[TACACS+]: Add support for TACACS+ Authentication (#1019)

* [TACACS+]: Add support for TACACS+ Authentication

* pam_tacplus - A TACACS+ protocol client library and PAM module to
  supports core TACACS+ functions for AAA.
* nss_tacplus - A NSS plugin for TACACS+ to extend function getpwnam,
  make the TACACS+ authenticated user which is not found in local
  could login successfully.

* Add make rules for pam_tacplus and install script
* Add a patch for pam_tacplus to disable pam-auth-update pam-tacplus
  by default
* Add a patch for pam_tacplus to inlucde and build nss_tacplus

  Signed-off-by: [email protected]

* [TACACS+]: Add nss-tacplus as a separate src repo

* Separate nss-tacplus from pam-tacplus, modify tacacs.mk and
  makefile, add a patch to adapt to the new user map profile.
* Use the lastest stable version for pam-tacplus, add a dependent
  package in sonic-salve, add two patches to fix build error.
* Add scripts to disable tacplus by default.
* Remove hostcfgd service file

  Signed-off-by: Chenchen Qi <[email protected]>

* [TACACS+]: Fix nss-tacplus filter some valid TACACS+ username

* The NAME_REGEX for username check in plugin nss-tacplus is
  the ANSI version "^[0-9a-zA-Z_-\ ]*$", but the regular expression
  in /etc/adduser.conf is not defined as ANSI version. To avoid
  nss-tacplus filter some valid TACACS+ username, remove username
  check.

  Signed-off-by: Chenchen Qi <[email protected]>

files/build_templates/sonic_debian_extension.j2

@@ -89,6 +89,14 @@ sudo cp -f $IMAGE_CONFIGS/bash/bash.bashrc $FILESYSTEM_ROOT/etc/
 sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/sonic-device-data_*.deb || \
     sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
 
+# Install pam-tacplus and nss-tacplus
+sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/libtac2_*.deb
+sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/libpam-tacplus_*.deb
+sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/libnss-tacplus_*.deb
+# Disable tacplus by default
+sudo LANG=C chroot $FILESYSTEM_ROOT pam-auth-update --remove tacplus
+sudo sed -i -e '/^passwd/s/ tacplus//' $FILESYSTEM_ROOT/etc/nsswitch.conf
+
 # Copy crontabs
 sudo cp -f $IMAGE_CONFIGS/cron.d/* $FILESYSTEM_ROOT/etc/cron.d/
 

rules/tacacs.mk

@@ -0,0 +1,29 @@
+# libpam-tacplus packages
+
+PAM_TACPLUS_VERSION = 1.4.1-1
+
+export PAM_TACPLUS_VERSION
+
+LIBPAM_TACPLUS = libpam-tacplus_$(PAM_TACPLUS_VERSION)_amd64.deb
+$(LIBPAM_TACPLUS)_RDEPENDS += $(LIBTAC2)
+$(LIBPAM_TACPLUS)_SRC_PATH = $(SRC_PATH)/tacacs/pam
+SONIC_MAKE_DEBS += $(LIBPAM_TACPLUS)
+
+LIBTAC_DEV = libtac-dev_$(PAM_TACPLUS_VERSION)_amd64.deb
+$(LIBTAC_DEV)_DEPENDS += $(LIBTAC2)
+$(eval $(call add_derived_package,$(LIBTAC2),$(LIBTAC_DEV)))
+
+LIBTAC2 = libtac2_$(PAM_TACPLUS_VERSION)_amd64.deb
+$(eval $(call add_extra_package,$(LIBPAM_TACPLUS),$(LIBTAC2)))
+
+
+# libnss-tacplus packages
+NSS_TACPLUS_VERSION = 1.0.4-1
+
+export NSS_TACPLUS_VERSION
+
+LIBNSS_TACPLUS = libnss-tacplus_$(NSS_TACPLUS_VERSION)_amd64.deb
+$(LIBNSS_TACPLUS)_DEPENDS += $(LIBTAC_DEV)
+$(LIBNSS_TACPLUS)_RDEPENDS += $(LIBTAC2)
+$(LIBNSS_TACPLUS)_SRC_PATH = $(SRC_PATH)/tacacs/nss
+SONIC_MAKE_DEBS += $(LIBNSS_TACPLUS)

slave.mk

@@ -391,7 +391,9 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
                 $(LINUX_KERNEL) \
                 $(IGB_DRIVER) \
                 $(SONIC_DEVICE_DATA) \
-                $(SONIC_UTILS)) \
+                $(SONIC_UTILS) \
+                $(LIBPAM_TACPLUS) \
+                $(LIBNSS_TACPLUS)) \
         $$(addprefix $(TARGET_PATH)/,$$($$*_DOCKERS)) \
         $$(addprefix $(PYTHON_WHEELS_PATH)/,$(SONIC_CONFIG_ENGINE))
 	$(HEADER)

sonic-slave/Dockerfile

@@ -204,6 +204,8 @@ RUN apt-get update && apt-get install -y \
 # For gtest
         libgtest-dev \
         cmake \
+# For pam_tacplus build
+        autoconf-archive \
 # For python-based swsscommon
         swig3.0 \
 # For iproute2