-rw-r--r--debian/control3
-rw-r--r--debian/vyatta-cfg-system.postinst.in5
-rwxr-xr-xscripts/install-system40
-rwxr-xr-xscripts/quick-install4
-rwxr-xr-xscripts/rl-system.init34
-rwxr-xr-xscripts/standalone_root_pw_reset27
-rwxr-xr-xscripts/system/vyatta_update_login.pl178
-rwxr-xr-xscripts/vyatta-grub-setup18
-rwxr-xr-xscripts/vyatta_net_name2
-rw-r--r--sysconf/vyatta-sysctl.conf6
-rw-r--r--templates/service/ssh/node.def31
-rw-r--r--templates/service/ssh/protocol-version/node.def1
-rw-r--r--templates/system/login/tacacs-plus/acct-all/node.def1
-rw-r--r--templates/system/login/tacacs-plus/debug/node.def1
-rw-r--r--templates/system/login/tacacs-plus/first-hit/node.def1
-rw-r--r--templates/system/login/tacacs-plus/no-encrypt/node.def1
-rw-r--r--templates/system/login/tacacs-plus/node.def3
-rw-r--r--templates/system/login/tacacs-plus/protocol/node.def2
-rw-r--r--templates/system/login/tacacs-plus/secret/node.def2
-rw-r--r--templates/system/login/tacacs-plus/server/node.def3
-rw-r--r--templates/system/login/tacacs-plus/service/node.def2
-rw-r--r--templates/system/ntp-server/node.def7
22 files changed, 242 insertions, 130 deletions
diff --git a/debian/control b/debian/control
index b8128287..8b05318a 100644
--- a/debian/control
+++ b/debian/control
@@ -39,7 +39,8 @@ Depends: sed (>= 4.1.5),
dnsmasq,
mdadm,
ddclient,
- libio-socket-ssl-perl
+ libio-socket-ssl-perl,
+ pam-tacplus
Pre-Depends: bash-completion
Suggests: util-linux (>= 2.13-5),
net-tools,
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 3304fdd8..0f699d2b 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -11,6 +11,11 @@ for init in ntp ssh snmpd openhpid vyatta-keepalived ipvsadm dnsmasq ddclient; d
update-rc.d -f ${init} remove >/dev/null
done
+# remove extra call to clock setup only need one
+if [ -L /etc/rcS.d/S08hwclockfirst.sh -a -L /etc/rcS.d/S11hwclock.sh ]; then
+ rm /etc/init.d/rcS.d/S11hwclock.sh
+fi
+
case `grep '^RULES_FILE=' /lib/udev/write_net_rules` in
*z25_persistent-net.rules* )
vyatta_net_rules=z24_vyatta-net.rules;;
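Review bot: The path tested and the path removed do not match: the condition checks `/etc/rcS.d/S11hwclock.sh`, but the `rm` targets `/etc/init.d/rcS.d/S11hwclock.sh`, so the removal fails and the duplicate clock setup this hunk means to drop stays in place. The removal line should read `rm /etc/rcS.d/S11hwclock.sh`. The `-a` operator inside `[ ]` is also ambiguous under POSIX test; two `-L` tests joined with `&&` say the same thing unambiguously.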
diff --git a/scripts/install-system b/scripts/install-system
index b941d9b6..65a31571 100755
--- a/scripts/install-system
+++ b/scripts/install-system
@@ -52,7 +52,7 @@ rootfsdir=/mnt/rootfs
# install log file name
INSTALL_LOG="install.log"
# root partition minimum size in MB
-ROOT_MIN="450"
+ROOT_MIN=500
# the base install drive e.g. sda
if [ -n "$INSTALL_DRIVE" ]; then
INSTALL_DRIVE=""
@@ -75,9 +75,6 @@ PARTITION=''
# Process ID of this script for the lame marketing spinner
SPID=$$
-# Path to standalone root password reset script
-PWRESET=/opt/vyatta/sbin/standalone_root_pw_reset
-
# Grub options
GRUB_OPTIONS="quiet"
@@ -85,20 +82,6 @@ GRUB_OPTIONS="quiet"
VTY_CONSOLE="console=ttyS0,9600 console=tty0"
SERIAL_CONSOLE="console=tty0 console=ttyS0,9600"
-# If VGA_LOGO is set, enable use of the VGA monitor for displaying the
-# logo during boot. The "vga=" boot command specifies a VGA mode that
-# is encoded as shown below. We pick a value that is likely to work
-# on most systems:
-#
-# Color depth | 640x480 | 800x600 | 1024x768 | 1280x1024
-# -----------------+---------+---------+----------+----------
-# 256 (8bit) | 769 771 773 775
-# 32000 (15bit) | 784 787 790 793
-# 65000 (16bit) | 785 788 791 794
-# 16.7 Mill.(24bit)| 786 789 792 795
-#
-VGA_LOGO="vga=788"
-
# trap signals so we can kill runaway progress indicators
trap 'progress_indicator stop; exit 1' 1
trap 'progress_indicator stop; exit 1' 2
@@ -771,7 +754,7 @@ install_root_filesystem () {
echo "Unable to read filesystem UUID. Exiting."
exit 1
else
- echo -e "UUID=$uuid\t/\text3\tdefaults\t0 1" >> $rootfsdir/etc/fstab
+ echo -e "UUID=$uuid\t/\text3\tnoatime\t0 1" >> $rootfsdir/etc/fstab
fi
#setup the hostname file
@@ -888,17 +871,6 @@ change_password() {
set_encrypted_password $user $epwd $rootfsdir$ofrconfdir/config.boot
}
-system_setup () {
- echo -n "Would you like to set the passwords for system users (Yes/No) [Yes]: "
- local response=$(get_response "Yes" "Yes No Y N")
-
- if [ "$response" == "yes" ] || [ "$response" == "y" ]; then
- change_password root
- change_password vyatta
- fi
-}
-
-
# setup grub on the boot sector of a user queried drive
install_grub () {
# we now use INSTALL_DRIVE to reference the grub boot drive.
@@ -1033,7 +1005,7 @@ setup_method_auto() {
lsize=$(get_drive_size "$INSTALL_DRIVE")
total=$ROOT_MIN
if [ "$total" -gt "$lsize" ]; then
- echo "Unfortunately, the OFR requires a total of at least $total"MB" to properly install."
+ echo "Unfortunately, Vyatta requires a total of at least $total"MB" to properly install."
echo "$INSTALL_DRIVE is below the minimum required capacity and therefore, cannot be used to"
echo -e "complete the installation.\n"
echo "If other drives are present"
@@ -1314,7 +1286,11 @@ copy_config "$CONFIG_PARTITION"
# Modify config to match system
# Assume user wants to keep password from old config
if [ ! -d /mnt/config ]; then
- system_setup
+ # Disable root login
+ set_encrypted_password root "*" $rootfsdir$ofrconfdir/config.boot
+
+ echo "Enter password for administrator account"
+ change_password vyatta
fi
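Review bot: Disabling root by writing `*` through `set_encrypted_password` cannot fail visibly: judging by the copy of that helper in scripts/standalone_root_pw_reset in this same commit, it is a sed range substitution that returns 0 whether or not a `user root {` block exists in the installed config.boot, so a template config without that block leaves root with whatever password it shipped with. A check before the call makes the outcome observable in the install log, e.g. `grep -q ' user root ' "$rootfsdir$ofrconfdir/config.boot" || echo "warning: no root account in config.boot, cannot disable it" >&2`. The path argument is unquoted here, as at the `set_encrypted_password` call earlier in this file.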
# check for xen part images in /var/xen
diff --git a/scripts/quick-install b/scripts/quick-install
index 347cafd2..82475cb1 100755
--- a/scripts/quick-install
+++ b/scripts/quick-install
@@ -571,7 +571,7 @@ install_grub () {
# set serial console options
echo -e "serial --unit=0 --speed=9600\nterminal --timeout=5 console serial\n\n" >> $grub_file
# set primary boot option
- echo -e "title Vyatta OFR\n\troot $root" >> $grub_file
+ echo -e "title Vyatta\n\troot $root" >> $grub_file
echo -en "\tkernel /boot/vmlinuz root=/dev/$ROOT_PARTITION $ISCF console=ttyS0,9600 console=tty0\n" >> $grub_file
echo -e "\tinitrd /boot/initrd.img" >> $grub_file
@@ -675,7 +675,7 @@ setup_method_auto() {
lsize=$(get_drive_size "$INSTALL_DRIVE")
total=$(($ROOT_MIN + $CONFIG_MIN))
if [ "$total" -gt "$lsize" ]; then
- echo "Unfortunately, the OFR requires a total of at least $total"MB" to properly install."
+ echo "Unfortunately, Vyatta requires a total of at least $total"MB" to properly install."
echo "$INSTALL_DRIVE is below the minimum required capacity and therefore, cannot be used to"
echo -e "complete the installation.\n"
echo "If other drives are present"
diff --git a/scripts/rl-system.init b/scripts/rl-system.init
index 5391d409..0570924f 100755
--- a/scripts/rl-system.init
+++ b/scripts/rl-system.init
@@ -53,10 +53,16 @@ syslog ()
logger -p user.warning -t "$progname" "$*"
}
+# easy way to make empty file without any command
+empty()
+{
+ >$1
+}
+
shopt -s extglob nullglob
search_config_if_wan () {
- grep "\<serial\>.*\<$1\>" $BOOTFILE >/dev/null
+ grep -q "\<serial\>.*\<$1\>" $BOOTFILE
}
add_new_serial_if () {
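Review bot: `empty()` redirects to an unquoted `$1`, so a path containing whitespace or glob characters is split before the redirection is set up; the conventional spelling is `: >"$1"`, which also reads as a deliberate no-op rather than a bare redirection. The `grep -q` change in `search_config_if_wan` still interpolates `$1` into the regular expression and leaves `$BOOTFILE` unquoted; `grep -q -- "\<serial\>.*\<$1\>" "$BOOTFILE"` keeps the exit status the caller relies on while quoting the file name.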
@@ -85,23 +91,11 @@ update_version_info () {
fi
}
-## Clear out apt config file--it will be filled in by rtrmgr
-clear_apt_config()
-{
- cat /dev/null >/etc/apt/sources.list || true
-}
-
## snmp should be a separate package,
## but for now load the kernel module here
add_snmp_stats_module()
{
- modprobe ipt_rlsnmpstats || true
-}
-
-set_reboot_on_panic()
-{
- echo 1 > /proc/sys/kernel/panic_on_oops
- echo 60 > /proc/sys/kernel/panic
+ modprobe ipt_rlsnmpstats &
}
clear_or_override_config_files ()
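Review bot: `modprobe ipt_rlsnmpstats &` replaces `|| true` with a background job, so a failed module load is never reported and `start()` no longer knows whether the module is present when later steps run. If the intent is only to keep boot from blocking, the error is still worth surfacing: `{ modprobe ipt_rlsnmpstats || log_failure_msg "can't load ipt_rlsnmpstats"; } &`. The deleted `set_reboot_on_panic` is replaced in this commit by two entries in sysconf/vyatta-sysctl.conf that are written with a `sys.` prefix sysctl does not accept, so the panic settings are not actually carried over.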
@@ -111,11 +105,9 @@ clear_or_override_config_files ()
ipvsadm.rules default/ipvsadm resolv.conf
do
if [ -f /etc/$conf ] ; then
- cat /dev/null > /etc/$conf || true
+ empty /etc/$conf
fi
done
- # ssh v1. remove the empty key file
- rm -f /etc/ssh/ssh_host_key
}
udev_rescan ()
@@ -151,19 +143,19 @@ create_ssh_host_keys () {
start () {
udev_rescan
+ add_snmp_stats_module
create_ssh_host_keys || \
log_failure_msg "can't initialize ssh host keys"
clear_or_override_config_files || \
log_failure_msg "can\'t reset config files"
- set_reboot_on_panic || \
- log_failure_msg "can\'t set reboot on panic"
add_new_serial_if || \
log_failure_msg "can\'t add serial interfaces"
sysctl -q -p /opt/vyatta/etc/vyatta-sysctl.conf ||
log_failure_msg "can\'t configure kernel settings"
update_version_info
- clear_apt_config
- add_snmp_stats_module
+
+ ## Clear out apt config file--it will be filled in by rtrmgr
+ empty /etc/apt/sources.list
}
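Review bot: `empty /etc/apt/sources.list` drops the `|| true` that `clear_apt_config` had, and because it is now the last command its status becomes the return value of `start()`, while every other step in the function reports failure through `log_failure_msg`. Keep the pattern uniform: `empty /etc/apt/sources.list || log_failure_msg "can't clear apt sources list"`. The `empty /etc/$conf` call introduced in `clear_or_override_config_files` in the hunk above likewise lost its `|| true`, and `$conf` is unquoted there.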
case "$ACTION" in
diff --git a/scripts/standalone_root_pw_reset b/scripts/standalone_root_pw_reset
index d089b50d..b75d19df 100755
--- a/scripts/standalone_root_pw_reset
+++ b/scripts/standalone_root_pw_reset
@@ -14,7 +14,7 @@
# All Rights Reserved.
#
# Author: Bob Gilligan <gilligan@vyatta.com>
-# Description: Standalone script to set the root passwd to new value
+# Description: Standalone script to set the admin passwd to new value
# value. Note: This script can ONLY be run as a standalone
# init program by grub.
#
@@ -23,9 +23,11 @@
# The Vyatta config file:
CF=/opt/vyatta/etc/config/config.boot
+# Admin user name
+ADMIN=vyatta
set_encrypted_password() {
sed -i \
- -e "/ user $1 {/,/}/s/encrypted-password.*\$/encrypted-password \"$2\"/" $3
+ -e "/ user $1 {/,/}/s/encrypted-password .*\$/encrypted-password \"$2\"/" $3
}
change_password() {
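Review bot: `$2` is spliced unescaped into the sed replacement in `set_encrypted_password`, and the crypt hashes this script writes use an alphabet that includes `/`, so a hash containing `/` terminates the `s` expression early and sed aborts; an `&` would likewise be expanded to the matched text. A delimiter outside the hash alphabet avoids the first problem: `-e "/ user $1 {/,/}/s|encrypted-password .*\$|encrypted-password \"$2\"|" $3`. The file argument `$3` is still unquoted; `"$3"` costs nothing here.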
@@ -65,18 +67,18 @@ fi
# OK, now we know we are running in standalone mode. Talk to the
# user.
#
-read -p "Do you wish to change the root password? " response
+echo "Do you wish to reset the admin password?"
+read response
response=${response:0:1}
-
if [ "$response" != "y" -a "$response" != "Y" ]; then
- echo "OK, the root password will not be changed."
+ echo "OK, the admin password will not be reset."
echo -n "Rebooting in 5 seconds..."
sleep 5
echo
/sbin/reboot -f
fi
-echo "Starting process to change the root password..."
+echo "Starting process to reset the admin password..."
echo "Re-mounting root filesystem read/write..."
mount -o remount,rw /
@@ -88,14 +90,19 @@ then
mount /opt/vyatta/etc/config/
fi
+if ! grep -q " user $ADMIN " $CF
+then
+ echo "Administrator account $ADMIN missing..."
+ exit 1
+fi
+
echo "Saving backup copy of config.boot..."
cp $CF ${CF}.before_pwrecovery
-echo
-change_password root
+echo "Setting the administrator ($ADMIN) password..."
+change_password $ADMIN
-echo "Root password changed"
-echo $(date "+%b%e %T") $(hostname) "Root password changed" \
+echo $(date "+%b%e %T") $(hostname) "Admin password changed" \
| tee -a /var/log/auth.log >>/var/log/messages
sync
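Review bot: The new missing-account branch does `exit 1`, whereas the existing decline path a few lines earlier sleeps and calls `/sbin/reboot -f`; per the header this script runs as the init program from grub, so exiting is not a clean stop, and by this point the root filesystem has already been remounted read/write. Bring it in line with the other branch: after the message, `sleep 5` and `/sbin/reboot -f` instead of `exit 1`. The audit line written to auth.log and messages is built from unquoted `$(date ...)` and `$(hostname)` substitutions, harmless here but worth quoting for consistency.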
diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl
index 1f71434b..ad33412a 100755
--- a/scripts/system/vyatta_update_login.pl
+++ b/scripts/system/vyatta_update_login.pl
@@ -57,18 +57,48 @@ my %level_map = (
'operator' => [ 'quaggavty', 'operator', 'adm', 'dip', ],
);
+# Construct a map from existing users to group membership
+# Use space seperated format
+my %group_map;
+while (my ($name, undef, undef, $members) = getgrent()) {
+ foreach my $user (split / /,$members) {
+ my $g = $group_map{$user};
+ if ($g) {
+ my @l = split / /, $g;
+ push @l, $name;
+ $group_map{$user} = join(' ', sort @l);
+ } else {
+ $group_map{$user} = $name;
+ }
+
+ }
+}
+
# we have some users
for my $user (@user_keys) {
if ( $users{$user} eq 'deleted' ) {
- system("sudo userdel -r '$user'");
- die "userdel failed\n" if ( $? >> 8 );
+ system("sudo userdel -r '$user'") == 0
+ or die "userdel failed: $?\n"
}
elsif ( $users{$user} eq 'added' || $users{$user} eq 'changed' ) {
$uconfig->setLevel("system login user $user");
+ my $pwd = $uconfig->returnValue('authentication encrypted-password');
+ $pwd or die "Encrypted password not in configuration for $user";
+
+ my $level = $uconfig->returnValue('level');
+ $level or die "Level not defined for $user";
- # See if this is a modification of existing account
- my (undef, undef, $uid, undef, undef,
- undef, undef, undef, $shell, undef) = getpwnam($user);
+ # map level to group membership
+ my @groups = @{$level_map{$level}};
+ # add any additional groups from configuration
+ push( @groups, $uconfig->returnValues('group') );
+
+ my $fname = $uconfig->returnValue('full-name');
+ my $home = $uconfig->returnValue('home-directory');
+
+ # Read existing settings
+ my (undef, $opwd, $uid, $gid, undef, $comment,
+ undef, $dir, $shell, undef) = getpwnam($user);
my $cmd;
# not found in existing passwd, must be new
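Review bot: `die "userdel failed: $?\n"` prints the raw wait status (exit code shifted left eight bits, signal in the low bits), which is confusing in a commit log; the removed lines tested `$? >> 8` and the message should report the same value, e.g. `or die "userdel failed: " . ($? >> 8) . "\n"`. The two new `die` calls for the missing password and level have no trailing newline, so Perl appends the script location, which is presumably unintended for a user-facing commit error. The enclosing `for` loop continues past this hunk.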
@@ -77,48 +107,124 @@ for my $user (@user_keys) {
# and make home directory (-m)
# and with default group of 100 (users)
$cmd = 'useradd -s /bin/vbash -m -N';
- }
- # TODO Add checks for attempts to put system users
- # in configuration file
+ } else {
+ # If no part of password or group file changed
+ # then there is nothing to do here.
+ next if ( $opwd eq $pwd &&
+ (!$fname || $fname eq $comment) &&
+ (!$home || $home eq $dir) &&
+ join(' ', sort @groups) eq $group_map{$user} );
- # TODO Check if nothing changed and just skip
- else {
$cmd = "usermod";
}
- my $pwd = $uconfig->returnValue('authentication encrypted-password');
- $pwd or die 'encrypted password not set';
$cmd .= " -p '$pwd'";
-
- my $fname = $uconfig->returnValue('full-name');
$cmd .= " -c \"$fname\"" if ( defined $fname );
-
- my $home = $uconfig->returnValue('home-directory');
$cmd .= " -d \"$home\"" if ( defined $home );
+ $cmd .= ' -G ' . join( ',', @groups );
+ system("sudo $cmd $user") == 0
+ or die "sudo $cmd $user failed: $?";
+ }
+}
- # map level to group membership
- my $level = $uconfig->returnValue('level');
- my $gref = $level_map{$level};
- my @groups = @{$gref};
+## setup tacacs+ server info
+# add tacacs to PAM file
+sub add_tacacs {
+ my $param_string = shift;
+ my $pam = shift;
- # add any additional groups from configuration
- push( @groups, $uconfig->returnValues('group') );
+ my $cmd =
+ 'sudo sh -c "'
+ . 'sed -i \'s/^\('
+ . "$pam"
+ . '\trequired\tpam_unix\.so.*\)$/'
+ . "$pam"
+ . '\tsufficient\tpam_tacplus.so\t'
+ . "$param_string # Vyatta"
+ . '\n\1/\' '
+ . "/etc/pam.d/common-$pam\"";
- $cmd .= ' -G ' . join( ',', @groups );
+ system($cmd);
+ return 0 if ( $? >> 8 );
+ return 1;
+}
- system("sudo $cmd $user");
- if ( $? == -1 ) {
- die "failed to exec $cmd";
- }
- elsif ( $? & 127 ) {
- die "$cmd died with signal" . ( $? & 127 );
- }
- elsif ( $? != 0 ) {
- my $reason = $reasons{ $? >> 8 };
- die "$cmd failed: $reason\n";
- }
+# remove tacacs from PAM files
+sub remove_tacacs {
+ my $cmd =
+ 'sudo sh -c "'
+ . 'sed -i \'/\(.*pam_tacplus.*# Vyatta\)/ D\' '
+ . '/etc/pam.d/common-auth '
+ . '/etc/pam.d/common-account '
+ . '/etc/pam.d/common-session "';
+
+ system($cmd);
+ return 0 if ($? >> 8);
+ return 1;
+}
+
+# main tacacs
+# There is a race confition in here betwen radius and tacacs currently.
+# Also should probably add a chack to see if we ned to actually reconfig
+# PAM rather than jusy doing it each commit.
+# Finally, service and protocol will need to be removed. They are just
+# in there for troubleshootig purposes right now.
+#
+my $tconfig = new VyattaConfig;
+if ($tconfig->isDeleted("system login tacacs-plus")) { remove_tacacs; }
+$tconfig->setLevel("system login tacacs-plus");
+my @tacacs_params = $tconfig->listNodes();
+
+if ( scalar(@tacacs_params) > 0 ) {
+ remove_tacacs;
+ my ($acctall, $debug, $firsthit, $noencrypt);
+ if ( $tconfig->exists("acct-all") ) { $acctall = 1; }
+ if ( $tconfig->exists("debug") ) { $debug = 1; }
+ if ( $tconfig->exists("first-hit") ) { $firsthit = 1; }
+ if ( $tconfig->exists("no-encrypt") ) { $noencrypt = 1; }
+ my $protocol = $tconfig->returnValue("protocol");
+ my $secret = $tconfig->returnValue("secret");
+ my $server = $tconfig->returnValue("server");
+ my $service = $tconfig->returnValue("service");
+
+ if ( $server ne '' && $secret ne '') {
+ my ($authstr, $accountstr, $sessionstr, $ip);
+ my @servers = split /\s/, $server;
+
+ ## 3 common options
+ # encrypt this session
+ if (! $noencrypt ) { $authstr = "encrypt "; }
+ # single secret
+ $authstr .= "secret=$secret ";
+ # and debug
+ if ($debug) { $authstr .= "debug "; }
+
+ ## now they get specific
+ $accountstr = $sessionstr = $authstr;
+
+ # can be multiple servers for auth and session
+ foreach $ip (@servers) {
+ $authstr .= "server=$ip ";
+ $sessionstr .= "server=$ip ";
+ }
+
+ # first hit for auth
+ if ($firsthit) { $authstr .= "firsthit "; }
+
+ # acctall for session
+ if ($acctall) { $sessionstr .= "acctall "; }
+
+ # service and protocol for account and session
+ if ($service) { $accountstr .= "service=$service "; $sessionstr .= "service=$service "; }
+ if ($protocol) { $accountstr .= "protocol=$protocol "; $sessionstr .= "protocol=$protocol "; }
+
+ add_tacacs("$authstr", "auth");
+ add_tacacs("$accountstr", "account");
+ add_tacacs("$sessionstr", "session");
}
+ else { exit 1; }
}
+## end tacacs
my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf';
my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers';
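Review bot: `add_tacacs` splices `$param_string`, which carries the TACACS+ shared secret, into a sed `s` expression inside `sudo sh -c "..."` with no escaping, so a secret containing `/`, `&`, `\`, a quote or `$` either breaks the command or changes what is written to /etc/pam.d/common-*; the new template only requires the secret to be non-empty. Validate the value before building the command, e.g. `die "TACACS+ secret contains characters that cannot be written to PAM config\n" unless $secret =~ /^[A-Za-z0-9_.:@-]+$/;` (constructed character class, widen to what pam_tacplus accepts), and document at the `secret` node that the value is stored in the PAM configuration files, which are conventionally world-readable. The return values of the three `add_tacacs` calls and of `remove_tacacs` are discarded, so a failed sed leaves PAM partly edited while the commit succeeds; `add_tacacs(...) or exit 1` matches how the radius code below treats `add_pam_radius`. Separately, the no-change test in the usermod branch compares `join(' ', sort @groups)` with `%group_map`, which getgrent populates without duplicates, so a configured `group` already implied by the level makes every commit run usermod; dedup with `my %seen; @groups = grep { !$seen{$_}++ } @groups;` before the comparison.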
@@ -214,11 +320,9 @@ if ($all_deleted) {
# all radius servers deleted
exit 1 if ( !remove_pam_radius() );
-}
-else {
+} else {
exit 1 if ( !add_radius_servers($server_str) );
exit 1 if ( !add_pam_radius() );
}
exit 0;
-
diff --git a/scripts/vyatta-grub-setup b/scripts/vyatta-grub-setup
index c37bf7a8..26a322f2 100755
--- a/scripts/vyatta-grub-setup
+++ b/scripts/vyatta-grub-setup
@@ -69,7 +69,7 @@ serial_console="console=tty0 console=ttyS0,9600"
# 65000 (16bit) | 785 788 791 794
# 16.7 Mill.(24bit)| 786 789 792 795
#
-vga_logo="vga=785"
+#vga_logo="vga=785"
# get list of kernels, except Xen
kernel_versions=$(ls $ROOTFSDIR/boot/vmlinuz-* 2> /dev/null | grep -v xen | awk -F/ '{ print $5 }' | sed 's/vmlinuz//g' | sort -r)
@@ -178,7 +178,7 @@ fi
if [ -f "$ROOTFSDIR/boot/vmlinuz" ] && ! eval $UNION ; then
# Set first system boot option. Make KVM the default console in this one.
- echo -e "menuentry \"Vyatta OFR (KVM console)\" {"
+ echo -e "menuentry \"Vyatta (KVM console)\" {"
echo -e "\tlinux /boot/vmlinuz $GRUB_OPTIONS $vga_logo $vty_console"
echo -e "\tinitrd /boot/initrd.img"
echo -e "}"
@@ -186,7 +186,7 @@ fi
# Set the second system boot option. Make the serial port be the default
# console in this one.
echo
- echo -e "menuentry \"Vyatta OFR (Serial console)\" {"
+ echo -e "menuentry \"Vyatta (Serial console)\" {"
echo -e "\tlinux /boot/vmlinuz $GRUB_OPTIONS $serial_console"
echo -e "\tinitrd /boot/initrd.img"
echo -e "}"
@@ -196,12 +196,12 @@ fi
if [ -n "$union_kernel_versions" ]; then
for kversion in $union_kernel_versions; do
echo
- echo -e "menuentry \"Vyatta OFR linux$kversion (KVM console)\" {"
+ echo -e "menuentry \"Vyatta linux$kversion (KVM console)\" {"
echo -e "\tlinux /boot/$livedir/vmlinuz$kversion $GRUB_OPTIONS $vga_logo $vty_console"
echo -e "\tinitrd /boot/$livedir/initrd.img$kversion"
echo -e "}"
echo
- echo -e "menuentry \"Vyatta OFR linux$kversion (Serial console)\" {"
+ echo -e "menuentry \"Vyatta linux$kversion (Serial console)\" {"
echo -e "\tlinux /boot/$livedir/vmlinuz$kversion $GRUB_OPTIONS $serial_console"
echo -e "\tinitrd /boot/$livedir/initrd.img$kversion"
echo -e "}"
@@ -212,12 +212,12 @@ fi
if [ -n "$kernel_versions" ]; then
for kversion in $kernel_versions; do
echo
- echo -e "menuentry \"Vyatta OFR linux$kversion (KVM console)\" {"
+ echo -e "menuentry \"Vyatta linux$kversion (KVM console)\" {"
echo -e "\tlinux /boot/vmlinuz$kversion $GRUB_OPTIONS $vga_logo $vty_console"
echo -e "\tinitrd /boot/initrd.img$kversion"
echo -e "}"
echo
- echo -e "menuentry \"Vyatta OFR linux$kversion (Serial console)\" {"
+ echo -e "menuentry \"Vyatta linux$kversion (Serial console)\" {"
echo -e "\tlinux /boot/vmlinuz$kversion $GRUB_OPTIONS $serial_console"
echo -e "\tinitrd /boot/initrd.img$kversion"
echo -e "}"
@@ -228,13 +228,13 @@ fi
# options for both serial and KVM console.
echo
- echo -e "menuentry \"Root password reset to factory (KVM console)\" {"
+ echo -e "menuentry \"Lost password change (KVM console)\" {"
echo -e "\tlinux /boot/vmlinuz $GRUB_OPTIONS $vga_logo $vty_console init=$pass_reset"
echo -e "\tinitrd /boot/initrd.img"
echo -e "}"
echo
- echo -e "menuentry \"Root password reset to factory (Serial console)\" {"
+ echo -e "menuentry \"Lost password change (Serial console)\" {"
echo -e "\tlinux /boot/vmlinuz $GRUB_OPTIONS $serial_console init=$pass_reset"
echo -e "\tinitrd /boot/initrd.img"
echo -e "}"
diff --git a/scripts/vyatta_net_name b/scripts/vyatta_net_name
index ff8b9bf5..54f91f04 100755
--- a/scripts/vyatta_net_name
+++ b/scripts/vyatta_net_name
@@ -78,12 +78,14 @@ declare -a cfg_net_hwid=( $( sed -ne '
/^interfaces {/,/^}/ {
/^ *ethernet eth[0-9]* {/,/^ $/ {
/^ *ethernet/ {
+ s/\r//
s/.* eth\([0-9]\+\) {$/ eth\1=/
# hold interface name
h
}
/^.*hw-id:\?/ {
# translate field name
+ s/\r//
s/.*hw-id:\? *//
# tolower hex mac address
y/ABCDEF/abcdef/
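Review bot: `s/\r//` relies on GNU sed interpreting `\r` inside a regular expression; POSIX sed does not define that escape, and an implementation that treats it as a literal `r` would strip the first `r` from the interface line instead of the carriage return. If this script only runs under GNU sed, a comment on the first occurrence, `# strip CR from CRLF config files (GNU sed escape)`, saves the next reader the question; otherwise filter the input with `tr -d '\r'` before the sed program. The enclosing sed program starts and ends outside this hunk.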
diff --git a/sysconf/vyatta-sysctl.conf b/sysconf/vyatta-sysctl.conf
index a021c42a..9f2cd39f 100644
--- a/sysconf/vyatta-sysctl.conf
+++ b/sysconf/vyatta-sysctl.conf
@@ -3,6 +3,12 @@
# See sysctl.conf (5) for information.
#
+# Panic on OOPS
+sys.kernel.panic_on_oops=1
+
+# Timeout before rebooting on panic
+sys.kernel.panic=60
+
# Only answer ARP requests on same subnet
net.ipv4.conf.default.arp_filter=1
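Review bot: The keys added here are spelled `sys.kernel.panic_on_oops` and `sys.kernel.panic`, but sysctl names are relative to /proc/sys, so the valid names are `kernel.panic_on_oops` and `kernel.panic`; `sysctl -p` reports the `sys.` variants as unknown keys and skips them. Because this commit also deletes `set_reboot_on_panic` from scripts/rl-system.init, where a `sysctl -q -p` failure is only logged through `log_failure_msg`, the reboot-on-panic behaviour is silently lost. Change the two lines to `kernel.panic_on_oops=1` and `kernel.panic=60`.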
diff --git a/templates/service/ssh/node.def b/templates/service/ssh/node.def
index fbb29687..dbe32a6f 100644
--- a/templates/service/ssh/node.def
+++ b/templates/service/ssh/node.def
@@ -1,17 +1,16 @@
help: Enable/disable Secure SHell (SSH) protocol
-delete:expression: "sudo /usr/sbin/invoke-rc.d ssh stop && \
- sudo sh -c \"echo 'SSHD_OPTS=' > /etc/default/ssh\" "
-end:expression: "if [ -z \"$VAR(port/@)\" ]; then exit 0; fi; \
- sudo sh -c \
- \"[ -f /etc/ssh/ssh_host_key ] \
- || sudo ssh-keygen -t rsa1 -N '' -f /etc/ssh/ssh_host_key\"; \
- case \"$VAR(protocol-version/@)\" in \
- v2) VER=2;; \
- v1) VER=1;; \
- all) VER=\"1,2\";; \
- *) VER=2;; \
- esac; \
- STR=\"SSHD_OPTS=\\\"-p $VAR(port/@) -o HostKey=/etc/ssh/ssh_host_key \
--o Protocol=${VER}\\\"\"; \
- sudo sh -c \"echo '$STR' > /etc/default/ssh\"; \
- sudo /usr/sbin/invoke-rc.d ssh restart"
+delete:sudo /usr/sbin/invoke-rc.d ssh stop
+ sudo sh -c "echo 'SSHD_OPTS=' > /etc/default/ssh"
+end: if [ -z "$VAR(port/@)" ]; then exit 0; fi;
+ if [ ! -f /etc/ssh/ssh_host_key ]; then
+ sudo ssh-keygen -q -t rsa1 -N '' -f /etc/ssh/ssh_host_key
+ fi
+ case $VAR(protocol-version/@) in
+ v2) VER=2;;
+ v1) VER=1;;
+ all) VER="1,2";;
+ *) VER=2;;
+ esac;
+ STR="SSHD_OPTS=\"-p $VAR(port/@) -o Hostkey=/etc/ssh/ssh_host_key -o Protocol=${VER}\""
+ sudo sh -c "echo '$STR' > /etc/default/ssh"
+ sudo /usr/sbin/invoke-rc.d ssh restart
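Review bot: The `end:` script generates an SSH-1 (`rsa1`) host key whenever the file is absent, even though the default `protocol-version` is `v2`, so every router carries SSH-1 key material and `-o Hostkey=/etc/ssh/ssh_host_key` points sshd at that key unconditionally. Move the `ssh-keygen` block after the `case` and guard it on the selected version, `if [ "$VER" != 2 ] && [ ! -f /etc/ssh/ssh_host_key ]; then`, and add the `-o Hostkey=...` option only in that case; protocol 1 is cryptographically weak, so limiting its key material to configurations that ask for it is the safer default. The `case` selector lost its quotes relative to the old version; restoring `case "$VAR(protocol-version/@)" in` is a cheap consistency fix.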
diff --git a/templates/service/ssh/protocol-version/node.def b/templates/service/ssh/protocol-version/node.def
index 051ea062..d025015b 100644
--- a/templates/service/ssh/protocol-version/node.def
+++ b/templates/service/ssh/protocol-version/node.def
@@ -1,3 +1,4 @@
type: txt
+allowed: echo "v1 v2 all"
default: "v2"
help: Set SSH version (default: v2)
diff --git a/templates/system/login/tacacs-plus/acct-all/node.def b/templates/system/login/tacacs-plus/acct-all/node.def
new file mode 100644
index 00000000..22522f17
--- /dev/null
+++ b/templates/system/login/tacacs-plus/acct-all/node.def
@@ -0,0 +1 @@
+help: Send TACACS+ accounting requests to all servers
diff --git a/templates/system/login/tacacs-plus/debug/node.def b/templates/system/login/tacacs-plus/debug/node.def
new file mode 100644
index 00000000..10aa10b1
--- /dev/null
+++ b/templates/system/login/tacacs-plus/debug/node.def
@@ -0,0 +1 @@
+help: Enable TACACS+ debugging
diff --git a/templates/system/login/tacacs-plus/first-hit/node.def b/templates/system/login/tacacs-plus/first-hit/node.def
new file mode 100644
index 00000000..18f2fdf6
--- /dev/null
+++ b/templates/system/login/tacacs-plus/first-hit/node.def
@@ -0,0 +1 @@
+help: Set TACACS+ to try multiple servers if a negative auth is returned
diff --git a/templates/system/login/tacacs-plus/no-encrypt/node.def b/templates/system/login/tacacs-plus/no-encrypt/node.def
new file mode 100644
index 00000000..7aa90dfb
--- /dev/null
+++ b/templates/system/login/tacacs-plus/no-encrypt/node.def
@@ -0,0 +1 @@
+help: Set TACACS+ to not encrypt communications
diff --git a/templates/system/login/tacacs-plus/node.def b/templates/system/login/tacacs-plus/node.def
new file mode 100644
index 00000000..d8eab559
--- /dev/null
+++ b/templates/system/login/tacacs-plus/node.def
@@ -0,0 +1,3 @@
+help: Set TACACS+ server authentication
+commit:expression: $VAR(server) != "" && $VAR(secret) != ""
+ ; "One server and a secret must be specified for TACACS+"
diff --git a/templates/system/login/tacacs-plus/protocol/node.def b/templates/system/login/tacacs-plus/protocol/node.def
new file mode 100644
index 00000000..6a5c739d
--- /dev/null
+++ b/templates/system/login/tacacs-plus/protocol/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set TACACS+ protocol for authentication and accounting
diff --git a/templates/system/login/tacacs-plus/secret/node.def b/templates/system/login/tacacs-plus/secret/node.def
new file mode 100644
index 00000000..0f673ae2
--- /dev/null
+++ b/templates/system/login/tacacs-plus/secret/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set TACACS+ secret
diff --git a/templates/system/login/tacacs-plus/server/node.def b/templates/system/login/tacacs-plus/server/node.def
new file mode 100644
index 00000000..dc1b1e94
--- /dev/null
+++ b/templates/system/login/tacacs-plus/server/node.def
@@ -0,0 +1,3 @@
+multi:
+type: ipv4
+help: Set TACACS+ server IP addresses
diff --git a/templates/system/login/tacacs-plus/service/node.def b/templates/system/login/tacacs-plus/service/node.def
new file mode 100644
index 00000000..10d1729b
--- /dev/null
+++ b/templates/system/login/tacacs-plus/service/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set TACACS+ service for authentication and accounting
diff --git a/templates/system/ntp-server/node.def b/templates/system/ntp-server/node.def
index 485cf774..a063431f 100644
--- a/templates/system/ntp-server/node.def
+++ b/templates/system/ntp-server/node.def
@@ -2,9 +2,12 @@ multi:
type: txt
help: Set name or IP address of Network Time Protocol (NTP) server
update:sudo sh -c \
- "touch /etc/ntp.conf
- if ! grep -q 'server.*$VAR(@)' /etc/ntp.conf; then
+ "if ! grep -q 'server.*$VAR(@)' /etc/ntp.conf; then
echo \"server $VAR(@) iburst dynamic\" >> /etc/ntp.conf
+ fi
+ if [ $(pgrep -c ntpd) -eq 0 ]; then
+ /usr/sbin/invoke-rc.d ntp start
+ else
/usr/sbin/invoke-rc.d ntp restart
fi"
delete:sudo sh -c \
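Review bot: `pgrep -c ntpd` matches any process whose name contains `ntpd` as a substring, so an `ntpdate` run in progress counts as a running daemon and the branch takes `restart` instead of `start`; `pgrep -c -x ntpd` matches the name exactly. Dropping `touch /etc/ntp.conf` is safe here since a missing file makes `grep -q` fail and the `>>` then creates it, but `grep -q 'server.*$VAR(@)'` remains an unanchored substring match, so 10.0.0.1 also matches an existing 10.0.0.10 entry. The `delete:` script that begins on the last line continues outside this hunk.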