Age | Commit message (Collapse) | Author |
|
- Added system `radius` group
- Added `mandatory` and `optional` modes for RADIUS
- Improved PAM config for RADIUS
New modes:
- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be
stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`, authentication
continues using the next module.
In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
|
|
Added check of the sum of login radius timeouts.
It has to be less than or equal to 50 sec.
Added check of the number of login radius servers.
It has to be less than or equal to 8.
Otherwise, login to the device can be discarded.
Backported from 1.4
|
|
This reverts commit 7b36c363cd5b0168bd83c399f50a0a360ba3ee58.
A general solution is implemented in Commit ae9dde04 ("T4975: always sync()
filesystem after commit").
|
|
User profile files are not saved to disk after configuration is fully applied.
Because of this, after a fast system reset, profile files can be empty, and CLI
is broken.
This fix adds a `sync()` call after the user's configuration, which should
protect from data loss and fix the problem with profiles.
|
|
(cherry picked from commit 796178f69ce09e28ab9f20c7b5e1ce97ef00a1ff)
|
|
(cherry picked from commit efa753bc661d04967237e7ec3d72d3757230aaf9)
|
|
This patch allows the use of `"` in ssh public-key options which
unlocks the ability to set the `from` option in a way that sshd will
accept to limit what hosts a user can connect from.
(cherry picked from commit 6b52387190f8213e7e02060e894c6ddd4fb7cb3d)
|
|
While migrating to get_config_dict() in commit e8a1c291b1 ("login: radius:
T3192: migrate to get_config_dict()") the user-name was not excluded
from mangling (no_tag_node_value_mangle=True).
This resulted in a username "vyos-user" from CLI actually being created as
"vyos_user" on the system.
This commit also adds respective Smoketests to prevent this in the future.
(cherry picked from commit 658de9ea0fbe91e593f9cf0a8c434791282af100)
|
|
Commit e8a1c291 ("login: radius: T3192: migrate to get_config_dict()") did an
invalid forward of the newly encrypted password to my_set to store it inside
the config.
(cherry picked from commit a7fe2ff4fdfcb2619b892aff170d42609965b20b)
|
|
(cherry picked from commit 586b440a835cba7d45e50bb6d1781823903332b6)
|
|
Fix for https://phabricator.vyos.net/T2725
T2492 / a07e22377ab83104ac925e13d1824f241f0f8d4a
introduced a change which broke the initialization of
the user dict. In case the config contained a user
without an encrypted-password set, the property would
be missing and the commit would crash with
`KeyError: 'password_encrypted'`
|
|
|
|
airbag must now be explicitly installed.
The patch also allows fully disabling the installation of the logging
code at setup (and not just installing it and doing nothing).
|
|
This allows the radius client to work when a management VRF is in use.
|
|
|
|
Convert all calls to jinja to use template.render
|
|
|
|
os.system does print the output of the command, run() does not.
A new function called call() does the printing and returns the error code.
|
|
Previously failures of mkpasswd would not be reported to users
|
|
|
|
* A type must be present for any one public-key element
* A key must be present for any one public-key element
|
|
We should not rely on the home dir value stored in user['home_dir'], as if a
crazy user chooses username root or any other system user this will fail.
Should using root be denied at all?
|
|
Splitting was not a good idea. By combining both we can create a RADIUS server
XML include file which can be reused by multiple implementations to get a
uniform CLI for the users.
|