Split up system login scripts

1. User and Radius separate scripts 2. Tacacs (incomplete) moved to separate package
author: Stephen Hemminger <stephen.hemminger@vyatta.com> 2009-05-05 13:42:51 -0700
committer: Stephen Hemminger <stephen.hemminger@vyatta.com> 2009-05-05 13:42:51 -0700
commit: 3591ae5310a40b457baecde3ab1b06182893f25b (patch)
tree: 73fe7153236a98ef47bbcf60e0cfa49f8002a9d3 /scripts/system
parent: d26620bb8534591c1678e8087b0fc809d33fc67f (diff)
download: vyatta-cfg-quagga-3591ae5310a40b457baecde3ab1b06182893f25b.tar.gz
vyatta-cfg-quagga-3591ae5310a40b457baecde3ab1b06182893f25b.zip
2 files changed, 120 insertions, 200 deletions
diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl
index a28224f8..d482c297 100755
--- a/scripts/system/vyatta_update_login.pl
+++ b/scripts/system/vyatta_update_login.pl
@@ -31,10 +31,8 @@ if (   ( scalar(@user_keys) <= 0 )
     || !( grep /^root$/, @user_keys )
     || ( $users{'root'} eq 'deleted' ) )
 {
-
     # root is deleted
-    print STDERR "User \"root\" cannot be deleted\n";
-    exit 1;
+    die "User \"root\" cannot be deleted\n";
 }
 
 # Exit codes form useradd.8 man page
@@ -127,201 +125,4 @@ for my $user (@user_keys) {
     }
 }
 
-## setup tacacs+ server info
-# add tacacs to PAM file
-sub add_tacacs {
-    my $param_string = shift;
-    my $pam = shift;
-
-    my $cmd =
-        'sudo sh -c "'
-      . 'sed -i \'s/^\('
-      . "$pam"
-      . '\trequired\tpam_unix\.so.*\)$/'
-      . "$pam"
-      . '\tsufficient\tpam_tacplus.so\t'
-      . "$param_string # Vyatta"
-      . '\n\1/\' '
-      . "/etc/pam.d/common-$pam\"";
-
-    system($cmd);
-    return 0 if ( $? >> 8 );
-    return 1;
-}
-
-# remove tacacs from PAM files
-sub remove_tacacs {
-    my $cmd =
-        'sudo sh -c "'
-      . 'sed -i \'/\(.*pam_tacplus.*# Vyatta\)/ D\' '
-      . '/etc/pam.d/common-auth '
-      . '/etc/pam.d/common-account '
-      . '/etc/pam.d/common-session "';
-
-    system($cmd);
-    return 0 if ($? >> 8);
-    return 1;
-}
-
-# main tacacs
-# There is a race confition in here betwen radius and tacacs currently.
-# Also should probably add a chack to see if we ned to actually reconfig 
-# PAM rather than jusy doing it each commit.
-# Finally, service and protocol will need to be removed.  They are just 
-# in there for troubleshootig purposes right now.
-#
-my $tconfig = new Vyatta::Config;
-if ($tconfig->isDeleted("system login tacacs-plus")) { remove_tacacs; }
-$tconfig->setLevel("system login tacacs-plus");
-my @tacacs_params = $tconfig->listNodes();
-
-if ( scalar(@tacacs_params) > 0 ) {
-    remove_tacacs;
-    my ($acctall, $debug, $firsthit, $noencrypt);
-    if ( $tconfig->exists("acct-all") ) { $acctall = 1; }
-    if ( $tconfig->exists("debug") ) { $debug = 1; }
-    if ( $tconfig->exists("first-hit") ) { $firsthit = 1; }
-    if ( $tconfig->exists("no-encrypt") ) { $noencrypt = 1; }
-    my $protocol = $tconfig->returnValue("protocol");
-    my $secret = $tconfig->returnValue("secret");
-    my $server = $tconfig->returnValue("server");
-    my $service = $tconfig->returnValue("service");
-
-    if ( $server ne '' && $secret ne '') {
-      my ($authstr, $accountstr, $sessionstr, $ip);
-      my @servers = split /\s/, $server;
-
-      ## 3 common options
-      # encrypt this session
-      if (! $noencrypt ) { $authstr = "encrypt "; }
-      # single secret
-      $authstr .= "secret=$secret ";
-      # and debug
-      if ($debug) { $authstr .= "debug "; }
-
-      ## now they get specific
-      $accountstr = $sessionstr = $authstr;
-
-      # can be multiple servers for auth and session
-      foreach my $ip (@servers) {
-        $authstr    .= "server=$ip ";
-        $sessionstr .= "server=$ip ";
-      }
