From bf86040fef55fdb644b3670a9e1ec093e67df828 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Tue, 2 Jun 2009 14:08:23 -0700 Subject: Make Radius server work Translate radius-server to Vyatta::Login::RadiusServer --- Makefile.am | 2 +- lib/Vyatta/Login/Radius.pm | 126 ---------------------------------- lib/Vyatta/Login/RadiusServer.pm | 126 ++++++++++++++++++++++++++++++++++ scripts/system/vyatta_update_login.pl | 2 + 4 files changed, 129 insertions(+), 127 deletions(-) delete mode 100644 lib/Vyatta/Login/Radius.pm create mode 100644 lib/Vyatta/Login/RadiusServer.pm diff --git a/Makefile.am b/Makefile.am index 2168e11e..4a7e23a4 100644 --- a/Makefile.am +++ b/Makefile.am @@ -44,7 +44,7 @@ sbin_SCRIPTS += scripts/zone-mgmt/vyatta-zone.pl sbin_SCRIPTS += scripts/vyatta-banner.pl share_perl5_DATA = lib/Vyatta/Login/User.pm -share_perl5_DATA += lib/Vyatta/Login/Radius.pm +share_perl5_DATA += lib/Vyatta/Login/RadiusServer.pm noinst_DATA = test_bootfile diff --git a/lib/Vyatta/Login/Radius.pm b/lib/Vyatta/Login/Radius.pm deleted file mode 100644 index 6a949434..00000000 --- a/lib/Vyatta/Login/Radius.pm +++ /dev/null @@ -1,126 +0,0 @@ -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. -# All Rights Reserved. -# -# **** End License **** - -package Vyatta::Login::Radius; -use strict; -use warnings; -use lib "/opt/vyatta/share/perl5"; -use Vyatta::Config; - -my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf'; -my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers'; -my $PAM_RAD_END = '# END Vyatta Radius servers'; - -sub is_pam_radius_present { - open( my $auth , '<' , '/etc/pam.d/common-auth' ) - or die "Cannot open /etc/pam.d/common-auth\n"; - - my $present; - while (<$auth>) { - if (/\ssufficient\spam_radius_auth\.so$/) { - $present = 1; - last; - } - } - close $auth; - return $present; -} - -sub remove_pam_radius { - return 1 if ( !is_pam_radius_present() ); - my $cmd = - 'sudo sh -c "' - . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d;' - . '/\tpam_unix\.so /{s/ use_first_pass$//}\' ' - . '/etc/pam.d/common-auth && ' - . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d\' ' - . '/etc/pam.d/common-account"'; - system($cmd); - return 0 if ( $? >> 8 ); - return 1; -} - -sub add_pam_radius { - return 1 if ( is_pam_radius_present() ); - my $cmd = - 'sudo sh -c "' - . 'sed -i \'s/^\(auth\trequired\tpam_unix\.so.*\)$' - . '/auth\tsufficient\tpam_radius_auth.so\n\1 use_first_pass/\' ' - . '/etc/pam.d/common-auth && ' - . 'sed -i \'s/^\(account\trequired\tpam_unix\.so.*\)$' - . '/account\tsufficient\tpam_radius_auth.so\n\1/\' ' - . '/etc/pam.d/common-account"'; - system($cmd); - return 0 if ( $? >> 8 ); - return 1; -} - -sub remove_radius_servers { - system( "sudo sed -i '/^$PAM_RAD_BEGIN\$/,/^$PAM_RAD_END\$/{d}' " - . "$PAM_RAD_CFG" ); - return 0 if ( $? >> 8 ); - return 1; -} - -sub add_radius_servers { - my $str = shift; - system( "sudo sh -c \"" - . "echo '$PAM_RAD_BEGIN\n$str$PAM_RAD_END\n' >> $PAM_RAD_CFG\"" ); - return 0 if ( $? >> 8 ); - return 1; -} - -sub new { - my $that = shift; - my $class = ref($that) || $that; - my $rconfig = new Vyatta::Config; - $rconfig->setLevel("system login radius-server"); - my %servers = $rconfig->listNodeStatus(); - my $self = \%servers; - - bless $self, $class; - - return $self; -} - -sub update { - my $self = shift; - my %servers = %$self; - my $server_str = ''; - my $rconfig = new Vyatta::Config; - $rconfig->setLevel('system login radius-server'); - - if (%servers) { - remove_radius_servers(); - - for my $server (sort keys %servers) { - next if ( $servers{$server} eq 'deleted' ); - my $port = $rconfig->returnValue("$server port"); - my $secret = $rconfig->returnValue("$server secret"); - my $timeout = $rconfig->returnValue("$server timeout"); - $server_str .