authorStephen Hemminger <stephen.hemminger@vyatta.com>2009-10-27 16:33:53 -0700
committerStephen Hemminger <stephen.hemminger@vyatta.com>2009-10-27 18:52:28 -0700
commitc59ee6a1997c03729af1b677a07d786bc44f5e9f (patch)
treef050ab01d63dbaf6a88f6595b6d4b84bb26bf735
parent5d2999ffb3a93966091c095cc85446ec62834c0f (diff)
downloadvyatta-cfg-quagga-c59ee6a1997c03729af1b677a07d786bc44f5e9f.tar.gz
vyatta-cfg-quagga-c59ee6a1997c03729af1b677a07d786bc44f5e9f.zip
Use pam-auth-update to configure radius
This keeps radius from fighting with tacacs+
-rw-r--r--Makefile.am2
-rw-r--r--debian/vyatta-cfg-system.postinst.in5
-rw-r--r--lib/Vyatta/Login/RadiusServer.pm33
-rw-r--r--sysconf/pam-radius10
4 files changed, 18 insertions, 32 deletions
diff --git a/Makefile.am b/Makefile.am
index 00327c24..3065b533 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -65,6 +65,7 @@ sysconf_DATA += sysconf/securetty
sysconf_DATA += sysconf/vyatta-sysctl.conf
sysconf_DATA += sysconf/blacklist.DSA-1024
sysconf_DATA += sysconf/blacklist.RSA-2048
+sysconf_DATA += sysconf/pam-radius
libudev_SCRIPTS = scripts/vyatta_net_name
etcudev_DATA = sysconf/vyatta-net.rules
@@ -78,4 +79,3 @@ cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \
install-exec-hook:
mkdir -p $(DESTDIR)$(cfgdir)
cd templates; $(cpiop) $(DESTDIR)$(cfgdir)
-
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 1a9f0bd5..730815f6 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -115,6 +115,7 @@ EOF
cp $sysconfdir/$f /etc/$f
fi
done
+
fi
# update crontab for logrotate
@@ -124,6 +125,7 @@ rm /etc/crontab
mv /etc/crontab.$$ /etc/crontab
crontab /etc/crontab
+
# create needed directories
mkdir -p /var/log/user
@@ -144,6 +146,9 @@ update-rc.d -f ssh remove >/dev/null
# for password
sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login
+# Install pamradius config (should come with radius client eventually)
+cp $sysconfdir/pam-radius /usr/share/pam-configs/radius
+
[ grep "blacklist.*snd-pcsp" >&/dev/null ] || echo "blacklist snd-pcsp" >>/etc/modprobe.d/blacklist
#
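Review bot: The `cp` on the added line targets `/usr/share/pam-configs/radius` without the `$rootfsdir` prefix that the `sed` two lines above applies to `/etc/pam.d/login`, and its exit status is not checked, so if `/usr/share/pam-configs` does not exist yet (it belongs to libpam-runtime) the failure only surfaces later when `pam-auth-update --add radius` cannot find the profile. Whether `$rootfsdir` should prefix this path too is not visible from the hunk and worth confirming against the rest of the postinst. Consider `install -D -m 0644 "$sysconfdir/pam-radius" /usr/share/pam-configs/radius || exit 1`, which creates the parent directory, pins the mode, and makes the failure explicit whether or not the script runs under `set -e`. The comment "should come with radius client eventually" would be clearer as `# Install the pam-auth-update profile for pam_radius_auth; drop this once libpam-radius-auth ships its own profile`.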
diff --git a/lib/Vyatta/Login/RadiusServer.pm b/lib/Vyatta/Login/RadiusServer.pm
index 2dadd2bb..820f6da2 100644
--- a/lib/Vyatta/Login/RadiusServer.pm
+++ b/lib/Vyatta/Login/RadiusServer.pm
@@ -27,41 +27,12 @@ my $PAM_RAD_TMP = "/tmp/pam_radius_auth.$$";
my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers';
my $PAM_RAD_END = '# END Vyatta Radius servers';
-sub is_pam_radius_present {
- open( my $auth, '<', '/etc/pam.d/common-auth' )
- or die "Cannot open /etc/pam.d/common-auth\n";
- my $present = grep { /\ssufficient\spam_radius_auth\.so$/ } <$auth>;
- close $auth;
- return $present;
-}
-
sub remove_pam_radius {
- return 1 if ( !is_pam_radius_present() );
- my $cmd =
- 'sudo sh -c "'
- . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d;'
- . '/\tpam_unix\.so /{s/ use_first_pass$//}\' '
- . '/etc/pam.d/common-auth && '
- . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d\' '
- . '/etc/pam.d/common-account"';
- system($cmd);
- return 0 if ( $? >> 8 );
- return 1;
+ return system('sudo pam-auth-update --package --remove radius') == 0;
}
sub add_pam_radius {
- return 1 if ( is_pam_radius_present() );
- my $cmd =
- 'sudo sh -c "'
- . 'sed -i \'s/^\(auth\trequired\tpam_unix\.so.*\)$'
- . '/auth\tsufficient\tpam_radius_auth.so\n\1 use_first_pass/\' '
- . '/etc/pam.d/common-auth && '
- . 'sed -i \'s/^\(account\trequired\tpam_unix\.so.*\)$'
- . '/account\tsufficient\tpam_radius_auth.so\n\1/\' '
- . '/etc/pam.d/common-account"';
- system($cmd);
- return 0 if ( $? >> 8 );
- return 1;
+ return system('sudo pam-auth-update --package --add radius') == 0;
}
sub update {
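Review bot: Both new one-liners in remove_pam_radius and add_pam_radius collapse the outcome to `system(...) == 0` and discard the diagnostic, so a failed exec (system() returns -1 when sudo or pam-auth-update cannot be run) is indistinguishable from pam-auth-update rejecting the change, and nothing is logged either way; the caller, `update`, begins at the last line of the hunk and continues outside it, so I cannot see how it reports the false return. Suggest the list form with a warning on failure: `my $rc = system('sudo', 'pam-auth-update', '--package', '--add', 'radius');` / `warn "pam-auth-update --add radius failed: $?\n" if $rc != 0;` / `return $rc == 0;` (mirrored with `--remove` in remove_pam_radius). A short comment on each sub would also help the next reader, e.g. `# Enable the "radius" pam-auth-update profile non-interactively (--package); idempotent, so no presence check is needed`. Note that `$PAM_RAD_TMP`, `$PAM_RAD_BEGIN` and `$PAM_RAD_END` remain declared above the removed is_pam_radius_present; if they were only used by the deleted sed-based code they can go too.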
diff --git a/sysconf/pam-radius b/sysconf/pam-radius
new file mode 100644
index 00000000..455bcd9c
--- /dev/null
+++ b/sysconf/pam-radius
@@ -0,0 +1,10 @@
+Name: Radius authentication
+Default: no
+Priority: 512
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_radius_auth.so try_first_pass
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_radius_auth.so try_first_pass
+
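Review bot: The `Account:` stanza passes `try_first_pass` to pam_radius_auth.so, but that option only has meaning in the auth stage (reuse of a previously entered password); in the account stack it is inert at best and should be dropped so the profile does not suggest behaviour it cannot have, leaving `[success=end new_authtok_reqd=done default=ignore] pam_radius_auth.so`. The `Priority: 512` value determines ordering relative to the other Primary profiles (pam_unix and, per the commit message, tacacs+); a one-line comment stating the intended order would make that choice reviewable, since a profile file cannot carry it otherwise this could go in the RadiusServer.pm comment. `Default: no` is the right choice here because the profile is meant to be enabled only through the explicit `pam-auth-update --package --add radius` call.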