diff options
| author | aapostoliuk <a.apostoliuk@vyos.io> | 2023-07-18 14:06:43 +0300 |
|---|---|---|
| committer | aapostoliuk <a.apostoliuk@vyos.io> | 2023-07-25 10:49:47 +0300 |
| commit | adb1a0fe63b1a7fff7cad955d0423a91a07823a1 (patch) | |
| tree | 517fc65d3458766ca5a1deffbc4523778cf21f75 | |
| parent | 64cc7d7e3b9e2f0f8e16cb95272336062700b91f (diff) | |
| download | vyos-1x-adb1a0fe63b1a7fff7cad955d0423a91a07823a1.tar.gz vyos-1x-adb1a0fe63b1a7fff7cad955d0423a91a07823a1.zip | |
login: T4790: Added check of the sum of radius timeouts
Added check of the sum of login radius timeouts.
It has to be less or eq 50 sec.
Added check of a number of login radius servers.
It has to be less or eq 8
Otherwise, log in to the device can be discarded.
Backported from 1.4
| -rwxr-xr-x | src/conf_mode/system-login.py | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index aba10689d..7cfd5c940 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -42,6 +42,10 @@ airbag.enable() radius_config_file = "/etc/pam_radius_auth.conf" +# LOGIN_TIMEOUT from /etc/loign.defs minus 10 sec +MAX_RADIUS_TIMEOUT: int = 50 +MAX_RADIUS_COUNT: int = 8 + def get_local_users(): """Return list of dynamically allocated users (see Debian Policy Manual)""" local_users = [] @@ -123,18 +127,29 @@ def verify(login): if 'radius' in login: if 'server' not in login['radius']: raise ConfigError('No RADIUS server defined!') - + sum_timeout: int = 0 + radius_servers_count: int = 0 fail = True for server, server_config in dict_search('radius.server', login).items(): if 'key' not in server_config: raise ConfigError(f'RADIUS server "{server}" requires key!') - if 'disabled' not in server_config: + if 'disable' not in server_config: + sum_timeout += int(server_config['timeout']) + radius_servers_count += 1 fail = False - continue + if fail: raise ConfigError('All RADIUS servers are disabled') + if radius_servers_count > MAX_RADIUS_COUNT: + raise ConfigError( + f'Number of RADIUS servers more than {MAX_RADIUS_COUNT}') + + if sum_timeout > MAX_RADIUS_TIMEOUT: + raise ConfigError( + f'Sum of RADIUS servers timeouts has to be less or eq {MAX_RADIUS_TIMEOUT} sec') + verify_vrf(login['radius']) if 'source_address' in login['radius']: |