-rw-r--r-- | Makefile.am | 1 | ||||
-rw-r--r-- | debian/control | 1 | ||||
-rw-r--r-- | debian/vyatta-cfg-system.postinst.in | 1 | ||||
-rwxr-xr-x | scripts/system/vyatta_update_login.pl | 132 | ||||
-rw-r--r-- | templates/system/login/node.def | 2 | ||||
-rw-r--r-- | templates/system/login/radius-server/node.def | 10 | ||||
-rw-r--r-- | templates/system/login/user/node.def | 26 |
7 files changed, 141 insertions, 32 deletions
diff --git a/Makefile.am b/Makefile.am
index d92c4dc1..68e9fbea 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -14,6 +14,7 @@ sbin_SCRIPTS += scripts/rl-system.init
 sbin_SCRIPTS += scripts/install-system
 sbin_SCRIPTS += scripts/quick-install
 sbin_SCRIPTS += scripts/standalone_root_pw_reset
+sbin_SCRIPTS += scripts/system/vyatta_update_login.pl
 sbin_SCRIPTS += scripts/system/vyatta_update_login_user.pl
 sbin_SCRIPTS += scripts/system/vyatta_update_logrotate.pl
 sbin_SCRIPTS += scripts/system/vyatta_update_resolv.pl
diff --git a/debian/control b/debian/control
index d950155d..ac3bec6d 100644
--- a/debian/control
+++ b/debian/control
@@ -12,6 +12,7 @@ Depends: bash (>= 3.1),
 perl (>= 5.8.8),
 procps (>= 1:3.2.7-3),
 coreutils (>= 5.97-5.3),
+ libpam-radius-auth,
 vyatta-cfg, sysv-rc, ntp, sysklogd, busybox, ssh, whois, sudo, snmpd, keepalived, vyatta-bash, bridge-utils
 Suggests: util-linux (>= 2.13-5),
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 979760f6..aca479ea 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -64,7 +64,6 @@ mv /etc/crontab.$$ /etc/crontab
 crontab /etc/crontab
 # create needed directories
-mkdir -p /etc/raddb
 mkdir -p /var/log/{user,vrrpd}
 touch /etc/environment
diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl
new file mode 100755
index 00000000..985ef7b4
--- /dev/null
+++ b/scripts/system/vyatta_update_login.pl
@@ -0,0 +1,132 @@
+#!/usr/bin/perl
+
+use strict;
+use lib "/opt/vyatta/share/perl5";
+use VyattaConfig;
+
+# handle "user"
+my $uconfig = new VyattaConfig;
+$uconfig->setLevel("system login user");
+my %users = $uconfig->listNodeStatus();
+my @user_keys = sort keys %users;
+if ((scalar(@user_keys) <= 0) || !(grep /^root$/, @user_keys)
+ || ($users{'root'} eq 'deleted')) {
+ # root is deleted
+ print STDERR "User \"root\" cannot be deleted\n";
+ exit 1;
+}
+
+# we have some users
+for my $user (@user_keys) {
+ if ($users{$user} eq 'deleted') {
+ system("sudo /opt/vyatta/sbin/vyatta_update_login_user.pl -d '$user'");
+ exit 1 if ($? >> 8);
+ } elsif ($users{$user} eq 'added' || $users{$user} eq 'changed') {
+ my $fname = $uconfig->returnValue("$user full-name");
+ my $level = $uconfig->returnValue("$user level");
+ my $p = $uconfig->returnValue("$user authentication encrypted-password");
+ system("sudo /opt/vyatta/sbin/vyatta_update_login_user.pl '$user' "
+ . "'$fname' '$p' '$level'");
+ exit 1 if ($? >> 8);
+ } else {
+ # not changed. do nothing.
+ }
+}
+
+my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf';
+my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers';
+my $PAM_RAD_END = '# END Vyatta Radius servers';
+
+sub is_pam_radius_present {
+ if (!open(AUTH, '/etc/pam.d/common-auth')) {
+ print STDERR "Cannot open /etc/pam.d/common-auth\n";
+ exit 1;
+ }
+ my $present = 0;
+ while (<AUTH>) {
+ if (/\ssufficient\spam_radius_auth\.so$/) {
+ $present = 1;
+ last;
+ }
+ }
+ close AUTH;
+ return $present;
+}
+
+sub remove_pam_radius {
+ return 1 if (!is_pam_radius_present());
+ my $cmd = 'sudo sh -c "'
+ . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d;'
+ . '/\tpam_unix\.so /{s/ use_first_pass$//}\' '
+ . '/etc/pam.d/common-auth && '
+ . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d\' '
+ . '/etc/pam.d/common-account"';
+ system($cmd);
+ return 0 if ($? >> 8);
+ return 1;
+}
+
+sub add_pam_radius {
+ return 1 if (is_pam_radius_present());
+ my $cmd = 'sudo sh -c "'
+ . 
'sed -i \'s/^\(auth\trequired\tpam_unix\.so.*\)$'
+ . '/auth\tsufficient\tpam_radius_auth.so\n\1 use_first_pass/\' '
+ . '/etc/pam.d/common-auth && '
+ . 'sed -i \'s/^\(account\trequired\tpam_unix\.so.*\)$'
+ . '/account\tsufficient\tpam_radius_auth.so\n\1/\' '
+ . '/etc/pam.d/common-account"';
+ system($cmd);
+ return 0 if ($? >> 8);
+ return 1;
+}
+
+sub remove_radius_servers {
+ system("sudo sed -i '/^$PAM_RAD_BEGIN\$/,/^$PAM_RAD_END\$/{d}' "
+ . "$PAM_RAD_CFG");
+ return 0 if ($? >> 8);
+ return 1;
+}
+
+sub add_radius_servers {
+ my $str = shift;
+ system("sudo sh -c \""
+ . "echo '$PAM_RAD_BEGIN\n$str$PAM_RAD_END\n' >> $PAM_RAD_CFG\"");
+ return 0 if ($? >> 8);
+ return 1;
+}
+
+# handle "radius-server"
+my $rconfig = new VyattaConfig;
+$rconfig->setLevel("system login radius-server");
+my %servers = $rconfig->listNodeStatus();
+my @server_keys = sort keys %servers;
+if (scalar(@server_keys) <= 0) {
+ # all radius servers deleted
+ exit 1 if (!remove_pam_radius());
+ exit 0;
+}
+
+# we have some servers
+my $all_deleted = 1;
+my $server_str = '';
+remove_radius_servers();
+for my $server (@server_keys) {
+ if ($servers{$server} ne 'deleted') {
+ $all_deleted = 0;
+ my $port = $rconfig->returnValue("$server port");
+ my $secret = $rconfig->returnValue("$server secret");
+ my $timeout = $rconfig->returnValue("$server timeout");
+ $server_str .= "$server:$port\t$secret\t$timeout\n";
+ }
+}
+
+if ($all_deleted) {
+ # all radius servers deleted
+ exit 1 if (!remove_pam_radius());
+} else {
+ exit 1 if (!add_radius_servers($server_str));
+ exit 1 if (!add_pam_radius());
+}
+
+exit 0;
+
diff --git a/templates/system/login/node.def b/templates/system/login/node.def
index ca2da1b3..d98c03c6 100644
--- a/templates/system/login/node.def
+++ b/templates/system/login/node.def
@@ -1,3 +1,3 @@
 help: Configure user access
 delete:expression: "echo User root cannot be deleted 1>&2 && exit 1"
-
+end: /opt/vyatta/sbin/vyatta_update_login.pl
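Review bot: Configuration values are spliced into shell command strings, so a full-name or RADIUS secret containing a single quote breaks out of the `'...'` quoting and the remainder runs as root through sudo — at `system("sudo /opt/vyatta/sbin/vyatta_update_login_user.pl '$user' " . "'$fname' '$p' '$level'")` in the user loop and at `sh -c "echo '$PAM_RAD_BEGIN\n$str$PAM_RAD_END\n' >> $PAM_RAD_CFG"` in add_radius_servers. The user name is constrained by the `syntax:expression` pattern kept in the user/node.def hunk, but nothing in this series constrains full-name or secret. The user calls can drop the shell entirely with list-form `system('sudo', '/opt/vyatta/sbin/vyatta_update_login_user.pl', $user, $fname, $p, $level);` and `system('sudo', '/opt/vyatta/sbin/vyatta_update_login_user.pl', '-d', $user);` for the delete branch. The `echo` also places the shared secret on a command line readable by any local user through `ps`, so add_radius_servers should stream the block through a pipe instead, as below; whether libpam-radius-auth ships `/etc/pam_radius_auth.conf` as 0600 is not visible here, so the `umask 077` in the rewrite only protects the case where `>>` creates the file fresh and should be confirmed against the package.
```perl
sub add_radius_servers {
    my $str = shift;
    # Stream the block through a pipe: the secret never reaches a shell
    # parser or the process table, and the file path is passed as an
    # argument ($1) rather than interpolated into the sh -c string.
    open(my $out, '|-', 'sudo', 'sh', '-c', 'umask 077 && cat >> "$1"',
         'sh', $PAM_RAD_CFG) or return 0;
    print {$out} "$PAM_RAD_BEGIN\n$str$PAM_RAD_END\n";
    # close() on a pipe is false when the child exits non-zero
    close($out) or return 0;
    return 1;
}
```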
diff --git a/templates/system/login/radius-server/node.def b/templates/system/login/radius-server/node.def
index 6d87890c..85ca4cc5 100644
--- a/templates/system/login/radius-server/node.def
+++ b/templates/system/login/radius-server/node.def
@@ -1,10 +1,6 @@
 tag:
 type: ipv4
 help: Radius server authentication configuration
-# need mandatory secret. also need port & timeout (default values?)
-update:expression: "sudo sh -c \"touch /etc/raddb/server && \
-sed -i '/$VAR(@)/d' /etc/raddb/server && \
-echo \\\"$VAR(@):$VAR(port/@)\t$VAR(secret/@)\t$VAR(timeout/@)\\\" \
->> /etc/raddb/server\" "
-delete:expression: "sudo sh -c \"touch /etc/raddb/server && \
-sed -i '/$VAR(@)/d' /etc/raddb/server\" "
+commit:expression: $VAR(port) != "" && $VAR(secret) != ""
+ && $VAR(timeout) != ""
+ ; "Port, secret, and timeout must be specified for Radius"
diff --git a/templates/system/login/user/node.def b/templates/system/login/user/node.def
index 0c1a393d..205a4b7a 100644
--- a/templates/system/login/user/node.def
+++ b/templates/system/login/user/node.def
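Review bot: The new `commit:expression` only establishes that `port`, `secret` and `timeout` are set; nothing in this hunk or elsewhere in the series validates what they contain, yet the consuming script writes them as tab-separated fields (`"$server:$port\t$secret\t$timeout\n"`) and interpolates the secret into a `sudo sh -c` string. A secret containing whitespace silently shifts the timeout column in `/etc/pam_radius_auth.conf`, and one containing a quote reaches the root shell. Consider an allowlist on `secret/node.def` (not part of this diff), e.g. `syntax:expression: pattern $VAR(@) "^[A-Za-z0-9_.:@#%^&*=+/-]+$" ; "Radius secret may only contain letters, digits and _.:@#%^&*=+/-"`, widened to whatever character set the deployed RADIUS servers actually require, plus numeric checks on port and timeout. The removed expressions wrote the same secrets to `/etc/raddb/server`; the postinst stops creating the directory but nothing removes the stale file on upgrade, so an `rm -f /etc/raddb/server` there would avoid leaving a second copy of the secrets behind.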
@@ -4,26 +4,6 @@ help: User account information
 commit:expression: $VAR(authentication/encrypted-password) != ""
 || ($VAR(authentication/plaintext-password) != ""
 && $VAR(authentication/plaintext-password/@) != "")
- ; "user password must be specified"
-syntax:expression: pattern $VAR(@) "^[a-zA-Z_][a-zA-Z0-9_-]*\\$?$" ; "invalid user name $VAR(@)"
-# line continuation and $() expansion are done by cli, not sh.
-# need mandatory encrypted password.
-end:expression: "if [ -d /tmp/vyatta-delete-system-login-user-$VAR(@).$PPID ]; \
-then rm -rf /tmp/vyatta-delete-system-login-user-$VAR(@).$PPID && exit 0; \
-fi && \
-sudo /opt/vyatta/sbin/vyatta_update_login_user.pl \
- '$VAR(@)' '$VAR(full-name/@)' '$VAR(authentication/encrypted-password/@)' \
- '$VAR(level/@)'"
-delete:expression: "if [ x$VAR(@) == x ]; then exit 1; fi && \
-if [ x$VAR(@) == xroot ]; then \
- echo Cannot delete user \"root\" 1>&2 && exit 2; \
-fi && \
-if mkdir /tmp/vyatta-delete-system-login-user-$VAR(@).$PPID >& /dev/null; \
-then \
- if ! sudo /opt/vyatta/sbin/vyatta_update_login_user.pl -d '$VAR(@)'; then \
- rm -rf /tmp/vyatta-delete-system-login-user-$VAR(@).$PPID; \
- exit 1; \
- fi; \
-else \
- exit 1; \
-fi"
+ ; "user password must be specified"
+syntax:expression: pattern $VAR(@) "^[a-zA-Z_][a-zA-Z0-9_-]*\\$?$"
+ ; "invalid user name $VAR(@)" |