Age | Commit message (Collapse) | Author |
|
MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS
module for PAM does not like it, which makes them incompatible.
This commit:
* disables KbdInteractiveAuthentication
* changes order for PAM modules - make it first, before `pam_unix` or
`pam_radius_auth`
* enables the `forward_pass` option for `pam_google_authenticator` to accept
both password and MFA in a single input
As a result, local, RADIUS, and MFA work together.
Important change: MFA should be entered together with a password.
Before:
```
vyos login: <USERNAME>
Password: <PASSWORD>
Verification code: <MFA>
```
Now:
```
vyos login: <USERNAME>
Password & verification code: <PASSWORD><MFA>
```
|
|
|
|
debian: T5003: Upgrade base system to Debian 12 "Bookworm"
|
|
|
|
|
|
Kernel now performs this function internally
|
|
|
|
|
|
|
|
|
|
* Move CLI from "system ntp" -> "service ntp"
* Drop NTP server option preempt as not supported by chrony
|
|
This reverts commit 36d16f531236a62b5afc6cdd5f04d20c2b1883e6.
|
|
|
|
|
|
|
|
skopeo does not support overwriting an image - simply remove and readd it.
|
|
1. When a PPPoE session is connected, `pppd` will update
`/etc/resolv.conf` regardless of `system name-server` option unless `no-peer-dns` is set.
This is because `pppd` vendors scripts `/etc/ppp/ip-up.d/0000usepeerdns` and `/etc/ppp/ip-down.d/0000usepeerdns`,
which updates `/etc/resolv.conf` on PPPoE connection and reverts the change on disconnection.
This PR removes those scripts and adds custom scripts to update name server entries through `vyos-hostsd` instead.
2. There is a typo in `/etc/dhcp/dhclient-enter-hooks.d/04-vyos-resolvconf, which misspells variable name `new_dhcp6_name_servers` as `new_dhcpv6_name_servers`.
This causes IPv6 name server entries in `vyos-hostsd` not updated
when dhclient receives nameservers from DHCPv6.
3. Regular expressions in scripts under `/etc/dhcp/dhclient-enter-hooks.d` and
`/etc/dhcp/dhclient-exit-hooks.d/` are not enclosed in `^$`, so those
IPv4 related branches (like `BOUND`) could be mistakenly executed when an IPv6
reason (like `BOUND6`) is given.
|
|
|
|
Using humps.decamelize in vyos.opmode requires python3-pyhumps to be a
build dependency for the nosetest test_op_mode.py.
|
|
humps Convert strings (and dictionary keys) between snake case,
camel case and pascal case in Python
% decamelize('superTCPOption')
'super_tcp_option'
%
% decamelize({'ParamOption': 'one', 'fooBarBaz': True})
{'param_option': 'one', 'foo_bar_baz': True}
%
|
|
|
|
Turns out a local installation of a package using "dpkg -i" differs when
assembling an ISO using live-build. The previous version worked when using
"dpkg -i" but it failed hard (no login possible) during ISO build.
This has been fixed by using double quotes.
|
|
|
|
In order to properly retrieve JSON information in the Smoketests for the new
QoS implementation we need a recent (>6.0) version of iproute2. This requires
the libbpf-dev package and this small source-code change.
|
|
Commit da535ef5 ("login: 2fa: T874: fix Google authenticator issues") used
different strings for grep and sed resulting in the same line beeing added on
every installation of the package.
This is only disturbing during development not during ISO build.
|
|
Move default values of TOTP configuration from a global to a per user setting.
This makes the entire code easier as no global configuration must be blended
into the per user config dict.
Also it should be possible to set the authentication window "multiple concurrent
keys" individual per user.
set system login user vyos authentication otp key 'gzkmajid7na2oltajs4kbuq7lq'
set system login user vyos authentication plaintext-password 'vyos'
|
|
|
|
system login: T874: add 2FA support for local and ssh authentication
|
|
|
|
|
|
support
|
|
|
|
|
|
in /run/powerdns
|
|
|
|
|
|
|
|
|
|
After discussion with @zsdc this was decided the better long term fix
* Removes hourly logrotate cron in favour of systemd timer override
|
|
Allows easy creation of test PKI objects using `vyos.pki` module
Generates objects for PKI migration tests
|
|
OWAMP is a command line client application and a policy daemon used
to determine one way latencies between hosts.
OWAMP session control uses traditional client-server communication
between a control-client and a server,
TWAMP (two-way active measurement protocol)
Add configuration and operation modes
set service sla owamp-server
set service sla twamp-server
run force owping 192.0.2.120
run force twping 192.0.2.190
|
|
|
|
|
|
|
|
* Removed `/var/log/auth.log` and `/var/log/messages` from
`/etc/logrotate.d/rsyslog`, because they conflict with VyOS-controlled
items what leads to service error.
* Removed generation config file for `/var/log/messages` from
`system-syslog.py` - this should be done from `syslom logs` now.
* Generate each logfile from `system syslog file` to a dedicated
logrotate config file.
* Fixed logrotate config file names in
`/etc/rsyslog.d/vyos-rsyslog.conf`.
* Added default logrotate settins for `/var/log/messages`
|
|
|
|
|
|
|
|
upnpd: T3420: Support UPNP protocol
|
|
|