Behavior changes
This release contains behavior changes that relate to the TACACS+ protocol.
TACACS+ authenticated users group
The implementation detail for users to be automatically authenticated through TACACS+ has changed.
Users who are authenticated through TACACS+ are automatically placed into a system group. In 1903 this changed from vyatta-system-user-tacplus to vyatta.system.user.tacplus. This is an implementation detail and may be subject to further changes in the future.
Home directories
This release changes the home directories for TACACS+ authenticated users.
The
on-the-fly generated home directories for TACACS+ authenticated users have
changed from /tmp/<username> to
/var/tmp/aaa-home/<user>. These
generated home directories do not persist across reboots.
Session authorization
This release changes the session authorization requirements to be more compliant with the TACACS+ protocol.
The TACACS+ implementation is now more compliant with section 11.1 of https://tools.ietf.org/html/draft-grant-tacacs-02. From 1903 onward, a TACACS+ server must not send any mandatory arguments other than level, or local-user-name, which is now deprecated.
Command accounting
This release contains updates and behavior changes to command accounting.
Accounting support has been re-implemented in 1903 with the following benefits:
- Secrets are redacted
- Accounted commands are expanded and normalized
The following behavior changes should also be noted:
- An additional protocol AV pair is sent in Accounting messages. The value will be either
op-mode, orconf-modeindicating that the command was executed in operational mode or configuration mode, respectively. - The run configuration mode command is accounted as an operational command (protocol=op-mode) with the run keyword removed.
- The edit configuration mode command will be accounted as a set command if it results in new configuration. If no new configuration results then no accounting will occur.
- Invalid or un-authorized commands are not accounted.
The executed command and arguments are no longer concatenated into a single cmd AV pair. Instead the command is sent as the cmd AV pair and each argument is sent as a distinct cmd-arg AV pair.
| Mode | Command | Notes |
|---|---|---|
| Configuration | save (no arguments) | Command does not have any effect. |
| Configuration | top | Navigational command (no system impact) |
| Configuration | up | Navigational command (no system impact) |
| Configuration | exit | The protocol AV pair provides the CLI mode context |
| Operational | configure | The protocol AV pair provides the CLI mode context |
| Operational | reset terminal | Command affects the executing user's console only |
| Operational | set terminal … | Command affects the executing user's console only |
| Operational | spawn … | Executes a non-modeled command |
| Any | Non-modeled command | Accounting is supported for modeled commands only |
Command authorization
This release updates and corrects command authorization for configuration mode commands and is now more compliant with the TACACS+ protocol.
The TACACS+ implementation is now more compliant with section 12.1 of https://tools.ietf.org/html/draft-grant-tacacs-02. Starting in 1903, a server must not send any mandatory arguments in response to a command authorization request.
The command and arguments being authorized are no longer concatenated into a single cmd AV pair. Instead, the command is sent as the cmd AV pair and each argument is sent as a distinct cmd-arg AV pair.
Additionally, the behavior of command authorization for configuration mode commands has been corrected. Configuration mode commands are now authorized as follows.
| Command | Request | Notes |
|---|---|---|
| commit | None (not authorized) | No change |
| commit-confirm | None (not authorized) | No change |
| compare | Single request reflecting what was entered by the user | |
| confirm | None (not authorized) | No change |
| delete | Single request reflecting what was entered by the user | No change |
| discard | None (not authorized) | No change |
| edit | If the command results in the creation of new configuration, then a request will be sent reflecting what was entered by the user, except the edit keyword will be substituted with set; otherwise none (not authorized) | |
| exit | None (not authorized) | No change |
| load | Single request reflecting what was entered by the user | |
| loadkey | Single request reflecting what was entered by the user | |
| merge | Single request reflecting what was entered by the user | |
| rollback | Single request reflecting what was entered by the user | |
| run | Authorized as an operational mode command with the run keyword removed | No change |
| save | Executing save with no additional arguments has no system impact, therefore no requests are made (not authorized) | No change |
| save <args> | Single request reflecting what was entered by the user | |
| set | Single request reflecting what was entered by the user | No change |
| show | Single request reflecting what was entered by the user | |
| top | None (not authorized) | No change |
| up | None (not authorized) | No change |
| validate | None (not authorized) | No change |
| Tab completion | None (not authorized) |
Interaction with ACM
This release removes the requirement for TACACS+ authenticated users to interact with the ACM ruleset.
When TACACS+ command authorization is enabled in 1903, TACACS+ authenticated users are no longer subjected to the operational (system acm operational-ruleset) mode ACM ruleset. This matches the existing behavior of TACACS+ users not being subjected to the configuration (system acm ruleset) mode ACM ruleset. This means TACACS+ users are presented with all the operational mode commands and the TACACS+ server is authoritative in whether a given user is allowed to execute a command or not.