summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/https.py5
-rwxr-xr-xsrc/conf_mode/system-login.py27
-rw-r--r--src/etc/sysctl.d/30-vyos-router.conf8
-rwxr-xr-xsrc/helpers/vyos-load-config.py2
-rwxr-xr-xsrc/init/vyos-router4
-rwxr-xr-xsrc/migration-scripts/https/4-to-556
-rw-r--r--src/pam-configs/radius20
-rw-r--r--src/pam-configs/radius-mandatory19
-rw-r--r--src/pam-configs/radius-optional19
-rw-r--r--src/pam-configs/tacplus17
-rw-r--r--src/pam-configs/tacplus-mandatory17
-rw-r--r--src/pam-configs/tacplus-optional17
-rwxr-xr-xsrc/services/vyos-http-api-server10
13 files changed, 158 insertions, 63 deletions
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index 010490c7e..028a5007a 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -215,14 +215,9 @@ def generate(https):
api_data = vyos.defaults.api_data
api_settings = https.get('api', {})
if api_settings:
- port = api_settings.get('port', '')
- if port:
- api_data['port'] = port
vhosts = https.get('api-restrict', {}).get('virtual-host', [])
if vhosts:
api_data['vhost'] = vhosts[:]
- if 'socket' in list(api_settings):
- api_data['socket'] = True
if api_data:
vhost_list = api_data.get('vhost', [])
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 02c97afaa..87a269499 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -104,6 +104,9 @@ def get_config(config=None):
# prune TACACS global defaults if not set by user
if login.from_defaults(['tacacs']):
del login['tacacs']
+ # same for RADIUS
+ if login.from_defaults(['radius']):
+ del login['radius']
# create a list of all users, cli and users
all_users = list(set(local_users + cli_users))
@@ -377,17 +380,23 @@ def apply(login):
except Exception as e:
raise ConfigError(f'Deleting user "{user}" raised exception: {e}')
- # Enable RADIUS in PAM configuration
- pam_cmd = '--remove'
+ # Enable/disable RADIUS in PAM configuration
+ cmd('pam-auth-update --disable radius-mandatory radius-optional')
if 'radius' in login:
- pam_cmd = '--enable'
- cmd(f'pam-auth-update --package {pam_cmd} radius')
-
- # Enable/Disable TACACS in PAM configuration
- pam_cmd = '--remove'
+ if login['radius'].get('security_mode', '') == 'mandatory':
+ pam_profile = 'radius-mandatory'
+ else:
+ pam_profile = 'radius-optional'
+ cmd(f'pam-auth-update --enable {pam_profile}')
+
+ # Enable/disable TACACS+ in PAM configuration
+ cmd('pam-auth-update --disable tacplus-mandatory tacplus-optional')
if 'tacacs' in login:
- pam_cmd = '--enable'
- cmd(f'pam-auth-update --package {pam_cmd} tacplus')
+ if login['tacacs'].get('security_mode', '') == 'mandatory':
+ pam_profile = 'tacplus-mandatory'
+ else:
+ pam_profile = 'tacplus-optional'
+ cmd(f'pam-auth-update --enable {pam_profile}')
return None
diff --git a/src/etc/sysctl.d/30-vyos-router.conf b/src/etc/sysctl.d/30-vyos-router.conf
index 1c9b8999f..67d96969e 100644
--- a/src/etc/sysctl.d/30-vyos-router.conf
+++ b/src/etc/sysctl.d/30-vyos-router.conf
@@ -105,3 +105,11 @@ net.core.rps_sock_flow_entries = 32768
net.core.default_qdisc=fq_codel
net.ipv4.tcp_congestion_control=bbr
+# VRF - Virtual routing and forwarding
+# When net.vrf.strict_mode=0 (default) it is possible to associate multiple
+# VRF devices to the same table. Conversely, when net.vrf.strict_mode=1 a
+# table can be associated to a single VRF device.
+#
+# A VRF table can be used by the VyOS CLI only once (ensured by verify()),
+# this simply adds an additional Kernel safety net
+net.vrf.strict_mode=1
diff --git a/src/helpers/vyos-load-config.py b/src/helpers/vyos-load-config.py
index e579e81b2..4ec865454 100755
--- a/src/helpers/vyos-load-config.py
+++ b/src/helpers/vyos-load-config.py
@@ -66,7 +66,7 @@ def get_local_config(filename):
return config_str
-if any(x in file_name for x in protocols):
+if any(file_name.startswith(f'{x}://') for x in protocols):
config_string = vyos.remote.get_remote_config(file_name)
if not config_string:
sys.exit(f"No such config file at '{file_name}'")
diff --git a/src/init/vyos-router b/src/init/vyos-router
index 3db06b368..3445da2cf 100755
--- a/src/init/vyos-router
+++ b/src/init/vyos-router
@@ -256,9 +256,9 @@ netgroup: nis
EOF
# restore PAM back to virgin state (no radius/tacacs services)
- pam-auth-update --package --remove radius
+ pam-auth-update --disable radius-mandatory radius-optional
rm -f /etc/pam_radius_auth.conf
- pam-auth-update --package --remove tacplus
+ pam-auth-update --disable tacplus-mandatory tacplus-optional
rm -f /etc/tacplus_nss.conf /etc/tacplus_servers
# Certain configuration files are re-generated by the configuration
diff --git a/src/migration-scripts/https/4-to-5 b/src/migration-scripts/https/4-to-5
new file mode 100755
index 000000000..a503e0cb7
--- /dev/null
+++ b/src/migration-scripts/https/4-to-5
@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# T5762: http: api: smoketests fail as they can not establish IPv6 connection
+# to uvicorn backend server, always make the UNIX domain socket the
+# default way of communication
+
+import sys
+
+from vyos.configtree import ConfigTree
+
+if len(sys.argv) < 2:
+ print("Must specify file name!")
+ sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+config = ConfigTree(config_file)
+
+base = ['service', 'https']
+if not config.exists(base):
+ # Nothing to do
+ sys.exit(0)
+
+# Delete "socket" CLI option - we always use UNIX domain sockets for
+# NGINX <-> API server communication
+if config.exists(base + ['api', 'socket']):
+ config.delete(base + ['api', 'socket'])
+
+# There is no need for an API service port, as UNIX domain sockets
+# are used
+if config.exists(base + ['api', 'port']):
+ config.delete(base + ['api', 'port'])
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ sys.exit(1)
diff --git a/src/pam-configs/radius b/src/pam-configs/radius
deleted file mode 100644
index eee9cb93e..000000000
--- a/src/pam-configs/radius
+++ /dev/null
@@ -1,20 +0,0 @@
-Name: RADIUS authentication
-Default: no
-Priority: 257
-Auth-Type: Primary
-Auth:
- [default=ignore success=2] pam_succeed_if.so service = sudo
- [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
- [authinfo_unavail=ignore success=end default=ignore] pam_radius_auth.so
-
-Account-Type: Primary
-Account:
- [default=ignore success=2] pam_succeed_if.so service = sudo
- [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
- [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_radius_auth.so
-
-Session-Type: Additional
-Session:
- [default=ignore success=2] pam_succeed_if.so service = sudo
- [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
- [authinfo_unavail=ignore success=ok default=ignore] pam_radius_auth.so
diff --git a/src/pam-configs/radius-mandatory b/src/pam-configs/radius-mandatory
new file mode 100644
index 000000000..3368fe7ff
--- /dev/null
+++ b/src/pam-configs/radius-mandatory
@@ -0,0 +1,19 @@
+Name: RADIUS authentication (mandatory mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth-Initial:
+ [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so
+Auth:
+ [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so use_first_pass
+
+Account-Type: Primary
+Account:
+ [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+ [default=ignore success=end] pam_radius_auth.so
+
+Session-Type: Additional
+Session:
+ [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+ [default=bad success=ok] pam_radius_auth.so
diff --git a/src/pam-configs/radius-optional b/src/pam-configs/radius-optional
new file mode 100644
index 000000000..73085061d
--- /dev/null
+++ b/src/pam-configs/radius-optional
@@ -0,0 +1,19 @@
+Name: RADIUS authentication (optional mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth-Initial:
+ [default=ignore success=end] pam_radius_auth.so
+Auth:
+ [default=ignore success=end] pam_radius_auth.so use_first_pass
+
+Account-Type: Primary
+Account:
+ [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+ [default=ignore success=end] pam_radius_auth.so
+
+Session-Type: Additional
+Session:
+ [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+ [default=ignore success=ok perm_denied=bad user_unknown=bad] pam_radius_auth.so
diff --git a/src/pam-configs/tacplus b/src/pam-configs/tacplus
deleted file mode 100644
index 66a1eaa4c..000000000
--- a/src/pam-configs/tacplus
+++ /dev/null
@@ -1,17 +0,0 @@
-Name: TACACS+ authentication
-Default: no
-Priority: 257
-Auth-Type: Primary
-Auth:
- [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
- [authinfo_unavail=ignore success=end auth_err=bad default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login
-
-Account-Type: Primary
-Account:
- [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
- [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login
-
-Session-Type: Additional
-Session:
- [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
- [authinfo_unavail=ignore success=ok default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login
diff --git a/src/pam-configs/tacplus-mandatory b/src/pam-configs/tacplus-mandatory
new file mode 100644
index 000000000..ffccece19
--- /dev/null
+++ b/src/pam-configs/tacplus-mandatory
@@ -0,0 +1,17 @@
+Name: TACACS+ authentication (mandatory mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth:
+ [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_tacplus.so include=/etc/tacplus_servers login=login
+
+Account-Type: Primary
+Account:
+ [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
+ [default=bad success=end] pam_tacplus.so include=/etc/tacplus_servers login=login
+
+Session-Type: Additional
+Session:
+ [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
+ [default=bad success=ok] pam_tacplus.so include=/etc/tacplus_servers login=login
diff --git a/src/pam-configs/tacplus-optional b/src/pam-configs/tacplus-optional
new file mode 100644
index 000000000..095c3a164
--- /dev/null
+++ b/src/pam-configs/tacplus-optional
@@ -0,0 +1,17 @@
+Name: TACACS+ authentication (optional mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth:
+ [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login
+
+Account-Type: Primary
+Account:
+ [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
+ [default=ignore success=end auth_err=bad perm_denied=bad user_unknown=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
+
+Session-Type: Additional
+Session:
+ [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
+ [default=ignore success=ok session_err=bad user_unknown=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
diff --git a/src/services/vyos-http-api-server b/src/services/vyos-http-api-server
index 3a9efb73e..daee24257 100755
--- a/src/services/vyos-http-api-server
+++ b/src/services/vyos-http-api-server
@@ -825,15 +825,7 @@ def initialization(session: ConfigSession, app: FastAPI = app):
if app.state.vyos_graphql:
graphql_init(app)
- if not server_config['socket']:
- config = ApiServerConfig(app,
- host=server_config["listen_address"],
- port=int(server_config["port"]),
- proxy_headers=True)
- else:
- config = ApiServerConfig(app,
- uds="/run/api.sock",
- proxy_headers=True)
+ config = ApiServerConfig(app, uds="/run/api.sock", proxy_headers=True)
server = ApiServer(config)
def run_server():
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-18 09:11:54 +0000