= "$server:$port\t$secret\t$timeout\n"; - } - - exit 1 if ( !add_radius_servers($server_str) ); - exit 1 if ( !add_pam_radius() ); - - } else { - # all radius servers deleted - exit 1 if ( !remove_pam_radius() ); - } -} - -1; diff --git a/lib/Vyatta/Login/RadiusServer.pm b/lib/Vyatta/Login/RadiusServer.pm new file mode 100644 index 00000000..97ae4eb6 --- /dev/null +++ b/lib/Vyatta/Login/RadiusServer.pm @@ -0,0 +1,126 @@ +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. +# All Rights Reserved. +# +# **** End License **** + +package Vyatta::Login::RadiusServer; +use strict; +use warnings; +use lib "/opt/vyatta/share/perl5"; +use Vyatta::Config; + +my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf'; +my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers'; +my $PAM_RAD_END = '# END Vyatta Radius servers'; + +sub is_pam_radius_present { + open( my $auth , '<' , '/etc/pam.d/common-auth' ) + or die "Cannot open /etc/pam.d/common-auth\n"; + + my $present; + while (<$auth>) { + if (/\ssufficient\spam_radius_auth\.so$/) { + $present = 1; + last; + } + } + close $auth; + return $present; +} + +sub remove_pam_radius { + return 1 if ( !is_pam_radius_present() ); + my $cmd = + 'sudo sh -c "' + . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d;' + . '/\tpam_unix\.so /{s/ use_first_pass$//}\' ' + . '/etc/pam.d/common-auth && ' + . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d\' ' + . '/etc/pam.d/common-account"'; + system($cmd); + return 0 if ( $? >> 8 ); + return 1; +} + +sub add_pam_radius { + return 1 if ( is_pam_radius_present() ); + my $cmd = + 'sudo sh -c "' + . 'sed -i \'s/^\(auth\trequired\tpam_unix\.so.*\)$' + . '/auth\tsufficient\tpam_radius_auth.so\n\1 use_first_pass/\' ' + . '/etc/pam.d/common-auth && ' + . 'sed -i \'s/^\(account\trequired\tpam_unix\.so.*\)$' + . '/account\tsufficient\tpam_radius_auth.so\n\1/\' ' + . '/etc/pam.d/common-account"'; + system($cmd); + return 0 if ( $? >> 8 ); + return 1; +} + +sub remove_radius_servers { + system( "sudo sed -i '/^$PAM_RAD_BEGIN\$/,/^$PAM_RAD_END\$/{d}' " + . "$PAM_RAD_CFG" ); + return 0 if ( $? >> 8 ); + return 1; +} + +sub add_radius_servers { + my $str = shift; + system( "sudo sh -c \"" + . "echo '$PAM_RAD_BEGIN\n$str$PAM_RAD_END\n' >> $PAM_RAD_CFG\"" ); + return 0 if ( $? >> 8 ); + return 1; +} + +sub new { + my $that = shift; + my $class = ref($that) || $that; + my $rconfig = new Vyatta::Config; + $rconfig->setLevel("system login radius-server"); + my %servers = $rconfig->listNodeStatus(); + my $self = \%servers; + + bless $self, $class; + + return $self; +} + +sub update { + my $self = shift; + my %servers = %$self; + my $server_str = ''; + my $rconfig = new Vyatta::Config; + $rconfig->setLevel('system login radius-server'); + + if (%servers) { + remove_radius_servers(); + + for my $server (sort keys %servers) { + next if ( $servers{$server} eq 'deleted' ); + my $port = $rconfig->returnValue("$server port"); + my $secret = $rconfig->returnValue("$server secret"); + my $timeout = $rconfig->returnValue("$server timeout"); + $server_str .= "$server:$port\t$secret\t$timeout\n"; + } + + exit 1 if ( !add_radius_servers($server_str) ); + exit 1 if ( !add_pam_radius() ); + + } else { + # all radius servers deleted + exit 1 if ( !remove_pam_radius() ); + } +} + +1; diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl index b2125de1..b854427b 100644 --- a/scripts/system/vyatta_update_login.pl +++ b/scripts/system/vyatta_update_login.pl @@ -28,6 +28,8 @@ $config->setLevel("system login"); foreach my $type ($config->listNodes()) { my $kind = ucfirst $type; + $kind =~ s/-server/Server/; + my $location = "Vyatta/Login/$kind.pm"; my $class = "Vyatta::Login::$kind"; -- cgit v1.2.3 From 37ba59896d4c9ac5c914d1901d86ed7e7d844871 