From d7457268fcaa5626e512eb00a9aab36f4a617f28 Mon Sep 17 00:00:00 2001
From: zsdc <taras@vyos.io>
Date: Tue, 26 Sep 2023 11:27:07 +0300
Subject: PAM: T5577: Optimized RADIUS PAM config

- Added system `radius` group
- Added `mandatory` and `optional` modes for RADIUS
- Improved PAM config for RADIUS

New modes:

- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be
stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`, authentication
continues using the next module.

In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
---
 debian/vyos-1x.postinst                              |  9 +++++++++
 .../include/radius-server-ipv4-ipv6.xml.i            | 20 ++++++++++++++++++++
 src/conf_mode/system-login.py                        | 10 +++++++---
 src/pam-configs/radius                               | 20 --------------------
 src/pam-configs/radius-mandatory                     | 19 +++++++++++++++++++
 src/pam-configs/radius-optional                      | 19 +++++++++++++++++++
 6 files changed, 74 insertions(+), 23 deletions(-)
 delete mode 100644 src/pam-configs/radius
 create mode 100644 src/pam-configs/radius-mandatory
 create mode 100644 src/pam-configs/radius-optional

diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 81ba74b9b..7b865fb11 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -45,3 +45,12 @@ done
 
 # Enable Cloud-init pre-configuration service
 systemctl enable vyos-config-cloud-init.service
+
+# We need to have a group for RADIUS service users to use it inside PAM rules
+if ! grep -q '^radius' /etc/group; then
+    addgroup --quiet radius
+fi
+
+# And add RADIUS users to this group
+usermod -aG radius radius_user
+usermod -aG radius radius_priv_user
diff --git a/interface-definitions/include/radius-server-ipv4-ipv6.xml.i b/interface-definitions/include/radius-server-ipv4-ipv6.xml.i
index 5b12bec62..6a432bac9 100644
--- a/interface-definitions/include/radius-server-ipv4-ipv6.xml.i
+++ b/interface-definitions/include/radius-server-ipv4-ipv6.xml.i
@@ -47,6 +47,26 @@
         <multi/>
       </properties>
     </leafNode>
+    <leafNode name="security-mode">
+      <properties>
+        <help>Security mode for RADIUS authentication</help>
+        <completionHelp>
+          <list>mandatory optional</list>
+        </completionHelp>
+        <valueHelp>
+          <format>mandatory</format>
+          <description>Deny access immediately if RADIUS answers with Access-Reject</description>
+        </valueHelp>
+        <valueHelp>
+          <format>optional</format>
+          <description>Pass to the next authentication method if RADIUS answers with Access-Reject</description>
+        </valueHelp>
+        <constraint>
+          <regex>(mandatory|optional)</regex>
+        </constraint>
+      </properties>
+      <defaultValue>optional</defaultValue>
+    </leafNode>
   </children>
 </node>
 <!-- include end -->
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 7cfd5c940..4e61bd8ad 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -299,9 +299,15 @@ def apply(login):
     env = os.environ.copy()
     env['DEBIAN_FRONTEND'] = 'noninteractive'
     try:
+        # Disable PAM before enabling or modifying anything
+        cmd('pam-auth-update --disable radius-mandatory radius-optional', env=env)
         if 'radius' in login:
             # Enable RADIUS in PAM
-            cmd('pam-auth-update --package --enable radius', env=env)
+            if login['radius'].get('security_mode', '') == 'mandatory':
+                pam_profile = 'radius-mandatory'
+            else:
+                pam_profile = 'radius-optional'
+            cmd(f'pam-auth-update --enable {pam_profile}', env=env)
             # Make NSS system aware of RADIUS
             # This fancy snipped was copied from old Vyatta code
             command = "sed -i -e \'/\smapname/b\' \
@@ -312,8 +318,6 @@ def apply(login):
                           -e \'/^group:[^#]*$/s/: */&mapname /\' \
                           /etc/nsswitch.conf"
         else:
-            # Disable RADIUS in PAM
-            cmd('pam-auth-update --package --remove radius', env=env)
             # Drop RADIUS from NSS NSS system
             # This fancy snipped was copied from old Vyatta code
             command = "sed -i -e \'/^passwd:.*mapuid[ \t]/s/mapuid[ \t]//\' \
diff --git a/src/pam-configs/radius b/src/pam-configs/radius
deleted file mode 100644
index 0e2c71e38..000000000
--- a/src/pam-configs/radius
+++ /dev/null
@@ -1,20 +0,0 @@
-Name: RADIUS authentication
-Default: yes
-Priority: 257
-Auth-Type: Primary
-Auth:
-    [default=ignore success=1] pam_succeed_if.so uid eq 1001 quiet
-    [default=ignore success=ignore] pam_succeed_if.so uid eq 1002 quiet
-    [authinfo_unavail=ignore success=end default=ignore] pam_radius_auth.so
-
-Account-Type: Primary
-Account:
-    [default=ignore success=1] pam_succeed_if.so uid eq 1001 quiet
-    [default=ignore success=ignore] pam_succeed_if.so uid eq 1002 quiet
-    [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_radius_auth.so
-
-Session-Type: Additional
-Session:
-    [default=ignore success=1] pam_succeed_if.so uid eq 1001 quiet
-    [default=ignore success=ignore] pam_succeed_if.so uid eq 1002 quiet
-    [authinfo_unavail=ignore success=ok default=ignore] pam_radius_auth.so
diff --git a/src/pam-configs/radius-mandatory b/src/pam-configs/radius-mandatory
new file mode 100644
index 000000000..3368fe7ff
--- /dev/null
+++ b/src/pam-configs/radius-mandatory
@@ -0,0 +1,19 @@
+Name: RADIUS authentication (mandatory mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth-Initial:
+    [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so
+Auth:
+    [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so use_first_pass
+
+Account-Type: Primary
+Account:
+    [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+    [default=ignore success=end] pam_radius_auth.so
+
+Session-Type: Additional
+Session:
+    [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+    [default=bad success=ok] pam_radius_auth.so
diff --git a/src/pam-configs/radius-optional b/src/pam-configs/radius-optional
new file mode 100644
index 000000000..73085061d
--- /dev/null
+++ b/src/pam-configs/radius-optional
@@ -0,0 +1,19 @@
+Name: RADIUS authentication (optional mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth-Initial:
+    [default=ignore success=end] pam_radius_auth.so
+Auth:
+    [default=ignore success=end] pam_radius_auth.so use_first_pass
+
+Account-Type: Primary
+Account:
+    [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+    [default=ignore success=end] pam_radius_auth.so
+
+Session-Type: Additional
+Session:
+    [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+    [default=ignore success=ok perm_denied=bad user_unknown=bad] pam_radius_auth.so
-- 
cgit v1.2.3