: nss_tacplus: skip invalid server: [fd00 (getaddrinfo: Servname not supported for ai_socktype)
Apr 10 00:05:07 cr2-3656 sshd[100576]: nss_tacplus: skip invalid server: [fd00 (getaddrinfo: Servname not supported for ai_socktype)
Apr 10 00:05:07 cr2-3656 sshd[100576]: pam_unix(sshd:session): session closed for user hlopez
Apr 10 00:05:08 cr2-3656 sshd[101892]: pam_unix(sshd:session): session closed for user hlopez
Apr 10 00:05:08 cr2-3656 sshd[101892]: pam_mail(sshd:session): user unknown
Apr 10 00:05:16 cr2-3656 sshd[102214]: nss_tacplus: skip invalid server: [fd00 (getaddrinfo: Servname not supported for ai_socktype)
Apr 10 00:05:16 cr2-3656 sshd[102214]: nss_tacplus: skip invalid server: [fd00 (getaddrinfo: Servname not supported for ai_socktype)
Apr 10 00:05:16 cr2-3656 sshd[102214]: Invalid user hlopez from 172.21.20.13 port 58525
Apr 10 00:05:17 cr2-3656 sshd[102214]: pam_tacplus(sshd:auth): auth failed 2
Apr 10 00:05:17 cr2-3656 sshd[102214]: pam_unix(sshd:auth): check pass; user unknown
Apr 10 00:05:17 cr2-3656 sshd[102214]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.20.13 
Apr 10 00:05:19 cr2-3656 sshd[102214]: Failed password for invalid user hlopez from 172.21.20.13 port 58525 ssh2
Apr 10 00:05:21 cr2-3656 sshd[102214]: error: Received disconnect from 172.21.20.13 port 58525:14: Unable to authenticate using any of the configured authentication methods.  [preauth]
Apr 10 00:05:21 cr2-3656 sshd[102214]: Disconnected from invalid user hlopez 172.21.20.13 port 58525 [preauth]

despite the syslog errors about "invalid server", pcap shows it reaching out to the remote server via ipv6 but failing. i can see it log to my tacacs server, again sourcing from an ipv6 address, so ipv6 transport def works.

2024-04-10 00:05:16 -0500|!|fd00:41:acab:21bb::3|!|hlopez|!|ssh|!|172.21.20.13|!|ascii login failed
2024-04-10 00:05:50 -0500|!|fd00:41:acab:21bb::3|!|hlopez|!|ssh|!|172.21.20.13|!|ascii login failed

if i revert to using ipv4 AND remote in and leave that TACACS user session connected:

secret=[redacted]
server=[fd00:41:acab:21bb:be24:11ff:fe8a:471e]:49
#server=172.21.50.106:49

hlnetadmin@cr2-3656:~$ show users
NAME     LINE         TIME             COMMENT
hlnetadmin pts/0        2024-04-09 22:44 (172.21.20.13)
hlopez   pts/1        2024-04-10 00:11 (172.21.20.13)

...then update the config to use IPv6 servers again:

secret=[redacted]
server=[fd00:41:acab:21bb:be24:11ff:fe8a:471e]:49
#server=172.21.50.106:49

i can authenticate new TACACS sessions using an IPv6 TACACS server, under different accounts (with differing priv level)

2024-04-10 00:13:29 -0500|!|fd00:41:acab:21bb::3|!|oxidized|!|ssh|!|172.21.20.13|!|ascii login succeeded
2024-04-10 00:13:32 -0500|!|fd00:41:acab:21bb::3|!|hlopez|!|ssh|!|172.21.20.13|!|ascii login succeeded

as soon as I disconnect all active TACACS users sessions, it goes back to failing. WTF

2024-04-10 00:16:23 -0500|!|fd00:41:acab:21bb::3|!|hlopez|!|ssh|!|172.21.20.13|!|ascii login failed

h-lopez commented 7 months ago

side notes for future PR once this more or less works:

need to raise error if user sets an IPv6 server with the source source-ip option, seems to break ipv6 if set and underlying module does not support setting an ipv6 source addr
ipv6 must be wrapped in brackets for it to function as a server

h-lopez commented 7 months ago

i thought wrapping an ipv4 address in brackets leads to an invalid config but it works... if there's an existing TACACs session already going on similar to the ipv6 issue already mentioned

#server=172.21.50.106:49
server=[172.21.50.106]:49

i'm not 100% sure how the underlying modules interact but i guess nss_tacplus can't parse addresses if they have brackets? fwiw passing along an ipv6 addr without brackets doesn't work either.

h-lopez commented 4 months ago

you can specify fqdn in cumulusvx, results in:

prefer_ip_version=4
secret=[redacted]
server=tacacs1.hlnet.us:49

h-lopez commented 4 months ago

got it to work if you specify ipv6 tacacs host as fqdn....but not as the actual v6 addr

h-lopez / vyos-1x

tacacs ipv6 support #1