summaryrefslogtreecommitdiff
path: root/debian/vyos-1x.postinst
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2023-11-21 10:08:03 +0100
committerGitHub <noreply@github.com>2023-11-21 10:08:03 +0100
commit916adfaf0774df0731522bf3cbd886d794735c50 (patch)
treeb043c0e29103c814467239ea8d729c6ecc4d6d49 /debian/vyos-1x.postinst
parentcec47950a5d30944c0063723d3967cd17502d6b1 (diff)
parente1bf5516bbb00de5689a1091a6e21b1fc45a7340 (diff)
downloadvyos-1x-916adfaf0774df0731522bf3cbd886d794735c50.tar.gz
vyos-1x-916adfaf0774df0731522bf3cbd886d794735c50.zip
Merge pull request #2512 from zdc/T5577-sagitta
PAM: T5577: Backported PAM settings from circinus
Diffstat (limited to 'debian/vyos-1x.postinst')
-rw-r--r--debian/vyos-1x.postinst25
1 files changed, 11 insertions, 14 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 232600b48..22b50ce2a 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -29,14 +29,9 @@ do
sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file
done
-# We do not make use of a TACACS UNIX group - drop it
-if grep -q '^tacacs' /etc/group; then
- delgroup tacacs
-fi
-
-# Both RADIUS and TACACS users belong to aaa group - this must be added first
-if ! grep -q '^aaa' /etc/group; then
- addgroup --firstgid 1000 --quiet aaa
+# We need to have a group for RADIUS service users to use it inside PAM rules
+if ! grep -q '^radius' /etc/group; then
+ addgroup --firstgid 1000 --quiet radius
fi
# Remove TACACS user added by base package - we use our own UID range and group
@@ -53,6 +48,11 @@ if grep -q '^tacacs' /etc/passwd; then
fi
fi
+# Remove TACACS+ PAM default profile
+if [[ -e /usr/share/pam-configs/tacplus ]]; then
+ rm /usr/share/pam-configs/tacplus
+fi
+
# Add TACACS system users required for TACACS based system authentication
if ! grep -q '^tacacs' /etc/passwd; then
# Add the tacacs group and all 16 possible tacacs privilege-level users to
@@ -64,14 +64,13 @@ if ! grep -q '^tacacs' /etc/passwd; then
level=0
vyos_group=vyattaop
while [ $level -lt 16 ]; do
- adduser --quiet --system --firstuid 900 --disabled-login --ingroup users \
+ adduser --quiet --system --firstuid 900 --disabled-login --ingroup tacacs \
--no-create-home --gecos "TACACS+ mapped user at privilege level ${level}" \
--shell /bin/vbash tacacs${level}
adduser --quiet tacacs${level} frrvty
adduser --quiet tacacs${level} adm
adduser --quiet tacacs${level} dip
adduser --quiet tacacs${level} users
- adduser --quiet tacacs${level} aaa
if [ $level -lt 15 ]; then
adduser --quiet tacacs${level} vyattaop
adduser --quiet tacacs${level} operator
@@ -87,7 +86,7 @@ fi
# Add RADIUS operator user for RADIUS authenticated users to map to
if ! grep -q '^radius_user' /etc/passwd; then
- adduser --quiet --firstuid 1000 --disabled-login --ingroup users \
+ adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \
--no-create-home --gecos "RADIUS mapped user at privilege level operator" \
--shell /sbin/radius_shell radius_user
adduser --quiet radius_user frrvty
@@ -96,12 +95,11 @@ if ! grep -q '^radius_user' /etc/passwd; then
adduser --quiet radius_user adm
adduser --quiet radius_user dip
adduser --quiet radius_user users
- adduser --quiet radius_user aaa
fi
# Add RADIUS admin user for RADIUS authenticated users to map to
if ! grep -q '^radius_priv_user' /etc/passwd; then
- adduser --quiet --firstuid 1000 --disabled-login --ingroup users \
+ adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \
--no-create-home --gecos "RADIUS mapped user at privilege level admin" \
--shell /sbin/radius_shell radius_priv_user
adduser --quiet radius_priv_user frrvty
@@ -112,7 +110,6 @@ if ! grep -q '^radius_priv_user' /etc/passwd; then
adduser --quiet radius_priv_user disk
adduser --quiet radius_priv_user users
adduser --quiet radius_priv_user frr
- adduser --quiet radius_priv_user aaa
fi
# add hostsd group for vyos-hostsd