diff options
| author | zsdc <taras@vyos.io> | 2023-09-26 11:27:07 +0300 |
|---|---|---|
| committer | zsdc <taras@vyos.io> | 2023-11-20 19:07:11 +0200 |
| commit | d7457268fcaa5626e512eb00a9aab36f4a617f28 (patch) | |
| tree | b44029f81f1a47a86b475a00d0b22587addfd2db /debian | |
| parent | 471e26233e2e1c7b4ad20aff673a18ac5d745296 (diff) | |
| download | vyos-1x-d7457268fcaa5626e512eb00a9aab36f4a617f28.tar.gz vyos-1x-d7457268fcaa5626e512eb00a9aab36f4a617f28.zip | |
PAM: T5577: Optimized RADIUS PAM config
- Added system `radius` group
- Added `mandatory` and `optional` modes for RADIUS
- Improved PAM config for RADIUS
New modes:
- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be
stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`, authentication
continues using the next module.
In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
Diffstat (limited to 'debian')
| -rw-r--r-- | debian/vyos-1x.postinst | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst index 81ba74b9b..7b865fb11 100644 --- a/debian/vyos-1x.postinst +++ b/debian/vyos-1x.postinst @@ -45,3 +45,12 @@ done # Enable Cloud-init pre-configuration service systemctl enable vyos-config-cloud-init.service + +# We need to have a group for RADIUS service users to use it inside PAM rules +if ! grep -q '^radius' /etc/group; then + addgroup --quiet radius +fi + +# And add RADIUS users to this group +usermod -aG radius radius_user +usermod -aG radius radius_priv_user |