Age | Commit message (Collapse) | Author |
|
|
|
Calling system-login.py with no mounted VyOS config has the negative effect
that the script will not detect any local useraccounts and thus assumes they
all need to be removed from the password backend.
As soon as the VyOS configuration is mounted and the CLI content is processed,
system-login.py get's invoked and re-creates the before deleted user accounts.
As the account names are sorted in alphabetical order, the name <-> UID mapping
can get mixed up during system reboot.
The intention behind calling system-login.py from vyos-router init was to
reset system services (PAM, NSS) back to sane defaults with the defaults
provided via system-login.py. As PAM is already reset in vyos-router startup
script, /etc/nsswitch.conf was the only candidate left.
This is now accomplished by simply creating a standard NSS configuration file
tailored for local system accounts.
This is the second revision after the first change via commit 64d32329958
("login: T5521: home directory owner changed during reboot") got reverted.
|
|
This reverts commit 64d323299586da646ca847e78255ff2cd8464578.
|
|
init: T5577: clear mandatory and optional RADIUS/TACACS PAM settings
|
|
login: T5521: home directory owner changed during reboot
|
|
T5436: Add missing preconfig-script
|
|
During system startup the system-login.py script is invoked by vyos-router
systemd service. As there is no complete configuration available at this
point in time - and the sole purpose of this call is to reset/re-render
the system NSS/PAM configs back to default - it accidently also deleted the
local useraccounts.
Once the VyOS configuration got mounted, users got recreated in alphabetical
order and thus UIDs flipped and the /home suddenely belonged to a different
account.
This commit prevents any mangling with the local userdatabase during VyOS
bootup phase.
|
|
This complements commit 5181ab60bb ("RADIUS: T5577: Added 'mandatory' and
'optional' modes for RADIUS") and commit 1c804685d0 ("TACACS: T5577: Added
'mandatory' and 'optional' modes for TACACS+"). As those new services
should also be cleaned during system boot.
|
|
vyos@vyos:~$ show system login users
Username Type Locked Tty From Last login
---------- ------ -------- ----- ------------- ------------------------
vyos vyos False pts/0 172.16.33.139 Mon Oct 2 20:42:24 2023
|
|
|
|
Add support for per-service cache management for ddclient providers
via `wait-time` and `expiry-time` options. This allows for finer-grained
control over how often a service is updated and how long the hostname
will be cached before being marked expired in ddclient's cache.
More specifically, `wait-time` controls how often ddclient will attempt
to check for a change in the hostname's IP address, and `expiry-time`
controls how often ddclient to a forced update of the hostname's IP
address.
These options intentionally don't have any default values because they
are provider-specific. They get treated similar to the other provider-
specific options in that they are only used if defined.
|
|
T5165: Migrate policy local-route rule x destination to address
|
|
ddclient: T5612: Miscellaneous improvements and fixes for dynamic DNS
|
|
T5497: Add ability to resequence rule numbers for firewall
|
|
T5616: firewall and policy: add option to be able to match firewall marks
|
|
Migrate policy local-route <destination|source> to node address
replace 'policy local-route{v6} rule <tag> destination|source <x.x.x.x>'
=> 'policy local-route{v6} rule <tag> destination|source address <x.x.x.x>'
|
|
Updated spacing.
|
|
filter and in policy route.
|
|
Fixes `KeyError: 'conntrack_sync'`
Ignore `ConfigError("ConfigError('Interface eth1 requires an IP address!')")` due to calling conntrack-sync too early
|
|
|
|
T5577: Optimized PAM configs for RADIUS/TACACS+
|
|
|
|
Rename avahi-daemon config file to avahi-daemon.conf.j2 to match the
convention used by other config files.
|
|
This commit adds a new configuration option to the mDNS repeater service
to allow controlling which IP version to use for mDNS repeater.
Additionally, publishing AAAA record over IPv4 and A record over IPv6 is
disabled as suggested.
See:
- https://github.com/lathiat/avahi/issues/117#issuecomment-1651475104
- https://bugzilla.redhat.com/show_bug.cgi?id=669627#c2
|
|
T5217: Add firewall synproxy
|
|
conntrack: T5376: T5598: Restore kernel conntrack helpers
|
|
ipsec: T5606: Add support for whole CA chains
|
|
Add option `protocol` for policy local-route
set policy local-route rule 100 destination '192.0.2.12'
set policy local-route rule 100 protocol 'tcp'
set policy local-route rule 100 set table '100'
|
|
firewall: T5160: Remove zone policy op-mode
|
|
|
|
|
|
`nf_conntrack_helper` that auto-assigned helpers is removed from the kernel
|
|
Also includes an update to smoketest to verify
|
|
Additional cleanup and refactoring for ddclient scripts including the
smotektests.
|
|
Adjust the validator and completion for ddclient to remove unsupported
or superfluous protocols.
