author | Christian Breunig <christian@breunig.cc> | 2023-11-21 10:08:20 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-11-21 10:08:20 +0100 |
commit | bdf0a3b288f93f2e8257106de968ddaa3fca0e21 (patch) | |
tree | b44029f81f1a47a86b475a00d0b22587addfd2db | |
parent | 471e26233e2e1c7b4ad20aff673a18ac5d745296 (diff) | |
parent | d7457268fcaa5626e512eb00a9aab36f4a617f28 (diff) | |
Merge pull request #2513 from zdc/T5577-equuleus
PAM: T5577: Optimized RADIUS PAM config (backport from circinus)
-rw-r--r-- | debian/vyos-1x.postinst | 9 | ||||
-rw-r--r-- | interface-definitions/include/radius-server-ipv4-ipv6.xml.i | 20 | ||||
-rwxr-xr-x | src/conf_mode/system-login.py | 10 | ||||
-rw-r--r-- | src/pam-configs/radius | 20 | ||||
-rw-r--r-- | src/pam-configs/radius-mandatory | 19 | ||||
-rw-r--r-- | src/pam-configs/radius-optional | 19 |
6 files changed, 74 insertions, 23 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 81ba74b9b..7b865fb11 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -45,3 +45,12 @@ done
 
 # Enable Cloud-init pre-configuration service
 systemctl enable vyos-config-cloud-init.service
+
+# We need to have a group for RADIUS service users to use it inside PAM rules
+if ! grep -q '^radius' /etc/group; then
+ addgroup --quiet radius
+fi
+
+# And add RADIUS users to this group
+usermod -aG radius radius_user
+usermod -aG radius radius_priv_user
diff --git a/interface-definitions/include/radius-server-ipv4-ipv6.xml.i b/interface-definitions/include/radius-server-ipv4-ipv6.xml.i
index 5b12bec62..6a432bac9 100644
--- a/interface-definitions/include/radius-server-ipv4-ipv6.xml.i
+++ b/interface-definitions/include/radius-server-ipv4-ipv6.xml.i
@@ -47,6 +47,26 @@
 <multi/>
 </properties>
 </leafNode>
+ <leafNode name="security-mode">
+ <properties>
+ <help>Security mode for RADIUS authentication</help>
+ <completionHelp>
+ <list>mandatory optional</list>
+ </completionHelp>
+ <valueHelp>
+ <format>mandatory</format>
+ <description>Deny access immediately if RADIUS answers with Access-Reject</description>
+ </valueHelp>
+ <valueHelp>
+ <format>optional</format>
+ <description>Pass to the next authentication method if RADIUS answers with Access-Reject</description>
+ </valueHelp>
+ <constraint>
+ <regex>(mandatory|optional)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>optional</defaultValue>
+ </leafNode>
 </children>
 </node>
 <!-- include end -->
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 7cfd5c940..4e61bd8ad 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
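Review bot: `grep -q '^radius' /etc/group` is anchored only at the start, so any group whose name merely begins with `radius` (for example a per-user group of `radius_user`, if the users referenced two lines later get one) satisfies the test, the `radius` group is never created, and the two unconditional `usermod -aG radius ...` calls then fail — fatally if the script runs with `set -e`. Ask the NSS database directly instead: `if ! getent group radius >/dev/null; then`. The `usermod` lines also assume `radius_user` and `radius_priv_user` already exist; their creation is not visible in this hunk, so guarding each with a `getent passwd` check would keep the postinst idempotent on images where they are missing. Since the new PAM profiles in this commit decide whether to run the RADIUS account and session modules by membership in `radius`, a quiet failure here changes which users bypass those checks, so this setup is worth failing loudly on rather than skipping.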
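Review bot: The `mandatory` value help promises an immediate deny, but the `radius-mandatory` PAM profile added in this same commit keeps `default=ignore` for every result other than `auth_err`, `perm_denied` and `user_unknown`, so an unreachable or timing-out RADIUS server still falls through to the next authentication method; operators reading only this help will assume a stricter guarantee. Spell it out in the description, e.g. `<description>Deny access if RADIUS answers with Access-Reject (an unreachable server still falls through to local authentication)</description>`. It is also worth stating in the `optional` description that it is the default and that a rejected user is then tried against local credentials, since `<defaultValue>optional</defaultValue>` makes this fail-open behaviour what every existing configuration gets after upgrade.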
@@ -299,9 +299,15 @@ def apply(login):
 env = os.environ.copy()
 env['DEBIAN_FRONTEND'] = 'noninteractive'
 try:
+ # Disable PAM before enabling or modifying anything
+ cmd('pam-auth-update --disable radius-mandatory radius-optional', env=env)
 if 'radius' in login:
 # Enable RADIUS in PAM
- cmd('pam-auth-update --package --enable radius', env=env)
+ if login['radius'].get('security_mode', '') == 'mandatory':
+ pam_profile = 'radius-mandatory'
+ else:
+ pam_profile = 'radius-optional'
+ cmd(f'pam-auth-update --enable {pam_profile}', env=env)
 # Make NSS system aware of RADIUS
 # This fancy snipped was copied from old Vyatta code
 command = "sed -i -e \'/\smapname/b\' \
@@ -312,8 +318,6 @@ def apply(login):
 -e \'/^group:[^#]*$/s/: */&mapname /\' \
 /etc/nsswitch.conf"
 else:
- # Disable RADIUS in PAM
- cmd('pam-auth-update --package --remove radius', env=env)
 # Drop RADIUS from NSS NSS system
 # This fancy snipped was copied from old Vyatta code
 command = "sed -i -e \'/^passwd:.*mapuid[ \t]/s/mapuid[ \t]//\' \
diff --git a/src/pam-configs/radius b/src/pam-configs/radius
deleted file mode 100644
index 0e2c71e38..000000000
--- a/src/pam-configs/radius
+++ /dev/null
@@ -1,20 +0,0 @@
-Name: RADIUS authentication
-Default: yes
-Priority: 257
-Auth-Type: Primary
-Auth:
- [default=ignore success=1] pam_succeed_if.so uid eq 1001 quiet
- [default=ignore success=ignore] pam_succeed_if.so uid eq 1002 quiet
- [authinfo_unavail=ignore success=end default=ignore] pam_radius_auth.so
-
-Account-Type: Primary
-Account:
- [default=ignore success=1] pam_succeed_if.so uid eq 1001 quiet
- [default=ignore success=ignore] pam_succeed_if.so uid eq 1002 quiet
- [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_radius_auth.so
-
-Session-Type: Additional
-Session:
- [default=ignore success=1] pam_succeed_if.so uid eq 1001 quiet
- [default=ignore success=ignore] pam_succeed_if.so uid eq 1002 quiet
- [authinfo_unavail=ignore success=ok default=ignore] pam_radius_auth.so
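Review bot: The unconditional `--disable` followed by a separate `--enable` rewrites the PAM stack with no RADIUS stanza in between, and if the second `cmd()` fails the system stays in that state; whether that is surfaced depends on the `except` clause, which lies outside this hunk (apply's body continues past it), so if it only logs, a failed enable silently degrades a `mandatory` deployment to local-password-only authentication. Make sure that path re-raises or converts the failure into a commit error, e.g. `raise ConfigError(f'Failed to enable PAM profile {pam_profile}') from e`, rather than treating it as best-effort. The new calls also drop the `--package` flag the removed line passed; pam-auth-update uses that flag to mark maintainer-script (non-interactive) use, so confirm on this base image that `--enable` and `--disable` still behave non-interactively with only the `DEBIAN_FRONTEND=noninteractive` environment set above.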
diff --git a/src/pam-configs/radius-mandatory b/src/pam-configs/radius-mandatory
new file mode 100644
index 000000000..3368fe7ff
--- /dev/null
+++ b/src/pam-configs/radius-mandatory
@@ -0,0 +1,19 @@
+Name: RADIUS authentication (mandatory mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth-Initial:
+ [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so
+Auth:
+ [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so use_first_pass
+
+Account-Type: Primary
+Account:
+ [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+ [default=ignore success=end] pam_radius_auth.so
+
+Session-Type: Additional
+Session:
+ [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+ [default=bad success=ok] pam_radius_auth.so
diff --git a/src/pam-configs/radius-optional b/src/pam-configs/radius-optional
new file mode 100644
index 000000000..73085061d
--- /dev/null
+++ b/src/pam-configs/radius-optional
@@ -0,0 +1,19 @@
+Name: RADIUS authentication (optional mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth-Initial:
+ [default=ignore success=end] pam_radius_auth.so
+Auth:
+ [default=ignore success=end] pam_radius_auth.so use_first_pass
+
+Account-Type: Primary
+Account:
+ [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+ [default=ignore success=end] pam_radius_auth.so
+
+Session-Type: Additional
+Session:
+ [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+ [default=ignore success=ok perm_denied=bad user_unknown=bad] pam_radius_auth.so |
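Review bot: The `Auth-Initial` and `Auth` lines make only `auth_err`, `perm_denied` and `user_unknown` fatal; every other non-success result, including `authinfo_unavail` (no server answered before the timeout), hits `default=ignore` and falls through to the next module, so "mandatory" mode is still fail-open whenever the RADIUS server cannot respond. If that is the intended lockout safeguard it should be stated wherever the mode is described, since the CLI help added in this commit promises an immediate deny; if it is not, add `authinfo_unavail=die` to both lines. Note also that the `Session` line's `default=bad` refuses a session to a `radius`-group user whose accounting exchange fails even after a successful authentication, which is the opposite fail mode from the auth phase and is worth documenting next to the CLI help so the two behaviours are not assumed to match.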