diff options
author | Christian Breunig <christian@breunig.cc> | 2023-11-21 10:08:03 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-11-21 10:08:03 +0100 |
commit | 916adfaf0774df0731522bf3cbd886d794735c50 (patch) | |
tree | b043c0e29103c814467239ea8d729c6ecc4d6d49 /debian/vyos-1x.postinst | |
parent | cec47950a5d30944c0063723d3967cd17502d6b1 (diff) | |
parent | e1bf5516bbb00de5689a1091a6e21b1fc45a7340 (diff) | |
download | vyos-1x-916adfaf0774df0731522bf3cbd886d794735c50.tar.gz vyos-1x-916adfaf0774df0731522bf3cbd886d794735c50.zip |
Merge pull request #2512 from zdc/T5577-sagitta
PAM: T5577: Backported PAM settings from circinus
Diffstat (limited to 'debian/vyos-1x.postinst')
-rw-r--r-- | debian/vyos-1x.postinst | 25 |
1 files changed, 11 insertions, 14 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst index 232600b48..22b50ce2a 100644 --- a/debian/vyos-1x.postinst +++ b/debian/vyos-1x.postinst @@ -29,14 +29,9 @@ do sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file done -# We do not make use of a TACACS UNIX group - drop it -if grep -q '^tacacs' /etc/group; then - delgroup tacacs -fi - -# Both RADIUS and TACACS users belong to aaa group - this must be added first -if ! grep -q '^aaa' /etc/group; then - addgroup --firstgid 1000 --quiet aaa +# We need to have a group for RADIUS service users to use it inside PAM rules +if ! grep -q '^radius' /etc/group; then + addgroup --firstgid 1000 --quiet radius fi # Remove TACACS user added by base package - we use our own UID range and group @@ -53,6 +48,11 @@ if grep -q '^tacacs' /etc/passwd; then fi fi +# Remove TACACS+ PAM default profile +if [[ -e /usr/share/pam-configs/tacplus ]]; then + rm /usr/share/pam-configs/tacplus +fi + # Add TACACS system users required for TACACS based system authentication if ! grep -q '^tacacs' /etc/passwd; then # Add the tacacs group and all 16 possible tacacs privilege-level users to @@ -64,14 +64,13 @@ if ! grep -q '^tacacs' /etc/passwd; then level=0 vyos_group=vyattaop while [ $level -lt 16 ]; do - adduser --quiet --system --firstuid 900 --disabled-login --ingroup users \ + adduser --quiet --system --firstuid 900 --disabled-login --ingroup tacacs \ --no-create-home --gecos "TACACS+ mapped user at privilege level ${level}" \ --shell /bin/vbash tacacs${level} adduser --quiet tacacs${level} frrvty adduser --quiet tacacs${level} adm adduser --quiet tacacs${level} dip adduser --quiet tacacs${level} users - adduser --quiet tacacs${level} aaa if [ $level -lt 15 ]; then adduser --quiet tacacs${level} vyattaop adduser --quiet tacacs${level} operator @@ -87,7 +86,7 @@ fi # Add RADIUS operator user for RADIUS authenticated users to map to if ! grep -q '^radius_user' /etc/passwd; then - adduser --quiet --firstuid 1000 --disabled-login --ingroup users \ + adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \ --no-create-home --gecos "RADIUS mapped user at privilege level operator" \ --shell /sbin/radius_shell radius_user adduser --quiet radius_user frrvty @@ -96,12 +95,11 @@ if ! grep -q '^radius_user' /etc/passwd; then adduser --quiet radius_user adm adduser --quiet radius_user dip adduser --quiet radius_user users - adduser --quiet radius_user aaa fi # Add RADIUS admin user for RADIUS authenticated users to map to if ! grep -q '^radius_priv_user' /etc/passwd; then - adduser --quiet --firstuid 1000 --disabled-login --ingroup users \ + adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \ --no-create-home --gecos "RADIUS mapped user at privilege level admin" \ --shell /sbin/radius_shell radius_priv_user adduser --quiet radius_priv_user frrvty @@ -112,7 +110,6 @@ if ! grep -q '^radius_priv_user' /etc/passwd; then adduser --quiet radius_priv_user disk adduser --quiet radius_priv_user users adduser --quiet radius_priv_user frr - adduser --quiet radius_priv_user aaa fi # add hostsd group for vyos-hostsd |