diff options
author | An-Cheng Huang <ancheng@vyatta.com> | 2008-03-10 17:57:18 -0700 |
---|---|---|
committer | An-Cheng Huang <ancheng@vyatta.com> | 2008-03-10 17:57:18 -0700 |
commit | 8c19cf60345065b1d573e7befea9be6042d296a2 (patch) | |
tree | 4d00842161546c662c934736834402d441d099cd /scripts/system/vyatta_update_login.pl | |
parent | e7b2082e077f2ac4625f8a7e2a45749b3ce56140 (diff) | |
download | vyatta-cfg-system-8c19cf60345065b1d573e7befea9be6042d296a2.tar.gz vyatta-cfg-system-8c19cf60345065b1d573e7befea9be6042d296a2.zip |
fix for bug 2083: add radius authentication support.
Diffstat (limited to 'scripts/system/vyatta_update_login.pl')
-rwxr-xr-x | scripts/system/vyatta_update_login.pl | 132 |
1 files changed, 132 insertions, 0 deletions
diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl new file mode 100755 index 00000000..985ef7b4 --- /dev/null +++ b/scripts/system/vyatta_update_login.pl @@ -0,0 +1,132 @@ +#!/usr/bin/perl + +use strict; +use lib "/opt/vyatta/share/perl5"; +use VyattaConfig; + +# handle "user" +my $uconfig = new VyattaConfig; +$uconfig->setLevel("system login user"); +my %users = $uconfig->listNodeStatus(); +my @user_keys = sort keys %users; +if ((scalar(@user_keys) <= 0) || !(grep /^root$/, @user_keys) + || ($users{'root'} eq 'deleted')) { + # root is deleted + print STDERR "User \"root\" cannot be deleted\n"; + exit 1; +} + +# we have some users +for my $user (@user_keys) { + if ($users{$user} eq 'deleted') { + system("sudo /opt/vyatta/sbin/vyatta_update_login_user.pl -d '$user'"); + exit 1 if ($? >> 8); + } elsif ($users{$user} eq 'added' || $users{$user} eq 'changed') { + my $fname = $uconfig->returnValue("$user full-name"); + my $level = $uconfig->returnValue("$user level"); + my $p = $uconfig->returnValue("$user authentication encrypted-password"); + system("sudo /opt/vyatta/sbin/vyatta_update_login_user.pl '$user' " + . "'$fname' '$p' '$level'"); + exit 1 if ($? >> 8); + } else { + # not changed. do nothing. + } +} + +my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf'; +my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers'; +my $PAM_RAD_END = '# END Vyatta Radius servers'; + +sub is_pam_radius_present { + if (!open(AUTH, '/etc/pam.d/common-auth')) { + print STDERR "Cannot open /etc/pam.d/common-auth\n"; + exit 1; + } + my $present = 0; + while (<AUTH>) { + if (/\ssufficient\spam_radius_auth\.so$/) { + $present = 1; + last; + } + } + close AUTH; + return $present; +} + +sub remove_pam_radius { + return 1 if (!is_pam_radius_present()); + my $cmd = 'sudo sh -c "' + . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d;' + . '/\tpam_unix\.so /{s/ use_first_pass$//}\' ' + . '/etc/pam.d/common-auth && ' + . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d\' ' + . '/etc/pam.d/common-account"'; + system($cmd); + return 0 if ($? >> 8); + return 1; +} + +sub add_pam_radius { + return 1 if (is_pam_radius_present()); + my $cmd = 'sudo sh -c "' + . 'sed -i \'s/^\(auth\trequired\tpam_unix\.so.*\)$' + . '/auth\tsufficient\tpam_radius_auth.so\n\1 use_first_pass/\' ' + . '/etc/pam.d/common-auth && ' + . 'sed -i \'s/^\(account\trequired\tpam_unix\.so.*\)$' + . '/account\tsufficient\tpam_radius_auth.so\n\1/\' ' + . '/etc/pam.d/common-account"'; + system($cmd); + return 0 if ($? >> 8); + return 1; +} + +sub remove_radius_servers { + system("sudo sed -i '/^$PAM_RAD_BEGIN\$/,/^$PAM_RAD_END\$/{d}' " + . "$PAM_RAD_CFG"); + return 0 if ($? >> 8); + return 1; +} + +sub add_radius_servers { + my $str = shift; + system("sudo sh -c \"" + . "echo '$PAM_RAD_BEGIN\n$str$PAM_RAD_END\n' >> $PAM_RAD_CFG\""); + return 0 if ($? >> 8); + return 1; +} + +# handle "radius-server" +my $rconfig = new VyattaConfig; +$rconfig->setLevel("system login radius-server"); +my %servers = $rconfig->listNodeStatus(); +my @server_keys = sort keys %servers; +if (scalar(@server_keys) <= 0) { + # all radius servers deleted + exit 1 if (!remove_pam_radius()); + exit 0; +} + +# we have some servers +my $all_deleted = 1; +my $server_str = ''; +remove_radius_servers(); +for my $server (@server_keys) { + if ($servers{$server} ne 'deleted') { + $all_deleted = 0; + my $port = $rconfig->returnValue("$server port"); + my $secret = $rconfig->returnValue("$server secret"); + my $timeout = $rconfig->returnValue("$server timeout"); + $server_str .= "$server:$port\t$secret\t$timeout\n"; + } +} + +if ($all_deleted) { + # all radius servers deleted + exit 1 if (!remove_pam_radius()); +} else { + exit 1 if (!add_radius_servers($server_str)); + exit 1 if (!add_pam_radius()); +} + +exit 0; + |