<feed xmlns='http://www.w3.org/2005/Atom'>
<title>libpam-radius-auth.git/debian/radius-shell.install, branch crux</title>
<subtitle>Updated libpam-radius-auth package for user level auth in radius (mirror of https://github.com/vyos/libpam-radius-auth.git)
</subtitle>
<id>https://git.amelek.net/vyos/libpam-radius-auth.git/atom?h=crux</id>
<link rel='self' href='https://git.amelek.net/vyos/libpam-radius-auth.git/atom?h=crux'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libpam-radius-auth.git/'/>
<updated>2018-04-13T22:04:03+00:00</updated>
<entry>
<title>Add a new package radius-shell with a setcap radius_shell front end</title>
<updated>2018-04-13T22:04:03+00:00</updated>
<author>
<name>Dave Olson</name>
<email>olson@cumulusnetworks.com</email>
</author>
<published>2018-04-13T06:57:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libpam-radius-auth.git/commit/?id=acc77c4757775bb7689ba769465951a65523db75'/>
<id>urn:sha1:acc77c4757775bb7689ba769465951a65523db75</id>
<content type='text'>
Ticket: CM-19457
Reviewed By: nobody
Testing Done: multiple logins, separately and simultaneously

Because we can't determine privilege level separately and up front with
the RADIUS protocol, unlike TACACS+, we wind up with all logins as the
same unprivileged radius uid.  But we can set the auid (accounting or
auditing uid) correctly, and a separate setcap radius_shell can be set as
the login shell, and can fix up the uid before running /bin/bash.

To set the auid correctly, we need to know the privileged radius user
account.  Added mapped_priv_user to the configuration file to handle
that.  mapped_priv_user has to match the account used by libnss-mapuser.
That's a bit ugly, but a common config file would be uglier.

The radius shell is in a new package, since it has binaries. The new
package is radius-shell.  In its post actions, it changes the radius
users' shell to radius_shell if they are present, and back to /bin/bash
on package removal.  It uses capabilities, tries to be very restrictive
in what it changes, and depends on being installed setcap cap_setuid.

Make the existing libpam-radius-auth package depend on radius-shell, so
it will pull in the new package on upgrades.

Also fixed another issue with reparsing a changed config file: have to
handle the case where there were servers defined, but there aren't any longer.
</content>
</entry>
</feed>
