diff options
author | Christian Breunig <christian@breunig.cc> | 2023-09-29 07:26:31 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-09-29 07:26:31 +0200 |
commit | 400df973d3518e9f18cb84b52ca89e08a399e461 (patch) | |
tree | 9b9e06d73009065ecbac1d5a4da2cb94018d7e53 /debian/vyos-1x.postinst | |
parent | fed59f9bddead060275f368de69e4e4470015ca9 (diff) | |
parent | 784fb7dc2ccc63789ed85d803e3ae41eef0e0253 (diff) | |
download | vyos-1x-400df973d3518e9f18cb84b52ca89e08a399e461.tar.gz vyos-1x-400df973d3518e9f18cb84b52ca89e08a399e461.zip |
Merge pull request #2256 from zdc/T5577-circinus
T5577: Optimized PAM configs for RADIUS/TACACS+
Diffstat (limited to 'debian/vyos-1x.postinst')
-rw-r--r-- | debian/vyos-1x.postinst | 25 |
1 files changed, 11 insertions, 14 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst index b43416152..860319edf 100644 --- a/debian/vyos-1x.postinst +++ b/debian/vyos-1x.postinst @@ -29,14 +29,9 @@ do sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file done -# We do not make use of a TACACS UNIX group - drop it -if grep -q '^tacacs' /etc/group; then - delgroup tacacs -fi - -# Both RADIUS and TACACS users belong to aaa group - this must be added first -if ! grep -q '^aaa' /etc/group; then - addgroup --firstgid 1000 --quiet aaa +# We need to have a group for RADIUS service users to use it inside PAM rules +if ! grep -q '^radius' /etc/group; then + addgroup --firstgid 1000 --quiet radius fi # Remove TACACS user added by base package - we use our own UID range and group @@ -53,6 +48,11 @@ if grep -q '^tacacs' /etc/passwd; then fi fi +# Remove TACACS+ PAM default profile +if [[ -e /usr/share/pam-configs/tacplus ]]; then + rm /usr/share/pam-configs/tacplus +fi + # Add TACACS system users required for TACACS based system authentication if ! grep -q '^tacacs' /etc/passwd; then # Add the tacacs group and all 16 possible tacacs privilege-level users to @@ -64,14 +64,13 @@ if ! grep -q '^tacacs' /etc/passwd; then level=0 vyos_group=vyattaop while [ $level -lt 16 ]; do - adduser --quiet --system --firstuid 900 --disabled-login --ingroup users \ + adduser --quiet --system --firstuid 900 --disabled-login --ingroup tacacs \ --no-create-home --gecos "TACACS+ mapped user at privilege level ${level}" \ --shell /bin/vbash tacacs${level} adduser --quiet tacacs${level} frrvty adduser --quiet tacacs${level} adm adduser --quiet tacacs${level} dip adduser --quiet tacacs${level} users - adduser --quiet tacacs${level} aaa if [ $level -lt 15 ]; then adduser --quiet tacacs${level} vyattaop adduser --quiet tacacs${level} operator @@ -87,7 +86,7 @@ fi # Add RADIUS operator user for RADIUS authenticated users to map to if ! grep -q '^radius_user' /etc/passwd; then - adduser --quiet --firstuid 1000 --disabled-login --ingroup users \ + adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \ --no-create-home --gecos "RADIUS mapped user at privilege level operator" \ --shell /sbin/radius_shell radius_user adduser --quiet radius_user frrvty @@ -96,12 +95,11 @@ if ! grep -q '^radius_user' /etc/passwd; then adduser --quiet radius_user adm adduser --quiet radius_user dip adduser --quiet radius_user users - adduser --quiet radius_user aaa fi # Add RADIUS admin user for RADIUS authenticated users to map to if ! grep -q '^radius_priv_user' /etc/passwd; then - adduser --quiet --firstuid 1000 --disabled-login --ingroup users \ + adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \ --no-create-home --gecos "RADIUS mapped user at privilege level admin" \ --shell /sbin/radius_shell radius_priv_user adduser --quiet radius_priv_user frrvty @@ -112,7 +110,6 @@ if ! grep -q '^radius_priv_user' /etc/passwd; then adduser --quiet radius_priv_user disk adduser --quiet radius_priv_user users adduser --quiet radius_priv_user frr - adduser --quiet radius_priv_user aaa fi # add hostsd group for vyos-hostsd |