Specifically,
- remove 'nsupdate' protocol from the list because there is a separate
config path for that protocol (rfc2136)
- remove 'cloudns' protocol from the list because it has non standard
configuration and is not supported by our configurator at this time
|
|
Enable TTL support for web-service based protocols in addition to
RFC2136 based (nsupdate) protocol.
Since TTL is not supported by all protocols, and thus cannot have a
configuration default, the existing XML snippet `include/dns/time-to-live.xml.i`
does not have common `<defaultValue>300</defaultValue>` anymore and is
instead added explicitly whenever necessary.
|
|
dyndns2 protocol in ddclient honors dual stack for selective servers
because of the way it is implemented in ddclient.
We formalize the well known servers that support dual stack in a list
and check against it when validating the configuration.
|
|
Fix VRF support interface definition and configuration mode for ddclient
to actually capture the VRF name and pass it to the template.
|
|
Add op-mode command `generate firewall rule-resequence`
Generates output with new sequences for firewall rules
set firewall ipv4 input filter rule 1 action 'accept'
set firewall ipv4 input filter rule 1 description 'Allow loopback'
$ generate firewall rule-resequence start 10 step 10
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 description 'Allow loopback'
|
|
smoketest: T5607: support getting SCSI device by drive-id
|
|
Add ability to SYNPROXY connections
It is useful to protect against TCP SYN flood attacks and port-scanners
set firewall global-options syn-cookies 'enable'
set firewall ipv4 input filter rule 10 action 'synproxy'
set firewall ipv4 input filter rule 10 destination port '22'
set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1'
set firewall ipv4 input filter rule 10 protocol 'tcp'
set firewall ipv4 input filter rule 10 synproxy tcp mss '1460'
set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
|
|
|
|
|
|
|
|
|
|
conntrack: firewall: T4502: Update conntrack check for new flowtable CLI
|
|
Also updates flowtable smoketest to verify conntrack enabled
|
|
init: T5239: configure system hostname prior to FRR startup
|
|
On first boot after an upgrade /etc/hostname and FRR configuration is not
populated. FRR determines the system hostname once during startup and does not
repect changes of the hostname CLI value.
Thus after an upgrade of VyOS FRR started with a hostname of debian that was
propagated to peers.
The commit retrieves the hostname from the CLI and presets this before FRR is
initially started.
|
|
After sources analysis, we found the next possible return statuses for PAM
modules:
1. pam_tacplus
Auth:
- PAM_AUTH_ERR
- PAM_AUTHINFO_UNAVAIL
- PAM_AUTHTOK_ERR
- PAM_BUF_ERR
- PAM_CRED_INSUFFICIENT
- PAM_PERM_DENIED
- PAM_SUCCESS
- PAM_USER_UNKNOWN
Account:
- PAM_AUTH_ERR
- PAM_AUTHINFO_UNAVAIL
- PAM_PERM_DENIED
- PAM_SUCCESS
- PAM_USER_UNKNOWN
Session:
- PAM_AUTHINFO_UNAVAIL
- PAM_SESSION_ERR
- PAM_SUCCESS
- PAM_USER_UNKNOWN
2. pam_radius_auth
Auth:
- PAM_ABORT
- PAM_AUTH_ERR
- PAM_AUTHINFO_UNAVAIL
- PAM_AUTHTOK_ERR
- PAM_BAD_ITEM
- PAM_BUF_ERR
- PAM_CONV_AGAIN
- PAM_CONV_ERR
- PAM_IGNORE
- PAM_NO_MODULE_DATA
- PAM_PERM_DENIED
- PAM_SUCCESS
- PAM_SYSTEM_ERR
- PAM_USER_UNKNOWN
Account:
- PAM_SUCCESS
Session:
- PAM_ABORT
- PAM_AUTHINFO_UNAVAIL
- PAM_BAD_ITEM
- PAM_BUF_ERR
- PAM_CONV_AGAIN
- PAM_CONV_ERR
- PAM_IGNORE
- PAM_NO_MODULE_DATA
- PAM_PERM_DENIED
- PAM_SUCCESS
- PAM_SYSTEM_ERR
- PAM_USER_UNKNOWN
PAM configurations were replaced with tuned versions to take this into account.
|