path: root/debian/vyos-1x.postinst
Age | Commit message | Author
2023-02-24 | login: T4943: Fixed 2FA + RADIUS compatibility | zsdc
MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS module for PAM does not like it, which makes them incompatible.
This commit:
* disables KbdInteractiveAuthentication
* changes order for PAM modules - make it first, before `pam_unix` or `pam_radius_auth`
* enables the `forward_pass` option for `pam_google_authenticator` to accept both password and MFA in a single input
As a result, local, RADIUS, and MFA work together.
Important change: MFA should be entered together with a password.
Before:
```
vyos login: <USERNAME>
Password: <PASSWORD>
Verification code: <MFA>
```
Now:
```
vyos login: <USERNAME>
Password & verification code: <PASSWORD><MFA>
```
2022-11-14 | T4815: Fix various name server config issues | Yuxiang Zhu
1. When a PPPoE session is connected, `pppd` will update `/etc/resolv.conf` regardless of `system name-server` option unless `no-peer-dns` is set. This is because `pppd` vendors scripts `/etc/ppp/ip-up.d/0000usepeerdns` and `/etc/ppp/ip-down.d/0000usepeerdns`, which update `/etc/resolv.conf` on PPPoE connection and revert the change on disconnection. This PR removes those scripts and adds custom scripts to update name server entries through `vyos-hostsd` instead.
2. There is a typo in `/etc/dhcp/dhclient-enter-hooks.d/04-vyos-resolvconf`, which misspells variable name `new_dhcp6_name_servers` as `new_dhcpv6_name_servers`. This causes IPv6 name server entries in `vyos-hostsd` not to be updated when dhclient receives nameservers from DHCPv6.
3. Regular expressions in scripts under `/etc/dhcp/dhclient-enter-hooks.d` and `/etc/dhcp/dhclient-exit-hooks.d/` are not enclosed in `^$`, so those IPv4 related branches (like `BOUND`) could be mistakenly executed when an IPv6 reason (like `BOUND6`) is given.
2022-10-17 | login: 2fa: T874: fix PAM string during ISO build | Christian Poessinger
Turns out a local installation of a package using "dpkg -i" differs when assembling an ISO using live-build. The previous version worked when using "dpkg -i" but it failed hard (no login possible) during ISO build. This has been fixed by using double quotes.
2022-10-16 | login: 2fa: T874: fix PAM string generation on multiple package installations | Christian Poessinger
Commit da535ef5 ("login: 2fa: T874: fix Google authenticator issues") used different strings for grep and sed, resulting in the same line being added on every installation of the package. This is only disturbing during development, not during ISO build.
2022-10-14 | login: 2fa: T874: fix Google authenticator issues | Christian Poessinger
Move default values of TOTP configuration from a global to a per user setting. This makes the entire code easier as no global configuration must be blended into the per user config dict. Also it should be possible to set the authentication window "multiple concurrent keys" individual per user.
set system login user vyos authentication otp key 'gzkmajid7na2oltajs4kbuq7lq'
set system login user vyos authentication plaintext-password 'vyos'
2022-10-12 | system login: T874: add 2FA support for local and ssh authentication. Bugfix | goodNETnick
2022-10-11 | system login: T874: add 2FA support for local and ssh authentication | goodNETnick
2022-07-22 | ssh: T3212: cleanup deprecated /etc/default/ssh file | Christian Poessinger
2022-07-22 | dns-forwarding: T2185: cleanup deprecated /etc/powerdns files - now living in /run/powerdns | Christian Poessinger
2022-07-22 | ntp: T2185: cleanup deprecated /etc/ntp.conf - now living in /run/ntpd | Christian Poessinger
2022-07-22 | fastnetmon: T2659: also clean /etc/networks_whitelist | Christian Poessinger
2022-07-21 | fastnetmon: T2659: move configuration files to /run | Christian Poessinger
2022-07-17 | login: T4536: add all accounts to frr group | Christian Poessinger
2022-03-07 | logrotate: T4250: Fixed logrotate config generation | zsdc
* Removed `/var/log/auth.log` and `/var/log/messages` from `/etc/logrotate.d/rsyslog`, because they conflict with VyOS-controlled items, which leads to a service error.
* Removed generation config file for `/var/log/messages` from `system-syslog.py` - this should be done from `syslom logs` now.
* Generate each logfile from `system syslog file` to a dedicated logrotate config file.
* Fixed logrotate config file names in `/etc/rsyslog.d/vyos-rsyslog.conf`.
* Added default logrotate settings for `/var/log/messages`
2022-03-05 | flow-accounting: T4277: delete Debian common configs | Christian Poessinger
2022-03-05 | conntrackd: T4259: fix daemon configuration path | Christian Poessinger
2021-08-08 | Debian: T3641: drop dead symlink file in /etc/init.d | Christian Poessinger
2021-07-03 | ipsec: T2816: Remove legacy vyatta code that references Openswan | sarthurdev
2021-06-26 | Debian: disable systemd salt-minion configuration - all handled in vyos-build | Christian Poessinger
2021-06-26 | Debian: ensure path for vyos-postconfig-bootup.script exists | Christian Poessinger
2021-06-26 | Debian: drop ipsec key removal from postinst script - done on every system boot | Christian Poessinger
2021-06-26 | Import vyos-postconfig-bootup.script from vyatta-cfg-system | Christian Poessinger
2021-06-26 | Debian: no need to disable salt-minion in postinst script | Christian Poessinger
This is already done in systemd service disable hook from vyos-build.
2021-06-26 | Import sudoers configuration from vyatta-cfg-system | Christian Poessinger
2021-05-28 | ipsec: T2816: IPSec python rework, includes DMVPN and VTI support | Simon
2021-05-02 | radius: T3510: authenticated users must use /sbin/radius_shell as shell | Christian Poessinger
2021-01-20 | Debian: add openvpn user via postinstall | Christian Poessinger
Migrated from vyatta-cfg-system.
2021-01-20 | Debian: add radius_user and radius_priv_user via postinstall | Christian Poessinger
2020-12-28 | webproxy: T563: squidguard: support default ruleset | Christian Poessinger
2020-06-11 | dhcp(v6)-server: T2583: run as 'dhcpd' user | Jernej Jakob
Add a 'dhcpd' system user that is a member of hostsd group and can connect to vyos-hostsd. Run dhcpd as this user.
2020-06-11 | vyos-hostsd: T2583: add hostsd group | Jernej Jakob
To better control access from other daemons that may not be running as root, create a new group 'hostsd' to which the other daemons running users can be added. Run vyos-hostsd as root:hostsd to create the socket file with correct user and group.
2020-04-26 | salt: T2382: run as user minion | Christian Poessinger