From b1bb4dcc8dd9d08e0845ecd4c568511e61c594d1 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Thu, 30 Jan 2020 21:45:51 +0100
Subject: login: T1948: initial support for RADIUS configuration
---
 src/conf_mode/system-login.py | 47 ++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 44 insertions(+), 3 deletions(-)
(limited to 'src')
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 8aa3991fd..3d29010b9 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -16,6 +16,7 @@
 import sys
 import os
+import jinja2
 from pwd import getpwall, getpwnam
 from grp import getgrnam
@@ -26,6 +27,21 @@
 from vyos.config import Config
 from vyos.configdict import list_diff
 from vyos import ConfigError
+radius_config_file = "/etc/pam_radius_auth.conf"
+radius_config_tmpl = """
+# Automatically generated by VyOS
+# RADIUS configuration file
+# server[:port] shared_secret timeout (s) source_ip
+{% if radius_server -%}
+{% for s in radius_server -%}
+{{ s.address }}:{{ s.port }} {{ s.key }} {{ s.timeout }} {% if radius_source -%}{{ radius_source }}{% endif %}
+{% endfor -%}
+
+priv-lvl 15
+mapped_priv_user radius_priv_user
+{% endif %}
+
+"""
 default_config_data = {
 'deleted': False,
@@ -152,7 +168,6 @@ def get_config():
 return login
 def verify(login):
- pass
 def generate(login):
@@ -186,7 +201,7 @@ def generate(login):
 if not os.path.isdir(key_dir):
 os.mkdir(key_dir)
 os.chown(key_dir, uid, gid)
- os.chmod(key_dir, S_IRWXU|S_IRGRP|S_IXGRP)
+ os.chmod(key_dir, S_IRWXU | S_IRGRP | S_IXGRP)
 key_file = key_dir + '/authorized_keys';
 with open(key_file, 'w') as f:
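Review bot: In the `radius_config_tmpl` hunk the server line renders `{{ s.port }}` and `{{ s.timeout }}` unconditionally, while the header comment directly above it documents the port as optional (`server[:port]`); unless get_config (outside this diff) fills in a default for every server entry, a server without a port renders as `address: key timeout`, which is not the documented format. Either state in the template comment that port and timeout are always supplied by get_config, or guard the port in the template: `{{ s.address }}{% if s.port %}:{{ s.port }}{% endif %} {{ s.key }} {{ s.timeout }} …`. The `{% if radius_server -%}` wrapper also duplicates the `len(login['radius_server']) > 0` check that generate performs before rendering, so one of the two guards could be dropped.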
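Review bot: In the `@@ -152,7 +168,6 @@` hunk, removing `pass` leaves `def verify(login):` with no body at all, which is an IndentationError the moment the module is imported, so none of the other changes in this commit can run; the hunk adds no replacement line and the diffstat (3 deletions, no insertion in this hunk) confirms it. Keep `pass` until the function has real content, or better, give it the validation this commit needs: iterate `login['radius_server']` and `raise ConfigError(...)` for any entry whose `address` or `key` is missing, since the new template renders both unconditionally. verify's callers are outside this hunk.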
@@ -202,7 +217,23 @@ def generate(login):
 f.write(line)
 os.chown(key_file, uid, gid)
- os.chmod(key_file, S_IRUSR|S_IWUSR)
+ os.chmod(key_file, S_IRUSR | S_IWUSR)
+
+ #
+ # RADIUS
+ #
+ if len(login['radius_server']) > 0:
+ tmpl = jinja2.Template(radius_config_tmpl)
+ config_text = tmpl.render(login)
+ with open(radius_config_file, 'w') as f:
+ f.write(config_text)
+
+ uid = getpwnam('root').pw_uid
+ gid = getpwnam('root').pw_gid
+ os.chown(radius_config_file, uid, gid)
+ os.chmod(radius_config_file, S_IRUSR | S_IWUSR)
+ else:
+ os.unlink(radius_config_file)
 pass
@@ -241,6 +272,16 @@ def apply(login):
 except Exception as e:
 print('Deleting user "{}" raised an exception'.format(user))
+ #
+ # RADIUS
+ #
+ if len(login['radius_server']) > 0:
+ # Enable RADIUS in PAM
+ os.system("DEBIAN_FRONTEND=noninteractive pam-auth-update --package --enable radius")
+ else:
+ # Disable RADIUS in PAM
+ os.system("DEBIAN_FRONTEND=noninteractive pam-auth-update --package --remove radius")
+
 pass
 if __name__ == '__main__':
--
cgit v1.2.3
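Review bot: The rendered `config_text` carries the RADIUS shared secrets, yet it is written through `open(radius_config_file, 'w')` and only afterwards restricted by `os.chmod(radius_config_file, S_IRUSR | S_IWUSR)`, so on first creation the file exists with umask-derived permissions (commonly readable by others) for the whole write window; create it with the restrictive mode from the start via `os.open(..., os.O_WRONLY | os.O_CREAT | os.O_TRUNC, S_IRUSR | S_IWUSR)` and keep the chmod so a pre-existing file is tightened too. The `else` branch calls `os.unlink(radius_config_file)` unconditionally, which raises FileNotFoundError whenever no server is configured and the file was never created, i.e. on any commit of a system without RADIUS; guard it with `os.path.exists`. `login['radius_server']` is assumed to be seeded in `default_config_data` (outside this hunk), otherwise the `len()` call raises KeyError — worth confirming. generate's body begins before this hunk.
```python
    if len(login['radius_server']) > 0:
        tmpl = jinja2.Template(radius_config_tmpl)
        config_text = tmpl.render(login)
        # Create with 0600 from the start: the file carries the RADIUS
        # shared secrets and must not be readable by other users, even
        # briefly before the chmod below.
        fd = os.open(radius_config_file,
                     os.O_WRONLY | os.O_CREAT | os.O_TRUNC,
                     S_IRUSR | S_IWUSR)
        with os.fdopen(fd, 'w') as f:
            f.write(config_text)

        # … unchanged: chown to root and chmod to S_IRUSR | S_IWUSR …
    else:
        # No RADIUS server configured: remove a stale file only if it exists
        if os.path.exists(radius_config_file):
            os.unlink(radius_config_file)
```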
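Review bot: In the `@@ -241,6 +272,16 @@` hunk both `os.system(...)` return codes are discarded, so a failing `pam-auth-update` (package missing, profile broken) leaves the PAM stack out of step with the committed configuration and no error ever reaches the commit. Run the command through subprocess with an argument list and `check=True` (or test the `os.system` result and `raise ConfigError(...)`), passing the environment via `env=` instead of a shell prefix: `action = '--enable' if len(login['radius_server']) > 0 else '--remove'` / `subprocess.run(['pam-auth-update', '--package', action, 'radius'], env=dict(os.environ, DEBIAN_FRONTEND='noninteractive'), check=True)`; this needs a `subprocess` import unless the file already has one, which is not visible here. A one-line comment stating that generate owns the config file while apply owns the PAM profile would also help the next reader understand why the `radius_server` check appears in both functions.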