vyos-1x.git/data/templates/ssh, branch vyos/1.4dev1 VyOS command definitions, scripts, and utilities (mirror of https://github.com/marekm72/vyos-1x.git) https://git.amelek.net/marekm72/vyos-1x.git/atom?h=vyos%2F1.4dev1 2023-02-24T18:07:18+00:00 login: T4943: Fixed 2FA + RADIUS compatibility 2023-02-24T18:07:18+00:00 zsdc taras@vyos.io 2023-02-24T18:07:18+00:00 urn:sha1:32a4415191ca725be9b3ca4c5f664123a0e767eb MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS module for PAM does not like it, which makes them incompatible. This commit: * disables KbdInteractiveAuthentication * changes order for PAM modules - make it first, before `pam_unix` or `pam_radius_auth` * enables the `forward_pass` option for `pam_google_authenticator` to accept both password and MFA in a single input As a result, local, RADIUS, and MFA work together. Important change: MFA should be entered together with a password. Before: ``` vyos login: <USERNAME> Password: <PASSWORD> Verification code: <MFA> ``` Now: ``` vyos login: <USERNAME> Password & verification code: <PASSWORD><MFA> ``` ssh: T4720: Ability to configure SSH-server HostKeyAlgorithms 2022-10-17T12:15:22+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2022-10-17T12:15:22+00:00 urn:sha1:85f04237160a6ea98eea4ec58f1ccab9f6bfc31a Ability to configure SSH-server HostKeyAlgorithms. Specifies the host key signature algorithms that the server offers. Can accept multiple values. Merge pull request #1555 from goodNETnick/ssh_otp 2022-10-12T07:02:37+00:00 Christian Poessinger christian@poessinger.com 2022-10-12T07:02:37+00:00 urn:sha1:6951fa7ef6ea4a2715b9083d654f6cf3f3b60213 system login: T874: add 2FA support for local and ssh authentication system login: T874: add 2FA support for local and ssh authentication 2022-10-11T23:56:45+00:00 goodNETnick pknet@ya.ru 2022-09-22T06:03:04+00:00 urn:sha1:765f84386b6e94984ff79db2eab36d51f759159b ssh: T4716: Ablity to configure RekeyLimit data and time 2022-10-10T12:52:54+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2022-09-27T16:06:52+00:00 urn:sha1:b9de775a5b4f017f9d164a127d93f55ce9053756 Ability to configure SSH RekeyLimit data (in Megabytes) and time (in Minutes) set service ssh rekey data 1024 set service ssh rekey time 60 ssh: T3212: do not load systemd EnvironmentFile 2022-07-22T21:16:13+00:00 Christian Poessinger christian@poessinger.com 2022-07-22T21:05:25+00:00 urn:sha1:8c7cd6f181a4bbb5aee99f50e6c32eb1f4f37c3d sshguard: T4408: rename whitelist-address -> allow-from 2022-05-13T16:43:09+00:00 Christian Poessinger christian@poessinger.com 2022-05-13T16:43:07+00:00 urn:sha1:37a08888d103556326ecd13e4738301ac901c861 We do not only allow individual host addresses but also prefixes. sshguard: T4408: Add service ssh dynamic-protection 2022-05-12T17:27:38+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2022-05-10T15:14:19+00:00 urn:sha1:2e81f9e057f598a9a9e5c2d617e3d0818005d850 Sshguard protects hosts from brute-force attacks Can inspect logs and block "bad" addresses by threshold Auto-generate rules for nftables When service stopped all generated rules are deleted nft "type filter hook input priority filter - 10" set service ssh dynamic-protection set service ssh dynamic-protection block-time 120 set service ssh dynamic-protection detect-time 1800 set service ssh dynamic-protection threshold 30 set service ssh dynamic-protection whitelist-address 192.0.2.1 ssh: T4353: fix Jinja2 linting errors 2022-04-14T19:34:52+00:00 Christian Poessinger christian@poessinger.com 2022-04-14T19:34:52+00:00 urn:sha1:dbfc2add3434638628b43ecfa097fbd166c85db7 ssh: T4333: migrate to new vyos_defined Jinja2 test 2022-04-11T04:05:12+00:00 Christian Poessinger christian@poessinger.com 2022-04-11T04:05:12+00:00 urn:sha1:5f164e59aac8ce7b8eba50d3906da87a3bb7a9da