author | Christian Poessinger <christian@poessinger.com> | 2020-02-05 19:30:33 +0100 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-02-05 19:30:33 +0100 |
commit | 0840e9783053522cdec2826aa200c80921b6e7b8 (patch) | |
tree | 9d2a78682637d5ac2bc451041f04d2eb13291c4d | |
parent | 28a6a655774fa997cc58b95dede946e07fb9719a (diff) | |
download | vyatta-cfg-system-0840e9783053522cdec2826aa200c80921b6e7b8.tar.gz vyatta-cfg-system-0840e9783053522cdec2826aa200c80921b6e7b8.zip |
login: T1990: Migrate "system login" to XML/Python representation
27 files changed, 1 insertions, 533 deletions
diff --git a/Makefile.am b/Makefile.am index 0a6d7df0..55b6b2da 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,5 +1,4 @@ cfgdir = $(datadir)/vyatta-cfg/templates -share_perl5dir = $(datarootdir)/perl5/Vyatta/Login bin_sudo_usersdir = $(bindir)/sudo-users curverdir = $(sysconfdir)/config-migrate/current gentmpdir = generated-templates @@ -39,7 +38,6 @@ sbin_SCRIPTS += scripts/vyatta-passwd-sync sbin_SCRIPTS += scripts/system/vyatta_check_username.pl sbin_SCRIPTS += scripts/system/vyatta_check_domainname.pl sbin_SCRIPTS += scripts/system/vyatta_interface_rescan -sbin_SCRIPTS += scripts/system/vyatta_update_login.pl sbin_SCRIPTS += scripts/system/vyatta_update_logrotate.pl sbin_SCRIPTS += scripts/system/vyatta_update_sysctl.pl #sbin_SCRIPTS += scripts/system/vyatta_update_syslog.pl @@ -72,9 +70,6 @@ sbin_PROGRAMS += src/local_ip src_valid_address = src/valid_address.c src_local_ip = src/local_ip.c -share_perl5_DATA = lib/Vyatta/Login/User.pm -share_perl5_DATA += lib/Vyatta/Login/Radius.pm - sysconf_DATA += sysconf/LICENSE sysconf_DATA += sysconf/issue sysconf_DATA += sysconf/issue.net @@ -85,7 +80,6 @@ sysconf_DATA += sysconf/default_ssh sysconf_DATA += sysconf/securetty sysconf_DATA += sysconf/vyatta-sysctl.conf sysconf_DATA += sysconf/level -sysconf_DATA += sysconf/pam_radius.cfg sysconf_DATA += sysconf/filecaps sysconf_DATA += sysconf/capability.conf sysconf_DATA += sysconf/cpufrequtils @@ -107,7 +101,7 @@ rsyslogdir = /etc/rsyslog.d #rsyslog_DATA = sysconf/vyatta-log.conf curver_DATA = cfg-version/vrrp@2 -curver_DATA += cfg-version/system@15 +curver_DATA += cfg-version/system@16 curver_DATA += cfg-version/broadcast-relay@1 curver_DATA += cfg-version/mdns@1 curver_DATA += cfg-version/dhcp-server@5 diff --git a/cfg-version/system@15 b/cfg-version/system@16 index e69de29b..e69de29b 100644 --- a/cfg-version/system@15 +++ b/cfg-version/system@16 diff --git a/debian/control b/debian/control index da1532a3..9f9b70ee 100644 --- a/debian/control +++ b/debian/control 
@@ -14,7 +14,6 @@ Depends: adduser, libnetaddr-ip-perl, procps (>= 1:3.2.7-3), coreutils (>= 5.97-5.3), - libpam-radius-auth, vyatta-cfg (>= 0.100.1), libc6 (>= 2.7-6), libpam-runtime (>= 1.0.1-5), diff --git a/lib/Vyatta/Login/Radius.pm b/lib/Vyatta/Login/Radius.pm deleted file mode 100644 index 07da9d8c..00000000 --- a/lib/Vyatta/Login/Radius.pm +++ /dev/null 
@@ -1,107 +0,0 @@ -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. -# All Rights Reserved. -# -# **** End License **** - -package Vyatta::Login::Radius; -use strict; -use warnings; -use lib "/opt/vyatta/share/perl5"; -use Vyatta::Config; -use File::Compare; -use File::Copy; - -my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf'; -my $PAM_RAD_TMP = "/tmp/pam_radius_auth.$$"; - -my $PAM_RAD_AUTH = "/usr/share/pam-configs/radius"; -my $PAM_RAD_SYSCONF = "/opt/vyatta/etc/pam_radius.cfg"; - -sub remove_pam_radius { - system('sed -i -e \'/^passwd:.*mapuid[ \t]/s/mapuid[ \t]//\' \ - -e \'/^passwd:.*[ \t]mapname/s/[ \t]mapname//\' \ - -e \'/^group:.*[ \t]mapname/s/[ \t]mapname//\' \ - -e \'s/[ \t]*$//\' \ - /etc/nsswitch.conf'); - - system("DEBIAN_FRONTEND=noninteractive " . - "pam-auth-update --package --remove radius") == 0 - or die "pam-auth-update remove failed"; - - if (-e $PAM_RAD_AUTH) { - unlink ($PAM_RAD_AUTH) or die "Can't remove $PAM_RAD_AUTH"; - } -} - -sub add_pam_radius { - copy($PAM_RAD_SYSCONF,$PAM_RAD_AUTH) - or die "Can't copy $PAM_RAD_SYSCONF to $PAM_RAD_AUTH"; - - system("DEBIAN_FRONTEND=noninteractive " . 
- "pam-auth-update --package radius") == 0 - or die "pam-auth-update add failed"; - - system('sed -i -e \'/\smapname/b\' \ - -e \'/^passwd:/s/\s\s*/&mapuid /\' \ - -e \'/^passwd:.*#/s/#.*/mapname &/\' \ - -e \'/^passwd:[^#]*$/s/$/ mapname &/\' \ - -e \'/^group:.*#/s/#.*/ mapname &/\' \ - -e \'/^group:[^#]*$/s/: */&mapname /\' \ - /etc/nsswitch.conf') == 0 - or die "NSS configuration failed"; -} - -sub update { - my $rconfig = new Vyatta::Config; - $rconfig->setLevel("system login radius"); - my %servers = $rconfig->listNodeStatus("server"); - my $count = 0; - my $bindaddr = $rconfig->returnValue("source-address"); - if (!defined($bindaddr)) { - $bindaddr = "0"; - } - - open (my $cfg, ">", $PAM_RAD_TMP) - or die "Can't open config tmp: $PAM_RAD_TMP :$!"; - - print $cfg "# RADIUS configuration file\n"; - print $cfg "# automatically generated do not edit\n"; - print $cfg "# server[:port]\t\tshared_secret\t\t\ttimeout (s)\tsource_ip\n"; - - for my $server ( sort keys %servers ) { - next if ( $servers{$server} eq 'deleted' ); - my $port = $rconfig->returnValue("server $server port"); - my $secret = $rconfig->returnValue("server $server key"); - my $timeout = $rconfig->returnValue("server $server timeout"); - print $cfg "$server:$port\t$secret\t$timeout\t$bindaddr\n"; - ++$count; - print $cfg "priv-lvl 15\n"; - print $cfg "mapped_priv_user radius_priv_user\n"; - } - close($cfg); - - if ( compare( $PAM_RAD_CFG, $PAM_RAD_TMP ) != 0 ) { - copy ($PAM_RAD_TMP, $PAM_RAD_CFG) - or die "Copy of $PAM_RAD_TMP to $PAM_RAD_CFG failed"; - } - unlink($PAM_RAD_TMP); - - if ( $count > 0 ) { - add_pam_radius(); - } else { - remove_pam_radius(); - } -} - -1; diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm deleted file mode 100644 index c8b53e0a..00000000 --- a/lib/Vyatta/Login/User.pm +++ /dev/null 
@@ -1,247 +0,0 @@ -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. -# All Rights Reserved. -# -# **** End License **** - -package Vyatta::Login::User; -use strict; -use warnings; -use lib "/opt/vyatta/share/perl5"; -use Vyatta::Config; -use Vyatta::Misc; - -# Exit codes form useradd.8 man page -my %reasons = ( - 0 => 'success', - 1 => 'can´t update password file', - 2 => 'invalid command syntax', - 3 => 'invalid argument to option', - 4 => 'UID already in use (and no -o)', - 6 => 'specified group doesn´t exist', - 9 => 'username already in use', - 10 => 'can´t update group file', - 12 => 'can´t create home directory', - 13 => 'can´t create mail spool', -); - -my $levelFile = "/opt/vyatta/etc/level"; - -# Convert level to additional groups -sub _level_groups { - my $level = shift; - my @groups; - - open( my $f, '<', $levelFile ) - or return; - - while (<$f>) { - chomp; - # Ignore blank lines and comments - next unless $_; - next if /^#/; - - my ( $l, $g ) = split /:/; - if ( $l eq $level ) { - @groups = split( /,/, $g ); - last; - } - } - close $f; - return @groups; -} - -sub _authorized_keys { - my $user = shift; - my $config = new Vyatta::Config; - $config->setLevel("system login user $user authentication public-keys"); - - # ($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell,$expire) - # = getpw* - my ( undef, undef, $uid, $gid, undef, undef, undef, $home ) = - getpwnam($user); - return unless $home; - return unless -d $home; - - my 
$sshdir = "$home/.ssh"; - unless ( -d $sshdir ) { - mkdir $sshdir; - chown( $uid, $gid, $sshdir ); - chmod( 0750, $sshdir ); - } - - my $keyfile = "$sshdir/authorized_keys"; - open( my $auth, '>', $keyfile) - or die "open $keyfile failed: $!"; - - print {$auth} "# Automatically generated by Vyatta configuration\n"; - print {$auth} "# Do not edit, all changes will be lost\n"; - - foreach my $name ($config->listNodes()) { - my $options = $config->returnValue("$name options"); - my $type = $config->returnValue("$name type"); - my $key = $config->returnValue("$name key"); - - print {$auth} "$options " if $options; - print {$auth} "$type $key $name\n"; - } - - close $auth; - chmod( 0640, $keyfile ); - chown( $uid, $gid, $keyfile) -} - -sub _delete_user { - my $user = shift; - - my $login = getlogin(); - if ( $user eq 'root' ) { - warn "Disabling root account, instead of deleting\n"; - system('usermod -p ! root') == 0 - or die "usermod of root failed: $?\n"; - } elsif ( defined($login) && $login eq $user ) { - die "Attempting to delete current user: $user\n"; - } elsif ( getpwnam($user) ) { - if (`who | grep "^$user"` ne '') { - warn "$user is logged in, forcing logout\n"; - system("pkill -HUP -u $user"); - } - system("pkill -9 -u $user"); - - system("userdel -r $user 2>/dev/null") == 0 - or die "userdel of $user failed: $?\n"; - } -} - -sub _update_user { - my $user = shift; - my $cfg = new Vyatta::Config; - my $pwd = ""; - - $cfg->setLevel("system login user $user"); - if ($cfg->exists('authentication encrypted-password')) { - $pwd = $cfg->returnValue('authentication encrypted-password'); - } else { - $pwd = "!"; - } - my $level = $cfg->returnValue('level'); - my $fname = $cfg->returnValue('full-name'); - my $home = $cfg->returnValue('home-directory'); - - unless ($pwd) { - warn "Encrypted password not in configuration for $user"; - return; - } - - unless ($level) { - warn "Level not defined for $user"; - return; - } - - # map level to group membership - my @groups = 
_level_groups($level); - - # add any additional groups from configuration - push( @groups, $cfg->returnValues('group') ); - - # Read existing settings - my $uid = getpwnam($user); - - my $shell; - if ($level eq "operator") { - $shell = "/opt/vyatta/bin/restricted-shell"; - } - else { - $shell = "/bin/vbash"; - } - - # not found in existing passwd, must be new - my $cmd; - unless ( defined($uid) and $uid ne "1001" ) { - # make new user using vyatta shell - # and make home directory (-m) - # and with default group of 100 (users) - $cmd = "useradd -s $shell -m -N"; - } else { - # update existing account - $cmd = "usermod"; - } - - $cmd .= " -p '$pwd'"; - $cmd .= " -s $shell"; - $cmd .= " -c \"$fname\"" if ( defined $fname ); - $cmd .= " -d \"$home\"" if ( defined $home ); - $cmd .= ' -G ' . join( ',', @groups ); - system("$cmd $user"); - - unless ( $? == 0 ) { - my $reason = $reasons{ ( $? >> 8 ) }; - die "Attempt to change user $user failed: $reason\n"; - } -} - -# returns list of dynamically allocated users (see Debian Policy Manual) -sub _local_users { - my @users; - - setpwent(); - while ( my ($name, undef, $uid, undef, undef, undef, - undef, undef, $shell) = getpwent() ) { - next unless ($uid >= 1000 && $uid <= 29999); - next unless $shell eq '/bin/vbash'; - - push @users, $name; - } - endpwent(); - - return @users; -} - -sub update { - my $uconfig = new Vyatta::Config; - $uconfig->setLevel("system login user"); - my %users = $uconfig->listNodeStatus(); - - die "All users deleted!\n" unless %users; - - foreach my $user ( keys %users ) { - my $state = $users{$user}; - if ( $state eq 'deleted' ) { - _delete_user($user); - next; - } - - next unless ( $state eq 'added' || $state eq 'changed' ); - - _update_user($user); - _authorized_keys($user); - } - - # Remove any normal users that do not exist in current configuration - # This can happen if user added but configuration not saved - # and system is rebooted - foreach my $user ( _local_users() ) { - # skip radius 
users - next if $user eq 'radius_user'; - next if $user eq 'radius_priv_user'; - # did we see this user in configuration? - next if defined $users{$user}; - - warn "removing $user not listed in current configuration\n"; - # Remove user account but leave home directory to be safe - system("userdel $user") == 0 - or die "Attempt to delete user $user failed: $!"; - } -} - -1; diff --git a/scripts/rl-system.init b/scripts/rl-system.init index c220f49e..458bf9da 100755 --- a/scripts/rl-system.init +++ b/scripts/rl-system.init @@ -163,7 +163,6 @@ security_reset () { if grep -q radius /etc/pam.d/common-auth then pam-auth-update --package --remove radius - rm /usr/share/pam-configs/radius fi # Disable root login over telnet diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl deleted file mode 100755 index 41172c55..00000000 --- a/scripts/system/vyatta_update_login.pl +++ /dev/null 
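Review bot: In the rl-system.init hunk, security_reset still detects RADIUS with `grep -q radius /etc/pam.d/common-auth` and runs `pam-auth-update --package --remove radius`, but with the `rm /usr/share/pam-configs/radius` line gone the PAM profile that the deleted Vyatta::Login::Radius::add_pam_radius used to copy into place is no longer removed on systems upgraded from a release that installed it, so pam-auth-update can keep re-enabling a profile this package no longer ships. If the new Python implementation now owns that file, a short comment at the top of the `if` stating that would make the reset's intent clear, e.g. `# profile removal is handled by the XML/Python login implementation`; otherwise the `rm -f` should stay for upgrade hygiene. This is inferred from the commit description; the rest of security_reset lies outside the hunk.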
@@ -1,41 +0,0 @@ -#!/usr/bin/perl - -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. -# All Rights Reserved. -# -# **** End License **** - -use strict; -use lib "/opt/vyatta/share/perl5"; -use Vyatta::Config; - -# This is just a simple wrapper that allows for extensiblility -# of login types. - -my $config = new Vyatta::Config; -$config->setLevel("system login"); - -my %loginNodes = $config->listNodeStatus(); -while ( my ($type, $status) = each %loginNodes) { - next if ($status eq 'static'); - next if ($type eq 'banner'); - - # Dynamically load the module to handle that login method - my $kind = ucfirst $type; - require "Vyatta/Login/$kind.pm"; - - # Dynamically invoke update for this type - my $login = "Vyatta::Login::$kind"; - $login->update($status); -} diff --git a/sysconf/pam_radius.cfg b/sysconf/pam_radius.cfg deleted file mode 100644 index ba3037ea..00000000 --- a/sysconf/pam_radius.cfg +++ /dev/null @@ -1,14 +0,0 @@ -Name: RADIUS authentication -Default: yes -Priority: 257 -Auth-Type: Primary -Auth: - [authinfo_unavail=ignore success=end default=ignore] /lib/security/pam_radius_auth.so - -Account-Type: Primary -Account: - [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] /lib/security/pam_radius_auth.so - -Session-Type: Additional -Session: - [authinfo_unavail=ignore success=ok default=ignore] /lib/security/pam_radius_auth.so 
diff --git a/templates/system/login/node.def b/templates/system/login/node.def deleted file mode 100644 index 09255a76..00000000 --- a/templates/system/login/node.def +++ /dev/null @@ -1,4 +0,0 @@ -priority: 400 -help: User login -delete: echo 'All login methods can not be deleted' 1>&2; exit 1 -end: sudo /opt/vyatta/sbin/vyatta_update_login.pl diff --git a/templates/system/login/radius/node.def b/templates/system/login/radius/node.def deleted file mode 100644 index 86baaabe..00000000 --- a/templates/system/login/radius/node.def +++ /dev/null @@ -1 +0,0 @@ -help: RADIUS specific configuration diff --git a/templates/system/login/radius/server/node.def b/templates/system/login/radius/server/node.def deleted file mode 100644 index ba47c5d7..00000000 --- a/templates/system/login/radius/server/node.def +++ /dev/null @@ -1,6 +0,0 @@ -tag: -type: ipv4 -help: Radius server authentication -commit:expression: $VAR(port) != "" && $VAR(key) != "" - && $VAR(timeout) != "" - ; "Port, Key, and Timeout must be specified for RADIUS" diff --git a/templates/system/login/radius/server/node.tag/key/node.def b/templates/system/login/radius/server/node.tag/key/node.def deleted file mode 100644 index 90420518..00000000 --- a/templates/system/login/radius/server/node.tag/key/node.def +++ /dev/null @@ -1,2 +0,0 @@ -type: txt -help: Secret for radius access [REQUIRED] diff --git a/templates/system/login/radius/server/node.tag/port/node.def b/templates/system/login/radius/server/node.tag/port/node.def deleted file mode 100644 index d3869f55..00000000 --- a/templates/system/login/radius/server/node.tag/port/node.def +++ /dev/null @@ -1,8 +0,0 @@ -type: u32 -help: Radius port [default: 1812] -default: 1812 - -val_help: u32:1-65535; Numeric IP port -syntax:expression: $VAR(@) > 0 && $VAR(@) <= 65535 ; \ - "Port number must be in range 1 to 65535" - 
diff --git a/templates/system/login/radius/server/node.tag/timeout/node.def b/templates/system/login/radius/server/node.tag/timeout/node.def deleted file mode 100644 index a4637981..00000000 --- a/templates/system/login/radius/server/node.tag/timeout/node.def +++ /dev/null @@ -1,5 +0,0 @@ -type: u32 -help: Timeout for radius session in seconds [default: 2] -default: 2 -syntax:expression: $VAR(@) > 0 && $VAR(@) <= 30 \ - ; "Timeout must be between 1 and 30 seconds" diff --git a/templates/system/login/radius/source-address/node.def b/templates/system/login/radius/source-address/node.def deleted file mode 100644 index 546bfaa3..00000000 --- a/templates/system/login/radius/source-address/node.def +++ /dev/null @@ -1,2 +0,0 @@ -type: ipv4 -help: Local RADIUS client address from which packets are sent diff --git a/templates/system/login/user/node.def b/templates/system/login/user/node.def deleted file mode 100644 index 4dffb9b7..00000000 --- a/templates/system/login/user/node.def +++ /dev/null @@ -1,14 +0,0 @@ -tag: -type: txt -help: User account information - -syntax:expression: exec "/opt/vyatta/sbin/vyatta_check_username.pl $VAR(@)" -syntax:expression: exec "${vyos_libexec_dir}/validate-value.py --regex \'^[a-zA-Z0-9\-_\.]{1,100}\' --value \'$VAR(@)\'"; "illegal characters in username or longer than 100 chars" - -commit:expression: $VAR(@) == "" || - $VAR(authentication/plaintext-password) != "" || - $VAR(authentication/plaintext-password/@) = "" - -commit:expression: $VAR(@) == "" || - $VAR(authentication/encrypted-password) != "" || - $VAR(authentication/encrypted-password/@) = "!" diff --git a/templates/system/login/user/node.tag/authentication/encrypted-password/node.def b/templates/system/login/user/node.tag/authentication/encrypted-password/node.def deleted file mode 100644 index 29ad14a8..00000000 --- a/templates/system/login/user/node.tag/authentication/encrypted-password/node.def +++ /dev/null 
@@ -1,11 +0,0 @@ -type: txt -help: Encrypted password -# Allow * or ! to disable account -# DES format password (13 characters) -# MD5 format ($1) and SHA format passwords -syntax:expression: ($VAR(@) == "*" || $VAR(@) == "!" \ - || ( pattern $VAR(@) "^[a-zA-Z0-9\.\/]{13}$" ) \ - || ( pattern $VAR(@) "^\\$1\\$[a-zA-Z0-9\./]*\\$[a-zA-Z0-9\./]{22}$" ) \ - || ( pattern $VAR(@) "^\\$5\\$[a-zA-Z0-9\./]*\\$[a-zA-Z0-9\./]{43}$" ) \ - || ( pattern $VAR(@) "^\\$6\\$[a-zA-Z0-9\./]*\\$[a-zA-Z0-9\./]{86}$" )) \ - ; "Not a valid encrypted password for user $VAR(../../@)" diff --git a/templates/system/login/user/node.tag/authentication/node.def b/templates/system/login/user/node.tag/authentication/node.def deleted file mode 100644 index 4306d008..00000000 --- a/templates/system/login/user/node.tag/authentication/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Authentication password diff --git a/templates/system/login/user/node.tag/authentication/plaintext-password/node.def b/templates/system/login/user/node.tag/authentication/plaintext-password/node.def deleted file mode 100644 index 407f49b5..00000000 --- a/templates/system/login/user/node.tag/authentication/plaintext-password/node.def +++ /dev/null @@ -1,9 +0,0 @@ -type: txt -help: Plaintext password for encryption -# if plaintext is empty, assume this is left-over from blanking the plaintext -# and do nothing. - -update:expression: $VAR(@) == "" \ -|| ($VAR(../encrypted-password/@) \ - = `/usr/bin/mkpasswd --method=sha-512 '$VAR(@)' | tr -d \\\\n` \ - && $VAR(@) = "") diff --git a/templates/system/login/user/node.tag/authentication/public-keys/node.def b/templates/system/login/user/node.tag/authentication/public-keys/node.def deleted file mode 100644 index 245e7197..00000000 --- a/templates/system/login/user/node.tag/authentication/public-keys/node.def +++ /dev/null 
@@ -1,9 +0,0 @@ -tag: -type: txt -help: Remote access public keys -val_help: Key identifier used by ssh-keygen (usually of form user@host) - -commit:expression: $VAR(./type/) != "" ; \ - "Must configure public key type for $VAR(@)" -commit:expression: $VAR(./key/) != "" ; \ - "Must configure public key value for $VAR(@)" diff --git a/templates/system/login/user/node.tag/authentication/public-keys/node.tag/key/node.def b/templates/system/login/user/node.tag/authentication/public-keys/node.tag/key/node.def deleted file mode 100644 index 6ca70736..00000000 --- a/templates/system/login/user/node.tag/authentication/public-keys/node.tag/key/node.def +++ /dev/null @@ -1,9 +0,0 @@ -type: txt -help: Public key value (base64-encoded) -syntax:expression: pattern $VAR(@) "^[0-9A-Za-z+/=]*$" ; \ - "Invalid public key character not base-64" - -comp_help: The key is usually several hundred bytes long (because of the size -of the public key encoding). Use the loadkey tool to input key from -a URL or file. - diff --git a/templates/system/login/user/node.tag/authentication/public-keys/node.tag/options/node.def b/templates/system/login/user/node.tag/authentication/public-keys/node.tag/options/node.def deleted file mode 100644 index 2677594b..00000000 --- a/templates/system/login/user/node.tag/authentication/public-keys/node.tag/options/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: txt -help: Additional public key options - diff --git a/templates/system/login/user/node.tag/authentication/public-keys/node.tag/type/node.def b/templates/system/login/user/node.tag/authentication/public-keys/node.tag/type/node.def deleted file mode 100644 index bf789e06..00000000 --- a/templates/system/login/user/node.tag/authentication/public-keys/node.tag/type/node.def +++ /dev/null 
@@ -1,4 +0,0 @@ -type: txt -help: Public key type -allowed: echo "ssh-dss ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519" -syntax:expression: $VAR(@) in "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-ed25519"; "Unknown key type" diff --git a/templates/system/login/user/node.tag/full-name/node.def b/templates/system/login/user/node.tag/full-name/node.def deleted file mode 100644 index 42d9dfac..00000000 --- a/templates/system/login/user/node.tag/full-name/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: txt -help: Full name of the user (use quotes for names with spaces) -syntax:expression: pattern $VAR(@) "^[^:]*$"; "Cannot use ':' in full name" diff --git a/templates/system/login/user/node.tag/group/node.def b/templates/system/login/user/node.tag/group/node.def deleted file mode 100644 index 77d52ed8..00000000 --- a/templates/system/login/user/node.tag/group/node.def +++ /dev/null @@ -1,15 +0,0 @@ -multi: -type: txt -help: Additional group membership -val_help: <groupname>; Group name -val_help: u32:0-65535; Group ID - -syntax:expression: pattern $VAR(@) "^[a-zA-Z_][a-zA-Z0-9_-]*\\$?$" - ; "Invalid group name $VAR(@)" -syntax:expression: ! $VAR(@) in \ - "frrvty", "vyattacfg", "vyattaop", "sudo", "adm", "operator" - ; "Use configuration level to change membership of operator and admin groups" -allowed: awk -F: ' - $1 == "frrvty" || $1 == "vyattacfg" || $1 == "vyattaop" || \ - $1 == "sudo" || $1 == "adm" || $1 == "operator" { next; } - {printf "%s ", $1}' </etc/group diff --git a/templates/system/login/user/node.tag/home-directory/node.def b/templates/system/login/user/node.tag/home-directory/node.def deleted file mode 100644 index 90b62195..00000000 --- a/templates/system/login/user/node.tag/home-directory/node.def +++ /dev/null @@ -1,2 +0,0 @@ -type: txt -help: Home directory 
diff --git a/templates/system/login/user/node.tag/level/node.def b/templates/system/login/user/node.tag/level/node.def deleted file mode 100644 index 73b1b3c2..00000000 --- a/templates/system/login/user/node.tag/level/node.def +++ /dev/null @@ -1,7 +0,0 @@ -type: txt -help: User privilege level -default: "admin" -allowed: echo admin -syntax:expression: $VAR(@) in "admin"; "Allowed levels are \"admin\"" - -val_help: admin; Administrators |