<feed xmlns='http://www.w3.org/2005/Atom'>
<title>libpam-radius-auth.git/src, branch sagitta</title>
<subtitle>Updated libpam-radius-auth package for user level auth in radius (mirror of https://github.com/vyos/libpam-radius-auth.git)
</subtitle>
<id>https://git.amelek.net/vyos/libpam-radius-auth.git/atom?h=sagitta</id>
<link rel='self' href='https://git.amelek.net/vyos/libpam-radius-auth.git/atom?h=sagitta'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libpam-radius-auth.git/'/>
<updated>2023-02-24T14:43:54+00:00</updated>
<entry>
<title>PAM: T4943: Replaced shell from bash to vbash</title>
<updated>2023-02-24T14:43:54+00:00</updated>
<author>
<name>zsdc</name>
<email>taras@vyos.io</email>
</author>
<published>2023-02-24T14:43:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libpam-radius-auth.git/commit/?id=0b995934b6f5b52523e056921740d6e0749d59fd'/>
<id>urn:sha1:0b995934b6f5b52523e056921740d6e0749d59fd</id>
<content type='text'>
This change was lost after cf571ca6c722d3d2b0c359dddf835a3f406b194b
</content>
</entry>
<entry>
<title>debian: T5003: Fix GCC build issue on Bookworm</title>
<updated>2023-02-20T15:12:51+00:00</updated>
<author>
<name>sarthurdev</name>
<email>965089+sarthurdev@users.noreply.github.com</email>
</author>
<published>2023-02-20T15:12:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libpam-radius-auth.git/commit/?id=5990bdd349953796bfcad8a58ebb547fdd72312f'/>
<id>urn:sha1:5990bdd349953796bfcad8a58ebb547fdd72312f</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Update package to 1.5.0-cl3u7</title>
<updated>2021-05-02T16:13:57+00:00</updated>
<author>
<name>Christian Poessinger</name>
<email>christian@poessinger.com</email>
</author>
<published>2021-05-02T16:13:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libpam-radius-auth.git/commit/?id=cf571ca6c722d3d2b0c359dddf835a3f406b194b'/>
<id>urn:sha1:cf571ca6c722d3d2b0c359dddf835a3f406b194b</id>
<content type='text'>
</content>
</entry>
<entry>
<title>login-radius: T2478: Use source-address as NAS-IP-Address if defined</title>
<updated>2020-05-25T15:42:09+00:00</updated>
<author>
<name>DmitriyEshenko</name>
<email>dmitriy.eshenko@vyos.io</email>
</author>
<published>2020-05-25T15:42:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libpam-radius-auth.git/commit/?id=488621e38b798d4d633180eb430f7cb3ee787a07'/>
<id>urn:sha1:488621e38b798d4d633180eb430f7cb3ee787a07</id>
<content type='text'>
</content>
</entry>
<entry>
<title>use restricted shell for operator users</title>
<updated>2018-05-25T13:13:41+00:00</updated>
<author>
<name>Kim Hagen</name>
<email>kim.sidney@gmail.com</email>
</author>
<published>2018-05-25T13:13:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libpam-radius-auth.git/commit/?id=84e78a4150ff451a96e8089ed6d762cadab79463'/>
<id>urn:sha1:84e78a4150ff451a96e8089ed6d762cadab79463</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Revert "Do not include config file"</title>
<updated>2018-05-24T13:14:21+00:00</updated>
<author>
<name>Kim</name>
<email>khagen@jessiedevel</email>
</author>
<published>2018-05-24T13:14:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libpam-radius-auth.git/commit/?id=ff7ea358fa9e5703858e4a7e3241fea35e0166cf'/>
<id>urn:sha1:ff7ea358fa9e5703858e4a7e3241fea35e0166cf</id>
<content type='text'>
This reverts commit 80ec9b746124ca540faeac332131a7833a08b14c.
</content>
</entry>
<entry>
<title>Do not include config file</title>
<updated>2018-05-17T20:52:01+00:00</updated>
<author>
<name>UnicronNL</name>
<email>kim.sidney@gmail.com</email>
</author>
<published>2018-05-17T20:52:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libpam-radius-auth.git/commit/?id=80ec9b746124ca540faeac332131a7833a08b14c'/>
<id>urn:sha1:80ec9b746124ca540faeac332131a7833a08b14c</id>
<content type='text'>
Use vbash instead of bash
Only change shell for priv user
</content>
</entry>
<entry>
<title>Fixed incredibly stupid radius_shell bug where I forgot about args &gt; 1</title>
<updated>2018-04-15T21:39:26+00:00</updated>
<author>
<name>Dave Olson</name>
<email>olson@cumulusnetworks.com</email>
</author>
<published>2018-04-15T21:39:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libpam-radius-auth.git/commit/?id=91ae2ae210f9cf530038d071db41e3da574e092d'/>
<id>urn:sha1:91ae2ae210f9cf530038d071db41e3da574e092d</id>
<content type='text'>
Ticket: CM-20606
Reviewed By: nobody
Testing Done: ran my own tests, and the automated radius tests

