From 5e55ab28a732d0082c803f1e473936a3d9c92f22 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Mon, 26 Apr 2010 14:49:14 -0700
Subject: Ignore comments in level file
Standard practice to ignore lines starting with #
---
 lib/Vyatta/Login/User.pm | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'lib')
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
index 419a882d..fa0cca7d 100755
--- a/lib/Vyatta/Login/User.pm
+++ b/lib/Vyatta/Login/User.pm
@@ -47,7 +47,9 @@ sub _level_groups {
 while (<$f>) {
 chomp;
+ # Ignore blank lines and comments
 next unless $_;
+ next if /^#/;
 my ( $l, $g ) = split /:/;
 if ( $l eq $level ) {
--
cgit v1.2.3
From f37b24ae59372da6361b4acf9755270061bdc857 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Mon, 24 May 2010 10:10:35 -0700
Subject: Don't enable PAM Radius by default
The pam-config mechanism will insert Radius pam module if it is in /usr/share/pam-configs. Therefore hold off installing file until Radius really needed.
---
 debian/vyatta-cfg-system.postinst.in | 3 ---
 lib/Vyatta/Login/RadiusServer.pm | 29 ++++++++++++++++++++---------
 scripts/rl-system.init | 4 +++-
 3 files changed, 23 insertions(+), 13 deletions(-)
(limited to 'lib')
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index fbf53739..4265d14b 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -132,9 +132,6 @@ EOF
 fi
 done
- # Install pamradius config (should come with radius client eventually)
- cp $sysconfdir/pam_radius.cfg /usr/share/pam-configs/radius
-
 cp $sysconfdir/vyatta-sysctl.conf /etc/sysctl.d/30-vyatta-router.conf
 fi
diff --git a/lib/Vyatta/Login/RadiusServer.pm b/lib/Vyatta/Login/RadiusServer.pm
index d60f2baa..0de9bd28 100644
--- a/lib/Vyatta/Login/RadiusServer.pm
+++ b/lib/Vyatta/Login/RadiusServer.pm
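Review bot: The added `next if /^#/;` in `_level_groups` (lib/Vyatta/Login/User.pm) matches a `#` only in the first column, so an indented comment or a whitespace-only line still reaches `split /:/` and is parsed as a level entry, presumably with `$g` undefined. Because this file maps login levels to groups, the parse is better strict: `next if /^\s*(?:#|$)/;` handles empty, whitespace-only and indented comment lines in one test and matches what the new comment promises. The body of `_level_groups` continues outside the hunk.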
@@ -20,18 +20,30 @@ use warnings;
 use lib "/opt/vyatta/share/perl5";
 use Vyatta::Config;
 use File::Compare;
+use File::Copy;
 my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf';
 my $PAM_RAD_TMP = "/tmp/pam_radius_auth.$$";
+my $PAM_RAD_AUTH = "/usr/share/pam-configs/radius";
+my $PAM_RAD_SYSCONF = "/opt/vyatta/etc/pam_radius.cfg";
+
 sub remove_pam_radius {
- return system("sudo DEBIAN_FRONTEND=noninteractive"
- . " pam-auth-update --remove radius") == 0;
+ system("DEBIAN_FRONTEND=noninteractive " .
+ " pam-auth-update --package --remove radius") == 0
+ or die "pam-auth-update remove failed";
+
+ unlink($PAM_RAD_AUTH)
+ or die "Can't remove $PAM_RAD_AUTH";
 }
 sub add_pam_radius {
- return system("sudo DEBIAN_FRONTEND=noninteractive"
- . " pam-auth-update radius") == 0;
+ copy($PAM_RAD_SYSCONF,$PAM_RAD_AUTH)
+ or die "Can't copy $PAM_RAD_SYSCONF to $PAM_RAD_AUTH";
+
+ system("DEBIAN_FRONTEND=noninteractive " .
+ "pam-auth-update --package radius") == 0
+ or die "pam-auth-update add failed"
 }
 sub update {
@@ -58,16 +70,15 @@ sub update {
 close($cfg);
 if ( compare( $PAM_RAD_CFG, $PAM_RAD_TMP ) != 0 ) {
- system("sudo cp $PAM_RAD_TMP $PAM_RAD_CFG") == 0
+ copy ($PAM_RAD_TMP, $PAM_RAD_CFG)
 or die "Copy of $PAM_RAD_TMP to $PAM_RAD_CFG failed";
 }
 unlink($PAM_RAD_TMP);
 if ( $count > 0 ) {
- exit 1 unless add_pam_radius();
- }
- else {
- exit 1 unless remove_pam_radius();
+ add_pam_radius();
+ } else {
+ remove_pam_radius();
 }
 }
diff --git a/scripts/rl-system.init b/scripts/rl-system.init
index e7eaed14..ca51166a 100755
--- a/scripts/rl-system.init
+++ b/scripts/rl-system.init
@@ -173,7 +173,9 @@ security_reset () {
 # restore PAM back to virgin state (no radius other services)
 rm -f /etc/pam_radius_auth.conf
 if grep -q radius /etc/pam.d/common-auth
- then pam-auth-update --remove radius
+ then
+ pam-auth-update --package --remove radius
+ rm /usr/share/pam-configs/radius
 fi
 # Disable root login with ssh
--
cgit v1.2.3
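Review bot: In `remove_pam_radius`, `unlink($PAM_RAD_AUTH) or die ...` aborts whenever the profile file is already absent, and because this commit stops installing it at package time, that is the expected state on a system that never had RADIUS configured. The later hunk shows `update` calling this function whenever `$count` is 0, so a missing file should be tolerated, for example with `return 1 unless -e $PAM_RAD_AUTH;` before the `unlink`. The new `die` messages for `unlink` and `copy` should also include `$!` so a failure in this authentication path states its cause. Both helpers used to return a boolean and now die instead, so any caller outside this hunk that tests the return value needs checking.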
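Review bot: When `copy ($PAM_RAD_TMP, $PAM_RAD_CFG)` fails in `update`, the `die` fires before `unlink($PAM_RAD_TMP)`, so the staged RADIUS configuration (which normally carries the server shared secrets) is left behind in /tmp. That staging path is the predictable `/tmp/pam_radius_auth.$$` declared at the top of the file, and with `sudo` dropped this code apparently now runs privileged. A safer approach is to create the staging file with `File::Temp` in the destination directory and `rename` it over `$PAM_RAD_CFG`. File::Copy's `copy` does not carry over the source file's permissions, so add `chmod 0600, $PAM_RAD_CFG` after it. The `open` of the temp file and the rest of `update` are outside this hunk, so how the file is created should be confirmed there.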
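Review bot: The added `rm /usr/share/pam-configs/radius` in `security_reset` runs only when `grep` finds radius in common-auth, so a profile that was copied but never activated survives the reset. Per the commit message, any later pam-auth-update run would then insert the RADIUS module again, which defeats the return to a "virgin state". Move the removal out of the `if` and make it tolerant of a missing file, like the line above it: `rm -f /usr/share/pam-configs/radius`. `security_reset` continues outside the hunk.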