[yang][tacacs]: reject unsupported mschap auth_type#26884
Open
Flamki wants to merge 1 commit into sonic-net:master from
Conversation
Remove TACACS mschap from sonic-system-tacacs YANG auth_type enum to avoid silently falling back to PAP at runtime. Add TACACS YANG tests to assert mschap is rejected for both global and server auth_type fields. Signed-off-by: Flamki <[email protected]>
Collaborator
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
Author
One compatibility note for visibility: this PR intentionally tightens YANG validation by rejecting auth_type=mschap (both TACPLUS global and TACPLUS_SERVER), since runtime does not actually support MSCHAP and falls back to PAP. Potential impact: any existing deployment still carrying auth_type=mschap in config DB may now fail validation/reload until switched to a supported type (pap/chap/login). Please let me know if you want a follow-up migration/cleanup path documented for operators upgrading with legacy configs.
Why I did it
SONiC TACACS currently accepts auth_type=mschap, but the TACACS auth runtime falls back to PAP. This is misleading and can create security/configuration confusion. Closes #26540.
Work item tracking
How I did it
- Removed mschap from the TACACS auth type enum in: src/sonic-yang-models/yang-models/sonic-system-tacacs.yang
- Added YANG tests asserting mschap is rejected in both the global and server-specific auth_type fields.
How to verify it
- Configure TACACS auth_type as mschap (global or server-specific).
- YANG validation fails (InvalidValue) instead of the value being accepted and silently behaving as PAP.
- Supported auth types (pap, chap, login) still work.
Which release branch to backport (provide reason below if selected)
Tested branch (Please provide the tested image version)
Description for the changelog
Reject unsupported TACACS mschap auth_type in YANG to prevent misleading PAP fallback behavior.
Link to config_db schema for YANG module changes
N/A (YANG enum tightening only; no new table/schema section).
A picture of a cute animal (not mandatory but encouraged)
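A pre-upgrade audit for the compatibility note in this PR, as an added example that is not part of this PR or of the sonic-buildimage tree. It assumes the config_db layout TACPLUS|global and TACPLUS_SERVER|<address>, each with an optional auth_type field; the sample config_db fragment is constructed.

```python
import json

# Auth types the sonic-system-tacacs YANG enum still accepts after this PR.
SUPPORTED_AUTH_TYPES = frozenset({"pap", "chap", "login"})

# Constructed sample config_db fragment (not taken from any real device).
# Assumed layout: TACPLUS|global and TACPLUS_SERVER|<address>, each with an
# optional auth_type field, as in SONiC's config_db.json.
SAMPLE_CONFIG_DB = json.loads("""{
  "TACPLUS": {"global": {"auth_type": "mschap", "timeout": "5"}},
  "TACPLUS_SERVER": {
    "10.0.0.1": {"priority": "1", "auth_type": "chap"},
    "10.0.0.2": {"priority": "2", "auth_type": "mschap"},
    "10.0.0.3": {"priority": "3"}
  }
}""")


def audit_tacacs_auth_types(config_db):
    """Return (table, key, auth_type) for every entry the tightened enum rejects.

    A server entry without its own auth_type inherits the global value, so
    it is not flagged on its own; the global entry is checked separately.
    """
    findings = []
    global_cfg = config_db.get("TACPLUS", {}).get("global", {})
    auth = global_cfg.get("auth_type")
    if auth is not None and auth not in SUPPORTED_AUTH_TYPES:
        findings.append(("TACPLUS", "global", auth))
    for server, entry in config_db.get("TACPLUS_SERVER", {}).items():
        auth = entry.get("auth_type")
        if auth is not None and auth not in SUPPORTED_AUTH_TYPES:
            findings.append(("TACPLUS_SERVER", server, auth))
    return findings


def report(findings):
    """Operator-facing lines: what will fail validation and what to change."""
    if not findings:
        return ["OK: all TACACS auth_type values are pap/chap/login"]
    lines = []
    for table, key, auth in findings:
        # Only mschap is known (per this PR) to have silently run as PAP.
        note = " (previously fell back to PAP at runtime)" if auth == "mschap" else ""
        lines.append(f"{table}|{key}: auth_type={auth} will fail YANG validation "
                     f"(InvalidValue){note}; set pap, chap or login explicitly")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit_tacacs_auth_types(SAMPLE_CONFIG_DB))))
```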