-
-      # first hit for auth
-      if ($firsthit) { $authstr .= "firsthit "; }
-
-      # acctall for session
-      if ($acctall) { $sessionstr .= "acctall "; }
-
-      # service and protocol for account and session
-      if ($service)  { $accountstr .= "service=$service "; $sessionstr .= "service=$service "; }
-      if ($protocol) { $accountstr .= "protocol=$protocol "; $sessionstr .= "protocol=$protocol "; }
-
-      add_tacacs("$authstr", "auth");
-      add_tacacs("$accountstr", "account");
-      add_tacacs("$sessionstr", "session");
-    }
-    else { exit 1; }
-}
-## end tacacs
-
-my $PAM_RAD_CFG   = '/etc/pam_radius_auth.conf';
-my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers';
-my $PAM_RAD_END   = '# END Vyatta Radius servers';
-
-sub is_pam_radius_present {
-    open( my $auth , '<' , '/etc/pam.d/common-auth' ) 
-	or die "Cannot open /etc/pam.d/common-auth\n";
-
-    my $present;
-    while (<$auth>) {
-        if (/\ssufficient\spam_radius_auth\.so$/) {
-            $present = 1;
-            last;
-        }
-    }
-    close $auth;
-    return $present;
-}
-
-sub remove_pam_radius {
-    return 1 if ( !is_pam_radius_present() );
-    my $cmd =
-        'sudo sh -c "'
-      . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d;'
-      . '/\tpam_unix\.so /{s/ use_first_pass$//}\' '
-      . '/etc/pam.d/common-auth && '
-      . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d\' '
-      . '/etc/pam.d/common-account"';
-    system($cmd);
-    return 0 if ( $? >> 8 );
-    return 1;
-}
-
-sub add_pam_radius {
-    return 1 if ( is_pam_radius_present() );
-    my $cmd =
-        'sudo sh -c "'
-      . 'sed -i \'s/^\(auth\trequired\tpam_unix\.so.*\)$'
-      . '/auth\tsufficient\tpam_radius_auth.so\n\1 use_first_pass/\' '
-      . '/etc/pam.d/common-auth && '
-      . 'sed -i \'s/^\(account\trequired\tpam_unix\.so.*\)$'
-      . '/account\tsufficient\tpam_radius_auth.so\n\1/\' '
-      . '/etc/pam.d/common-account"';
-    system($cmd);
-    return 0 if ( $? >> 8 );
-    return 1;
-}
-
-sub remove_radius_servers {
-    system( "sudo sed -i '/^$PAM_RAD_BEGIN\$/,/^$PAM_RAD_END\$/{d}' "
-          . "$PAM_RAD_CFG" );
-    return 0 if ( $? >> 8 );
-    return 1;
-}
-
-sub add_radius_servers {
-    my $str = shift;
-    system( "sudo sh -c \""
-          . "echo '$PAM_RAD_BEGIN\n$str$PAM_RAD_END\n' >> $PAM_RAD_CFG\"" );
-    return 0 if ( $? >> 8 );
-    return 1;
-}
-
-# handle "radius-server"
-my $rconfig = new Vyatta::Config;
-$rconfig->setLevel("system login radius-server");
-my %servers     = $rconfig->listNodeStatus();
-my @server_keys = sort keys %servers;
-if ( scalar(@server_keys) <= 0 ) {
-
-    # all radius servers deleted
-    exit 1 if ( !remove_pam_radius() );
-    exit 0;
-}
-
-# we have some servers
-my $all_deleted = 1;
-my $server_str  = '';
-remove_radius_servers();
-for my $server (@server_keys) {
-    if ( $servers{$server} ne 'deleted' ) {
-        $all_deleted = 0;
-        my $port    = $rconfig->returnValue("$server port");
-        my $secret  = $rconfig->returnValue("$server secret");
-        my $timeout = $rconfig->returnValue("$server timeout");
-        $server_str .= "$server:$port\t$secret\t$timeout\n";
-    }
-}
-
-if ($all_deleted) {
-
-    # all radius servers deleted
-    exit 1 if ( !remove_pam_radius() );
-} else {
-    exit 1 if ( !add_radius_servers($server_str) );
-    exit 1 if ( !add_pam_radius() );
-}
-
 exit 0;
diff --git a/scripts/system/vyatta_update_radius.pl b/scripts/system/vyatta_update_radius.pl
new file mode 100644
index 00000000..69e605da
--- /dev/null
+++ b/scripts/system/vyatta_update_radius.pl
@@ -0,0 +1,119 @@
+#!/usr/bin/perl
+
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc.
