diff options
-rw-r--r-- | Makefile.am | 2 | ||||
-rw-r--r-- | debian/vyatta-cfg-system.postinst.in | 5 | ||||
-rw-r--r-- | lib/Vyatta/Login/RadiusServer.pm | 33 | ||||
-rw-r--r-- | sysconf/pam-radius | 10 |
4 files changed, 18 insertions, 32 deletions
diff --git a/Makefile.am b/Makefile.am index 00327c24..3065b533 100644 --- a/Makefile.am +++ b/Makefile.am @@ -65,6 +65,7 @@ sysconf_DATA += sysconf/securetty sysconf_DATA += sysconf/vyatta-sysctl.conf sysconf_DATA += sysconf/blacklist.DSA-1024 sysconf_DATA += sysconf/blacklist.RSA-2048 +sysconf_DATA += sysconf/pam-radius libudev_SCRIPTS = scripts/vyatta_net_name etcudev_DATA = sysconf/vyatta-net.rules @@ -78,4 +79,3 @@ cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \ install-exec-hook: mkdir -p $(DESTDIR)$(cfgdir) cd templates; $(cpiop) $(DESTDIR)$(cfgdir) - diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 1a9f0bd5..730815f6 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -115,6 +115,7 @@ EOF cp $sysconfdir/$f /etc/$f fi done + fi # update crontab for logrotate @@ -124,6 +125,7 @@ rm /etc/crontab mv /etc/crontab.$$ /etc/crontab crontab /etc/crontab + # create needed directories mkdir -p /var/log/user @@ -144,6 +146,9 @@ update-rc.d -f ssh remove >/dev/null # for password sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login +# Install pamradius config (should come with radius client eventually) +cp $sysconfdir/pam-radius /usr/share/pam-configs/radius + [ grep "blacklist.*snd-pcsp" >&/dev/null ] || echo "blacklist snd-pcsp" >>/etc/modprobe.d/blacklist # diff --git a/lib/Vyatta/Login/RadiusServer.pm b/lib/Vyatta/Login/RadiusServer.pm index 2dadd2bb..820f6da2 100644 --- a/lib/Vyatta/Login/RadiusServer.pm +++ b/lib/Vyatta/Login/RadiusServer.pm @@ -27,41 +27,12 @@ my $PAM_RAD_TMP = "/tmp/pam_radius_auth.$$"; my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers'; my $PAM_RAD_END = '# END Vyatta Radius servers'; -sub is_pam_radius_present { - open( my $auth, '<', '/etc/pam.d/common-auth' ) - or die "Cannot open /etc/pam.d/common-auth\n"; - my $present = grep { /\ssufficient\spam_radius_auth\.so$/ } <$auth>; - close $auth; - return $present; -} - sub remove_pam_radius { - return 1 if ( !is_pam_radius_present() ); - my $cmd = - 'sudo sh -c "' - . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d;' - . '/\tpam_unix\.so /{s/ use_first_pass$//}\' ' - . '/etc/pam.d/common-auth && ' - . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d\' ' - . '/etc/pam.d/common-account"'; - system($cmd); - return 0 if ( $? >> 8 ); - return 1; + return system('sudo pam-auth-update --package --remove radius') == 0; } sub add_pam_radius { - return 1 if ( is_pam_radius_present() ); - my $cmd = - 'sudo sh -c "' - . 'sed -i \'s/^\(auth\trequired\tpam_unix\.so.*\)$' - . '/auth\tsufficient\tpam_radius_auth.so\n\1 use_first_pass/\' ' - . '/etc/pam.d/common-auth && ' - . 'sed -i \'s/^\(account\trequired\tpam_unix\.so.*\)$' - . '/account\tsufficient\tpam_radius_auth.so\n\1/\' ' - . '/etc/pam.d/common-account"'; - system($cmd); - return 0 if ( $? >> 8 ); - return 1; + return system('sudo pam-auth-update --package --add radius') == 0; } sub update { diff --git a/sysconf/pam-radius b/sysconf/pam-radius new file mode 100644 index 00000000..455bcd9c --- /dev/null +++ b/sysconf/pam-radius @@ -0,0 +1,10 @@ +Name: Radius authentication +Default: no +Priority: 512 +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_radius_auth.so try_first_pass +Account-Type: Primary +Account: + [success=end new_authtok_reqd=done default=ignore] pam_radius_auth.so try_first_pass + |