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Tue, 2 Jun 2009 14:22:15 -0700 Subject: Change API for login modules The login modules aren't really objects (if Perl really had objects), so just use dynamic invoke of update routine. --- lib/Vyatta/Login/RadiusServer.pm | 16 +--------------- lib/Vyatta/Login/User.pm | 33 +++++++-------------------------- scripts/system/vyatta_update_login.pl | 13 +++++-------- 3 files changed, 13 insertions(+), 49 deletions(-) diff --git a/lib/Vyatta/Login/RadiusServer.pm b/lib/Vyatta/Login/RadiusServer.pm index 97ae4eb6..34da8a31 100644 --- a/lib/Vyatta/Login/RadiusServer.pm +++ b/lib/Vyatta/Login/RadiusServer.pm @@ -83,25 +83,11 @@ sub add_radius_servers { return 1; } -sub new { - my $that = shift; - my $class = ref($that) || $that; +sub update { my $rconfig = new Vyatta::Config; $rconfig->setLevel("system login radius-server"); my %servers = $rconfig->listNodeStatus(); - my $self = \%servers; - - bless $self, $class; - - return $self; -} - -sub update { - my $self = shift; - my %servers = %$self; my $server_str = ''; - my $rconfig = new Vyatta::Config; - $rconfig->setLevel('system login radius-server'); if (%servers) { remove_radius_servers(); diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm index f053abf1..c4870986 100755 --- a/lib/Vyatta/Login/User.pm +++ b/lib/Vyatta/Login/User.pm @@ -20,29 +20,6 @@ use warnings; use lib "/opt/vyatta/share/perl5"; use Vyatta::Config; -sub new { - my ( $that ) = @_; - my $class = ref($that) || $that; - my $config = new Vyatta::Config; - $config->setLevel("system login user"); - my %users = $config->listNodeStatus(); - my @user_keys = sort keys %users; - - if ( ( scalar(@user_keys) <= 0 ) - || !( grep /^root$/, @user_keys ) - || ( $users{'root'} eq 'deleted' ) ) - { - - # root is deleted - die "User \"root\" cannot be deleted\n"; - } - - my $self = \%users; - bless $self, $class; - - return $self; -} - # Exit codes form useradd.8 man page my %reasons = ( 0 => 'success', @@ -81,10 +58,14 @@ sub get_groups { } sub update { - my $self = shift; - my %users = %$self; my $membership = get_groups(); - my $uconfig = new Vyatta::Config; + my $uconfig = new Vyatta::Config; + $uconfig->setLevel("system login user"); + my %users = $uconfig->listNodeStatus(); + + die "All users deleted!\n" unless %users; + die "User root cannot be deleted\n" + if (! defined $users{'root'} || $users{'root'} eq 'deleted'); foreach my $user ( keys %users ) { if ( $users{$user} eq 'deleted' ) { diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl index b854427b..94e88ed1 100644 --- a/scripts/system/vyatta_update_login.pl +++ b/scripts/system/vyatta_update_login.pl @@ -30,13 +30,10 @@ foreach my $type ($config->listNodes()) { my $kind = ucfirst $type; $kind =~ s/-server/Server/; - my $location = "Vyatta/Login/$kind.pm"; - my $class = "Vyatta::Login::$kind"; - - require $location; + # Dynamically load the module to handle that login method + require "Vyatta/Login/$kind.pm"; - my $obj = $class->new(); - die "Don't understand $type" unless $obj; - - $obj->update(); + # Dynamically invoke update for this type + my $login = "Vyatta::Login::$kind"; + $login->update(); } -- cgit v1.2.3 From 1151679260e673f69bdb637fec7773b574f3c7b0 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Tue, 2 Jun 2009 15:54:57 -0700 Subject: Handle deletion of radius (or other) server The login class manager must be called if login type is deleted. Also skip updating if no changes to that login type. --- scripts/system/vyatta_update_login.pl | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl index 94e88ed1..862dffe3 100644 --- a/scripts/system/vyatta_update_login.pl +++ b/scripts/system/vyatta_update_login.pl @@ -26,7 +26,9 @@ use Vyatta::Config; my $config = new Vyatta::Config; $config->setLevel("system