From f892e6846dc62ba992f8d233f0d8eb5a089249c3 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Mon, 19 Aug 2019 22:49:11 +0200
Subject: openvpn: T1548: remove authy 2fa provider According to https://github.com/twilio/authy-openvpn commit 3e5dc73: > This plugin is no longer actively maintained. If you're interested in becoming a maintainer, we welcome forks of this project. In addition this plugin was always missing in the current branch ov VyOS and did not make it into VyOS 1.2 (crux) If 2FA for OpenVPN is required we should probably opt for Google Authenticator or if possible a U2F device. (cherry picked from commit 5d858f0e6ad05b032c88c88a08c15d0876c44e8b)
---
 src/conf_mode/interface-openvpn.py | 31 -------------------------------
 1 file changed, 31 deletions(-)
(limited to 'src/conf_mode')
diff --git a/src/conf_mode/interface-openvpn.py b/src/conf_mode/interface-openvpn.py
index e4bde7bb0..a8313378b 100755
--- a/src/conf_mode/interface-openvpn.py
+++ b/src/conf_mode/interface-openvpn.py
@@ -219,10 +219,6 @@ client-config-dir /opt/vyatta/etc/openvpn/ccd/{{ intf }}
 {% for option in options -%}
 {{ option }}
 {% endfor -%}
-
-{%- if server_2fa_authy_key %}
-plugin /usr/lib/authy/authy-openvpn.so https://api.authy.com/protected/json {{ server_2fa_authy_key }} nopam
-{% endif %}
 """
 
 client_tmpl = """
@@ -269,8 +265,6 @@ default_config_data = {
 'remote_address': '',
 'remote_host': [],
 'remote_port': '',
- 'server_2fa_authy_key': '',
- 'server_2fa_authy': [],
 'client': [],
 'server_domain': '',
 'server_max_conn': '',
@@ -453,31 +447,6 @@ def get_config():
 if conf.exists('replace-default-route local'):
 openvpn['redirect_gateway'] = 'local def1'
 
- # Two Factor Authentication providers
- # currently limited to authy
- if conf.exists('2-factor-authentication authy api-key'):
- openvpn['server_2fa_authy_key'] = conf.return_value('2-factor-authentication authy api-key')
-
- # Authy users (must be email address)
- for user in conf.list_nodes('server 2-factor-authentication authy user'):
- # set configuration level
- conf.set_level('interfaces openvpn ' + openvpn['intf'] + ' 2-factor-authentication authy user ' + user)
- data = {
- 'user': user,
- 'country_code': '',
- 'mobile_number': ''
- }
-
- # Country calling codes
- if conf.exists('country-calling-code'):
- data['country_code'] = conf.return_value('country-calling-code')
-
- # Mobile phone number
- if conf.exists('phone-number'):
- data['mobile_number'] = conf.return_value('phone-number')
-
- openvpn['server_2fa_authy'].append(data)
-
 # Topology for clients
 if conf.exists('server topology'):
 openvpn['server_topology'] = conf.return_value('server topology')
-- cgit v1.2.3
From 501908ae54a1aaae1337673617ebfcc281b02662 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Tue, 27 Aug 2019 22:18:41 +0200
Subject: openvpn: T1617: bugfix for server push-route (cherry picked from commit e4f1bbb270f0afea295646764516675bbcfe0be5)
---
 src/conf_mode/interface-openvpn.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'src/conf_mode')
diff --git a/src/conf_mode/interface-openvpn.py b/src/conf_mode/interface-openvpn.py
index a8313378b..4e5915d4e 100755
--- a/src/conf_mode/interface-openvpn.py
+++ b/src/conf_mode/interface-openvpn.py
@@ -522,9 +522,9 @@ def get_config():
 
 # Route to be pushed to all clients
 if conf.exists('server push-route'):
- network = conf.return_value('server push-route')
- tmp = IPv4Interface(network).with_netmask
- openvpn['server_push_route'] = tmp.replace(r'/', ' ')
+ for network in conf.return_values('server push-route'):
+ tmp = IPv4Interface(network).with_netmask
+ openvpn['server_push_route'].append(tmp.replace(r'/', ' '))
 
 # Reject connections from clients that are not explicitly configured
 if conf.exists('server reject-unconfigured-clients'):
-- cgit v1.2.3
From c4dbaa158c9b5c6e3c4ff3fe2f9f17d095732547 Mon Sep 17 00:00:00 2001
From: hagbard
Date: Wed, 9 Oct 2019 08:14:40 -0700
Subject: ssh - T1719: ssh deprecated options removed * Deprecated option since openssh 7.5 UsePrivilegeSeparation, KeyRegenerationInterval, ServerKeyBits, RSAAuthentication, RhostsRSAAuthentication
---
 src/conf_mode/ssh.py | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
(limited to 'src/conf_mode')
diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py
index 2a5cba99a..e761d75ff 100755
--- a/src/conf_mode/ssh.py
+++ b/src/conf_mode/ssh.py
@@ -37,16 +37,11 @@ HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_dsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
-UsePrivilegeSeparation yes
-KeyRegenerationInterval 3600
-ServerKeyBits 1024
 SyslogFacility AUTH
 LoginGraceTime 120
 StrictModes yes
-RSAAuthentication yes
 PubkeyAuthentication yes
 IgnoreRhosts yes
-RhostsRSAAuthentication no
 HostbasedAuthentication no
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no
@@ -58,7 +53,7 @@ TCPKeepAlive yes
 Banner /etc/issue.net
 Subsystem sftp /usr/lib/openssh/sftp-server
 UsePAM yes
-HostKey /etc/ssh/ssh_host_key
+HostKey /etc/ssh/ssh_host_rsa_key
 
 # Specifies whether sshd should look up the remote host name,
 # and to check that the resolved host name for the remote IP
-- cgit v1.2.3
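Review bot: The rewritten body appends to `openvpn['server_push_route']`, yet this 3-line change is the only edit to interface-openvpn.py in the commit (see its diffstat), so `default_config_data['server_push_route']` must already be a list or the first configured push-route raises AttributeError at commit time; the removed assignment stored a plain string, which suggests the default was presumably `''`. Please confirm that default together with the template that consumes the value, since it now has to iterate a list rather than print a single string. get_config() begins outside the hunk.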
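Review bot: The replacement `HostKey /etc/ssh/ssh_host_rsa_key` in the second ssh.py hunk duplicates the line that already opens the first hunk's context at line 37, so the RSA key is now listed twice; dropping the stale `HostKey /etc/ssh/ssh_host_key` line without a replacement is the cleaner fix. On the same theme, `HostKey /etc/ssh/ssh_host_dsa_key` survives the first hunk even though ssh-dss host keys have been disabled by default since OpenSSH 7.0, and sshd logs a key-load error at every start if that file is absent, so it belongs with the options this commit removes. Both hunks sit inside the sshd_config template string, whose start and end are outside the view.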
From 67221f47d290655b3d587606287489537a132e5c Mon Sep 17 00:00:00 2001
From: Jernej Jakob
Date: Fri, 13 Dec 2019 08:35:25 +0100
Subject: T1873: DHCP: ship our own server init scripts
---
 src/conf_mode/dhcp_server.py | 13 ++---
 src/conf_mode/dhcpv6_server.py | 9 ++--
 src/etc/init.d/isc-dhcpv4-server | 113 +++++++++++++++++++++++++++++++++++++++
 src/etc/init.d/isc-dhcpv6-server | 14 ++--
 4 files changed, 132 insertions(+), 17 deletions(-)
 create mode 100755 src/etc/init.d/isc-dhcpv4-server
(limited to 'src/conf_mode')
diff --git a/src/conf_mode/dhcp_server.py b/src/conf_mode/dhcp_server.py
index c2a188812..bf86e484b 100755
--- a/src/conf_mode/dhcp_server.py
+++ b/src/conf_mode/dhcp_server.py
@@ -28,7 +28,8 @@ from vyos import ConfigError
 
 config_file = r'/etc/dhcp/dhcpd.conf'
 lease_file = r'/config/dhcpd.leases'
-daemon_config_file = r'/etc/default/isc-dhcp-server'
+pid_file = r'/var/run/dhcpd.pid'
+daemon_config_file = r'/etc/default/isc-dhcpv4-server'
 
 # Please be careful if you edit the template.
 config_tmpl = """
@@ -231,10 +232,10 @@ shared-network {{ network.name }} {
 
 daemon_tmpl = """
 ### Autogenerated by dhcp_server.py ###
-# sourced by /etc/init.d/isc-dhcp-server
+# sourced by /etc/init.d/isc-dhcpv4-server
 
-DHCPD_CONF=/etc/dhcp/dhcpd.conf
-DHCPD_PID=/var/run/dhcpd.pid
+DHCPD_CONF={{ config_file }}
+DHCPD_PID={{ pid_file }}
 OPTIONS="-4 -lf {{ lease_file }}"
 INTERFACES=""
 """
@@ -827,7 +828,7 @@ def generate(dhcp):
 def apply(dhcp):
 if (dhcp is None) or dhcp['disabled']:
 # DHCP server is removed in the commit
- os.system('sudo systemctl stop isc-dhcp-server.service')
+ os.system('sudo systemctl stop isc-dhcpv4-server.service')
 if os.path.exists(config_file):
 os.unlink(config_file)
 if os.path.exists(daemon_config_file):
@@ -837,7 +838,7 @@ def apply(dhcp):
 if not os.path.exists(lease_file):
 os.mknod(lease_file)
 
- os.system('sudo systemctl restart isc-dhcp-server.service')
+ os.system('sudo systemctl restart isc-dhcpv4-server.service')
 
 return None
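Review bot: `daemon_tmpl` now reads `{{ config_file }}` and `{{ pid_file }}`, but none of the four hunks to dhcp_server.py puts those module globals into the render context (the diffstat's 13 changed lines are all visible here), and the dhcpv6_server.py template hunk in the next file has the same gap. Unless the existing render call already exposes module globals — which it would have to for `{{ lease_file }}` to work today — Jinja silently renders `DHCPD_CONF=` and `DHCPD_PID=` empty, and the shipped init scripts then fall back to their built-in defaults, masking the mistake. generate() is outside the hunk; if its render takes a dict, `config_file` and `pid_file` need adding to it alongside whatever already supplies `lease_file`.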
diff --git a/src/conf_mode/dhcpv6_server.py b/src/conf_mode/dhcpv6_server.py
index 039321430..44a927789 100755
--- a/src/conf_mode/dhcpv6_server.py
+++ b/src/conf_mode/dhcpv6_server.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2018 VyOS maintainers and contributors
+# Copyright (C) 2018-2019 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -29,6 +29,7 @@ from vyos import ConfigError
 
 config_file = r'/etc/dhcp/dhcpdv6.conf'
 lease_file = r'/config/dhcpdv6.leases'
+pid_file = r'/var/run/dhcpdv6.pid'
 daemon_config_file = r'/etc/default/isc-dhcpv6-server'
 
 # Please be careful if you edit the template.
@@ -115,12 +116,12 @@ shared-network {{ network.name }} {
 """
 
 daemon_tmpl = """
-### Autogenerated by dhcp_server.py ###
+### Autogenerated by dhcpv6_server.py ###
 # sourced by /etc/init.d/isc-dhcpv6-server
 
-DHCPD_CONF=/etc/dhcp/dhcpdv6.conf
-DHCPD_PID=/var/run/dhcpdv6.pid
+DHCPD_CONF={{ config_file }}
+DHCPD_PID={{ pid_file }}
 OPTIONS="-6 -lf {{ lease_file }}"
 INTERFACES=""
 """
diff --git a/src/etc/init.d/isc-dhcpv4-server b/src/etc/init.d/isc-dhcpv4-server
new file mode 100755
index 000000000..377634a13
--- /dev/null
+++ b/src/etc/init.d/isc-dhcpv4-server
@@ -0,0 +1,113 @@
+#!/bin/sh
+#
+#
+
+### BEGIN INIT INFO
+# Provides: isc-dhcpv4-server
+# Required-Start: $remote_fs $network $syslog
+# Required-Stop: $remote_fs $network $syslog
+# Should-Start: $local_fs slapd $named
+# Should-Stop: $local_fs slapd
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: IPv4 DHCP server
+# Description: Dynamic Host Configuration Protocol Server for IPv4
+### END INIT INFO
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+
+test -f /usr/sbin/dhcpd || exit 0
+
+DHCPD_DEFAULT="${DHCPD_DEFAULT:-/etc/default/isc-dhcpv4-server}"
+
+# It is not safe to start if we don't have a default configuration...
+if [ ! -f "$DHCPD_DEFAULT" ]; then
+ echo "$DHCPD_DEFAULT does not exist! - Aborting..."
+ exit 0
+fi
+
+. /lib/lsb/init-functions
+
+# Read init script configuration
+[ -f "$DHCPD_DEFAULT" ] && . "$DHCPD_DEFAULT"
+
+NAME=dhcpd
+DESC="ISC DHCP server"
+# fallback to default config file
+DHCPD_CONF=${DHCPD_CONF:-/etc/dhcp/dhcpd.conf}
+# try to read pid file name from config file, with fallback to /var/run/dhcpd.pid
+if [ -z "$DHCPD_PID" ]; then
+ DHCPD_PID=$(sed -n -e 's/^[ \t]*pid-file-name[ \t]*"(.*)"[ \t]*;.*$/\1/p' < "$DHCPD_CONF" 2>/dev/null | head -n 1)
+fi
+DHCPD_PID="${DHCPD_PID:-/var/run/dhcpd.pid}"
+
+test_config()
+{
+ if ! /usr/sbin/dhcpd -t $OPTIONS -q -cf "$DHCPD_CONF" > /dev/null 2>&1; then
+ echo "dhcpd self-test failed. Please fix $DHCPD_CONF."
+ echo "The error was: "
+ /usr/sbin/dhcpd -t $OPTIONS -cf "$DHCPD_CONF"
+ exit 1
+ fi
+ touch /var/lib/dhcp/dhcpd.leases
+}
+
+# single arg is -v for messages, -q for none
+check_status()
+{
+ if [ ! -r "$DHCPD_PID" ]; then
+ test "$1" != -v || echo "$NAME is not running."
+ return 3
+ fi
+ if read pid < "$DHCPD_PID" && ps -p "$pid" > /dev/null 2>&1; then
+ test "$1" != -v || echo "$NAME is running."
+ return 0
+ else
+ test "$1" != -v || echo "$NAME is not running but $DHCPD_PID exists."
+ return 1
+ fi
+}
+
+case "$1" in
+ start)
+ test_config
+ log_daemon_msg "Starting $DESC" "$NAME"
+ start-stop-daemon --start --quiet --pidfile "$DHCPD_PID" \
+ --exec /usr/sbin/dhcpd -- \
+ -q $OPTIONS -cf "$DHCPD_CONF" -pf "$DHCPD_PID" $INTERFACES
+ sleep 2
+
+ if check_status -q; then
+ log_end_msg 0
+ else
+ log_failure_msg "check syslog for diagnostics."
+ log_end_msg 1
+ exit 1
+ fi
+ ;;
+ stop)
+ log_daemon_msg "Stopping $DESC" "$NAME"
+ start-stop-daemon --stop --quiet --pidfile "$DHCPD_PID"
+ log_end_msg $?
+ rm -f "$DHCPD_PID"
+ ;;
+ restart | force-reload)
+ test_config
+ $0 stop
+ sleep 2
+ $0 start
+ if [ "$?" != "0" ]; then
+ exit 1
+ fi
+ ;;
+ status)
+ echo -n "Status of $DESC: "
+ check_status -v
+ exit "$?"
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart|force-reload|status}"
+ exit 1
+esac
+
+exit 0
diff --git a/src/etc/init.d/isc-dhcpv6-server b/src/etc/init.d/isc-dhcpv6-server
index 441827d5f..55f59b68e 100755
--- a/src/etc/init.d/isc-dhcpv6-server
+++ b/src/etc/init.d/isc-dhcpv6-server
@@ -31,15 +31,15 @@ fi
 # Read init script configuration
 [ -f "$DHCPD_DEFAULT" ] && . "$DHCPD_DEFAULT"
 
-NAME=dhcpd
-DESC="ISC DHCP server"
+NAME=dhcpdv6
+DESC="ISC DHCP server IPv6"
 # fallback to default config file
-DHCPD_CONF=${DHCPD_CONF:-/etc/dhcp/dhcpd.conf}
-# try to read pid file name from config file, with fallback to /var/run/dhcpd.pid
+DHCPD_CONF=${DHCPD_CONF:-/etc/dhcp/dhcpdv6.conf}
+# try to read pid file name from config file, with fallback to /var/run/dhcpdv6.pid
 if [ -z "$DHCPD_PID" ]; then
 DHCPD_PID=$(sed -n -e 's/^[ \t]*pid-file-name[ \t]*"(.*)"[ \t]*;.*$/\1/p' < "$DHCPD_CONF" 2>/dev/null | head -n 1)
 fi
-DHCPD_PID="${DHCPD_PID:-/var/run/dhcpd.pid}"
+DHCPD_PID="${DHCPD_PID:-/var/run/dhcpdv6.pid}"
 
 test_config()
 {
@@ -49,7 +49,7 @@ test_config()
 /usr/sbin/dhcpd -t $OPTIONS -cf "$DHCPD_CONF"
 exit 1
 fi
- touch /var/lib/dhcp/dhcpd.leases
+ touch /var/lib/dhcp/dhcpdv6.leases
 }
 
 # single arg is -v for messages, -q for none
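Review bot: The pidfile fallback inside the `if [ -z "$DHCPD_PID" ]` block of the new isc-dhcpv4-server script can never match: sed runs in basic regex mode, where `"(.*)"` matches literal parentheses and defines no group, so GNU sed rejects the `\1` in the replacement as an invalid reference, and with stderr sent to /dev/null the command silently yields nothing and the hardcoded default wins. The group needs escaping, `'s/^[ \t]*pid-file-name[ \t]*"\(.*\)"[ \t]*;.*$/\1/p'`; the identical line survives as context in the isc-dhcpv6-server hunk below. Separately, the `stop)` branch calls `start-stop-daemon --stop --quiet --pidfile "$DHCPD_PID"` with no process identity, so a stale pidfile whose PID has since been reused by an unrelated process would have that process signalled; adding `--exec /usr/sbin/dhcpd`, as the start branch already does, confines the stop to dhcpd.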
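Review bot: `touch /var/lib/dhcp/dhcpdv6.leases` in test_config creates a file the daemon never opens: the defaults file generated by dhcpv6_server.py passes `OPTIONS="-6 -lf {{ lease_file }}"` with `lease_file = r'/config/dhcpdv6.leases'`, so the real lease file lives under /config. The new isc-dhcpv4-server script carries the same mismatch between /var/lib/dhcp/dhcpd.leases and /config/dhcpd.leases. Since dhcp_server.py's apply() already creates its lease file with os.mknod (and dhcpv6_server.py presumably does the same), the touch can be dropped, or else derived from the `-lf` value in `$OPTIONS`. test_config's opening lines are outside the hunk.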
@@ -107,7 +107,7 @@ case "$1" in
 ;;
 *)
 echo "Usage: $0 {start|stop|restart|force-reload|status}"
- exit 1
+ exit 1
 esac
 
 exit 0
-- cgit v1.2.3