summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authoraapostoliuk <a.apostoliuk@vyos.io>2023-07-18 14:06:43 +0300
committeraapostoliuk <a.apostoliuk@vyos.io>2023-07-25 10:49:47 +0300
commitadb1a0fe63b1a7fff7cad955d0423a91a07823a1 (patch)
tree517fc65d3458766ca5a1deffbc4523778cf21f75 /src
parent64cc7d7e3b9e2f0f8e16cb95272336062700b91f (diff)
downloadvyos-1x-adb1a0fe63b1a7fff7cad955d0423a91a07823a1.tar.gz
vyos-1x-adb1a0fe63b1a7fff7cad955d0423a91a07823a1.zip
login: T4790: Added check of the sum of radius timeouts
Added check of the sum of login radius timeouts. It has to be less or eq 50 sec. Added check of a number of login radius servers. It has to be less or eq 8 Otherwise, log in to the device can be discarded. Backported from 1.4
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/system-login.py21
1 files changed, 18 insertions, 3 deletions
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index aba10689d..7cfd5c940 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -42,6 +42,10 @@ airbag.enable()
radius_config_file = "/etc/pam_radius_auth.conf"
+# LOGIN_TIMEOUT from /etc/loign.defs minus 10 sec
+MAX_RADIUS_TIMEOUT: int = 50
+MAX_RADIUS_COUNT: int = 8
+
def get_local_users():
"""Return list of dynamically allocated users (see Debian Policy Manual)"""
local_users = []
@@ -123,18 +127,29 @@ def verify(login):
if 'radius' in login:
if 'server' not in login['radius']:
raise ConfigError('No RADIUS server defined!')
-
+ sum_timeout: int = 0
+ radius_servers_count: int = 0
fail = True
for server, server_config in dict_search('radius.server', login).items():
if 'key' not in server_config:
raise ConfigError(f'RADIUS server "{server}" requires key!')
- if 'disabled' not in server_config:
+ if 'disable' not in server_config:
+ sum_timeout += int(server_config['timeout'])
+ radius_servers_count += 1
fail = False
- continue
+
if fail:
raise ConfigError('All RADIUS servers are disabled')
+ if radius_servers_count > MAX_RADIUS_COUNT:
+ raise ConfigError(
+ f'Number of RADIUS servers more than {MAX_RADIUS_COUNT}')
+
+ if sum_timeout > MAX_RADIUS_TIMEOUT:
+ raise ConfigError(
+ f'Sum of RADIUS servers timeouts has to be less or eq {MAX_RADIUS_TIMEOUT} sec')
+
verify_vrf(login['radius'])
if 'source_address' in login['radius']: