author | zsdc <taras@vyos.io> | 2023-09-26 11:27:07 +0300 |
---|---|---|
committer | zsdc <taras@vyos.io> | 2023-11-20 19:07:11 +0200 |
commit | d7457268fcaa5626e512eb00a9aab36f4a617f28 (patch) | |
tree | b44029f81f1a47a86b475a00d0b22587addfd2db | |
parent | 471e26233e2e1c7b4ad20aff673a18ac5d745296 (diff) | |
download | vyos-1x-d7457268fcaa5626e512eb00a9aab36f4a617f28.tar.gz vyos-1x-d7457268fcaa5626e512eb00a9aab36f4a617f28.zip |
PAM: T5577: Optimized RADIUS PAM config
- Added system `radius` group
- Added `mandatory` and `optional` modes for RADIUS
- Improved PAM config for RADIUS
New modes:
- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be
stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`, authentication
continues using the next module.
In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, the RADIUS
module will be skipped and authentication will continue with the next module, as in
`optional` mode.
-rw-r--r-- | debian/vyos-1x.postinst | 9 | ||||
-rw-r--r-- | interface-definitions/include/radius-server-ipv4-ipv6.xml.i | 20 | ||||
-rwxr-xr-x | src/conf_mode/system-login.py | 10 | ||||
-rw-r--r-- | src/pam-configs/radius | 20 | ||||
-rw-r--r-- | src/pam-configs/radius-mandatory | 19 | ||||
-rw-r--r-- | src/pam-configs/radius-optional | 19 |
6 files changed, 74 insertions, 23 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 81ba74b9b..7b865fb11 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -45,3 +45,12 @@ done
 # Enable Cloud-init pre-configuration service
 systemctl enable vyos-config-cloud-init.service
+
+# We need to have a group for RADIUS service users to use it inside PAM rules
+if ! grep -q '^radius' /etc/group; then
+ addgroup --quiet radius
+fi
+
+# And add RADIUS users to this group
+usermod -aG radius radius_user
+usermod -aG radius radius_priv_user
diff --git a/interface-definitions/include/radius-server-ipv4-ipv6.xml.i b/interface-definitions/include/radius-server-ipv4-ipv6.xml.i
index 5b12bec62..6a432bac9 100644
--- a/interface-definitions/include/radius-server-ipv4-ipv6.xml.i
+++ b/interface-definitions/include/radius-server-ipv4-ipv6.xml.i
@@ -47,6 +47,26 @@
 <multi/>
 </properties>
 </leafNode>
+ <leafNode name="security-mode">
+ <properties>
+ <help>Security mode for RADIUS authentication</help>
+ <completionHelp>
+ <list>mandatory optional</list>
+ </completionHelp>
+ <valueHelp>
+ <format>mandatory</format>
+ <description>Deny access immediately if RADIUS answers with Access-Reject</description>
+ </valueHelp>
+ <valueHelp>
+ <format>optional</format>
+ <description>Pass to the next authentication method if RADIUS answers with Access-Reject</description>
+ </valueHelp>
+ <constraint>
+ <regex>(mandatory|optional)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>optional</defaultValue>
+ </leafNode>
 </children>
 </node>
 <!-- include end -->
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 7cfd5c940..4e61bd8ad 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
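Review bot: The group check `grep -q '^radius' /etc/group` in the new postinst block matches any group whose name merely begins with `radius`, so if such a group exists the `addgroup --quiet radius` call is skipped and the two `usermod -aG radius …` lines that follow fail against a non-existent group; query the exact name instead, `if ! getent group radius >/dev/null; then`. The `usermod` lines also assume `radius_user` and `radius_priv_user` already exist, which presumably happens earlier in this script but is not visible in the hunk; if the script runs with `set -e`, a missing user aborts the rest of the postinst. The surrounding script continues outside the hunk.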
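Review bot: The valueHelp description for `mandatory` covers only the Access-Reject case, while the commit description says the mode also denies users the RADIUS server does not know and still falls through to the next method when the server is unreachable; an operator choosing this mode from the CLI sees neither point. Suggest extending the description to `Deny access immediately if RADIUS answers with Access-Reject (including users unknown to RADIUS); an unreachable server still falls through to the next method`. The `optional` description could likewise note that it is the default, so that readers of the help text know which behaviour applies when the node is unset.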
@@ -299,9 +299,15 @@ def apply(login):
 env = os.environ.copy()
 env['DEBIAN_FRONTEND'] = 'noninteractive'
 try:
+ # Disable PAM before enabling or modifying anything
+ cmd('pam-auth-update --disable radius-mandatory radius-optional', env=env)
 if 'radius' in login:
 # Enable RADIUS in PAM
- cmd('pam-auth-update --package --enable radius', env=env)
+ if login['radius'].get('security_mode', '') == 'mandatory':
+ pam_profile = 'radius-mandatory'
+ else:
+ pam_profile = 'radius-optional'
+ cmd(f'pam-auth-update --enable {pam_profile}', env=env)
 # Make NSS system aware of RADIUS
 # This fancy snipped was copied from old Vyatta code
 command = "sed -i -e \'/\smapname/b\' \
@@ -312,8 +318,6 @@ def apply(login):
 -e \'/^group:[^#]*$/s/: */&mapname /\' \
 /etc/nsswitch.conf"
 else:
- # Disable RADIUS in PAM
- cmd('pam-auth-update --package --remove radius', env=env)
 # Drop RADIUS from NSS NSS system
 # This fancy snipped was copied from old Vyatta code
 command = "sed -i -e \'/^passwd:.*mapuid[ \t]/s/mapuid[ \t]//\' \
diff --git a/src/pam-configs/radius b/src/pam-configs/radius
deleted file mode 100644
index 0e2c71e38..000000000
--- a/src/pam-configs/radius
+++ /dev/null
@@ -1,20 +0,0 @@
-Name: RADIUS authentication
-Default: yes
-Priority: 257
-Auth-Type: Primary
-Auth:
- [default=ignore success=1] pam_succeed_if.so uid eq 1001 quiet
- [default=ignore success=ignore] pam_succeed_if.so uid eq 1002 quiet
- [authinfo_unavail=ignore success=end default=ignore] pam_radius_auth.so
-
-Account-Type: Primary
-Account:
- [default=ignore success=1] pam_succeed_if.so uid eq 1001 quiet
- [default=ignore success=ignore] pam_succeed_if.so uid eq 1002 quiet
- [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_radius_auth.so
-
-Session-Type: Additional
-Session:
- [default=ignore success=1] pam_succeed_if.so uid eq 1001 quiet
- [default=ignore success=ignore] pam_succeed_if.so uid eq 1002 quiet
- [authinfo_unavail=ignore success=ok default=ignore] pam_radius_auth.so
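Review bot: The comment `# Disable PAM before enabling or modifying anything` on the first added line overstates what the call does: it disables the two RADIUS profiles, not PAM as a whole; suggest `# Disable both RADIUS PAM profiles first so that a security-mode change never leaves the previous profile enabled`. The new `pam-auth-update` calls also drop the `--package` flag that the removed line passed; whether the `DEBIAN_FRONTEND=noninteractive` environment set above is enough for pam-auth-update to apply the change on a system whose /etc/pam.d/common-* files carry local modifications cannot be confirmed from this hunk and is worth checking before relying on the disable/enable cycle. The second hunk of this file only removes the old `--remove radius` branch, which the unconditional disable now covers. apply() continues outside both hunks, so the `except` that pairs with this `try:` is not visible here.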
diff --git a/src/pam-configs/radius-mandatory b/src/pam-configs/radius-mandatory
new file mode 100644
index 000000000..3368fe7ff
--- /dev/null
+++ b/src/pam-configs/radius-mandatory
@@ -0,0 +1,19 @@
+Name: RADIUS authentication (mandatory mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth-Initial:
+ [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so
+Auth:
+ [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so use_first_pass
+
+Account-Type: Primary
+Account:
+ [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+ [default=ignore success=end] pam_radius_auth.so
+
+Session-Type: Additional
+Session:
+ [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+ [default=bad success=ok] pam_radius_auth.so
diff --git a/src/pam-configs/radius-optional b/src/pam-configs/radius-optional
new file mode 100644
index 000000000..73085061d
--- /dev/null
+++ b/src/pam-configs/radius-optional
@@ -0,0 +1,19 @@
+Name: RADIUS authentication (optional mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth-Initial:
+ [default=ignore success=end] pam_radius_auth.so
+Auth:
+ [default=ignore success=end] pam_radius_auth.so use_first_pass
+
+Account-Type: Primary
+Account:
+ [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+ [default=ignore success=end] pam_radius_auth.so
+
+Session-Type: Additional
+Session:
+ [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+ [default=ignore success=ok perm_denied=bad user_unknown=bad] pam_radius_auth.so
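Review bot: In the Account stack of radius-mandatory, `[default=ignore success=end] pam_radius_auth.so` maps a perm_denied or user_unknown result to ignore, so an account-phase rejection for a user in the `radius` group falls through to the modules that follow, whereas the Auth stack a few lines above dies on the same results and the deleted profile used `perm_denied=bad` at this position. If the account phase is meant to be as strict as the auth phase in this mode, `[default=ignore success=end perm_denied=die user_unknown=die] pam_radius_auth.so`; whether pam_radius_auth.so ever returns those codes from its account hook cannot be confirmed from the diff. The Session line `[default=bad success=ok] pam_radius_auth.so` fails the session on any error, including an unreachable server, which is stricter than the fall-through the commit description promises for the Auth stack and differs from the optional profile's `default=ignore`; if that asymmetry is intended, it belongs in the CLI help for `security-mode`.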