author | zsdc <taras@vyos.io> | 2023-09-26 11:27:07 +0300 |
---|---|---|
committer | zsdc <taras@vyos.io> | 2023-11-20 19:07:11 +0200 |
commit | d7457268fcaa5626e512eb00a9aab36f4a617f28 (patch) | |
tree | b44029f81f1a47a86b475a00d0b22587addfd2db /src/conf_mode/system-login.py | |
parent | 471e26233e2e1c7b4ad20aff673a18ac5d745296 (diff) | |
PAM: T5577: Optimized RADIUS PAM config
- Added system `radius` group
- Added `mandatory` and `optional` modes for RADIUS
- Improved PAM config for RADIUS
New modes:
- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be
stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`, authentication
continues using the next module.
In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
Diffstat (limited to 'src/conf_mode/system-login.py')
-rwxr-xr-x | src/conf_mode/system-login.py | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 7cfd5c940..4e61bd8ad 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -299,9 +299,15 @@ def apply(login):
 env = os.environ.copy()
 env['DEBIAN_FRONTEND'] = 'noninteractive'
 try:
+ # Disable PAM before enabling or modifying anything
+ cmd('pam-auth-update --disable radius-mandatory radius-optional', env=env)
 if 'radius' in login:
 # Enable RADIUS in PAM
- cmd('pam-auth-update --package --enable radius', env=env)
+ if login['radius'].get('security_mode', '') == 'mandatory':
+ pam_profile = 'radius-mandatory'
+ else:
+ pam_profile = 'radius-optional'
+ cmd(f'pam-auth-update --enable {pam_profile}', env=env)
 # Make NSS system aware of RADIUS
 # This fancy snipped was copied from old Vyatta code
 command = "sed -i -e \'/\smapname/b\' \
@@ -312,8 +318,6 @@ def apply(login):
 -e \'/^group:[^#]*$/s/: */&mapname /\' \
 /etc/nsswitch.conf"
 else:
- # Disable RADIUS in PAM
- cmd('pam-auth-update --package --remove radius', env=env)
 # Drop RADIUS from NSS NSS system
 # This fancy snipped was copied from old Vyatta code
 command = "sed -i -e \'/^passwd:.*mapuid[ \t]/s/mapuid[ \t]//\' \ |
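Review bot: The unconditional `pam-auth-update --disable radius-mandatory radius-optional` at the top of the `try:` takes both RADIUS profiles out of the PAM stack on every apply, even when RADIUS stays configured in the same mode. Between the two `cmd()` calls logins are evaluated without the RADIUS module, and if the following `--enable` call fails the stack stays that way, which in `mandatory` mode is the weaker state because an `Access-Reject` can no longer stop authentication. Choosing the target profile first and disabling only the other one keeps the wanted profile in place across re-applies; the handler for this `try:` and the rest of `apply()` are outside the hunk, so how a failure is reported cannot be seen here. Separately, any `security_mode` value other than `mandatory` silently selects `radius-optional`; unless the value is validated before `apply()` runs (not visible here), an explicit comparison against both known values with an error for anything else would avoid an unnoticed downgrade.

```python
        if 'radius' in login:
            # Select the target profile first so the profile that should stay
            # active is never removed from the PAM stack on a re-apply
            if login['radius'].get('security_mode', '') == 'mandatory':
                pam_profile, stale_profile = 'radius-mandatory', 'radius-optional'
            else:
                pam_profile, stale_profile = 'radius-optional', 'radius-mandatory'
            cmd(f'pam-auth-update --disable {stale_profile}', env=env)
            cmd(f'pam-auth-update --enable {pam_profile}', env=env)
            # … unchanged: sed command adding mapname/mapuid to nsswitch.conf …
        else:
            # RADIUS is not configured: remove both profiles
            cmd('pam-auth-update --disable radius-mandatory radius-optional', env=env)
            # … unchanged: sed command dropping RADIUS from nsswitch.conf …
```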