From 407074ee8e51ee47dfddb91d630c54521777f34f Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Wed, 21 Jun 2023 22:50:45 +0200
Subject: tacacs: T141: cleanup configuration files on system boot

---
 scripts/init/vyos-router | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)


diff --git a/scripts/init/vyos-router b/scripts/init/vyos-router
index ec68db2..7b752b8 100755
--- a/scripts/init/vyos-router
+++ b/scripts/init/vyos-router
@@ -208,11 +208,11 @@ cleanup_post_commit_hooks () {
 # system defaults.
 security_reset ()
 {
-    # restore PAM back to virgin state (no radius other services)
+    # restore PAM back to virgin state (no radius/tacacs services)
+    pam-auth-update --package --remove radius
     rm -f /etc/pam_radius_auth.conf
-    if grep -q radius /etc/pam.d/common-auth; then
-        pam-auth-update --package --remove radius
-    fi
+    pam-auth-update --package --remove tacplus
+    rm -f /etc/tacplus_nss.conf /etc/tacplus_servers
 
     # Certain configuration files are re-generated by the configuration
     # subsystem and must reside under /etc and can not easily be moved to /run.
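Review bot: The exit status of both new `pam-auth-update --package --remove` calls is discarded, so a failure to strip the radius or tacplus profile from the PAM stack leaves that authentication path in place silently; the `security_reset || log_failure_msg` caller only sees the status of the function's last command, which is outside this hunk. Dropping the `grep -q radius` guard means both removals now run on every boot even when the profile was never enabled, which is fine for idempotence but makes a visible status check more important. Suggest `pam-auth-update --package --remove radius || log_failure_msg "could not remove radius PAM profile"` and the equivalent line for `tacplus`. security_reset continues past the end of the hunk.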
@@ -278,6 +278,9 @@ gen_duid ()
 
 start ()
 {
+    # reset and clean config files
+    security_reset || log_failure_msg "security reset failed"
+
     # some legacy directories migrated over from old rl-system.init
     mkdir -p /var/run/vyatta /var/log/vyatta
     chgrp vyattacfg /var/run/vyatta /var/log/vyatta
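Review bot: The reason for moving `security_reset` to the head of `start ()` is not recorded; the comment `# reset and clean config files` says only what the call does. The last hunk's new `${vyos_conf_scripts_dir}/system-login.py` call presumably regenerates the PAM/TACACS files this function removes, so the reset has to stay ahead of it, an ordering that nothing in the script currently states. Suggest extending the comment to `# reset and clean config files - must run before the system-login.py call below, which regenerates the PAM/NSS files removed here`. The remainder of start () lies outside the hunk.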
@@ -308,9 +311,6 @@ start ()
     [ ! -d ${cni_dir} ] && mkdir -p ${cni_dir}
     mount -t tmpfs none ${cni_dir}
 
-    # reset and clean config files
-    security_reset || log_failure_msg "security reset failed"
-
     # Init firewall
     nfct helper add rpc inet tcp
     nfct helper add rpc inet udp
@@ -324,6 +324,7 @@ start ()
     # As VyOS does not execute commands that are not present in the CLI we call
     # the script by hand to have a single source for the login banner and MOTD
     ${vyos_conf_scripts_dir}/system_console.py || log_failure_msg "could not reset serial console"
+    ${vyos_conf_scripts_dir}/system-login.py || log_failure_msg "could not reset system login"
     ${vyos_conf_scripts_dir}/system-login-banner.py || log_failure_msg "could not reset motd and issue files"
     ${vyos_conf_scripts_dir}/system-option.py || log_failure_msg "could not reset system option files"
     ${vyos_conf_scripts_dir}/conntrack.py || log_failure_msg "could not reset conntrack subsystem"
-- 