summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Makefile.am2
-rw-r--r--debian/vyatta-cfg-system.postinst.in5
-rw-r--r--lib/Vyatta/Login/RadiusServer.pm33
-rw-r--r--sysconf/pam-radius10
4 files changed, 18 insertions, 32 deletions
diff --git a/Makefile.am b/Makefile.am
index 00327c24..3065b533 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -65,6 +65,7 @@ sysconf_DATA += sysconf/securetty
sysconf_DATA += sysconf/vyatta-sysctl.conf
sysconf_DATA += sysconf/blacklist.DSA-1024
sysconf_DATA += sysconf/blacklist.RSA-2048
+sysconf_DATA += sysconf/pam-radius
libudev_SCRIPTS = scripts/vyatta_net_name
etcudev_DATA = sysconf/vyatta-net.rules
@@ -78,4 +79,3 @@ cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \
install-exec-hook:
mkdir -p $(DESTDIR)$(cfgdir)
cd templates; $(cpiop) $(DESTDIR)$(cfgdir)
-
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 1a9f0bd5..730815f6 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -115,6 +115,7 @@ EOF
cp $sysconfdir/$f /etc/$f
fi
done
+
fi
# update crontab for logrotate
@@ -124,6 +125,7 @@ rm /etc/crontab
mv /etc/crontab.$$ /etc/crontab
crontab /etc/crontab
+
# create needed directories
mkdir -p /var/log/user
@@ -144,6 +146,9 @@ update-rc.d -f ssh remove >/dev/null
# for password
sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login
+# Install pamradius config (should come with radius client eventually)
+cp $sysconfdir/pam-radius /usr/share/pam-configs/radius
+
[ grep "blacklist.*snd-pcsp" >&/dev/null ] || echo "blacklist snd-pcsp" >>/etc/modprobe.d/blacklist
#
diff --git a/lib/Vyatta/Login/RadiusServer.pm b/lib/Vyatta/Login/RadiusServer.pm
index 2dadd2bb..820f6da2 100644
--- a/lib/Vyatta/Login/RadiusServer.pm
+++ b/lib/Vyatta/Login/RadiusServer.pm
@@ -27,41 +27,12 @@ my $PAM_RAD_TMP = "/tmp/pam_radius_auth.$$";
my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers';
my $PAM_RAD_END = '# END Vyatta Radius servers';
-sub is_pam_radius_present {
- open( my $auth, '<', '/etc/pam.d/common-auth' )
- or die "Cannot open /etc/pam.d/common-auth\n";
- my $present = grep { /\ssufficient\spam_radius_auth\.so$/ } <$auth>;
- close $auth;
- return $present;
-}
-
sub remove_pam_radius {
- return 1 if ( !is_pam_radius_present() );
- my $cmd =
- 'sudo sh -c "'
- . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d;'
- . '/\tpam_unix\.so /{s/ use_first_pass$//}\' '
- . '/etc/pam.d/common-auth && '
- . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d\' '
- . '/etc/pam.d/common-account"';
- system($cmd);
- return 0 if ( $? >> 8 );
- return 1;
+ return system('sudo pam-auth-update --package --remove radius') == 0;
}
sub add_pam_radius {
- return 1 if ( is_pam_radius_present() );
- my $cmd =
- 'sudo sh -c "'
- . 'sed -i \'s/^\(auth\trequired\tpam_unix\.so.*\)$'
- . '/auth\tsufficient\tpam_radius_auth.so\n\1 use_first_pass/\' '
- . '/etc/pam.d/common-auth && '
- . 'sed -i \'s/^\(account\trequired\tpam_unix\.so.*\)$'
- . '/account\tsufficient\tpam_radius_auth.so\n\1/\' '
- . '/etc/pam.d/common-account"';
- system($cmd);
- return 0 if ( $? >> 8 );
- return 1;
+ return system('sudo pam-auth-update --package --add radius') == 0;
}
sub update {
diff --git a/sysconf/pam-radius b/sysconf/pam-radius
new file mode 100644
index 00000000..455bcd9c
--- /dev/null
+++ b/sysconf/pam-radius
@@ -0,0 +1,10 @@
+Name: Radius authentication
+Default: no
+Priority: 512
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_radius_auth.so try_first_pass
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_radius_auth.so try_first_pass
+