From 0e0639d6aedc184400067cecb8f5a0530df193cd Mon Sep 17 00:00:00 2001 
From: Christian Poessinger Date: Thu, 18 Apr 2019 18:23:22 +0200 Subject: T1344: rename RADIUS 'system login' nodes In order to prepare for adding a RADIUS source IP address and synchronize the syntax with L2TP/PPTP the nodes have been renamed from: set system login radius-server x.x.x.x to set system login radius server x.x.x.x --- Makefile.am | 4 +- cfg-version/system@10 | 0 cfg-version/system@11 | 0 lib/Vyatta/Login/Radius.pm | 102 +++++++++++++++++++++ lib/Vyatta/Login/RadiusServer.pm | 102 --------------------- lib/Vyatta/Login/User.pm | 0 scripts/system/vyatta_update_login.pl | 5 +- templates/system/login/radius-server/node.def | 6 -- .../login/radius-server/node.tag/port/node.def | 8 -- .../login/radius-server/node.tag/secret/node.def | 2 - .../login/radius-server/node.tag/timeout/node.def | 5 - templates/system/login/radius/node.def | 1 + templates/system/login/radius/server/node.def | 6 ++ .../login/radius/server/node.tag/port/node.def | 8 ++ .../login/radius/server/node.tag/secret/node.def | 2 + .../login/radius/server/node.tag/timeout/node.def | 5 + 16 files changed, 127 insertions(+), 129 deletions(-) delete mode 100644 cfg-version/system@10 create mode 100644 cfg-version/system@11 create mode 100644 lib/Vyatta/Login/Radius.pm delete mode 100644 lib/Vyatta/Login/RadiusServer.pm mode change 100755 => 100644 lib/Vyatta/Login/User.pm delete mode 100644 templates/system/login/radius-server/node.def delete mode 100644 templates/system/login/radius-server/node.tag/port/node.def delete mode 100644 templates/system/login/radius-server/node.tag/secret/node.def delete mode 100644 templates/system/login/radius-server/node.tag/timeout/node.def create mode 100644 templates/system/login/radius/node.def create mode 100644 templates/system/login/radius/server/node.def create mode 100644 templates/system/login/radius/server/node.tag/port/node.def create mode 100644 templates/system/login/radius/server/node.tag/secret/node.def create mode 100644 
templates/system/login/radius/server/node.tag/timeout/node.def
diff --git a/Makefile.am b/Makefile.am
index 70a6bb28..4ecc9dee 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -76,7 +76,7 @@ src_valid_address = src/valid_address.c
 src_local_ip = src/local_ip.c
 share_perl5_DATA = lib/Vyatta/Login/User.pm
-share_perl5_DATA += lib/Vyatta/Login/RadiusServer.pm
+share_perl5_DATA += lib/Vyatta/Login/Radius.pm
 sysconf_DATA += sysconf/LICENSE
 sysconf_DATA += sysconf/issue
@@ -108,7 +108,7 @@ rsyslogdir = /etc/rsyslog.d
 #rsyslog_DATA = sysconf/vyatta-log.conf
 curver_DATA = cfg-version/vrrp@2
-curver_DATA += cfg-version/system@10
+curver_DATA += cfg-version/system@11
 curver_DATA += cfg-version/broadcast-relay@1
 curver_DATA += cfg-version/mdns@1
 curver_DATA += cfg-version/dhcp-server@5
diff --git a/cfg-version/system@10 b/cfg-version/system@10
deleted file mode 100644
index e69de29b..00000000
diff --git a/cfg-version/system@11 b/cfg-version/system@11
new file mode 100644
index 00000000..e69de29b
diff --git a/lib/Vyatta/Login/Radius.pm b/lib/Vyatta/Login/Radius.pm
new file mode 100644
index 00000000..9c2d56aa
--- /dev/null
+++ b/lib/Vyatta/Login/Radius.pm
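Review bot: The `system@10` to `system@11` bump in the second hunk declares a configuration-schema change, but nothing in this patch migrates existing `system login radius-server x.x.x.x` nodes to the new `system login radius server x.x.x.x` form. If the 10-to-11 migration script lives in another repository, confirm it lands together with this change, because a box whose only administrators authenticate through RADIUS would otherwise come up with the old nodes rejected and no RADIUS PAM stack configured. A sentence in the commit message naming where that migrator lives would make the dependency visible.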
@@ -0,0 +1,102 @@
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc.
+# All Rights Reserved.
+#
+# **** End License ****
+
+package Vyatta::Login::Radius;
+use strict;
+use warnings;
+use lib "/opt/vyatta/share/perl5";
+use Vyatta::Config;
+use File::Compare;
+use File::Copy;
+
+my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf';
+my $PAM_RAD_TMP = "/tmp/pam_radius_auth.$$";
+
+my $PAM_RAD_AUTH = "/usr/share/pam-configs/radius";
+my $PAM_RAD_SYSCONF = "/opt/vyatta/etc/pam_radius.cfg";
+
+sub remove_pam_radius {
+ system('sed -i -e \'/^passwd:.*mapuid[ \t]/s/mapuid[ \t]//\' \
+ -e \'/^passwd:.*[ \t]mapname/s/[ \t]mapname//\' \
+ -e \'/^group:.*[ \t]mapname/s/[ \t]mapname//\' \
+ -e \'s/[ \t]*$//\' \
+ /etc/nsswitch.conf');
+
+ system("DEBIAN_FRONTEND=noninteractive " .
+ "pam-auth-update --package --remove radius") == 0
+ or die "pam-auth-update remove failed";
+
+ unlink($PAM_RAD_AUTH)
+ or die "Can't remove $PAM_RAD_AUTH";
+}
+
+sub add_pam_radius {
+ copy($PAM_RAD_SYSCONF,$PAM_RAD_AUTH)
+ or die "Can't copy $PAM_RAD_SYSCONF to $PAM_RAD_AUTH";
+
+ system("DEBIAN_FRONTEND=noninteractive " .
+ "pam-auth-update --package radius") == 0
+ or die "pam-auth-update add failed";
+
+ system('sed -i -e \'/\smapname/b\' \
+ -e \'/^passwd:/s/\s\s*/&mapuid /\' \
+ -e \'/^passwd:.*#/s/#.*/mapname &/\' \
+ -e \'/^passwd:[^#]*$/s/$/ mapname &/\' \
+ -e \'/^group:.*#/s/#.*/ mapname &/\' \
+ -e \'/^group:[^#]*$/s/: */&mapname /\' \
+ /etc/nsswitch.conf') == 0
+ or die "NSS configuration failed";
+}
+
+sub update {
+ my $rconfig = new Vyatta::Config;
+ $rconfig->setLevel("system login radius server");
+ my %servers = $rconfig->listNodeStatus();
+ my $count = 0;
+
+ open (my $cfg, ">", $PAM_RAD_TMP)
+ or die "Can't open config tmp: $PAM_RAD_TMP :$!";
+
+ print $cfg "# RADIUS configuration file\n";
+ print $cfg "# automatically generated do not edit\n";
+ print $cfg "# Server\tSecret\tTimeout\n";
+
+ for my $server ( sort keys %servers ) {
+ next if ( $servers{$server} eq 'deleted' );
+ my $port = $rconfig->returnValue("$server port");
+ my $secret = $rconfig->returnValue("$server secret");
+ my $timeout = $rconfig->returnValue("$server timeout");
+ print $cfg "$server:$port\t$secret\t$timeout\n";
+ ++$count;
+ print $cfg "priv-lvl 15\n";
+ print $cfg "mapped_priv_user radius_priv_user\n";
+ }
+ close($cfg);
+
+ if ( compare( $PAM_RAD_CFG, $PAM_RAD_TMP ) != 0 ) {
+ copy ($PAM_RAD_TMP, $PAM_RAD_CFG)
+ or die "Copy of $PAM_RAD_TMP to $PAM_RAD_CFG failed";
+ }
+ unlink($PAM_RAD_TMP);
+
+ if ( $count > 0 ) {
+ add_pam_radius();
+ } else {
+ remove_pam_radius();
+ }
+}
+
+1;
diff --git a/lib/Vyatta/Login/RadiusServer.pm b/lib/Vyatta/Login/RadiusServer.pm
deleted file mode 100644
index 5a71b1f8..00000000
--- a/lib/Vyatta/Login/RadiusServer.pm
+++ /dev/null
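Review bot: `update` writes the RADIUS shared secret to the predictable, world-writable path `/tmp/pam_radius_auth.$$` with a plain `open(">")` under the process umask, so a local user can pre-create a symlink at that name to redirect the write, or read the secret while it sits in /tmp; the later `copy` to `/etc/pam_radius_auth.conf` then keeps whatever mode the destination already had (or the umask if it did not exist), which is presumably wider than the 0600 this file needs. The sub is moved verbatim from RadiusServer.pm, but as it is now the module under review the scratch-file handling should use File::Temp's `tempfile` (core; add `use File::Temp qw(tempfile);` next to the other `use` lines) created in /etc with mode 0600 and `rename`d atomically over the target, as sketched below. Two smaller points in the same sub: `close($cfg)` is unchecked, so a short write of the secret file goes unnoticed, and the `priv-lvl 15` / `mapped_priv_user` lines are printed once per server inside the loop rather than once after it, which I assume is unintended. `remove_pam_radius` also ignores the exit status of its `sed` call while `add_pam_radius` dies on it; `system(...) == 0 or die "NSS cleanup failed";` would make the two paths consistent.
```perl
# … unchanged: license, package, use lines, constants, remove_pam_radius, add_pam_radius …
sub update {
    # … unchanged: Vyatta::Config lookup, %servers, $count …

    # Scratch file lives next to the target, has a random name and is
    # created 0600 by File::Temp, so the secret is never exposed in /tmp
    # and a pre-planted symlink cannot redirect the write.
    my ($cfg, $tmp) = tempfile('pam_radius_auth.XXXXXX', DIR => '/etc');

    # … unchanged: header and per-server lines …

    close($cfg) or die "Write to $tmp failed: $!";

    if ( compare( $PAM_RAD_CFG, $tmp ) != 0 ) {
        # rename is atomic and keeps the 0600 mode of the temp file
        rename($tmp, $PAM_RAD_CFG)
            or die "Rename of $tmp to $PAM_RAD_CFG failed: $!";
    } else {
        unlink($tmp);
    }

    # … unchanged: add_pam_radius / remove_pam_radius selection …
}
```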
@@ -1,102 +0,0 @@
-# **** License ****
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# This code was originally developed by Vyatta, Inc.
-# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc.
-# All Rights Reserved.
-#
-# **** End License ****
-
-package Vyatta::Login::RadiusServer;
-use strict;
-use warnings;
-use lib "/opt/vyatta/share/perl5";
-use Vyatta::Config;
-use File::Compare;
-use File::Copy;
-
-my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf';
-my $PAM_RAD_TMP = "/tmp/pam_radius_auth.$$";
-
-my $PAM_RAD_AUTH = "/usr/share/pam-configs/radius";
-my $PAM_RAD_SYSCONF = "/opt/vyatta/etc/pam_radius.cfg";
-
-sub remove_pam_radius {
- system('sed -i -e \'/^passwd:.*mapuid[ \t]/s/mapuid[ \t]//\' \
- -e \'/^passwd:.*[ \t]mapname/s/[ \t]mapname//\' \
- -e \'/^group:.*[ \t]mapname/s/[ \t]mapname//\' \
- -e \'s/[ \t]*$//\' \
- /etc/nsswitch.conf');
-
- system("DEBIAN_FRONTEND=noninteractive " .
- "pam-auth-update --package --remove radius") == 0
- or die "pam-auth-update remove failed";
-
- unlink($PAM_RAD_AUTH)
- or die "Can't remove $PAM_RAD_AUTH";
-}
-
-sub add_pam_radius {
- copy($PAM_RAD_SYSCONF,$PAM_RAD_AUTH)
- or die "Can't copy $PAM_RAD_SYSCONF to $PAM_RAD_AUTH";
-
- system("DEBIAN_FRONTEND=noninteractive " .
- "pam-auth-update --package radius") == 0
- or die "pam-auth-update add failed";
-
- system('sed -i -e \'/\smapname/b\' \
- -e \'/^passwd:/s/\s\s*/&mapuid /\' \
- -e \'/^passwd:.*#/s/#.*/mapname &/\' \
- -e \'/^passwd:[^#]*$/s/$/ mapname &/\' \
- -e \'/^group:.*#/s/#.*/ mapname &/\' \
- -e \'/^group:[^#]*$/s/: */&mapname /\' \
- /etc/nsswitch.conf') == 0
- or die "NSS configuration failed";
-}
-
-sub update {
- my $rconfig = new Vyatta::Config;
- $rconfig->setLevel("system login radius-server");
- my %servers = $rconfig->listNodeStatus();
- my $count = 0;
-
- open (my $cfg, ">", $PAM_RAD_TMP)
- or die "Can't open config tmp: $PAM_RAD_TMP :$!";
-
- print $cfg "# RADIUS configuration file\n";
- print $cfg "# automatically generated do not edit\n";
- print $cfg "# Server\tSecret\tTimeout\n";
-
- for my $server ( sort keys %servers ) {
- next if ( $servers{$server} eq 'deleted' );
- my $port = $rconfig->returnValue("$server port");
- my $secret = $rconfig->returnValue("$server secret");
- my $timeout = $rconfig->returnValue("$server timeout");
- print $cfg "$server:$port\t$secret\t$timeout\n";
- ++$count;
- print $cfg "priv-lvl 15\n";
- print $cfg "mapped_priv_user radius_priv_user\n";
- }
- close($cfg);
-
- if ( compare( $PAM_RAD_CFG, $PAM_RAD_TMP ) != 0 ) {
- copy ($PAM_RAD_TMP, $PAM_RAD_CFG)
- or die "Copy of $PAM_RAD_TMP to $PAM_RAD_CFG failed";
- }
- unlink($PAM_RAD_TMP);
-
- if ( $count > 0 ) {
- add_pam_radius();
- } else {
- remove_pam_radius();
- }
-}
-
-1;
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
old mode 100755
new mode 100644
diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl
index c41bb9df..41172c55 100755
--- a/scripts/system/vyatta_update_login.pl
+++ b/scripts/system/vyatta_update_login.pl
@@ -31,11 +31,8 @@ while ( my ($type, $status) = each %loginNodes) {
 next if ($status eq 'static');
 next if ($type eq 'banner');
- # convert radius-server to RadiusServer
- my $kind = ucfirst $type;
- $kind =~ s/-server/Server/;
- # Dynamically load the module to handle that login method
+ my $kind = ucfirst $type;
 require "Vyatta/Login/$kind.pm";
 # Dynamically invoke update for this type
diff --git a/templates/system/login/radius-server/node.def b/templates/system/login/radius-server/node.def
deleted file mode 100644
index efc917ef..00000000
--- a/templates/system/login/radius-server/node.def
+++ /dev/null
@@ -1,6 +0,0 @@
-tag:
-type: ipv4
-help: Radius server authentication
-commit:expression: $VAR(port) != "" && $VAR(secret) != ""
- && $VAR(timeout) != ""
- ; "Port, secret, and timeout must be specified for Radius"
diff --git a/templates/system/login/radius-server/node.tag/port/node.def b/templates/system/login/radius-server/node.tag/port/node.def
deleted file mode 100644
index 06ff7f02..00000000
--- a/templates/system/login/radius-server/node.tag/port/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-type: u32
-help: Radius port [REQUIRED]
-default: 1812
-
-val_help: u32:1-65535; Numeric IP port
-syntax:expression: $VAR(@) > 0 && $VAR(@) <= 65535 ; \
- "Port number must be in range 1 to 65535"
-
diff --git a/templates/system/login/radius-server/node.tag/secret/node.def b/templates/system/login/radius-server/node.tag/secret/node.def
deleted file mode 100644
index 90420518..00000000
--- a/templates/system/login/radius-server/node.tag/secret/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-type: txt
-help: Secret for radius access [REQUIRED]
diff --git a/templates/system/login/radius-server/node.tag/timeout/node.def b/templates/system/login/radius-server/node.tag/timeout/node.def
deleted file mode 100644
index 34fcbdb0..00000000
--- a/templates/system/login/radius-server/node.tag/timeout/node.def
+++ /dev/null
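Review bot: With the `s/-server/Server/` mapping gone, the only thing turning a `system login` node name into a module file is `ucfirst $type` followed by the string-interpolated `require`, and that contract is now undocumented; a comment on the `my $kind` line such as `# node name must equal the module basename: 'radius' -> Vyatta/Login/Radius.pm` would stop the next hyphenated login node from failing at `require` with a bare "Can't locate" error. `$type` comes from the configuration tree's node names rather than free-form input, so the interpolated `require` is bounded by the installed templates, which is worth stating in the same comment. The enclosing `while` loop starts before this hunk.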
@@ -1,5 +0,0 @@
-type: u32
-help: Timeout for radius session [REQUIRED]
-default: 2
-syntax:expression: $VAR(@) > 0 && $VAR(@) <= 30 \
- ; "Timeout must be between 1 and 30 seconds"
diff --git a/templates/system/login/radius/node.def b/templates/system/login/radius/node.def
new file mode 100644
index 00000000..86baaabe
--- /dev/null
+++ b/templates/system/login/radius/node.def
@@ -0,0 +1 @@
+help: RADIUS specific configuration
diff --git a/templates/system/login/radius/server/node.def b/templates/system/login/radius/server/node.def
new file mode 100644
index 00000000..efc917ef
--- /dev/null
+++ b/templates/system/login/radius/server/node.def
@@ -0,0 +1,6 @@
+tag:
+type: ipv4
+help: Radius server authentication
+commit:expression: $VAR(port) != "" && $VAR(secret) != ""
+ && $VAR(timeout) != ""
+ ; "Port, secret, and timeout must be specified for Radius"
diff --git a/templates/system/login/radius/server/node.tag/port/node.def b/templates/system/login/radius/server/node.tag/port/node.def
new file mode 100644
index 00000000..d3869f55
--- /dev/null
+++ b/templates/system/login/radius/server/node.tag/port/node.def
@@ -0,0 +1,8 @@
+type: u32
+help: Radius port [default: 1812]
+default: 1812
+
+val_help: u32:1-65535; Numeric IP port
+syntax:expression: $VAR(@) > 0 && $VAR(@) <= 65535 ; \
+ "Port number must be in range 1 to 65535"
+
diff --git a/templates/system/login/radius/server/node.tag/secret/node.def b/templates/system/login/radius/server/node.tag/secret/node.def
new file mode 100644
index 00000000..90420518
--- /dev/null
+++ b/templates/system/login/radius/server/node.tag/secret/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Secret for radius access [REQUIRED]
diff --git a/templates/system/login/radius/server/node.tag/timeout/node.def b/templates/system/login/radius/server/node.tag/timeout/node.def
new file mode 100644
index 00000000..a4637981
--- /dev/null
+++ b/templates/system/login/radius/server/node.tag/timeout/node.def
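Review bot: The new `secret/node.def` is still `type: txt` with no `syntax:expression`, yet Radius.pm writes the value into `/etc/pam_radius_auth.conf` as the second whitespace-separated field of `$server:$port\t$secret\t$timeout`, so a secret containing a space or tab silently shifts the timeout column and breaks authentication against that server (it fails closed, but is confusing to debug). Add a check to that node.def, e.g. `syntax:expression: pattern $VAR(@) "^[^[:space:]]+$" ; "RADIUS secret must not contain whitespace"`, adjusting the character class if the template pattern matcher lacks POSIX classes. The `help` text could also say that the secret is kept in clear text in the configuration and in the generated pam_radius_auth.conf, so operators know to protect both.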
@@ -0,0 +1,5 @@
+type: u32
+help: Timeout for radius session in seconds [default: 2]
+default: 2
+syntax:expression: $VAR(@) > 0 && $VAR(@) <= 30 \
+ ; "Timeout must be between 1 and 30 seconds"
-- cgit v1.2.3