author | Christian Breunig <christian@breunig.cc> | 2023-06-21 22:50:45 +0200 |
---|---|---|
committer | Christian Breunig <christian@breunig.cc> | 2023-06-21 22:50:45 +0200 |
commit | 407074ee8e51ee47dfddb91d630c54521777f34f (patch) | |
tree | ec09820e8f90d4127daf3d9af884d393759d6586 | |
parent | 0c1f4c358298498468e162bb847edb3467642ce4 (diff) | |
tacacs: T141: cleanup configuration files on system boot
-rwxr-xr-x | scripts/init/vyos-router | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/scripts/init/vyos-router b/scripts/init/vyos-router
index ec68db2..7b752b8 100755
--- a/scripts/init/vyos-router
+++ b/scripts/init/vyos-router
@@ -208,11 +208,11 @@ cleanup_post_commit_hooks () {
 # system defaults.
 security_reset ()
 {
-    # restore PAM back to virgin state (no radius other services)
+    # restore PAM back to virgin state (no radius/tacacs services)
+    pam-auth-update --package --remove radius
     rm -f /etc/pam_radius_auth.conf
-    if grep -q radius /etc/pam.d/common-auth; then
-        pam-auth-update --package --remove radius
-    fi
+    pam-auth-update --package --remove tacplus
+    rm -f /etc/tacplus_nss.conf /etc/tacplus_servers
 
     # Certain configuration files are re-generated by the configuration
     # subsystem and must reside under /etc and can not easily be moved to /run.
@@ -278,6 +278,9 @@ gen_duid ()
 
 start ()
 {
+    # reset and clean config files
+    security_reset || log_failure_msg "security reset failed"
+
     # some legacy directories migrated over from old rl-system.init
     mkdir -p /var/run/vyatta /var/log/vyatta
     chgrp vyattacfg /var/run/vyatta /var/log/vyatta
@@ -308,9 +311,6 @@ start ()
     [ ! -d ${cni_dir} ] && mkdir -p ${cni_dir}
     mount -t tmpfs none ${cni_dir}
 
-    # reset and clean config files
-    security_reset || log_failure_msg "security reset failed"
-
     # Init firewall
     nfct helper add rpc inet tcp
     nfct helper add rpc inet udp
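Review bot: Neither of the two new `pam-auth-update --package --remove` calls in security_reset checks its exit status, so if the radius or tacplus profile cannot be removed the PAM stack keeps referencing it while the adjacent `rm -f` lines still delete /etc/pam_radius_auth.conf and /etc/tacplus_servers, and the failure is not reported through log_failure_msg. The `security_reset || log_failure_msg ...` guard added in the start() hunk does not help here either: it only sees the exit status of whatever command ends the function, which lies below this hunk. Now that the old `grep -q radius` guard is gone and both removals run on every boot, each call should report its own failure, e.g. `pam-auth-update --package --remove radius || log_failure_msg "could not remove radius PAM profile"` and likewise `pam-auth-update --package --remove tacplus || log_failure_msg "could not remove tacplus PAM profile"`. The body of security_reset continues past the end of this hunk.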
@@ -324,6 +324,7 @@ start ()
     # As VyOS does not execute commands that are not present in the CLI we call
     # the script by hand to have a single source for the login banner and MOTD
     ${vyos_conf_scripts_dir}/system_console.py || log_failure_msg "could not reset serial console"
+    ${vyos_conf_scripts_dir}/system-login.py || log_failure_msg "could not reset system login"
     ${vyos_conf_scripts_dir}/system-login-banner.py || log_failure_msg "could not reset motd and issue files"
     ${vyos_conf_scripts_dir}/system-option.py || log_failure_msg "could not reset system option files"
     ${vyos_conf_scripts_dir}/conntrack.py || log_failure_msg "could not reset conntrack subsystem" |
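Review bot: The new `system-login.py` call gives no hint why it has to run at boot, and the surrounding comment only talks about the login banner and MOTD. It appears to be the counterpart of the radius/tacplus removal in security_reset earlier in this diff, re-applying the configured login state after the PAM profiles were stripped; if so, a comment above the line should say so, e.g. `# re-apply login settings; security_reset() removed the radius/tacplus PAM profiles`. Under that reading a failure here leaves the host on the stripped-down PAM stack with only the log line as evidence, so it is worth confirming that this is the intended fallback and naming it in the message, e.g. `"could not reset system login, PAM left in reset state"`. The enclosing start() function begins and ends outside this hunk.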