From 2dfccfb76f04c03100e9552e98c0fe899818071d Mon Sep 17 00:00:00 2001
From: UnicronNL
Date: Wed, 16 May 2018 22:22:59 +0200
Subject: Add 2 users used for radius mapping.
---
 lib/Vyatta/Login/User.pm | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'lib')
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
index e03888cd..e0305fbb 100755
--- a/lib/Vyatta/Login/User.pm
+++ b/lib/Vyatta/Login/User.pm
@@ -231,6 +231,9 @@ sub update {
 # This can happen if user added but configuration not saved
 # and system is rebooted
 foreach my $user ( _local_users() ) {
+ # skip radius users
+ next if $user eq 'radius_user';
+ next if $user eq 'radius_priv_user';
 # did we see this user in configuration?
 next if defined $users{$user};
-- cgit v1.2.3
From ae343b4687046bb257490d4445c4a9a8f35dff3b Mon Sep 17 00:00:00 2001
From: UnicronNL
Date: Wed, 16 May 2018 23:34:39 +0200
Subject: Add extra configuration options for Radius
---
 lib/Vyatta/Login/RadiusServer.pm | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'lib')
diff --git a/lib/Vyatta/Login/RadiusServer.pm b/lib/Vyatta/Login/RadiusServer.pm
index 0de9bd28..275f9e47 100644
--- a/lib/Vyatta/Login/RadiusServer.pm
+++ b/lib/Vyatta/Login/RadiusServer.pm
@@ -66,6 +66,8 @@ sub update {
 my $timeout = $rconfig->returnValue("$server timeout");
 print $cfg "$server:$port\t$secret\t$timeout\n";
 ++$count;
+ print $cfg "priv-lvl 15\n";
+ print $cfg "mapped_priv_user radius_priv_user\n";
 }
 close($cfg);
-- cgit v1.2.3
From 881da62cd36e0f499fa8dda165feb4f94e71a3c5 Mon Sep 17 00:00:00 2001
From: UnicronNL
Date: Thu, 17 May 2018 20:53:42 +0200
Subject: Radius update nsswitch.conf
---
 lib/Vyatta/Login/RadiusServer.pm | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
(limited to 'lib')
diff --git a/lib/Vyatta/Login/RadiusServer.pm b/lib/Vyatta/Login/RadiusServer.pm
index 275f9e47..9eec4aa3 100644
--- a/lib/Vyatta/Login/RadiusServer.pm
+++ b/lib/Vyatta/Login/RadiusServer.pm
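Review bot: The two skipped names are bare string literals and the exemption is unconditional, so a local account called `radius_user` or `radius_priv_user` is never reconciled by this loop whether or not RADIUS is configured, and the same names recur as literals in RadiusServer.pm (`mapped_priv_user radius_priv_user` in the next commit). Keep the list in one place, e.g. `my %radius_mapped_user = map { $_ => 1 } qw(radius_user radius_priv_user);` above the loop and `next if $radius_mapped_user{$user};` in place of the two tests, and consider skipping them only while a RADIUS server is configured if that state is reachable from here. The enclosing `update` continues outside the hunk.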
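Review bot: `print $cfg "priv-lvl 15\n"` and the `mapped_priv_user` line are emitted after `++$count` inside what appears to be the per-server loop (`$server`, `$count`; its opening is outside the hunk), so a configuration with several servers writes both keywords once per server; if they are file-wide options, as their form suggests, they belong after the closing `}` and before `close($cfg)`. The privilege level 15 is a hard-coded magic value; name it and say what it controls, e.g. `my $RADIUS_PRIV_LVL = 15;   # written as priv-lvl; its meaning depends on the pam_radius build in use — TODO document`.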
@@ -29,8 +29,14 @@ my $PAM_RAD_AUTH = "/usr/share/pam-configs/radius";
 my $PAM_RAD_SYSCONF = "/opt/vyatta/etc/pam_radius.cfg";
 sub remove_pam_radius {
+ qx'sed -i -e \'/^passwd:.*mapuid[ \t]/s/mapuid[ \t]//\' \
+ -e \'/^passwd:.*[ \t]mapname/s/[ \t]mapname//\' \
+ -e \'/^group:.*[ \t]mapname/s/[ \t]mapname//\' \
+ -e \'s/[ \t]*$//\' \
+ /etc/nsswitch.conf';
+
 system("DEBIAN_FRONTEND=noninteractive " .
- " pam-auth-update --package --remove radius") == 0
+ "pam-auth-update --package --remove radius") == 0
 or die "pam-auth-update remove failed";
 unlink($PAM_RAD_AUTH)
@@ -43,7 +49,16 @@ sub add_pam_radius {
 system("DEBIAN_FRONTEND=noninteractive " .
 "pam-auth-update --package radius") == 0
- or die "pam-auth-update add failed"
+ or die "pam-auth-update add failed";
+
+ qx'sed -i -e \'/\smapname/b\' \
+ -e \'/^passwd:/s/\s\s*/&mapuid /\' \
+ -e \'/^passwd:.*#/s/#.*/mapname &/\' \
+ -e \'/^passwd:[^#]*$/s/$/ mapname &/\' \
+ -e \'/^group:.*#/s/#.*/ mapname &/\' \
+ -e \'/^group:[^#]*$/s/: */&mapname /\' \
+ /etc/nsswitch.conf' == 0
+ or die "NSS configuration failed";
 }
 sub update {
-- cgit v1.2.3
From e40a06138fa685ff0822598aca6a936ed03077da Mon Sep 17 00:00:00 2001
From: UnicronNL
Date: Thu, 17 May 2018 21:48:30 +0200
Subject: Use system instead of qx
---
 lib/Vyatta/Login/RadiusServer.pm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'lib')
diff --git a/lib/Vyatta/Login/RadiusServer.pm b/lib/Vyatta/Login/RadiusServer.pm
index 9eec4aa3..5a71b1f8 100644
--- a/lib/Vyatta/Login/RadiusServer.pm
+++ b/lib/Vyatta/Login/RadiusServer.pm
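Review bot: The `qx'sed -i ...'` edit of /etc/nsswitch.conf discards both its output and its exit status — nothing examines `$?` — so a failed edit leaves stale `mapuid`/`mapname` entries while the function goes on to remove the PAM profile, whereas the add path in the second hunk of this commit ends in `== 0 or die "NSS configuration failed"`; the removal should check the status the same way. The final expression `-e 's/[ \t]*$//'` also strips trailing whitespace from every line of the file rather than only the passwd/group entries just edited; anchoring it, e.g. `-e '/^\(passwd\|group\):/s/[ \t]*$//'`, keeps the side effect to those lines. The unchecked status survives unchanged in the first hunk of the following 'Use system instead of qx' commit.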
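Review bot: `/etc/nsswitch.conf` appears as a bare literal here and again in `remove_pam_radius`, while the file already declares its other paths at the top (`$PAM_RAD_AUTH`, `$PAM_RAD_SYSCONF`); a `my $NSSWITCH_CONF = "/etc/nsswitch.conf";` next to them keeps both sed invocations pointed at the same file. The six-expression sed program deserves a one-line comment stating its intent, e.g. `# add mapuid/mapname NSS lookups to passwd and group; the first -e skips lines that already carry mapname, so re-running is harmless`. `sub update {` at the end of the hunk opens a definition that continues outside it.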
@@ -29,11 +29,11 @@ my $PAM_RAD_AUTH = "/usr/share/pam-configs/radius";
 my $PAM_RAD_SYSCONF = "/opt/vyatta/etc/pam_radius.cfg";
 sub remove_pam_radius {
- qx'sed -i -e \'/^passwd:.*mapuid[ \t]/s/mapuid[ \t]//\' \
+ system('sed -i -e \'/^passwd:.*mapuid[ \t]/s/mapuid[ \t]//\' \
 -e \'/^passwd:.*[ \t]mapname/s/[ \t]mapname//\' \
 -e \'/^group:.*[ \t]mapname/s/[ \t]mapname//\' \
 -e \'s/[ \t]*$//\' \
- /etc/nsswitch.conf';
+ /etc/nsswitch.conf');
 system("DEBIAN_FRONTEND=noninteractive " .
 "pam-auth-update --package --remove radius") == 0
@@ -51,13 +51,13 @@ sub add_pam_radius {
 "pam-auth-update --package radius") == 0
 or die "pam-auth-update add failed";
- qx'sed -i -e \'/\smapname/b\' \
+ system('sed -i -e \'/\smapname/b\' \
 -e \'/^passwd:/s/\s\s*/&mapuid /\' \
 -e \'/^passwd:.*#/s/#.*/mapname &/\' \
 -e \'/^passwd:[^#]*$/s/$/ mapname &/\' \
 -e \'/^group:.*#/s/#.*/ mapname &/\' \
 -e \'/^group:[^#]*$/s/: */&mapname /\' \
- /etc/nsswitch.conf' == 0
+ /etc/nsswitch.conf') == 0
 or die "NSS configuration failed";
 }
-- cgit v1.2.3
From a628e955dc687c64192947c280bbe374c5b2502c Mon Sep 17 00:00:00 2001
From: Kim Hagen
Date: Mon, 28 May 2018 11:16:48 +0200
Subject: Ignore nss mapuser when radius is enabled.
---
 lib/Vyatta/Login/User.pm | 2 +-
 scripts/system/vyatta_check_username.pl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'lib')
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
index e0305fbb..02fb96ee 100755
--- a/lib/Vyatta/Login/User.pm
+++ b/lib/Vyatta/Login/User.pm
@@ -167,7 +167,7 @@ sub _update_user {
 # not found in existing passwd, must be new
 my $cmd;
- unless ( defined($uid) ) {
+ unless ( defined($uid) and $uid ne "1001" ) {
 # make new user using vyatta shell
 # and make home directory (-m)
 # and with default group of 100 (users)
diff --git a/scripts/system/vyatta_check_username.pl b/scripts/system/vyatta_check_username.pl
index 30917ecb..9ecc42db 100755
--- a/scripts/system/vyatta_check_username.pl
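Review bot: `system('sed -i ... /etc/nsswitch.conf')` is still a single string, so the command goes through the shell and keeps the `\'` escaping, and in `remove_pam_radius` its return value is still ignored while `add_pam_radius` in the second hunk checks `== 0 or die`. Passing the program in list form gives sed each `-e` expression as its own argument, removes the shell and the quote escaping, and lets both functions end in the same status check; the second hunk's `system('sed -i -e \'/\smapname/b\' ...')` converts the same way. Perl single quotes leave `\t` as a literal backslash-t, so the expressions reach sed byte-for-byte as before.
```perl
sub remove_pam_radius {
    system('sed', '-i',
           '-e', '/^passwd:.*mapuid[ \t]/s/mapuid[ \t]//',
           '-e', '/^passwd:.*[ \t]mapname/s/[ \t]mapname//',
           '-e', '/^group:.*[ \t]mapname/s/[ \t]mapname//',
           '-e', 's/[ \t]*$//',
           '/etc/nsswitch.conf') == 0
      or die "NSS configuration cleanup failed";
    # … unchanged: pam-auth-update --remove and the unlink that follows …
```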
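Review bot: `$uid ne "1001"` compares a uid with a bare magic number using a string operator, and the comment two lines up, `# not found in existing passwd, must be new`, no longer describes the branch, which is now also taken for an account that does exist with uid 1001. Name the value and the reason, e.g. `my $RADIUS_MAPPED_UID = 1001;   # uid of the local account RADIUS logins resolve to via NSS — TODO confirm where it is created` near the top of the file, then `unless ( defined($uid) and $uid != $RADIUS_MAPPED_UID ) {` with the comment `# not a real local entry: absent, or resolved through the RADIUS mapping`. The same literal is repeated in scripts/system/vyatta_check_username.pl in this commit, and if the mapped account is identified by name, testing `getpwuid($uid)` against that name would not depend on how the uid was allocated. `_update_user` continues outside the hunk.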
+++ b/scripts/system/vyatta_check_username.pl
@@ -68,7 +68,7 @@ foreach my $user (@ARGV) {
 # User does not exist in system, its okay
 my $uid = getpwnam($user);
- next unless defined($uid);
+ next unless defined($uid) and $uid ne "1001";
 # System accounts should not be listed in vyatta configuration
 # 1000 is SYS_UID_MIN
-- cgit v1.2.3
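Review bot: The comment `# User does not exist in system, its okay` above the changed line no longer matches it: a name that resolves to uid 1001 is now skipped too, although it does exist in the passwd database. Reword it, e.g. `# Absent locally, or resolves to the RADIUS-mapped account (uid 1001): fine either way`, and note that `1001` is the same magic number the lib/Vyatta/Login/User.pm hunk in this commit hard-codes, so one named constant should serve both. The enclosing `foreach my $user (@ARGV)` loop continues outside the hunk.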