+# All Rights Reserved.
+#
+# **** End License ****
+
+use strict;
+use lib "/opt/vyatta/share/perl5";
+use Vyatta::Config;
+
+my $PAM_RAD_CFG   = '/etc/pam_radius_auth.conf';
+my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers';
+my $PAM_RAD_END   = '# END Vyatta Radius servers';
+
+sub is_pam_radius_present {
+    open( my $auth , '<' , '/etc/pam.d/common-auth' ) 
+	or die "Cannot open /etc/pam.d/common-auth\n";
+
+    my $present;
+    while (<$auth>) {
+        if (/\ssufficient\spam_radius_auth\.so$/) {
+            $present = 1;
+            last;
+        }
+    }
+    close $auth;
+    return $present;
+}
+
+sub remove_pam_radius {
+    return 1 if ( !is_pam_radius_present() );
+    my $cmd =
+        'sudo sh -c "'
+      . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d;'
+      . '/\tpam_unix\.so /{s/ use_first_pass$//}\' '
+      . '/etc/pam.d/common-auth && '
+      . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d\' '
+      . '/etc/pam.d/common-account"';
+    system($cmd);
+    return 0 if ( $? >> 8 );
+    return 1;
+}
+
+sub add_pam_radius {
+    return 1 if ( is_pam_radius_present() );
+    my $cmd =
+        'sudo sh -c "'
+      . 'sed -i \'s/^\(auth\trequired\tpam_unix\.so.*\)$'
+      . '/auth\tsufficient\tpam_radius_auth.so\n\1 use_first_pass/\' '
+      . '/etc/pam.d/common-auth && '
+      . 'sed -i \'s/^\(account\trequired\tpam_unix\.so.*\)$'
+      . '/account\tsufficient\tpam_radius_auth.so\n\1/\' '
+      . '/etc/pam.d/common-account"';
+    system($cmd);
+    return 0 if ( $? >> 8 );
+    return 1;
+}
+
+sub remove_radius_servers {
+    system( "sudo sed -i '/^$PAM_RAD_BEGIN\$/,/^$PAM_RAD_END\$/{d}' "
+          . "$PAM_RAD_CFG" );
+    return 0 if ( $? >> 8 );
+    return 1;
+}
+
+sub add_radius_servers {
+    my $str = shift;
+    system( "sudo sh -c \""
+          . "echo '$PAM_RAD_BEGIN\n$str$PAM_RAD_END\n' >> $PAM_RAD_CFG\"" );
+    return 0 if ( $? >> 8 );
+    return 1;
+}
+
+# handle "radius-server"
+my $rconfig = new Vyatta::Config;
+$rconfig->setLevel("system login radius-server");
+my %servers     = $rconfig->listNodeStatus();
+my @server_keys = sort keys %servers;
+if ( scalar(@server_keys) <= 0 ) {
+
+    # all radius servers deleted
+    exit 1 if ( !remove_pam_radius() );
+    exit 0;
+}
+
+# we have some servers
+my $all_deleted = 1;
+my $server_str  = '';
+remove_radius_servers();
+
+for my $server (@server_keys) {
+    if ( $servers{$server} ne 'deleted' ) {
+        $all_deleted = 0;
+        my $port    = $rconfig->returnValue("$server port");
+        my $secret  = $rconfig->returnValue("$server secret");
+        my $timeout = $rconfig->returnValue("$server timeout");
+        $server_str .= "$server:$port\t$secret\t$timeout\n";
+    }
+}
+
+if ($all_deleted) {
+    # all radius servers deleted
+    exit 1 if ( !remove_pam_radius() );
+} else {
+    exit 1 if ( !add_radius_servers($server_str) );
+    exit 1 if ( !add_pam_radius() );
+}
author	Stephen Hemminger <stephen.hemminger@vyatta.com>	2009-05-05 13:42:51 -0700
committer	Stephen Hemminger <stephen.hemminger@vyatta.com>	2009-05-05 13:42:51 -0700
commit	3591ae5310a40b457baecde3ab1b06182893f25b (patch)
tree	73fe7153236a98ef47bbcf60e0cfa49f8002a9d3 /scripts/system
parent	d26620bb8534591c1678e8087b0fc809d33fc67f (diff)
download	vyatta-cfg-quagga-3591ae5310a40b457baecde3ab1b06182893f25b.tar.gz vyatta-cfg-quagga-3591ae5310a40b457baecde3ab1b06182893f25b.zip