login"); -foreach my $type ($config->listNodes()) { +my %loginNodes = $config->listNodeStatus(); +while ( my ($type, $status) = each %loginNodes) { + next if ($status eq 'static'); my $kind = ucfirst $type; $kind =~ s/-server/Server/; -- cgit v1.2.3 From 8d3f5b37ec3c728d56fadc596562025821169329 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Tue, 2 Jun 2009 15:59:58 -0700 Subject: Avoid rewriting radius config unless needed Don't edit radius config unless something has changed. --- lib/Vyatta/Login/RadiusServer.pm | 79 +++++++++++++++++++--------------------- 1 file changed, 38 insertions(+), 41 deletions(-) diff --git a/lib/Vyatta/Login/RadiusServer.pm b/lib/Vyatta/Login/RadiusServer.pm index 34da8a31..2dadd2bb 100644 --- a/lib/Vyatta/Login/RadiusServer.pm +++ b/lib/Vyatta/Login/RadiusServer.pm @@ -19,22 +19,18 @@ use strict; use warnings; use lib "/opt/vyatta/share/perl5"; use Vyatta::Config; +use File::Compare; + +my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf'; +my $PAM_RAD_TMP = "/tmp/pam_radius_auth.$$"; -my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf'; my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers'; my $PAM_RAD_END = '# END Vyatta Radius servers'; sub is_pam_radius_present { - open( my $auth , '<' , '/etc/pam.d/common-auth' ) - or die "Cannot open /etc/pam.d/common-auth\n"; - - my $present; - while (<$auth>) { - if (/\ssufficient\spam_radius_auth\.so$/) { - $present = 1; - last; - } - } + open( my $auth, '<', '/etc/pam.d/common-auth' ) + or die "Cannot open /etc/pam.d/common-auth\n"; + my $present = grep { /\ssufficient\spam_radius_auth\.so$/ } <$auth>; close $auth; return $present; } @@ -68,44 +64,45 @@ sub add_pam_radius { return 1; } -sub remove_radius_servers { - system( "sudo sed -i '/^$PAM_RAD_BEGIN\$/,/^$PAM_RAD_END\$/{d}' " - . "$PAM_RAD_CFG" ); - return 0 if ( $? >> 8 ); - return 1; -} - -sub add_radius_servers { - my $str = shift; - system( "sudo sh -c \"" - . "echo '$PAM_RAD_BEGIN\n$str$PAM_RAD_END\n' >> $PAM_RAD_CFG\"" ); - return 0 if ( $? >> 8 ); - return 1; -} - sub update { my $rconfig = new Vyatta::Config; $rconfig->setLevel("system login radius-server"); - my %servers = $rconfig->listNodeStatus(); - my $server_str = ''; + my %servers = $rconfig->listNodeStatus(); + my $count = 0; if (%servers) { - remove_radius_servers(); + my $cmd = "sed -e '/$PAM_RAD_BEGIN/,/$PAM_RAD_END/d' < $PAM_RAD_CFG"; + system("sudo sh -c \"$cmd\" > $PAM_RAD_TMP") == 0 + or die "$cmd failed"; - for my $server (sort keys %servers) { - next if ( $servers{$server} eq 'deleted' ); - my $port = $rconfig->returnValue("$server port"); - my $secret = $rconfig->returnValue("$server secret"); - my $timeout = $rconfig->returnValue("$server timeout"); - $server_str .= "$server:$port\t$secret\t$timeout\n"; - } + open( my $newcfg, '>>', $PAM_RAD_TMP ) + or die "Can't open $PAM_RAD_TMP: $!\n"; - exit 1 if ( !add_radius_servers($server_str) ); - exit 1 if ( !add_pam_radius() ); + print $newcfg "$PAM_RAD_BEGIN\n"; + + for my $server ( sort keys %servers ) { + next if ( $servers{$server} eq 'deleted' ); + my $port = $rconfig->returnValue("$server port"); + my $secret = $rconfig->returnValue("$server secret"); + my $timeout = $rconfig->returnValue("$server timeout"); + print $newcfg "$server:$port\t$secret\t$timeout\n"; + ++$count; + } + print $newcfg "$PAM_RAD_END\n"; + close $newcfg; - } else { - # all radius servers deleted - exit 1 if ( !remove_pam_radius() ); + if ( compare( $PAM_RAD_CFG, $PAM_RAD_TMP ) != 0 ) { + system("sudo cp $PAM_RAD_TMP $PAM_RAD_CFG") == 0 + or die "Copy of $PAM_RAD_TMP to $PAM_RAD_CFG failed"; + } + unlink($PAM_RAD_TMP); + } + + if ( $count > 0 ) { + exit 1 if ( !add_pam_radius() ); + } + else { + exit 1 if ( !remove_pam_radius() ); } } -- cgit v1.2.3