-rw-r--r-- | Makefile.am | 1 | ||||
-rwxr-xr-x | scripts/system/vyatta_update_login.pl | 201 | ||||
-rw-r--r-- | scripts/system/vyatta_update_radius.pl | 119 | ||||
-rw-r--r-- | templates/system/login/node.def | 3 | ||||
-rw-r--r-- | templates/system/login/radius-server/node.def | 1 | ||||
-rw-r--r-- | templates/system/login/tacplus-server/node.def | 4 | ||||
-rw-r--r-- | templates/system/login/tacplus-server/node.tag/secret/node.def | 2 | ||||
-rw-r--r-- | templates/system/login/tacplus-server/node.tag/timeout/node.def | 3 | ||||
-rw-r--r-- | templates/system/login/user/node.def | 1 |
9 files changed, 124 insertions, 211 deletions
diff --git a/Makefile.am b/Makefile.am index 4107298d..8fbce753 100644 --- a/Makefile.am +++ b/Makefile.am @@ -24,6 +24,7 @@ sbin_SCRIPTS += scripts/vyatta-grub-setup sbin_SCRIPTS += scripts/standalone_root_pw_reset sbin_SCRIPTS += scripts/vyatta-passwd-sync sbin_SCRIPTS += scripts/system/vyatta_update_login.pl +sbin_SCRIPTS += scripts/system/vyatta_update_radius.pl sbin_SCRIPTS += scripts/system/vyatta_update_logrotate.pl sbin_SCRIPTS += scripts/system/vyatta_update_resolv.pl sbin_SCRIPTS += scripts/system/vyatta_update_syslog.pl diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl index a28224f8..d482c297 100755 --- a/scripts/system/vyatta_update_login.pl +++ b/scripts/system/vyatta_update_login.pl @@ -31,10 +31,8 @@ if ( ( scalar(@user_keys) <= 0 ) || !( grep /^root$/, @user_keys ) || ( $users{'root'} eq 'deleted' ) ) { - # root is deleted - print STDERR "User \"root\" cannot be deleted\n"; - exit 1; + die "User \"root\" cannot be deleted\n"; } # Exit codes form useradd.8 man page 
@@ -127,201 +125,4 @@ for my $user (@user_keys) { } } -## setup tacacs+ server info -# add tacacs to PAM file -sub add_tacacs { - my $param_string = shift; - my $pam = shift; - - my $cmd = - 'sudo sh -c "' - . 'sed -i \'s/^\(' - . "$pam" - . '\trequired\tpam_unix\.so.*\)$/' - . "$pam" - . '\tsufficient\tpam_tacplus.so\t' - . "$param_string # Vyatta" - . '\n\1/\' ' - . "/etc/pam.d/common-$pam\""; - - system($cmd); - return 0 if ( $? >> 8 ); - return 1; -} - -# remove tacacs from PAM files -sub remove_tacacs { - my $cmd = - 'sudo sh -c "' - . 'sed -i \'/\(.*pam_tacplus.*# Vyatta\)/ D\' ' - . '/etc/pam.d/common-auth ' - . '/etc/pam.d/common-account ' - . '/etc/pam.d/common-session "'; - - system($cmd); - return 0 if ($? >> 8); - return 1; -} - -# main tacacs -# There is a race confition in here betwen radius and tacacs currently. -# Also should probably add a chack to see if we ned to actually reconfig -# PAM rather than jusy doing it each commit. -# Finally, service and protocol will need to be removed. They are just -# in there for troubleshootig purposes right now. -# -my $tconfig = new Vyatta::Config; -if ($tconfig->isDeleted("system login tacacs-plus")) { remove_tacacs; } -$tconfig->setLevel("system login tacacs-plus"); -my @tacacs_params = $tconfig->listNodes(); - -if ( scalar(@tacacs_params) > 0 ) { - remove_tacacs; - my ($acctall, $debug, $firsthit, $noencrypt); - if ( $tconfig->exists("acct-all") ) { $acctall = 1; } - if ( $tconfig->exists("debug") ) { $debug = 1; } - if ( $tconfig->exists("first-hit") ) { $firsthit = 1; } - if ( $tconfig->exists("no-encrypt") ) { $noencrypt = 1; } - my $protocol = $tconfig->returnValue("protocol"); - my $secret = $tconfig->returnValue("secret"); - my $server = $tconfig->returnValue("server"); - my $service = $tconfig->returnValue("service"); - - if ( $server ne '' && $secret ne '') { - my ($authstr, $accountstr, $sessionstr, $ip); - my @servers = split /\s/, $server; - - ## 3 common options - # encrypt this session - if (! 
$noencrypt ) { $authstr = "encrypt "; } - # single secret - $authstr .= "secret=$secret "; - # and debug - if ($debug) { $authstr .= "debug "; } - - ## now they get specific - $accountstr = $sessionstr = $authstr; - - # can be multiple servers for auth and session - foreach my $ip (@servers) { - $authstr .= "server=$ip "; - $sessionstr .= "server=$ip "; - } - - # first hit for auth - if ($firsthit) { $authstr .= "firsthit "; } - - # acctall for session - if ($acctall) { $sessionstr .= "acctall "; } - - # service and protocol for account and session - if ($service) { $accountstr .= "service=$service "; $sessionstr .= "service=$service "; } - if ($protocol) { $accountstr .= "protocol=$protocol "; $sessionstr .= "protocol=$protocol "; } - - add_tacacs("$authstr", "auth"); - add_tacacs("$accountstr", "account"); - add_tacacs("$sessionstr", "session"); - } - else { exit 1; } -} -## end tacacs - -my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf'; -my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers'; -my $PAM_RAD_END = '# END Vyatta Radius servers'; - -sub is_pam_radius_present { - open( my $auth , '<' , '/etc/pam.d/common-auth' ) - or die "Cannot open /etc/pam.d/common-auth\n"; - - my $present; - while (<$auth>) { - if (/\ssufficient\spam_radius_auth\.so$/) { - $present = 1; - last; - } - } - close $auth; - return $present; -} - -sub remove_pam_radius { - return 1 if ( !is_pam_radius_present() ); - my $cmd = - 'sudo sh -c "' - . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d;' - . '/\tpam_unix\.so /{s/ use_first_pass$//}\' ' - . '/etc/pam.d/common-auth && ' - . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d\' ' - . '/etc/pam.d/common-account"'; - system($cmd); - return 0 if ( $? >> 8 ); - return 1; -} - -sub add_pam_radius { - return 1 if ( is_pam_radius_present() ); - my $cmd = - 'sudo sh -c "' - . 'sed -i \'s/^\(auth\trequired\tpam_unix\.so.*\)$' - . '/auth\tsufficient\tpam_radius_auth.so\n\1 use_first_pass/\' ' - . '/etc/pam.d/common-auth && ' - . 
'sed -i \'s/^\(account\trequired\tpam_unix\.so.*\)$' - . '/account\tsufficient\tpam_radius_auth.so\n\1/\' ' - . '/etc/pam.d/common-account"'; - system($cmd); - return 0 if ( $? >> 8 ); - return 1; -} - -sub remove_radius_servers { - system( "sudo sed -i '/^$PAM_RAD_BEGIN\$/,/^$PAM_RAD_END\$/{d}' " - . "$PAM_RAD_CFG" ); - return 0 if ( $? >> 8 ); - return 1; -} - -sub add_radius_servers { - my $str = shift; - system( "sudo sh -c \"" - . "echo '$PAM_RAD_BEGIN\n$str$PAM_RAD_END\n' >> $PAM_RAD_CFG\"" ); - return 0 if ( $? >> 8 ); - return 1; -} - -# handle "radius-server" -my $rconfig = new Vyatta::Config; -$rconfig->setLevel("system login radius-server"); -my %servers = $rconfig->listNodeStatus(); -my @server_keys = sort keys %servers; -if ( scalar(@server_keys) <= 0 ) { - - # all radius servers deleted - exit 1 if ( !remove_pam_radius() ); - exit 0; -} - -# we have some servers -my $all_deleted = 1; -my $server_str = ''; -remove_radius_servers(); -for my $server (@server_keys) { - if ( $servers{$server} ne 'deleted' ) { - $all_deleted = 0; - my $port = $rconfig->returnValue("$server port"); - my $secret = $rconfig->returnValue("$server secret"); - my $timeout = $rconfig->returnValue("$server timeout"); - $server_str .= "$server:$port\t$secret\t$timeout\n"; - } -} - -if ($all_deleted) { - - # all radius servers deleted - exit 1 if ( !remove_pam_radius() ); -} else { - exit 1 if ( !add_radius_servers($server_str) ); - exit 1 if ( !add_pam_radius() ); -} - exit 0; diff --git a/scripts/system/vyatta_update_radius.pl b/scripts/system/vyatta_update_radius.pl new file mode 100644 index 00000000..69e605da --- /dev/null +++ b/scripts/system/vyatta_update_radius.pl 
@@ -0,0 +1,119 @@
+#!/usr/bin/perl
+
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc.
+# All Rights Reserved.
+#
+# **** End License ****
+
+use strict;
+use lib "/opt/vyatta/share/perl5";
+use Vyatta::Config;
+
+my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf';
+my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers';
+my $PAM_RAD_END = '# END Vyatta Radius servers';
+
+sub is_pam_radius_present {
+ open( my $auth , '<' , '/etc/pam.d/common-auth' )
+ or die "Cannot open /etc/pam.d/common-auth\n";
+
+ my $present;
+ while (<$auth>) {
+ if (/\ssufficient\spam_radius_auth\.so$/) {
+ $present = 1;
+ last;
+ }
+ }
+ close $auth;
+ return $present;
+}
+
+sub remove_pam_radius {
+ return 1 if ( !is_pam_radius_present() );
+ my $cmd =
+ 'sudo sh -c "'
+ . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d;'
+ . '/\tpam_unix\.so /{s/ use_first_pass$//}\' '
+ . '/etc/pam.d/common-auth && '
+ . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d\' '
+ . '/etc/pam.d/common-account"';
+ system($cmd);
+ return 0 if ( $? >> 8 );
+ return 1;
+}
+
+sub add_pam_radius {
+ return 1 if ( is_pam_radius_present() );
+ my $cmd =
+ 'sudo sh -c "'
+ . 'sed -i \'s/^\(auth\trequired\tpam_unix\.so.*\)$'
+ . '/auth\tsufficient\tpam_radius_auth.so\n\1 use_first_pass/\' '
+ . '/etc/pam.d/common-auth && '
+ . 'sed -i \'s/^\(account\trequired\tpam_unix\.so.*\)$'
+ . '/account\tsufficient\tpam_radius_auth.so\n\1/\' '
+ . '/etc/pam.d/common-account"';
+ system($cmd);
+ return 0 if ( $? >> 8 );
+ return 1;
+}
+
+sub remove_radius_servers {
+ system( "sudo sed -i '/^$PAM_RAD_BEGIN\$/,/^$PAM_RAD_END\$/{d}' "
+ . "$PAM_RAD_CFG" );
+ return 0 if ( $? >> 8 );
+ return 1;
+}
+
+sub add_radius_servers {
+ my $str = shift;
+ system( "sudo sh -c \""
+ . "echo '$PAM_RAD_BEGIN\n$str$PAM_RAD_END\n' >> $PAM_RAD_CFG\"" );
+ return 0 if ( $? >> 8 );
+ return 1;
+}
+
+# handle "radius-server"
+my $rconfig = new Vyatta::Config;
+$rconfig->setLevel("system login radius-server");
+my %servers = $rconfig->listNodeStatus();
+my @server_keys = sort keys %servers;
+if ( scalar(@server_keys) <= 0 ) {
+
+ # all radius servers deleted
+ exit 1 if ( !remove_pam_radius() );
+ exit 0;
+}
+
+# we have some servers
+my $all_deleted = 1;
+my $server_str = '';
+remove_radius_servers();
+
+for my $server (@server_keys) {
+ if ( $servers{$server} ne 'deleted' ) {
+ $all_deleted = 0;
+ my $port = $rconfig->returnValue("$server port");
+ my $secret = $rconfig->returnValue("$server secret");
+ my $timeout = $rconfig->returnValue("$server timeout");
+ $server_str .= "$server:$port\t$secret\t$timeout\n";
+ }
+}
+
+if ($all_deleted) {
+ # all radius servers deleted
+ exit 1 if ( !remove_pam_radius() );
+} else {
+ exit 1 if ( !add_radius_servers($server_str) );
+ exit 1 if ( !add_pam_radius() );
+}
diff --git a/templates/system/login/node.def b/templates/system/login/node.def
index 62e693e2..66ac660c 100644
--- a/templates/system/login/node.def
+++ b/templates/system/login/node.def
@@ -1,3 +1,2 @@
 help: Set user access
-delete:expression: "echo User root cannot be deleted 1>&2 && exit 1"
-end: /opt/vyatta/sbin/vyatta_update_login.pl
+delete: echo 'User root cannot be deleted' 1>&2; exit 1
diff --git a/templates/system/login/radius-server/node.def b/templates/system/login/radius-server/node.def
index 137a92a0..f74cc568 100644
--- a/templates/system/login/radius-server/node.def
+++ b/templates/system/login/radius-server/node.def
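Review bot: `add_radius_servers` interpolates `$str`, which carries every configured RADIUS shared secret, into a `sudo sh -c "echo '...' >> ..."` command line, so a secret containing a single quote breaks the quoting and the remainder runs as root, and while the command runs every secret is readable by any local user in the process list. Writing the block to the stdin of a list-form pipe open removes both problems: no shell ever parses the secret and it never appears on a command line; `$PAM_RAD_CFG` can stay in the shell string because it is a file-local literal, as are the `$PAM_RAD_BEGIN`/`$PAM_RAD_END` constants that `remove_radius_servers` interpolates into its sed command. Separately, every helper tests only `$? >> 8`, so a child killed by a signal (high byte zero) is reported as success; `return 0 if $? != 0;` covers that case as well.
```perl
sub add_radius_servers {
    my $str = shift;
    # Feed the server block through the child's stdin so the secrets are
    # neither shell-parsed nor visible on a command line.
    open( my $out, '|-', 'sudo', 'sh', '-c', "cat >> $PAM_RAD_CFG" )
      or return 0;
    print {$out} "$PAM_RAD_BEGIN\n$str$PAM_RAD_END\n";
    close $out or return 0;    # false on write error or non-zero child exit
    return 1;
}
```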
@@ -4,3 +4,4 @@ help: Set radius server authentication commit:expression: $VAR(port) != "" && $VAR(secret) != "" && $VAR(timeout) != "" ; "Port, secret, and timeout must be specified for Radius" +end: /opt/vyatta/sbin/vyatta_update_radius.pl diff --git a/templates/system/login/tacplus-server/node.def b/templates/system/login/tacplus-server/node.def deleted file mode 100644 index 7fe9cc27..00000000 --- a/templates/system/login/tacplus-server/node.def +++ /dev/null @@ -1,4 +0,0 @@ -tag: -type: txt -help: Set TACACS+ server IP addresses -commit:expression: $VAR(secret) != "" ; "secret must be specified for TACACS+" diff --git a/templates/system/login/tacplus-server/node.tag/secret/node.def b/templates/system/login/tacplus-server/node.tag/secret/node.def deleted file mode 100644 index 0f673ae2..00000000 --- a/templates/system/login/tacplus-server/node.tag/secret/node.def +++ /dev/null @@ -1,2 +0,0 @@ -type: txt -help: Set TACACS+ secret diff --git a/templates/system/login/tacplus-server/node.tag/timeout/node.def b/templates/system/login/tacplus-server/node.tag/timeout/node.def deleted file mode 100644 index 8ce5f585..00000000 --- a/templates/system/login/tacplus-server/node.tag/timeout/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: u32 -help: Set TACACS+ server connection timeout in seconds -default: 3 diff --git a/templates/system/login/user/node.def b/templates/system/login/user/node.def index d23a397f..26625b7f 100644 --- a/templates/system/login/user/node.def +++ b/templates/system/login/user/node.def @@ -7,3 +7,4 @@ commit:expression: $VAR(authentication/encrypted-password) != "" ; "user password must be specified" syntax:expression: pattern $VAR(@) "^[a-zA-Z_][a-zA-Z0-9_-]*\\$?$" ; "invalid user name $VAR(@)" +end: /opt/vyatta/sbin/vyatta_update_login.pl |