All the shells need to accept -c someargument, for 'su -c'
non-interactive shell, etc.

Fixed by adjusting args[0], and using execv instead of execl.

Passes regular radius automated tests again.
</content>
</entry>
<entry>
<title>Add a new package radius-shell with a setcap radius_shell front end</title>
<updated>2018-04-13T22:04:03+00:00</updated>
<author>
<name>Dave Olson</name>
<email>olson@cumulusnetworks.com</email>
</author>
<published>2018-04-13T06:57:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libpam-radius-auth.git/commit/?id=acc77c4757775bb7689ba769465951a65523db75'/>
<id>urn:sha1:acc77c4757775bb7689ba769465951a65523db75</id>
<content type='text'>
Ticket: CM-19457
Reviewed By: nobody
Testing Done:  multiple logins, separately and simultaneously

Because we can't determine privilege level separately and up front with
the RADIUS protocol, unlike TACACS+, we wind up with all logins as the
same unprivileged radius uid.  But we can set the auid (accounting or
auditing uid) correctly, and a separate setcap radius_shell can be set as
the login shell, and can fixup the uid before running /bin/bash.

To set the auid correctly, we need to know the privileged radius user
account.  Added mapped_priv_user to the configuration file to handle
that.  mapped_priv_user has to match the account used by libnss-mapuser.
That's a bit ugly, but a common config file would be uglier.

The radius shell is in a new package, since it has binaries. The new
package is radius-shell.  In its post actions, it changes the radius
users' shell to radius_shell if they are present, and back to /bin/bash
on package removal.  It uses capabilities, tries to be very restrictive
in what it changes, and depends on being installed setcap cap_setuid.

Make the existing libpam-radius-auth package depend on radius-shell, so
it will pull in the new package on upgrades.

Also fixed another issue with reparsing changed config file, have to
handle case where there were servers defined, but aren't any longer.
</content>
</entry>
<entry>
<title>Fixed problem with 2nd config init, when no servers in config file</title>
<updated>2018-04-06T22:50:09+00:00</updated>
<author>
<name>Dave Olson</name>
<email>olson@cumulusnetworks.com</email>
</author>
<published>2018-04-06T22:47:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/libpam-radius-auth.git/commit/?id=a0d0d2fb1b321d65425951fc70f5c42c2dcfda41'/>
<id>urn:sha1:a0d0d2fb1b321d65425951fc70f5c42c2dcfda41</id>
<content type='text'>
Ticket: CM-20454
Reviewed By: nobody

My code to avoid redoing all the config didn't work right when
re-entered with no server listed in the config file.  The result
was I'd return an error the first time, and success the 2nd-Nth
times, and then later code would try to dereference the NULL pointer
server list, and segv in login or sshd, etc.

Redid the logic in initialize() to fix that.
</content>
</entry>
</feed>
